--- /dev/null
+From 33fde6f7d25738690a8f07a98dea748fe037ae82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Jul 2025 07:37:08 +0200
+Subject: ALSA: usb: scarlett2: Fix missing NULL check
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit df485a4b2b3ee5b35c80f990beb554e38a8a5fb1 ]
+
+scarlett2_input_select_ctl_info() sets up the string arrays allocated
+via kasprintf(), but it misses NULL checks, which may lead to NULL
+dereference Oops. Let's add the proper NULL check.
+
+Fixes: 8eba063b5b2b ("ALSA: scarlett2: Simplify linked channel handling")
+Link: https://patch.msgid.link/20250731053714.29414-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_scarlett2.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c
+index 93589e86828a..c137e44f8f8c 100644
+--- a/sound/usb/mixer_scarlett2.c
++++ b/sound/usb/mixer_scarlett2.c
+@@ -3971,8 +3971,13 @@ static int scarlett2_input_select_ctl_info(
+ goto unlock;
+
+ /* Loop through each input */
+- for (i = 0; i < inputs; i++)
++ for (i = 0; i < inputs; i++) {
+ values[i] = kasprintf(GFP_KERNEL, "Input %d", i + 1);
++ if (!values[i]) {
++ err = -ENOMEM;
++ goto unlock;
++ }
++ }
+
+ err = snd_ctl_enum_info(uinfo, 1, i,
+ (const char * const *)values);
+--
+2.39.5
+
--- /dev/null
+From 0b942591714affbbfc020bc2e88108a5082f91ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 12:54:38 -0700
+Subject: apparmor: ensure WB_HISTORY_SIZE value is a power of 2
+
+From: Ryan Lee <ryan.lee@canonical.com>
+
+[ Upstream commit 6c055e62560b958354625604293652753d82bcae ]
+
+WB_HISTORY_SIZE was defined to be a value not a power of 2, despite a
+comment in the declaration of struct match_workbuf stating it is and a
+modular arithmetic usage in the inc_wb_pos macro assuming that it is. Bump
+WB_HISTORY_SIZE's value up to 32 and add a BUILD_BUG_ON_NOT_POWER_OF_2
+line to ensure that any future changes to the value of WB_HISTORY_SIZE
+respect this requirement.
+
+Fixes: 136db994852a ("apparmor: increase left match history buffer size")
+
+Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/include/match.h | 3 ++-
+ security/apparmor/match.c | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
+index 536ce3abd598..b45fc39fa837 100644
+--- a/security/apparmor/include/match.h
++++ b/security/apparmor/include/match.h
+@@ -137,7 +137,8 @@ aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
+
+ void aa_dfa_free_kref(struct kref *kref);
+
+-#define WB_HISTORY_SIZE 24
++/* This needs to be a power of 2 */
++#define WB_HISTORY_SIZE 32
+ struct match_workbuf {
+ unsigned int count;
+ unsigned int pos;
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index f2d9c57f8794..1ceabde550f2 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -681,6 +681,7 @@ aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
+
+ #define inc_wb_pos(wb) \
+ do { \
++ BUILD_BUG_ON_NOT_POWER_OF_2(WB_HISTORY_SIZE); \
+ wb->pos = (wb->pos + 1) & (WB_HISTORY_SIZE - 1); \
+ wb->len = (wb->len + 1) & (WB_HISTORY_SIZE - 1); \
+ } while (0)
+--
+2.39.5
+
--- /dev/null
+From 308d135e1a2f457d21a0836e77b50c178cfc4290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 12:54:39 -0700
+Subject: apparmor: fix loop detection used in conflicting attachment
+ resolution
+
+From: Ryan Lee <ryan.lee@canonical.com>
+
+[ Upstream commit a88db916b8c77552f49f7d9f8744095ea01a268f ]
+
+Conflicting attachment resolution is based on the number of states
+traversed to reach an accepting state in the attachment DFA, accounting
+for DFA loops traversed during the matching process. However, the loop
+counting logic had multiple bugs:
+
+ - The inc_wb_pos macro increments both position and length, but length
+ is supposed to saturate upon hitting buffer capacity, instead of
+ wrapping around.
+ - If no revisited state is found when traversing the history, is_loop
+ would still return true, as if there was a loop found the length of
+ the history buffer, instead of returning false and signalling that
+ no loop was found. As a result, the adjustment step of
+ aa_dfa_leftmatch would sometimes produce negative counts with loop-
+ free DFAs that traversed enough states.
+ - The iteration in the is_loop for loop is supposed to stop before
+ i = wb->len, so the conditional should be < instead of <=.
+
+This patch fixes the above bugs as well as the following nits:
+ - The count and size fields in struct match_workbuf were not used,
+ so they can be removed.
+ - The history buffer in match_workbuf semantically stores aa_state_t
+ and not unsigned ints, even if aa_state_t is currently unsigned int.
+ - The local variables in is_loop are counters, and thus should be
+ unsigned ints instead of aa_state_t's.
+
+Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution")
+
+Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
+Co-developed-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/include/match.h | 5 +----
+ security/apparmor/match.c | 22 +++++++++++-----------
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
+index b45fc39fa837..27cf23b0396b 100644
+--- a/security/apparmor/include/match.h
++++ b/security/apparmor/include/match.h
+@@ -140,15 +140,12 @@ void aa_dfa_free_kref(struct kref *kref);
+ /* This needs to be a power of 2 */
+ #define WB_HISTORY_SIZE 32
+ struct match_workbuf {
+- unsigned int count;
+ unsigned int pos;
+ unsigned int len;
+- unsigned int size; /* power of 2, same as history size */
+- unsigned int history[WB_HISTORY_SIZE];
++ aa_state_t history[WB_HISTORY_SIZE];
+ };
+ #define DEFINE_MATCH_WB(N) \
+ struct match_workbuf N = { \
+- .count = 0, \
+ .pos = 0, \
+ .len = 0, \
+ }
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 1ceabde550f2..c5a91600842a 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -679,35 +679,35 @@ aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
+ return state;
+ }
+
+-#define inc_wb_pos(wb) \
+-do { \
++#define inc_wb_pos(wb) \
++do { \
+ BUILD_BUG_ON_NOT_POWER_OF_2(WB_HISTORY_SIZE); \
+ wb->pos = (wb->pos + 1) & (WB_HISTORY_SIZE - 1); \
+- wb->len = (wb->len + 1) & (WB_HISTORY_SIZE - 1); \
++ wb->len = (wb->len + 1) > WB_HISTORY_SIZE ? WB_HISTORY_SIZE : \
++ wb->len + 1; \
+ } while (0)
+
+ /* For DFAs that don't support extended tagging of states */
++/* adjust is only set if is_loop returns true */
+ static bool is_loop(struct match_workbuf *wb, aa_state_t state,
+ unsigned int *adjust)
+ {
+- aa_state_t pos = wb->pos;
+- aa_state_t i;
++ int pos = wb->pos;
++ int i;
+
+ if (wb->history[pos] < state)
+ return false;
+
+- for (i = 0; i <= wb->len; i++) {
++ for (i = 0; i < wb->len; i++) {
+ if (wb->history[pos] == state) {
+ *adjust = i;
+ return true;
+ }
+- if (pos == 0)
+- pos = WB_HISTORY_SIZE;
+- pos--;
++ /* -1 wraps to WB_HISTORY_SIZE - 1 */
++ pos = (pos - 1) & (WB_HISTORY_SIZE - 1);
+ }
+
+- *adjust = i;
+- return true;
++ return false;
+ }
+
+ static aa_state_t leftmatch_fb(struct aa_dfa *dfa, aa_state_t start,
+--
+2.39.5
+
--- /dev/null
+From b992ffe27404d9f0d31943b9146be37895dc6361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 May 2025 17:08:22 +0200
+Subject: apparmor: Fix unaligned memory accesses in KUnit test
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit c68804199dd9d63868497a27b5da3c3cd15356db ]
+
+The testcase triggers some unnecessary unaligned memory accesses on the
+parisc architecture:
+ Kernel: unaligned access to 0x12f28e27 in policy_unpack_test_init+0x180/0x374 (iir 0x0cdc1280)
+ Kernel: unaligned access to 0x12f28e67 in policy_unpack_test_init+0x270/0x374 (iir 0x64dc00ce)
+
+Use the existing helper functions put_unaligned_le32() and
+put_unaligned_le16() to avoid such warnings on architectures which
+prefer aligned memory accesses.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Fixes: 98c0cc48e27e ("apparmor: fix policy_unpack_test on big endian systems")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/policy_unpack_test.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/security/apparmor/policy_unpack_test.c b/security/apparmor/policy_unpack_test.c
+index 5b2ba88ae9e2..cf18744dafe2 100644
+--- a/security/apparmor/policy_unpack_test.c
++++ b/security/apparmor/policy_unpack_test.c
+@@ -9,6 +9,8 @@
+ #include "include/policy.h"
+ #include "include/policy_unpack.h"
+
++#include <linux/unaligned.h>
++
+ #define TEST_STRING_NAME "TEST_STRING"
+ #define TEST_STRING_DATA "testing"
+ #define TEST_STRING_BUF_OFFSET \
+@@ -80,7 +82,7 @@ static struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf,
+ *(buf + 1) = strlen(TEST_U32_NAME) + 1;
+ strscpy(buf + 3, TEST_U32_NAME, e->end - (void *)(buf + 3));
+ *(buf + 3 + strlen(TEST_U32_NAME) + 1) = AA_U32;
+- *((__le32 *)(buf + 3 + strlen(TEST_U32_NAME) + 2)) = cpu_to_le32(TEST_U32_DATA);
++ put_unaligned_le32(TEST_U32_DATA, buf + 3 + strlen(TEST_U32_NAME) + 2);
+
+ buf = e->start + TEST_NAMED_U64_BUF_OFFSET;
+ *buf = AA_NAME;
+@@ -103,7 +105,7 @@ static struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf,
+ *(buf + 1) = strlen(TEST_ARRAY_NAME) + 1;
+ strscpy(buf + 3, TEST_ARRAY_NAME, e->end - (void *)(buf + 3));
+ *(buf + 3 + strlen(TEST_ARRAY_NAME) + 1) = AA_ARRAY;
+- *((__le16 *)(buf + 3 + strlen(TEST_ARRAY_NAME) + 2)) = cpu_to_le16(TEST_ARRAY_SIZE);
++ put_unaligned_le16(TEST_ARRAY_SIZE, buf + 3 + strlen(TEST_ARRAY_NAME) + 2);
+
+ return e;
+ }
+--
+2.39.5
+
--- /dev/null
+From 4a196ea481a5db4183349998e3f7a4009f7b9553 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Mar 2025 20:11:16 +0100
+Subject: arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX
+
+From: Johan Korsnes <johan.korsnes@gmail.com>
+
+[ Upstream commit 75cd37c5f28b85979fd5a65174013010f6b78f27 ]
+
+This option was removed from the Kconfig in commit
+8c710f75256b ("net/sched: Retire tcindex classifier") but it was not
+removed from the defconfigs.
+
+Fixes: 8c710f75256b ("net/sched: Retire tcindex classifier")
+Signed-off-by: Johan Korsnes <johan.korsnes@gmail.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250323191116.113482-1-johan.korsnes@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/configs/ppc6xx_defconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig
+index f96f8ed9856c..bb359643ddc1 100644
+--- a/arch/powerpc/configs/ppc6xx_defconfig
++++ b/arch/powerpc/configs/ppc6xx_defconfig
+@@ -252,7 +252,6 @@ CONFIG_NET_SCH_DSMARK=m
+ CONFIG_NET_SCH_NETEM=m
+ CONFIG_NET_SCH_INGRESS=m
+ CONFIG_NET_CLS_BASIC=m
+-CONFIG_NET_CLS_TCINDEX=m
+ CONFIG_NET_CLS_ROUTE4=m
+ CONFIG_NET_CLS_FW=m
+ CONFIG_NET_CLS_U32=m
+--
+2.39.5
+
--- /dev/null
+From 0957ace6dcd30b7aec7235ce811cc6f821ce772e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 14:24:41 +0200
+Subject: ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485
+ interface
+
+From: Annette Kobou <annette.kobou@kontron.de>
+
+[ Upstream commit 47ef5256124fb939d8157b13ca048c902435cf23 ]
+
+The polarity of the DE signal of the transceiver is active-high for
+sending. Therefore rs485-rts-active-low is wrong and needs to be
+removed to make RS485 transmissions work.
+
+Signed-off-by: Annette Kobou <annette.kobou@kontron.de>
+Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Fixes: 1ea4b76cdfde ("ARM: dts: imx6ul-kontron-n6310: Add Kontron i.MX6UL N6310 SoM and boards")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi b/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi
+index 29d2f86d5e34..f4c45e964daf 100644
+--- a/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi
++++ b/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi
+@@ -168,7 +168,6 @@ &uart2 {
+ pinctrl-0 = <&pinctrl_uart2>;
+ linux,rs485-enabled-at-boot-time;
+ rs485-rx-during-tx;
+- rs485-rts-active-low;
+ uart-has-rtscts;
+ status = "okay";
+ };
+--
+2.39.5
+
--- /dev/null
+From 80cc72fa5af01e4c8cbf901e58f27e6bd02af4c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 09:08:42 -0700
+Subject: ARM: dts: microchip: sam9x7: Add clock name property
+
+From: Ryan Wanner <Ryan.Wanner@microchip.com>
+
+[ Upstream commit 2e24723492b28ffdccb0e3e68725673e299e3823 ]
+
+Add clock-output-names to the xtal nodes, so the driver can correctly
+register the main and slow xtal.
+
+This fixes the issue of the SoC clock driver not being able to find
+the main xtal and slow xtal correctly causing a bad clock tree.
+
+Fixes: 41af45af8bc3 ("ARM: dts: at91: sam9x7: add device tree for SoC")
+Signed-off-by: Ryan Wanner <Ryan.Wanner@microchip.com>
+Link: https://lore.kernel.org/r/036518968ac657b93e315bb550b822b59ae6f17c.1750175453.git.Ryan.Wanner@microchip.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/sam9x7.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/boot/dts/microchip/sam9x7.dtsi b/arch/arm/boot/dts/microchip/sam9x7.dtsi
+index b217a908f525..114449e90720 100644
+--- a/arch/arm/boot/dts/microchip/sam9x7.dtsi
++++ b/arch/arm/boot/dts/microchip/sam9x7.dtsi
+@@ -45,11 +45,13 @@ cpu@0 {
+ clocks {
+ slow_xtal: clock-slowxtal {
+ compatible = "fixed-clock";
++ clock-output-names = "slow_xtal";
+ #clock-cells = <0>;
+ };
+
+ main_xtal: clock-mainxtal {
+ compatible = "fixed-clock";
++ clock-output-names = "main_xtal";
+ #clock-cells = <0>;
+ };
+ };
+--
+2.39.5
+
--- /dev/null
+From 16c3fb10b6ca824c0a8911655ac85ed9312a04ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 09:08:41 -0700
+Subject: ARM: dts: microchip: sama7d65: Add clock name property
+
+From: Ryan Wanner <Ryan.Wanner@microchip.com>
+
+[ Upstream commit 0029468132ba2e00a3010865038783d9b2e6cc07 ]
+
+Add clock-output-names to the xtal nodes, so the driver can correctly
+register the main and slow xtal.
+
+This fixes the issue of the SoC clock driver not being able to find
+the main xtal and slow xtal correctly causing a bad clock tree.
+
+Fixes: 261dcfad1b59 ("ARM: dts: microchip: add sama7d65 SoC DT")
+Signed-off-by: Ryan Wanner <Ryan.Wanner@microchip.com>
+Link: https://lore.kernel.org/r/3878ae6d0016d46f0c91bd379146d575d5d336aa.1750175453.git.Ryan.Wanner@microchip.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/sama7d65.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/boot/dts/microchip/sama7d65.dtsi b/arch/arm/boot/dts/microchip/sama7d65.dtsi
+index d08d773b1cc5..f96b073a7db5 100644
+--- a/arch/arm/boot/dts/microchip/sama7d65.dtsi
++++ b/arch/arm/boot/dts/microchip/sama7d65.dtsi
+@@ -38,11 +38,13 @@ cpu0: cpu@0 {
+ clocks {
+ main_xtal: clock-mainxtal {
+ compatible = "fixed-clock";
++ clock-output-names = "main_xtal";
+ #clock-cells = <0>;
+ };
+
+ slow_xtal: clock-slowxtal {
+ compatible = "fixed-clock";
++ clock-output-names = "slow_xtal";
+ #clock-cells = <0>;
+ };
+ };
+--
+2.39.5
+
--- /dev/null
+From a4214ad373e91789356c4bbd1372e3d5fe3fe601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 13:48:39 +0200
+Subject: arm: dts: ti: omap: Fixup pinheader typo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Albin Törnqvist <albin.tornqvist@codiax.se>
+
+[ Upstream commit a3a4be32b69c99fc20a66e0de83b91f8c882bf4c ]
+
+This commit fixes a typo introduced in commit
+ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names").
+gpio0_7 is located on the P9 header on the BBB.
+This was verified with a BeagleBone Black by toggling the pin and
+checking with a multimeter that it corresponds to pin 42 on the P9
+header.
+
+Signed-off-by: Albin Törnqvist <albin.tornqvist@codiax.se>
+Link: https://lore.kernel.org/r/20250624114839.1465115-2-albin.tornqvist@codiax.se
+Fixes: ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names")
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/ti/omap/am335x-boneblack.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts b/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts
+index 16b567e3cb47..b4fdcf9c02b5 100644
+--- a/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts
++++ b/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts
+@@ -35,7 +35,7 @@ &gpio0 {
+ "P9_18 [spi0_d1]",
+ "P9_17 [spi0_cs0]",
+ "[mmc0_cd]",
+- "P8_42A [ecappwm0]",
++ "P9_42A [ecappwm0]",
+ "P8_35 [lcd d12]",
+ "P8_33 [lcd d13]",
+ "P8_31 [lcd d14]",
+--
+2.39.5
+
--- /dev/null
+From 30e08811a3f9c2b7891597da03ce3f8eece03761 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 09:19:22 +0200
+Subject: ARM: dts: vfxxx: Correctly use two tuples for timer address
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit f3440dcf8b994197c968fbafe047ce27eed226e8 ]
+
+Address and size-cells are 1 and the ftm timer node takes two address
+spaces in "reg" property, so this should be in two <> tuples. Change
+has no functional impact, but original code is confusing/less readable.
+
+Fixes: 07513e1330a9 ("ARM: dts: vf610: Add Freescale FlexTimer Module timer node.")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/nxp/vf/vfxxx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi b/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi
+index 597f20be82f1..62e555bf6a71 100644
+--- a/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi
++++ b/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi
+@@ -603,7 +603,7 @@ usbmisc1: usb@400b4800 {
+
+ ftm: ftm@400b8000 {
+ compatible = "fsl,ftm-timer";
+- reg = <0x400b8000 0x1000 0x400b9000 0x1000>;
++ reg = <0x400b8000 0x1000>, <0x400b9000 0x1000>;
+ interrupts = <44 IRQ_TYPE_LEVEL_HIGH>;
+ clock-names = "ftm-evt", "ftm-src",
+ "ftm-evt-counter-en", "ftm-src-counter-en";
+--
+2.39.5
+
--- /dev/null
+From f1bf55d87c6a251b2b098cd35fa5c49336569a5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 10:34:25 +0100
+Subject: arm64: dts: exynos: gs101: Add 'local-timer-stop' to cpuidle nodes
+
+From: Will Deacon <willdeacon@google.com>
+
+[ Upstream commit b649082312dd1a4c3989bbdb7c25eb711e9b1d94 ]
+
+In preparation for switching to the architected timer as the primary
+clockevents device, mark the cpuidle nodes with the 'local-timer-stop'
+property to indicate that an alternative clockevents device must be
+used for waking up from the "c2" idle state.
+
+Signed-off-by: Will Deacon <willdeacon@google.com>
+[Original commit from https://android.googlesource.com/kernel/gs/+/a896fd98638047989513d05556faebd28a62b27c]
+Signed-off-by: Will McVicker <willmcvicker@google.com>
+Reviewed-by: Youngmin Nam <youngmin.nam@samsung.com>
+Tested-by: Youngmin Nam <youngmin.nam@samsung.com>
+Fixes: ea89fdf24fd9 ("arm64: dts: exynos: google: Add initial Google gs101 SoC support")
+Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
+Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
+Tested-by: Peter Griffin <peter.griffin@linaro.org>
+Link: https://lore.kernel.org/r/20250611-gs101-cpuidle-v2-1-4fa811ec404d@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/exynos/google/gs101.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/exynos/google/gs101.dtsi b/arch/arm64/boot/dts/exynos/google/gs101.dtsi
+index 48c691fd0a3a..94aa0ffb9a97 100644
+--- a/arch/arm64/boot/dts/exynos/google/gs101.dtsi
++++ b/arch/arm64/boot/dts/exynos/google/gs101.dtsi
+@@ -155,6 +155,7 @@ ananke_cpu_sleep: cpu-ananke-sleep {
+ idle-state-name = "c2";
+ compatible = "arm,idle-state";
+ arm,psci-suspend-param = <0x0010000>;
++ local-timer-stop;
+ entry-latency-us = <70>;
+ exit-latency-us = <160>;
+ min-residency-us = <2000>;
+@@ -164,6 +165,7 @@ enyo_cpu_sleep: cpu-enyo-sleep {
+ idle-state-name = "c2";
+ compatible = "arm,idle-state";
+ arm,psci-suspend-param = <0x0010000>;
++ local-timer-stop;
+ entry-latency-us = <150>;
+ exit-latency-us = <190>;
+ min-residency-us = <2500>;
+@@ -173,6 +175,7 @@ hera_cpu_sleep: cpu-hera-sleep {
+ idle-state-name = "c2";
+ compatible = "arm,idle-state";
+ arm,psci-suspend-param = <0x0010000>;
++ local-timer-stop;
+ entry-latency-us = <235>;
+ exit-latency-us = <220>;
+ min-residency-us = <3500>;
+--
+2.39.5
+
--- /dev/null
+From c5a7ede7b701e3b5a725bc79aa67ab565cbfe0c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 15:51:41 +0200
+Subject: arm64: dts: freescale: imx8mp-toradex-smarc: fix lvds dsi mux gpio
+
+From: Max Krummenacher <max.krummenacher@toradex.com>
+
+[ Upstream commit 29d34c678cf82341cb0bedb3179d59c56856a80f ]
+
+The MUX which either outputs DSI or 2nd channel LVDS signals is part of
+the SoM. Move the pinmuxing of the GPIO used for controlling the MUX
+to the SoM dtsi file.
+
+Fixes: 97dc91c04558 ("arm64: dts: freescale: add Toradex SMARC iMX8MP")
+Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc-dev.dts | 5 -----
+ arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc.dtsi | 2 ++
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc-dev.dts b/arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc-dev.dts
+index 55b8c5c14fb4..d5fa9a8d414e 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc-dev.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc-dev.dts
+@@ -102,11 +102,6 @@ &gpio1 {
+ <&pinctrl_gpio13>;
+ };
+
+-&gpio3 {
+- pinctrl-names = "default";
+- pinctrl-0 = <&pinctrl_lvds_dsi_sel>;
+-};
+-
+ &gpio4 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_gpio4>, <&pinctrl_gpio6>;
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc.dtsi
+index 22f6daabdb90..11fd5360ab90 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp-toradex-smarc.dtsi
+@@ -320,6 +320,8 @@ &gpio2 {
+ };
+
+ &gpio3 {
++ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_lvds_dsi_sel>;
+ gpio-line-names = "ETH_0_INT#", /* 0 */
+ "SLEEP#",
+ "",
+--
+2.39.5
+
--- /dev/null
+From db9965bd2055e0f669b6d47ab906dc9002a03857 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 11:41:27 +0200
+Subject: arm64: dts: freescale: imx93-tqma9352: Limit BUCK2 to 600mV
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 696a4c325fad8af95da6a9d797766d1613831622 ]
+
+TQMa9352 is only using LPDDR4X, so the BUCK2 regulator should be fixed
+at 600MV.
+
+Fixes: d2858e6bd36c ("arm64: dts: freescale: imx93-tqma9352: Add PMIC node")
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Acked-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
+index 2cabdae24227..09385b058664 100644
+--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: (GPL-2.0-or-later OR MIT)
+ /*
+- * Copyright (c) 2022 TQ-Systems GmbH <linux@ew.tq-group.com>,
++ * Copyright (c) 2022-2025 TQ-Systems GmbH <linux@ew.tq-group.com>,
+ * D-82229 Seefeld, Germany.
+ * Author: Markus Niebel
+ */
+@@ -110,11 +110,11 @@ buck1: BUCK1 {
+ regulator-ramp-delay = <3125>;
+ };
+
+- /* V_DDRQ - 1.1 LPDDR4 or 0.6 LPDDR4X */
++ /* V_DDRQ - 0.6 V for LPDDR4X */
+ buck2: BUCK2 {
+ regulator-name = "BUCK2";
+ regulator-min-microvolt = <600000>;
+- regulator-max-microvolt = <1100000>;
++ regulator-max-microvolt = <600000>;
+ regulator-boot-on;
+ regulator-always-on;
+ regulator-ramp-delay = <3125>;
+--
+2.39.5
+
--- /dev/null
+From d82c10d6ee7b72a7117c39d38bf939d1667e089a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 16:34:45 -0500
+Subject: arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit f83f69097a302ed2a2775975ddcf12e6a5ac6ec3 ]
+
+The reference manual for the i.MX8MM states the clock rate in
+MMC mode is 1/2 of the input clock, therefore to properly run
+at HS400 rates, the input clock must be 400MHz to operate at
+200MHz. Currently the clock is set to 200MHz which is half the
+rate it should be, so the throughput is half of what it should be
+for HS400 operation.
+
+Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+index 21bcd82fd092..8287a7f66ed3 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+@@ -294,6 +294,8 @@ &usdhc3 {
+ pinctrl-0 = <&pinctrl_usdhc3>;
+ pinctrl-1 = <&pinctrl_usdhc3_100mhz>;
+ pinctrl-2 = <&pinctrl_usdhc3_200mhz>;
++ assigned-clocks = <&clk IMX8MM_CLK_USDHC3>;
++ assigned-clock-rates = <400000000>;
+ bus-width = <8>;
+ non-removable;
+ status = "okay";
+--
+2.39.5
+
--- /dev/null
+From 3fe5b09b686159f66106ede09453aa0693eaf7b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 16:34:46 -0500
+Subject: arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit e16ad6c79906bba5e2ac499492b6a5b29ab19d6c ]
+
+The reference manual for the i.MX8MN states the clock rate in
+MMC mode is 1/2 of the input clock, therefore to properly run
+at HS400 rates, the input clock must be 400MHz to operate at
+200MHz. Currently the clock is set to 200MHz which is half the
+rate it should be, so the throughput is half of what it should be
+for HS400 operation.
+
+Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+index 67a99383a632..917b7d0007a7 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+@@ -305,6 +305,8 @@ &usdhc3 {
+ pinctrl-0 = <&pinctrl_usdhc3>;
+ pinctrl-1 = <&pinctrl_usdhc3_100mhz>;
+ pinctrl-2 = <&pinctrl_usdhc3_200mhz>;
++ assigned-clocks = <&clk IMX8MN_CLK_USDHC3>;
++ assigned-clock-rates = <400000000>;
+ bus-width = <8>;
+ non-removable;
+ status = "okay";
+--
+2.39.5
+
--- /dev/null
+From 1492f5adc38849fa340f33dcde736799c7a26292 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 15:51:04 -0700
+Subject: arm64: dts: imx8mp-venice-gw74xx: update name of M2SKT_WDIS2# gpio
+
+From: Tim Harvey <tharvey@gateworks.com>
+
+[ Upstream commit 26a6a9cde64a890997708007d9de25809970eac9 ]
+
+The GW74xx D revision has added a M2SKT_WDIS2# GPIO which routes to the
+W_DISABLE2# pin of the M.2 socket. Update the gpio name for consistency.
+
+Fixes: 6a5d95b06d93 ("arm64: dts: imx8mp-venice-gw74xx: add M2SKT_GPIO10 gpio configuration")
+Signed-off-by: Tim Harvey <tharvey@gateworks.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts
+index 568d24265ddf..12de7cf1e853 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts
+@@ -301,7 +301,7 @@ &gpio2 {
+ &gpio3 {
+ gpio-line-names =
+ "", "", "", "", "", "", "m2_rst", "",
+- "", "", "", "", "", "", "m2_gpio10", "",
++ "", "", "", "", "", "", "m2_wdis2#", "",
+ "", "", "", "", "", "", "", "",
+ "", "", "", "", "", "", "", "";
+ };
+@@ -310,7 +310,7 @@ &gpio4 {
+ gpio-line-names =
+ "", "", "m2_off#", "", "", "", "", "",
+ "", "", "", "", "", "", "", "",
+- "", "", "m2_wdis#", "", "", "", "", "",
++ "", "", "m2_wdis1#", "", "", "", "", "",
+ "", "", "", "", "", "", "", "rs485_en";
+ };
+
+@@ -811,14 +811,14 @@ pinctrl_hog: hoggrp {
+ MX8MP_IOMUXC_GPIO1_IO09__GPIO1_IO09 0x40000040 /* DIO0 */
+ MX8MP_IOMUXC_GPIO1_IO11__GPIO1_IO11 0x40000040 /* DIO1 */
+ MX8MP_IOMUXC_SAI1_RXD0__GPIO4_IO02 0x40000040 /* M2SKT_OFF# */
+- MX8MP_IOMUXC_SAI1_TXD6__GPIO4_IO18 0x40000150 /* M2SKT_WDIS# */
++ MX8MP_IOMUXC_SAI1_TXD6__GPIO4_IO18 0x40000150 /* M2SKT_WDIS1# */
+ MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06 0x40000040 /* M2SKT_PIN20 */
+ MX8MP_IOMUXC_SD1_STROBE__GPIO2_IO11 0x40000040 /* M2SKT_PIN22 */
+ MX8MP_IOMUXC_SD2_CLK__GPIO2_IO13 0x40000150 /* PCIE1_WDIS# */
+ MX8MP_IOMUXC_SD2_CMD__GPIO2_IO14 0x40000150 /* PCIE3_WDIS# */
+ MX8MP_IOMUXC_SD2_DATA3__GPIO2_IO18 0x40000150 /* PCIE2_WDIS# */
+ MX8MP_IOMUXC_NAND_DATA00__GPIO3_IO06 0x40000040 /* M2SKT_RST# */
+- MX8MP_IOMUXC_NAND_DQS__GPIO3_IO14 0x40000040 /* M2SKT_GPIO10 */
++ MX8MP_IOMUXC_NAND_DQS__GPIO3_IO14 0x40000150 /* M2KST_WDIS2# */
+ MX8MP_IOMUXC_SAI3_TXD__GPIO5_IO01 0x40000104 /* UART_TERM */
+ MX8MP_IOMUXC_SAI3_TXFS__GPIO4_IO31 0x40000104 /* UART_RS485 */
+ MX8MP_IOMUXC_SAI3_TXC__GPIO5_IO00 0x40000104 /* UART_HALF */
+--
+2.39.5
+
--- /dev/null
+From 0c08203ac45906495beb3f23811209fb4fa1a5f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jun 2025 22:35:03 +0200
+Subject: arm64: dts: qcom: msm8976: Make blsp_dma controlled-remotely
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: André Apitzsch <git@apitzsch.eu>
+
+[ Upstream commit 76270a18dbdf0bb50615f1b29d2cae8d683da01e ]
+
+The blsp_dma controller is shared between the different subsystems,
+which is why it is already initialized by the firmware. We should not
+reinitialize it from Linux to avoid potential other users of the DMA
+engine to misbehave.
+
+In mainline this can be described using the "qcom,controlled-remotely"
+property. In the downstream/vendor kernel from Qualcomm there is an
+opposite "qcom,managed-locally" property. This property is *not* set
+for the qcom,sps-dma@7884000 and qcom,sps-dma@7ac4000 [1] so adding
+"qcom,controlled-remotely" upstream matches the behavior of the
+downstream/vendor kernel.
+
+Adding this fixes booting Longcheer L9360.
+
+[1]: https://git.codelinaro.org/clo/la/kernel/msm-3.10/-/blob/LA.BR.1.3.7.c26/arch/arm/boot/dts/qcom/msm8976.dtsi#L1149-1163
+
+Fixes: 0484d3ce0902 ("arm64: dts: qcom: Add DTS for MSM8976 and MSM8956 SoCs")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Signed-off-by: André Apitzsch <git@apitzsch.eu>
+Link: https://lore.kernel.org/r/20250615-bqx5plus-v2-1-72b45c84237d@apitzsch.eu
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8976.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8976.dtsi b/arch/arm64/boot/dts/qcom/msm8976.dtsi
+index e2ac2fd6882f..2a3024638470 100644
+--- a/arch/arm64/boot/dts/qcom/msm8976.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8976.dtsi
+@@ -1331,6 +1331,7 @@ blsp1_dma: dma-controller@7884000 {
+ clock-names = "bam_clk";
+ #dma-cells = <1>;
+ qcom,ee = <0>;
++ qcom,controlled-remotely;
+ };
+
+ blsp1_uart1: serial@78af000 {
+@@ -1451,6 +1452,7 @@ blsp2_dma: dma-controller@7ac4000 {
+ clock-names = "bam_clk";
+ #dma-cells = <1>;
+ qcom,ee = <0>;
++ qcom,controlled-remotely;
+ };
+
+ blsp2_uart2: serial@7af0000 {
+--
+2.39.5
+
--- /dev/null
+From aa937077b1f7e7460050f85efe97dab66d9d2b34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 11:00:03 +0800
+Subject: arm64: dts: qcom: qcs615: disable the CTI device of the camera block
+
+From: Jie Gan <jie.gan@oss.qualcomm.com>
+
+[ Upstream commit 1b7fc8a281cae9e3176584558a4ac551ce0f777d ]
+
+Disable the CTI device of the camera block to prevent potential NoC errors
+during AMBA bus device matching.
+
+The clocks for the Qualcomm Debug Subsystem (QDSS) are managed by aoss_qmp
+through a mailbox. However, the camera block resides outside the AP domain,
+meaning its QDSS clock cannot be controlled via aoss_qmp.
+
+Fixes: bf469630552a ("arm64: dts: qcom: qcs615: Add coresight nodes")
+Signed-off-by: Jie Gan <jie.gan@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250611030003.3801-1-jie.gan@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/qcs615.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/qcs615.dtsi b/arch/arm64/boot/dts/qcom/qcs615.dtsi
+index 559d3a4ba605..e5d118c755e6 100644
+--- a/arch/arm64/boot/dts/qcom/qcs615.dtsi
++++ b/arch/arm64/boot/dts/qcom/qcs615.dtsi
+@@ -2462,6 +2462,9 @@ cti@6c13000 {
+
+ clocks = <&aoss_qmp>;
+ clock-names = "apb_pclk";
++
++ /* Not all required clocks can be enabled from the OS */
++ status = "fail";
+ };
+
+ cti@6c20000 {
+--
+2.39.5
+
--- /dev/null
+From 1042a31aa706f90bf16b8d79429523c7262db96e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 08:50:16 +0800
+Subject: arm64: dts: qcom: qcs615: fix a crash issue caused by infinite loop
+ for Coresight
+
+From: Jie Gan <jie.gan@oss.qualcomm.com>
+
+[ Upstream commit bd4f35786d5f0798cc1f8c187a81a7c998e6c58f ]
+
+An infinite loop has been created by the Coresight devices. When only a
+source device is enabled, the coresight_find_activated_sysfs_sink function
+is recursively invoked in an attempt to locate an active sink device,
+ultimately leading to a stack overflow and system crash. Therefore, disable
+the replicator1 to break the infinite loop and prevent a potential stack
+overflow.
+
+replicator1_out -> funnel_swao_in6 -> tmc_etf_swao_in -> tmc_etf_swao_out
+ | |
+replicator1_in replicator_swao_in
+ | |
+replicator0_out1 replicator_swao_out0
+ | |
+replicator0_in funnel_in1_in3
+ | |
+tmc_etf_out <- tmc_etf_in <- funnel_merg_out <- funnel_merg_in1 <- funnel_in1_out
+
+[call trace]
+ dump_backtrace+0x9c/0x128
+ show_stack+0x20/0x38
+ dump_stack_lvl+0x48/0x60
+ dump_stack+0x18/0x28
+ panic+0x340/0x3b0
+ nmi_panic+0x94/0xa0
+ panic_bad_stack+0x114/0x138
+ handle_bad_stack+0x34/0xb8
+ __bad_stack+0x78/0x80
+ coresight_find_activated_sysfs_sink+0x28/0xa0 [coresight]
+ coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]
+ coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]
+ coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]
+ coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]
+ ...
+ coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]
+ coresight_enable_sysfs+0x80/0x2a0 [coresight]
+
+side effect after the change:
+Only trace data originating from AOSS can reach the ETF_SWAO and EUD sinks.
+
+Fixes: bf469630552a ("arm64: dts: qcom: qcs615: Add coresight nodes")
+Signed-off-by: Jie Gan <jie.gan@oss.qualcomm.com>
+Acked-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250522005016.2148-1-jie.gan@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/qcs615.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/qcs615.dtsi b/arch/arm64/boot/dts/qcom/qcs615.dtsi
+index bb8b6c3ebd03..559d3a4ba605 100644
+--- a/arch/arm64/boot/dts/qcom/qcs615.dtsi
++++ b/arch/arm64/boot/dts/qcom/qcs615.dtsi
+@@ -1902,6 +1902,7 @@ replicator@604a000 {
+
+ clocks = <&aoss_qmp>;
+ clock-names = "apb_pclk";
++ status = "disabled";
+
+ in-ports {
+ port {
+--
+2.39.5
+
--- /dev/null
+From 041bb9836a241b2dbcbac41915d8483d52220e16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 10:39:33 +0800
+Subject: arm64: dts: qcom: sa8775p: Correct the interrupt for remoteproc
+
+From: Lijuan Gao <lijuan.gao@oss.qualcomm.com>
+
+[ Upstream commit 7bd7209e9cb11c8864e601d915008da088476f0c ]
+
+Fix the incorrect IRQ numbers for ready and handover on sa8775p.
+The correct values are as follows:
+
+Fatal interrupt - 0
+Ready interrupt - 1
+Handover interrupt - 2
+Stop acknowledge interrupt - 3
+
+Fixes: df54dcb34ff2e ("arm64: dts: qcom: sa8775p: add ADSP, CDSP and GPDSP nodes")
+Signed-off-by: Lijuan Gao <lijuan.gao@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250612-correct_interrupt_for_remoteproc-v1-2-490ee6d92a1b@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sa8775p.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sa8775p.dtsi b/arch/arm64/boot/dts/qcom/sa8775p.dtsi
+index 45f536633f64..f682a53e83e5 100644
+--- a/arch/arm64/boot/dts/qcom/sa8775p.dtsi
++++ b/arch/arm64/boot/dts/qcom/sa8775p.dtsi
+@@ -5571,8 +5571,8 @@ remoteproc_gpdsp0: remoteproc@20c00000 {
+
+ interrupts-extended = <&intc GIC_SPI 768 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_gpdsp0_in 0 0>,
+- <&smp2p_gpdsp0_in 2 0>,
+ <&smp2p_gpdsp0_in 1 0>,
++ <&smp2p_gpdsp0_in 2 0>,
+ <&smp2p_gpdsp0_in 3 0>;
+ interrupt-names = "wdog", "fatal", "ready",
+ "handover", "stop-ack";
+@@ -5614,8 +5614,8 @@ remoteproc_gpdsp1: remoteproc@21c00000 {
+
+ interrupts-extended = <&intc GIC_SPI 624 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_gpdsp1_in 0 0>,
+- <&smp2p_gpdsp1_in 2 0>,
+ <&smp2p_gpdsp1_in 1 0>,
++ <&smp2p_gpdsp1_in 2 0>,
+ <&smp2p_gpdsp1_in 3 0>;
+ interrupt-names = "wdog", "fatal", "ready",
+ "handover", "stop-ack";
+@@ -5755,8 +5755,8 @@ remoteproc_cdsp0: remoteproc@26300000 {
+
+ interrupts-extended = <&intc GIC_SPI 578 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_cdsp0_in 0 IRQ_TYPE_EDGE_RISING>,
+- <&smp2p_cdsp0_in 2 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_cdsp0_in 1 IRQ_TYPE_EDGE_RISING>,
++ <&smp2p_cdsp0_in 2 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_cdsp0_in 3 IRQ_TYPE_EDGE_RISING>;
+ interrupt-names = "wdog", "fatal", "ready",
+ "handover", "stop-ack";
+@@ -5887,8 +5887,8 @@ remoteproc_cdsp1: remoteproc@2a300000 {
+
+ interrupts-extended = <&intc GIC_SPI 798 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_cdsp1_in 0 IRQ_TYPE_EDGE_RISING>,
+- <&smp2p_cdsp1_in 2 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_cdsp1_in 1 IRQ_TYPE_EDGE_RISING>,
++ <&smp2p_cdsp1_in 2 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_cdsp1_in 3 IRQ_TYPE_EDGE_RISING>;
+ interrupt-names = "wdog", "fatal", "ready",
+ "handover", "stop-ack";
+@@ -6043,8 +6043,8 @@ remoteproc_adsp: remoteproc@30000000 {
+
+ interrupts-extended = <&pdc 6 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_adsp_in 0 IRQ_TYPE_EDGE_RISING>,
+- <&smp2p_adsp_in 2 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_adsp_in 1 IRQ_TYPE_EDGE_RISING>,
++ <&smp2p_adsp_in 2 IRQ_TYPE_EDGE_RISING>,
+ <&smp2p_adsp_in 3 IRQ_TYPE_EDGE_RISING>;
+ interrupt-names = "wdog", "fatal", "ready", "handover",
+ "stop-ack";
+--
+2.39.5
+
--- /dev/null
+From 088d8fbcae7efb0836669f12a952673b450bd39c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 01:18:18 +0200
+Subject: arm64: dts: qcom: sc7180: Expand IMEM region
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 965e28cad4739b11f1bc58c0a9935e025938bb1f ]
+
+We need more than what is currently described, expand the region to its
+actual boundaries.
+
+Fixes: ede638c42c82 ("arm64: dts: qcom: sc7180: Add IMEM and pil info regions")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250523-topic-ipa_mem_dts-v1-3-f7aa94fac1ab@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7180.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7180.dtsi b/arch/arm64/boot/dts/qcom/sc7180.dtsi
+index 01e727b021ec..3afb69921be3 100644
+--- a/arch/arm64/boot/dts/qcom/sc7180.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7180.dtsi
+@@ -3526,18 +3526,18 @@ spmi_bus: spmi@c440000 {
+ #interrupt-cells = <4>;
+ };
+
+- sram@146aa000 {
++ sram@14680000 {
+ compatible = "qcom,sc7180-imem", "syscon", "simple-mfd";
+- reg = <0 0x146aa000 0 0x2000>;
++ reg = <0 0x14680000 0 0x2e000>;
+
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+- ranges = <0 0 0x146aa000 0x2000>;
++ ranges = <0 0 0x14680000 0x2e000>;
+
+- pil-reloc@94c {
++ pil-reloc@2a94c {
+ compatible = "qcom,pil-reloc-info";
+- reg = <0x94c 0xc8>;
++ reg = <0x2a94c 0xc8>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 4d33fcb3d9121c62f9328eaa9a0d8531504a34c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 01:18:17 +0200
+Subject: arm64: dts: qcom: sdm845: Expand IMEM region
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 81a4a7de3d4031e77b5796479ef21aefb0862807 ]
+
+We need more than what is currently described, expand the region to its
+actual boundaries.
+
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Fixes: 948f6161c6ab ("arm64: dts: qcom: sdm845: Add IMEM and PIL info region")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250523-topic-ipa_mem_dts-v1-2-f7aa94fac1ab@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+index 3bc8471c658b..6ee97cfecc70 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+@@ -5081,18 +5081,18 @@ spmi_bus: spmi@c440000 {
+ #interrupt-cells = <4>;
+ };
+
+- sram@146bf000 {
++ sram@14680000 {
+ compatible = "qcom,sdm845-imem", "syscon", "simple-mfd";
+- reg = <0 0x146bf000 0 0x1000>;
++ reg = <0 0x14680000 0 0x40000>;
+
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+- ranges = <0 0 0x146bf000 0x1000>;
++ ranges = <0 0 0x14680000 0x40000>;
+
+- pil-reloc@94c {
++ pil-reloc@3f94c {
+ compatible = "qcom,pil-reloc-info";
+- reg = <0x94c 0xc8>;
++ reg = <0x3f94c 0xc8>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 56d5b6f828506014de997ef2d21754e9d21cdf27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 22:14:46 +0200
+Subject: arm64: dts: qcom: x1p42100: Fix thermal sensor configuration
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 63350a07966f61183462c200361a8c8cc275d560 ]
+
+The 8-core SKUs of the X1 family have a different sensor configuration.
+Override it to expose what the sensors really measure.
+
+Fixes: f08edb529916 ("arm64: dts: qcom: Add X1P42100 SoC and CRD")
+Tested-by: Jens Glathe <jens.glathe@oldschoolsolutions.biz>
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250520-topic-x1p4_tsens-v2-1-9687b789a4fb@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 +-
+ arch/arm64/boot/dts/qcom/x1p42100.dtsi | 556 +++++++++++++++++++++++++
+ 2 files changed, 557 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+index a8eb4c5fe99f..5edcfb83c61a 100644
+--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi
++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+@@ -8548,7 +8548,7 @@ timer {
+ <GIC_PPI 10 IRQ_TYPE_LEVEL_LOW>;
+ };
+
+- thermal-zones {
++ thermal_zones: thermal-zones {
+ aoss0-thermal {
+ thermal-sensors = <&tsens0 0>;
+
+diff --git a/arch/arm64/boot/dts/qcom/x1p42100.dtsi b/arch/arm64/boot/dts/qcom/x1p42100.dtsi
+index 27f479010bc3..9af9e707f982 100644
+--- a/arch/arm64/boot/dts/qcom/x1p42100.dtsi
++++ b/arch/arm64/boot/dts/qcom/x1p42100.dtsi
+@@ -18,6 +18,7 @@
+ /delete-node/ &cpu_pd10;
+ /delete-node/ &cpu_pd11;
+ /delete-node/ &pcie3_phy;
++/delete-node/ &thermal_zones;
+
+ &gcc {
+ compatible = "qcom,x1p42100-gcc", "qcom,x1e80100-gcc";
+@@ -79,3 +80,558 @@ pcie3_phy: phy@1bd4000 {
+ status = "disabled";
+ };
+ };
++
++/* While physically present, this controller is left unconfigured and unused */
++&tsens3 {
++ status = "disabled";
++};
++
++/ {
++ thermal-zones {
++ aoss0-thermal {
++ thermal-sensors = <&tsens0 0>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu0-0-top-thermal {
++ thermal-sensors = <&tsens0 1>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu0-0-btm-thermal {
++ thermal-sensors = <&tsens0 2>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu0-1-top-thermal {
++ thermal-sensors = <&tsens0 3>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu0-1-btm-thermal {
++ thermal-sensors = <&tsens0 4>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu0-2-top-thermal {
++ thermal-sensors = <&tsens0 5>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu0-2-btm-thermal {
++ thermal-sensors = <&tsens0 6>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu0-3-top-thermal {
++ thermal-sensors = <&tsens0 7>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu0-3-btm-thermal {
++ thermal-sensors = <&tsens0 8>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpuss0-top-thermal {
++ thermal-sensors = <&tsens0 9>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpuss0-btm-thermal {
++ thermal-sensors = <&tsens0 10>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ mem-thermal {
++ thermal-sensors = <&tsens0 11>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <0>;
++ type = "critical";
++ };
++ };
++ };
++
++ video-thermal {
++ thermal-sensors = <&tsens0 12>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ aoss1-thermal {
++ thermal-sensors = <&tsens1 0>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu1-0-top-thermal {
++ thermal-sensors = <&tsens1 1>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu1-0-btm-thermal {
++ thermal-sensors = <&tsens1 2>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu1-1-top-thermal {
++ thermal-sensors = <&tsens1 3>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu1-1-btm-thermal {
++ thermal-sensors = <&tsens1 4>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu1-2-top-thermal {
++ thermal-sensors = <&tsens1 5>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu1-2-btm-thermal {
++ thermal-sensors = <&tsens1 6>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu1-3-top-thermal {
++ thermal-sensors = <&tsens1 7>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpu1-3-btm-thermal {
++ thermal-sensors = <&tsens1 8>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpuss1-top-thermal {
++ thermal-sensors = <&tsens1 9>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ cpuss1-btm-thermal {
++ thermal-sensors = <&tsens1 10>;
++
++ trips {
++ trip-point0 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ aoss2-thermal {
++ thermal-sensors = <&tsens2 0>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ nsp0-thermal {
++ thermal-sensors = <&tsens2 1>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ nsp1-thermal {
++ thermal-sensors = <&tsens2 2>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ nsp2-thermal {
++ thermal-sensors = <&tsens2 3>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ nsp3-thermal {
++ thermal-sensors = <&tsens2 4>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ gpuss-0-thermal {
++ polling-delay-passive = <200>;
++
++ thermal-sensors = <&tsens2 5>;
++
++ cooling-maps {
++ map0 {
++ trip = <&gpuss0_alert0>;
++ cooling-device = <&gpu THERMAL_NO_LIMIT THERMAL_NO_LIMIT>;
++ };
++ };
++
++ trips {
++ gpuss0_alert0: trip-point0 {
++ temperature = <95000>;
++ hysteresis = <1000>;
++ type = "passive";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ gpuss-1-thermal {
++ polling-delay-passive = <200>;
++
++ thermal-sensors = <&tsens2 6>;
++
++ cooling-maps {
++ map0 {
++ trip = <&gpuss1_alert0>;
++ cooling-device = <&gpu THERMAL_NO_LIMIT THERMAL_NO_LIMIT>;
++ };
++ };
++
++ trips {
++ gpuss1_alert0: trip-point0 {
++ temperature = <95000>;
++ hysteresis = <1000>;
++ type = "passive";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ gpuss-2-thermal {
++ polling-delay-passive = <200>;
++
++ thermal-sensors = <&tsens2 7>;
++
++ cooling-maps {
++ map0 {
++ trip = <&gpuss2_alert0>;
++ cooling-device = <&gpu THERMAL_NO_LIMIT THERMAL_NO_LIMIT>;
++ };
++ };
++
++ trips {
++ gpuss2_alert0: trip-point0 {
++ temperature = <95000>;
++ hysteresis = <1000>;
++ type = "passive";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ gpuss-3-thermal {
++ polling-delay-passive = <200>;
++
++ thermal-sensors = <&tsens2 8>;
++
++ cooling-maps {
++ map0 {
++ trip = <&gpuss3_alert0>;
++ cooling-device = <&gpu THERMAL_NO_LIMIT THERMAL_NO_LIMIT>;
++ };
++ };
++
++ trips {
++ gpuss3_alert0: trip-point0 {
++ temperature = <95000>;
++ hysteresis = <1000>;
++ type = "passive";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ camera0-thermal {
++ thermal-sensors = <&tsens2 9>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++
++ camera1-thermal {
++ thermal-sensors = <&tsens2 10>;
++
++ trips {
++ trip-point0 {
++ temperature = <90000>;
++ hysteresis = <2000>;
++ type = "hot";
++ };
++
++ trip-point1 {
++ temperature = <115000>;
++ hysteresis = <1000>;
++ type = "critical";
++ };
++ };
++ };
++ };
++};
+--
+2.39.5
+
--- /dev/null
+From 397ec7c2c4e6f959b85eca2454e4952a634771d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 13:26:08 +0200
+Subject: arm64: dts: renesas: r8a779g3-sparrow-hawk-fan-pwm: Add missing
+ install target
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+[ Upstream commit 7e5624e231eea73a6a2c2d0b837a085267590167 ]
+
+The target to consider the dtbo file for installation is missing, add
+it.
+
+Fixes: a719915e76f2 ("arm64: dts: renesas: r8a779g3: Add Retronix R-Car V4H Sparrow Hawk board support")
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Link: https://lore.kernel.org/20250701112612.3957799-2-niklas.soderlund+renesas@ragnatech.se
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/Makefile b/arch/arm64/boot/dts/renesas/Makefile
+index aa7f996c0546..f9f70f181d10 100644
+--- a/arch/arm64/boot/dts/renesas/Makefile
++++ b/arch/arm64/boot/dts/renesas/Makefile
+@@ -96,6 +96,7 @@ dtb-$(CONFIG_ARCH_R8A779G0) += r8a779g2-white-hawk-single-ard-audio-da7212.dtb
+
+ DTC_FLAGS_r8a779g3-sparrow-hawk += -Wno-spi_bus_bridge
+ dtb-$(CONFIG_ARCH_R8A779G0) += r8a779g3-sparrow-hawk.dtb
++dtb-$(CONFIG_ARCH_R8A779G0) += r8a779g3-sparrow-hawk-fan-pwm.dtbo
+ r8a779g3-sparrow-hawk-fan-pwm-dtbs := r8a779g3-sparrow-hawk.dtb r8a779g3-sparrow-hawk-fan-pwm.dtbo
+ dtb-$(CONFIG_ARCH_R8A779G0) += r8a779g3-sparrow-hawk-fan-pwm.dtb
+
+--
+2.39.5
+
--- /dev/null
+From b090444dea54f65b98f1e440df37275d00ac8027 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jun 2025 16:58:30 +0000
+Subject: arm64: dts: rockchip: Enable eMMC HS200 mode on Radxa E20C
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit 6e3071f4e03997ca0e4388ca61aa06df2802dcd1 ]
+
+eMMC HS200 mode (1.8V I/O) is supported by the MMC host controller on
+RK3528 and works with the optional on-board eMMC module on Radxa E20C.
+
+Be explicit about HS200 support in the device tree for Radxa E20C.
+
+Fixes: 3a01b5f14a8a ("arm64: dts: rockchip: Enable onboard eMMC on Radxa E20C")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Link: https://lore.kernel.org/r/20250621165832.2226160-1-jonas@kwiboo.se
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts b/arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts
+index 9f6ccd9dd1f7..ea722be2acd3 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts
+@@ -278,6 +278,7 @@ &saradc {
+ &sdhci {
+ bus-width = <8>;
+ cap-mmc-highspeed;
++ mmc-hs200-1_8v;
+ no-sd;
+ no-sdio;
+ non-removable;
+--
+2.39.5
+
--- /dev/null
+From 26aa58bf4a5684072fcd6350cb8dd5a87552d57d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 18:22:16 +0200
+Subject: arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+[ Upstream commit 5ddb2d46852997a28f8d77153e225611a8268b74 ]
+
+dtc complains with the following message for DTSes which use the ISP:
+
+arch/arm64/boot/dts/rockchip/px30.dtsi:1272.19-1276.6: Warning (graph_child_address): /isp@ff4a0000/ports/port@0: graph node has single child node 'endpoint@0', #address-cells/#size-cells are not necessary
+
+Typically, it is expected from the device DTS(I) to update the SoC DTSI
+nodes if they have more than one endpoint, so let's assume there's only
+one endpoint in port@0 by default, instead of forcing board DTS(I)s to
+/delete-property/ address-cells and size-cells to make dtc happy.
+
+Because PX30 PP1516/EVB's endpoint@0 is the only endpoint and
+considering its parent node now has no address-cells property, dtc
+complains (same messages for PX30 EVB):
+
+arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi:447.29-451.6: Warning (avoid_default_addr_size): /isp@ff4a0000/ports/port@0/endpoint@0: Relying on default #address-cells value
+arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi:447.29-451.6: Warning (avoid_default_addr_size): /isp@ff4a0000/ports/port@0/endpoint@0: Relying on default #size-cells value
+arch/arm64/boot/dts/rockchip/px30-pp1516-ltk050h3146w-a2.dtb: Warning (avoid_unnecessary_addr_size): Failed prerequisite 'avoid_default_addr_size'
+arch/arm64/boot/dts/rockchip/px30-pp1516-ltk050h3146w-a2.dtb: Warning (unique_unit_address_if_enabled): Failed prerequisite 'avoid_default_addr_size'
+arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi:447.29-451.6: Warning (graph_endpoint): /isp@ff4a0000/ports/port@0/endpoint@0: graph node '#address-cells' is -1, must be 1
+arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi:447.29-451.6: Warning (graph_endpoint): /isp@ff4a0000/ports/port@0/endpoint@0: graph node '#size-cells' is -1, must be 0
+arch/arm64/boot/dts/rockchip/px30-pp1516-ltk050h3146w-a2.dtb: Warning (graph_child_address): Failed prerequisite 'graph_endpoint'
+
+so we fix that by removing the reg property. dtc still complains (same
+messages for PX30 EVB):
+
+arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi:447.29-450.6: Warning (unit_address_vs_reg): /isp@ff4a0000/ports/port@0/endpoint@0: node has a unit name, but no reg or ranges property
+
+so we also remove the @0 suffix off the node name.
+
+Fixes: 8df7b4537dfb ("arm64: dts: rockchip: add isp node for px30")
+Fixes: 474a77395be2 ("arm64: dts: rockchip: hook up camera on px30-evb")
+Fixes: 56198acdbf0d ("arm64: dts: rockchip: add px30-pp1516 base dtsi and board variants")
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Link: https://lore.kernel.org/r/20250610-ringneck-haikou-video-demo-cam-v2-1-de1bf87e0732@cherry.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/px30-evb.dts | 3 +--
+ arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi | 3 +--
+ arch/arm64/boot/dts/rockchip/px30.dtsi | 2 --
+ 3 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/px30-evb.dts b/arch/arm64/boot/dts/rockchip/px30-evb.dts
+index d93aaac7a42f..bfd724b73c9a 100644
+--- a/arch/arm64/boot/dts/rockchip/px30-evb.dts
++++ b/arch/arm64/boot/dts/rockchip/px30-evb.dts
+@@ -483,8 +483,7 @@ &isp {
+
+ ports {
+ port@0 {
+- mipi_in_ucam: endpoint@0 {
+- reg = <0>;
++ mipi_in_ucam: endpoint {
+ data-lanes = <1 2>;
+ remote-endpoint = <&ucam_out>;
+ };
+diff --git a/arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi b/arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi
+index 3f9a133d7373..b4bd4e34747c 100644
+--- a/arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi
++++ b/arch/arm64/boot/dts/rockchip/px30-pp1516.dtsi
+@@ -444,8 +444,7 @@ &isp {
+
+ ports {
+ port@0 {
+- mipi_in_ucam: endpoint@0 {
+- reg = <0>;
++ mipi_in_ucam: endpoint {
+ data-lanes = <1 2>;
+ remote-endpoint = <&ucam_out>;
+ };
+diff --git a/arch/arm64/boot/dts/rockchip/px30.dtsi b/arch/arm64/boot/dts/rockchip/px30.dtsi
+index feabdadfa440..8220c875415f 100644
+--- a/arch/arm64/boot/dts/rockchip/px30.dtsi
++++ b/arch/arm64/boot/dts/rockchip/px30.dtsi
+@@ -1271,8 +1271,6 @@ ports {
+
+ port@0 {
+ reg = <0>;
+- #address-cells = <1>;
+- #size-cells = <0>;
+ };
+ };
+ };
+--
+2.39.5
+
--- /dev/null
+From 87a98e4b8454cc004fe4618c39531f44d94beb9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 19:31:59 +0200
+Subject: arm64: dts: rockchip: fix PHY handling for ROCK 4D
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit cd803da7c033e376a66793a43ee98e136bc6cc25 ]
+
+Old revisions of the ROCK 4D board have a dedicated crystal to
+supply the RTL8211F PHY's 25MHz clock input. At least some newer
+revisions instead use REFCLKO25M_GMAC0_OUT. The DT already has
+this half-prepared, but there are some issues:
+
+1. The DT relies on auto-selecting the right PHY driver, which
+ requires that it works good enough to read the ID registers.
+ This does not work without the clock, which is handled by
+ the PHY driver. By updating the compatible to contain the
+ RTL8211F IDs, so that the operating system can choose the
+ right PHY driver without relying on a pre-powered PHY.
+
+2. Despite the name REFCLKO25M_GMAC0_OUT could also provide a
+ different frequency, so ensure it is explicitly set to 25
+ MHz as expected by the PHY.
+
+3. While at it switch from deprecated "enable-gpio" to standard
+ "enable-gpios".
+
+Fixes: a0fb7eca9c09 ("arm64: dts: rockchip: Add Radxa ROCK 4D device tree")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://lore.kernel.org/r/20250704-rk3576-rock4d-phy-handling-fixes-v1-1-1d64130c4139@kernel.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts b/arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts
+index 6756403111e7..0a93853cdf43 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts
+@@ -641,14 +641,16 @@ hym8563: rtc@51 {
+
+ &mdio0 {
+ rgmii_phy0: ethernet-phy@1 {
+- compatible = "ethernet-phy-ieee802.3-c22";
++ compatible = "ethernet-phy-id001c.c916";
+ reg = <0x1>;
+ clocks = <&cru REFCLKO25M_GMAC0_OUT>;
++ assigned-clocks = <&cru REFCLKO25M_GMAC0_OUT>;
++ assigned-clock-rates = <25000000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&rtl8211f_rst>;
+ reset-assert-us = <20000>;
+ reset-deassert-us = <100000>;
+- reset-gpio = <&gpio2 RK_PB5 GPIO_ACTIVE_LOW>;
++ reset-gpios = <&gpio2 RK_PB5 GPIO_ACTIVE_LOW>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From bb940b3f865b8107a341aaa583ca6b2e050e6f97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jun 2025 11:38:57 +0000
+Subject: arm64: dts: rockchip: Fix pinctrl node names for RK3528
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit f2792bf1c7a54ef23fb3a84286b66f427bfc4853 ]
+
+Following warnings can be observed with CHECK_DTBS=y for the RK3528:
+
+ rk3528-pinctrl.dtsi:101.36-105.5: Warning (node_name_chars_strict):
+ /pinctrl/fephy/fephym0-led_dpx: Character '_' not recommended in node name
+ rk3528-pinctrl.dtsi:108.38-112.5: Warning (node_name_chars_strict):
+ /pinctrl/fephy/fephym0-led_link: Character '_' not recommended in node name
+ rk3528-pinctrl.dtsi:115.36-119.5: Warning (node_name_chars_strict):
+ /pinctrl/fephy/fephym0-led_spd: Character '_' not recommended in node name
+ rk3528-pinctrl.dtsi:122.36-126.5: Warning (node_name_chars_strict):
+ /pinctrl/fephy/fephym1-led_dpx: Character '_' not recommended in node name
+ rk3528-pinctrl.dtsi:129.38-133.5: Warning (node_name_chars_strict):
+ /pinctrl/fephy/fephym1-led_link: Character '_' not recommended in node name
+ rk3528-pinctrl.dtsi:136.36-140.5: Warning (node_name_chars_strict):
+ /pinctrl/fephy/fephym1-led_spd: Character '_' not recommended in node name
+ rk3528-pinctrl.dtsi:782.32-790.5: Warning (node_name_chars_strict):
+ /pinctrl/rgmii/rgmii-rx_bus2: Character '_' not recommended in node name
+ rk3528-pinctrl.dtsi:793.32-801.5: Warning (node_name_chars_strict):
+ /pinctrl/rgmii/rgmii-tx_bus2: Character '_' not recommended in node name
+ rk3528-pinctrl.dtsi:804.36-810.5: Warning (node_name_chars_strict):
+ /pinctrl/rgmii/rgmii-rgmii_clk: Character '_' not recommended in node name
+ rk3528-pinctrl.dtsi:813.36-823.5: Warning (node_name_chars_strict):
+ /pinctrl/rgmii/rgmii-rgmii_bus: Character '_' not recommended in node name
+
+Rename the affected nodes to fix these warnings.
+
+Fixes: a31fad19ae39 ("arm64: dts: rockchip: Add pinctrl and gpio nodes for RK3528")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Link: https://lore.kernel.org/r/20250621113859.2146400-1-jonas@kwiboo.se
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/rockchip/rk3528-pinctrl.dtsi | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3528-pinctrl.dtsi b/arch/arm64/boot/dts/rockchip/rk3528-pinctrl.dtsi
+index ea051362fb26..59b75c91bbb7 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3528-pinctrl.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3528-pinctrl.dtsi
+@@ -98,42 +98,42 @@ eth_pins: eth-pins {
+
+ fephy {
+ /omit-if-no-ref/
+- fephym0_led_dpx: fephym0-led_dpx {
++ fephym0_led_dpx: fephym0-led-dpx {
+ rockchip,pins =
+ /* fephy_led_dpx_m0 */
+ <4 RK_PB5 2 &pcfg_pull_none>;
+ };
+
+ /omit-if-no-ref/
+- fephym0_led_link: fephym0-led_link {
++ fephym0_led_link: fephym0-led-link {
+ rockchip,pins =
+ /* fephy_led_link_m0 */
+ <4 RK_PC0 2 &pcfg_pull_none>;
+ };
+
+ /omit-if-no-ref/
+- fephym0_led_spd: fephym0-led_spd {
++ fephym0_led_spd: fephym0-led-spd {
+ rockchip,pins =
+ /* fephy_led_spd_m0 */
+ <4 RK_PB7 2 &pcfg_pull_none>;
+ };
+
+ /omit-if-no-ref/
+- fephym1_led_dpx: fephym1-led_dpx {
++ fephym1_led_dpx: fephym1-led-dpx {
+ rockchip,pins =
+ /* fephy_led_dpx_m1 */
+ <2 RK_PA4 5 &pcfg_pull_none>;
+ };
+
+ /omit-if-no-ref/
+- fephym1_led_link: fephym1-led_link {
++ fephym1_led_link: fephym1-led-link {
+ rockchip,pins =
+ /* fephy_led_link_m1 */
+ <2 RK_PA6 5 &pcfg_pull_none>;
+ };
+
+ /omit-if-no-ref/
+- fephym1_led_spd: fephym1-led_spd {
++ fephym1_led_spd: fephym1-led-spd {
+ rockchip,pins =
+ /* fephy_led_spd_m1 */
+ <2 RK_PA5 5 &pcfg_pull_none>;
+@@ -779,7 +779,7 @@ rgmii_miim: rgmii-miim {
+ };
+
+ /omit-if-no-ref/
+- rgmii_rx_bus2: rgmii-rx_bus2 {
++ rgmii_rx_bus2: rgmii-rx-bus2 {
+ rockchip,pins =
+ /* rgmii_rxd0 */
+ <3 RK_PA3 2 &pcfg_pull_none>,
+@@ -790,7 +790,7 @@ rgmii_rx_bus2: rgmii-rx_bus2 {
+ };
+
+ /omit-if-no-ref/
+- rgmii_tx_bus2: rgmii-tx_bus2 {
++ rgmii_tx_bus2: rgmii-tx-bus2 {
+ rockchip,pins =
+ /* rgmii_txd0 */
+ <3 RK_PA1 2 &pcfg_pull_none_drv_level_2>,
+@@ -801,7 +801,7 @@ rgmii_tx_bus2: rgmii-tx_bus2 {
+ };
+
+ /omit-if-no-ref/
+- rgmii_rgmii_clk: rgmii-rgmii_clk {
++ rgmii_rgmii_clk: rgmii-rgmii-clk {
+ rockchip,pins =
+ /* rgmii_rxclk */
+ <3 RK_PA5 2 &pcfg_pull_none>,
+@@ -810,7 +810,7 @@ rgmii_rgmii_clk: rgmii-rgmii_clk {
+ };
+
+ /omit-if-no-ref/
+- rgmii_rgmii_bus: rgmii-rgmii_bus {
++ rgmii_rgmii_bus: rgmii-rgmii-bus {
+ rockchip,pins =
+ /* rgmii_rxd2 */
+ <3 RK_PA7 2 &pcfg_pull_none>,
+--
+2.39.5
+
--- /dev/null
+From cc80416dd0cc5c54be57e55a5513bc8bfd2152da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 21:08:28 +0000
+Subject: arm64: dts: rockchip: Fix UART DMA support for RK3528
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit ae019f0bdfbef3e0671e7b954321e92fc24c7e54 ]
+
+Trying to use UART2 DMA for Bluetooth on ArmSoM Sige1 result in tx
+timeout when using dma-names = "tx", "rx" as required by the dt-binding:
+
+ Bluetooth: hci0: command 0x0c03 tx timeout
+ Bluetooth: hci0: BCM: Reset failed (-110)
+
+Change the dmas order to fix UART DMA support on RK3528.
+
+With this fixed Bluetooth can be loaded using DMA on ArmSoM Sige1:
+
+ Bluetooth: hci0: BCM: chip id 159
+ Bluetooth: hci0: BCM: features 0x0f
+ Bluetooth: hci0: BCM4362A2
+ Bluetooth: hci0: BCM4362A2 (000.017.017) build 0000
+ Bluetooth: hci0: BCM4362A2 'brcm/BCM4362A2.hcd' Patch
+ Bluetooth: hci0: BCM: features 0x0f
+ Bluetooth: hci0: BCM43752A2 UART 37.4MHz Ampak AP6398 sLNA iLNA CL1 [Version: 1091.1173]
+ Bluetooth: hci0: BCM4362A2 (000.017.017) build 1173
+
+Fixes: ab6fcb58aedf ("arm64: dts: rockchip: Add UART DMA support for RK3528")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Link: https://lore.kernel.org/r/20250709210831.3170458-1-jonas@kwiboo.se
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3528.dtsi | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3528.dtsi b/arch/arm64/boot/dts/rockchip/rk3528.dtsi
+index d1c72b52aa4e..7f78409cb558 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3528.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3528.dtsi
+@@ -445,7 +445,7 @@ uart0: serial@ff9f0000 {
+ clocks = <&cru SCLK_UART0>, <&cru PCLK_UART0>;
+ clock-names = "baudclk", "apb_pclk";
+ interrupts = <GIC_SPI 40 IRQ_TYPE_LEVEL_HIGH>;
+- dmas = <&dmac 8>, <&dmac 9>;
++ dmas = <&dmac 9>, <&dmac 8>;
+ reg-io-width = <4>;
+ reg-shift = <2>;
+ status = "disabled";
+@@ -457,7 +457,7 @@ uart1: serial@ff9f8000 {
+ clocks = <&cru SCLK_UART1>, <&cru PCLK_UART1>;
+ clock-names = "baudclk", "apb_pclk";
+ interrupts = <GIC_SPI 41 IRQ_TYPE_LEVEL_HIGH>;
+- dmas = <&dmac 10>, <&dmac 11>;
++ dmas = <&dmac 11>, <&dmac 10>;
+ reg-io-width = <4>;
+ reg-shift = <2>;
+ status = "disabled";
+@@ -469,7 +469,7 @@ uart2: serial@ffa00000 {
+ clocks = <&cru SCLK_UART2>, <&cru PCLK_UART2>;
+ clock-names = "baudclk", "apb_pclk";
+ interrupts = <GIC_SPI 42 IRQ_TYPE_LEVEL_HIGH>;
+- dmas = <&dmac 12>, <&dmac 13>;
++ dmas = <&dmac 13>, <&dmac 12>;
+ reg-io-width = <4>;
+ reg-shift = <2>;
+ status = "disabled";
+@@ -481,7 +481,7 @@ uart3: serial@ffa08000 {
+ clocks = <&cru SCLK_UART3>, <&cru PCLK_UART3>;
+ clock-names = "baudclk", "apb_pclk";
+ interrupts = <GIC_SPI 43 IRQ_TYPE_LEVEL_HIGH>;
+- dmas = <&dmac 14>, <&dmac 15>;
++ dmas = <&dmac 15>, <&dmac 14>;
+ reg-io-width = <4>;
+ reg-shift = <2>;
+ status = "disabled";
+@@ -493,7 +493,7 @@ uart4: serial@ffa10000 {
+ clocks = <&cru SCLK_UART4>, <&cru PCLK_UART4>;
+ clock-names = "baudclk", "apb_pclk";
+ interrupts = <GIC_SPI 44 IRQ_TYPE_LEVEL_HIGH>;
+- dmas = <&dmac 16>, <&dmac 17>;
++ dmas = <&dmac 17>, <&dmac 16>;
+ reg-io-width = <4>;
+ reg-shift = <2>;
+ status = "disabled";
+@@ -505,7 +505,7 @@ uart5: serial@ffa18000 {
+ clocks = <&cru SCLK_UART5>, <&cru PCLK_UART5>;
+ clock-names = "baudclk", "apb_pclk";
+ interrupts = <GIC_SPI 45 IRQ_TYPE_LEVEL_HIGH>;
+- dmas = <&dmac 18>, <&dmac 19>;
++ dmas = <&dmac 19>, <&dmac 18>;
+ reg-io-width = <4>;
+ reg-shift = <2>;
+ status = "disabled";
+@@ -517,7 +517,7 @@ uart6: serial@ffa20000 {
+ clocks = <&cru SCLK_UART6>, <&cru PCLK_UART6>;
+ clock-names = "baudclk", "apb_pclk";
+ interrupts = <GIC_SPI 46 IRQ_TYPE_LEVEL_HIGH>;
+- dmas = <&dmac 20>, <&dmac 21>;
++ dmas = <&dmac 21>, <&dmac 20>;
+ reg-io-width = <4>;
+ reg-shift = <2>;
+ status = "disabled";
+@@ -529,7 +529,7 @@ uart7: serial@ffa28000 {
+ clocks = <&cru SCLK_UART7>, <&cru PCLK_UART7>;
+ clock-names = "baudclk", "apb_pclk";
+ interrupts = <GIC_SPI 47 IRQ_TYPE_LEVEL_HIGH>;
+- dmas = <&dmac 22>, <&dmac 23>;
++ dmas = <&dmac 23>, <&dmac 22>;
+ reg-io-width = <4>;
+ reg-shift = <2>;
+ status = "disabled";
+--
+2.39.5
+
--- /dev/null
+From 6a18742413eff72b87bfe695dff30fa200c4c4f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 15:12:39 +0200
+Subject: arm64: dts: st: fix timer used for ticks
+
+From: Patrick Delaunay <patrick.delaunay@foss.st.com>
+
+[ Upstream commit 9ec406ac4b7de3e8040a503429d1a5d389bfdaf6 ]
+
+Remove always-on on generic ARM timer as the clock source provided by
+STGEN is deactivated in low power mode, STOP1 by example.
+
+Fixes: 5d30d03aaf78 ("arm64: dts: st: introduce stm32mp25 SoCs family")
+Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
+Link: https://lore.kernel.org/r/20250515151238.1.I85271ddb811a7cf73532fec90de7281cb24ce260@changeid
+Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/st/stm32mp251.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/st/stm32mp251.dtsi b/arch/arm64/boot/dts/st/stm32mp251.dtsi
+index 8d87865850a7..74c5f85b800f 100644
+--- a/arch/arm64/boot/dts/st/stm32mp251.dtsi
++++ b/arch/arm64/boot/dts/st/stm32mp251.dtsi
+@@ -150,7 +150,7 @@ timer {
+ <GIC_PPI 14 (GIC_CPU_MASK_SIMPLE(1) | IRQ_TYPE_LEVEL_LOW)>,
+ <GIC_PPI 11 (GIC_CPU_MASK_SIMPLE(1) | IRQ_TYPE_LEVEL_LOW)>,
+ <GIC_PPI 10 (GIC_CPU_MASK_SIMPLE(1) | IRQ_TYPE_LEVEL_LOW)>;
+- always-on;
++ arm,no-tick-in-suspend;
+ };
+
+ soc@0 {
+--
+2.39.5
+
--- /dev/null
+From 08e5ab21dc28249972326c00d6ac3e5bcd8fdd3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 08:52:39 +0200
+Subject: arm64: dts: ti: k3-am62p-j722s: fix pinctrl-single size
+
+From: Michael Walle <mwalle@kernel.org>
+
+[ Upstream commit fdc8ad019ab9a2308b8cef54fbc366f482fb746f ]
+
+Pinmux registers ends at 0x000f42ac (including). Thus, the size argument
+of the pinctrl-single node has to be 0x2b0. Fix it.
+
+This will fix the following error:
+pinctrl-single f4000.pinctrl: mux offset out of range: 0x2ac (0x2ac)
+
+Fixes: 29075cc09f43 ("arm64: dts: ti: Introduce AM62P5 family of SoCs")
+Signed-off-by: Michael Walle <mwalle@kernel.org>
+Link: https://lore.kernel.org/r/20250618065239.1904953-1-mwalle@kernel.org
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi b/arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi
+index fa55c43ca28d..2e5e25a8ca86 100644
+--- a/arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi
+@@ -259,7 +259,7 @@ secure_proxy_sa3: mailbox@43600000 {
+
+ main_pmx0: pinctrl@f4000 {
+ compatible = "pinctrl-single";
+- reg = <0x00 0xf4000 0x00 0x2ac>;
++ reg = <0x00 0xf4000 0x00 0x2b0>;
+ #pinctrl-cells = <1>;
+ pinctrl-single,register-width = <32>;
+ pinctrl-single,function-mask = <0xffffffff>;
+--
+2.39.5
+
--- /dev/null
+From 9ca4bbcd861eb9dfae338f2ac1fdcf4ce875f27c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 10:16:43 +0200
+Subject: arm64: dts: ti: k3-am62p-verdin: add SD_1 CD pull-up
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+[ Upstream commit fefaa8d7f8012249729a987d3abce747ffab0ca7 ]
+
+Add internal pull-up to the SD_1 card detect signal, without this the CD
+signal is floating and spurious detects events can happen.
+
+Fixes: 87f95ea316ac ("arm64: dts: ti: Add Toradex Verdin AM62P")
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20250701081643.71406-1-francesco@dolcini.it
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi b/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi
+index d90d13287076..85c001aef7e3 100644
+--- a/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi
+@@ -433,7 +433,7 @@ AM62PX_IOPAD(0x01b8, PIN_OUTPUT, 7) /* (E20) SPI0_CS1.GPIO1_16 */ /* SODIMM 19 *
+ /* Verdin SD_1_CD# */
+ pinctrl_sd1_cd: main-gpio1-48-default-pins {
+ pinctrl-single,pins = <
+- AM62PX_IOPAD(0x0240, PIN_INPUT, 7) /* (D23) MMC1_SDCD.GPIO1_48 */ /* SODIMM 84 */
++ AM62PX_IOPAD(0x0240, PIN_INPUT_PULLUP, 7) /* (D23) MMC1_SDCD.GPIO1_48 */ /* SODIMM 84 */
+ >;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 9749de8f2c04b0c08926f85c3ac66c7c0f878b77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 12:25:54 +0200
+Subject: arm64: dts: ti: k3-am62p-verdin: Enable pull-ups on I2C_3_HDMI
+
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+
+[ Upstream commit cb2d9c00770e2e6c51864704b5d98c9a0ddccaf9 ]
+
+Enable internal bias pull-ups on the SoC-side I2C_3_HDMI that do not have
+external pull resistors populated on the SoM. This ensures proper
+default line levels.
+
+Fixes: 87f95ea316ac ("arm64: dts: ti: Add Toradex Verdin AM62P")
+Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20250529102601.452859-1-ghidoliemanuele@gmail.com
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi b/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi
+index 226398c37fa9..d90d13287076 100644
+--- a/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi
+@@ -717,8 +717,8 @@ AM62PX_MCU_IOPAD(0x0010, PIN_INPUT, 7) /* (D10) MCU_SPI0_D1.MCU_GPIO0_4 */ /* SO
+ /* Verdin I2C_3_HDMI */
+ pinctrl_mcu_i2c0: mcu-i2c0-default-pins {
+ pinctrl-single,pins = <
+- AM62PX_MCU_IOPAD(0x0044, PIN_INPUT, 0) /* (E11) MCU_I2C0_SCL */ /* SODIMM 59 */
+- AM62PX_MCU_IOPAD(0x0048, PIN_INPUT, 0) /* (D11) MCU_I2C0_SDA */ /* SODIMM 57 */
++ AM62PX_MCU_IOPAD(0x0044, PIN_INPUT_PULLUP, 0) /* (E11) MCU_I2C0_SCL */ /* SODIMM 59 */
++ AM62PX_MCU_IOPAD(0x0048, PIN_INPUT_PULLUP, 0) /* (D11) MCU_I2C0_SDA */ /* SODIMM 57 */
+ >;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 02926204fe1d735ef3efc64ab5a5bbee01431e57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 10:45:34 +0200
+Subject: arm64: dts: ti: k3-am62p-verdin: fix PWM_3_DSI GPIO direction
+
+From: Parth Pancholi <parth.pancholi@toradex.com>
+
+[ Upstream commit b1a8daa7cf2650637f6cca6aaf014bee89672120 ]
+
+PWM_3_DSI is used as the HDMI Hot-Plug Detect (HPD) GPIO for the Verdin
+DSI-to-HDMI adapter. After the commit 33bab9d84e52 ("arm64: dts: ti:
+k3-am62p: fix pinctrl settings"), the pin was incorrectly set as output
+without RXACTIVE, breaking HPD detection and display functionality.
+The issue was previously hidden and worked by chance before the mentioned
+pinctrl fix.
+
+Fix the pinmux configuration to correctly set PWM_3_DSI GPIO as an input.
+
+Fixes: 87f95ea316ac ("arm64: dts: ti: Add Toradex Verdin AM62P")
+Signed-off-by: Parth Pancholi <parth.pancholi@toradex.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20250703084534.1649594-1-parth105105@gmail.com
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi b/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi
+index 85c001aef7e3..24b233de2bf4 100644
+--- a/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi
+@@ -426,7 +426,7 @@ AM62PX_IOPAD(0x00f4, PIN_INPUT, 7) /* (Y20) VOUT0_DATA15.GPIO0_60 */ /* WIFI_SPI
+ /* Verdin PWM_3_DSI as GPIO */
+ pinctrl_pwm3_dsi_gpio: main-gpio1-16-default-pins {
+ pinctrl-single,pins = <
+- AM62PX_IOPAD(0x01b8, PIN_OUTPUT, 7) /* (E20) SPI0_CS1.GPIO1_16 */ /* SODIMM 19 */
++ AM62PX_IOPAD(0x01b8, PIN_INPUT, 7) /* (E20) SPI0_CS1.GPIO1_16 */ /* SODIMM 19 */
+ >;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 0128f6d4af3ab8de4395cc2fc4ba4f7c1296ac1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 07:33:39 +0200
+Subject: arm64: dts: ti: k3-am642-phyboard-electra: Fix PRU-ICSSG Ethernet
+ ports
+
+From: Wadim Egorov <w.egorov@phytec.de>
+
+[ Upstream commit 945e48a39c957924bc84d1a6c137da039e13855b ]
+
+For the ICSSG PHYs to operate correctly, a 25 MHz reference clock must
+be supplied on CLKOUT0. Previously, our bootloader configured this
+clock, which is why the PRU Ethernet ports appeared to work, but the
+change never made it into the device tree.
+
+Add clock properties to make EXT_REFCLK1.CLKOUT0 output a 25MHz clock.
+
+Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
+Fixes: 87adfd1ab03a ("arm64: dts: ti: am642-phyboard-electra: Add PRU-ICSSG nodes")
+Link: https://lore.kernel.org/r/20250521053339.1751844-1-w.egorov@phytec.de
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts
+index f63c101b7d61..129524eb5b91 100644
+--- a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts
++++ b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts
+@@ -322,6 +322,8 @@ AM64X_IOPAD(0x0040, PIN_OUTPUT, 7) /* (U21) GPMC0_AD1.GPIO0_16 */
+ &icssg0_mdio {
+ pinctrl-names = "default";
+ pinctrl-0 = <&icssg0_mdio_pins_default &clkout0_pins_default>;
++ assigned-clocks = <&k3_clks 157 123>;
++ assigned-clock-parents = <&k3_clks 157 125>;
+ status = "okay";
+
+ icssg0_phy1: ethernet-phy@1 {
+--
+2.39.5
+
--- /dev/null
+From f0e5ce4a5a55237291e7d31b154c64f32d656d17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 21:55:20 +0900
+Subject: arm64: fix unnecessary rebuilding when CONFIG_DEBUG_EFI=y
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 344b6580472451390d070c65c27f59716a1deecb ]
+
+When CONFIG_DEBUG_EFI is enabled, some objects are needlessly rebuilt.
+
+[Steps to reproduce]
+
+ Enable CONFIG_DEBUG_EFI and run 'make' twice in a clean source tree.
+ On the second run, arch/arm64/kernel/head.o is rebuilt even though
+ no files have changed.
+
+ $ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- clean
+ $ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-
+ [ snip ]
+ $ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-
+ CALL scripts/checksyscalls.sh
+ AS arch/arm64/kernel/head.o
+ AR arch/arm64/kernel/built-in.a
+ AR arch/arm64/built-in.a
+ AR built-in.a
+ [ snip ]
+
+The issue is caused by the use of the $(realpath ...) function.
+
+At the time arch/arm64/kernel/Makefile is parsed on the first run,
+$(objtree)/vmlinux does not exist. As a result,
+$(realpath $(objtree)/vmlinux) expands to an empty string.
+
+On the second run of Make, $(objtree)/vmlinux already exists, so
+$(realpath $(objtree)/vmlinux) expands to the absolute path of vmlinux.
+However, this change in the command line causes arch/arm64/kernel/head.o
+to be rebuilt.
+
+To address this issue, use $(abspath ...) instead, which does not require
+the file to exist. While $(abspath ...) does not resolve symlinks, this
+should be fine from a debugging perspective.
+
+The GNU Make manual [1] clearly explains the difference between the two:
+
+ $(realpath names...)
+ For each file name in names return the canonical absolute name.
+ A canonical name does not contain any . or .. components, nor any
+ repeated path separators (/) or symlinks. In case of a failure the
+ empty string is returned. Consult the realpath(3) documentation for
+ a list of possible failure causes.
+
+ $(abspath namees...)
+ For each file name in names return an absolute name that does not
+ contain any . or .. components, nor any repeated path separators (/).
+ Note that, in contrast to realpath function, abspath does not resolve
+ symlinks and does not require the file names to refer to an existing
+ file or directory. Use the wildcard function to test for existence.
+
+The same problem exists in drivers/firmware/efi/libstub/Makefile.zboot.
+On the first run of Make, $(obj)/vmlinuz.efi.elf does not exist when the
+Makefile is parsed, so -DZBOOT_EFI_PATH is set to an empty string.
+Replace $(realpath ...) with $(abspath ...) there as well.
+
+[1]: https://www.gnu.org/software/make/manual/make.html#File-Name-Functions
+
+Fixes: 757b435aaabe ("efi: arm64: Add vmlinux debug link to the Image binary")
+Fixes: a050910972bb ("efi/libstub: implement generic EFI zboot")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20250625125555.2504734-1-masahiroy@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/Makefile | 2 +-
+ drivers/firmware/efi/libstub/Makefile.zboot | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
+index a2faf0049dab..76f32e424065 100644
+--- a/arch/arm64/kernel/Makefile
++++ b/arch/arm64/kernel/Makefile
+@@ -80,7 +80,7 @@ obj-y += head.o
+ always-$(KBUILD_BUILTIN) += vmlinux.lds
+
+ ifeq ($(CONFIG_DEBUG_EFI),y)
+-AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(objtree)/vmlinux)\""
++AFLAGS_head.o += -DVMLINUX_PATH="\"$(abspath vmlinux)\""
+ endif
+
+ # for cleaning
+diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot
+index 92e3c73502ba..832deee36e48 100644
+--- a/drivers/firmware/efi/libstub/Makefile.zboot
++++ b/drivers/firmware/efi/libstub/Makefile.zboot
+@@ -36,7 +36,7 @@ aflags-zboot-header-$(EFI_ZBOOT_FORWARD_CFI) := \
+ -DPE_DLL_CHAR_EX=IMAGE_DLLCHARACTERISTICS_EX_FORWARD_CFI_COMPAT
+
+ AFLAGS_zboot-header.o += -DMACHINE_TYPE=IMAGE_FILE_MACHINE_$(EFI_ZBOOT_MACH_TYPE) \
+- -DZBOOT_EFI_PATH="\"$(realpath $(obj)/vmlinuz.efi.elf)\"" \
++ -DZBOOT_EFI_PATH="\"$(abspath $(obj)/vmlinuz.efi.elf)\"" \
+ -DZBOOT_SIZE_LEN=$(zboot-size-len-y) \
+ -DCOMP_TYPE="\"$(comp-type-y)\"" \
+ $(aflags-zboot-header-y)
+--
+2.39.5
+
--- /dev/null
+From bb8dddb29422e6d015ea90392a9976c3cd6a33e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 23:37:33 -0500
+Subject: arm64/gcs: task_gcs_el0_enable() should use passed task
+
+From: Jeremy Linton <jeremy.linton@arm.com>
+
+[ Upstream commit cbbcfb94c55c02a8c4ce52b5da0770b5591a314c ]
+
+Mark Rutland noticed that the task parameter is ignored and
+'current' is being used instead. Since this is usually
+what its passed, it hasn't yet been causing problems but likely
+will as the code gets more testing.
+
+But, once this is fixed, it creates a new bug in copy_thread_gcs()
+since the gcs_el_mode isn't yet set for the task before its being
+checked. Move gcs_alloc_thread_stack() after the new task's
+gcs_el0_mode initialization to avoid this.
+
+Fixes: fc84bc5378a8 ("arm64/gcs: Context switch GCS state for EL0")
+Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20250719043740.4548-2-jeremy.linton@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/gcs.h | 2 +-
+ arch/arm64/kernel/process.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/include/asm/gcs.h b/arch/arm64/include/asm/gcs.h
+index f50660603ecf..5bc432234d3a 100644
+--- a/arch/arm64/include/asm/gcs.h
++++ b/arch/arm64/include/asm/gcs.h
+@@ -58,7 +58,7 @@ static inline u64 gcsss2(void)
+
+ static inline bool task_gcs_el0_enabled(struct task_struct *task)
+ {
+- return current->thread.gcs_el0_mode & PR_SHADOW_STACK_ENABLE;
++ return task->thread.gcs_el0_mode & PR_SHADOW_STACK_ENABLE;
+ }
+
+ void gcs_set_el0_mode(struct task_struct *task);
+diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+index 08b7042a2e2d..3e1baff5e88d 100644
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -307,13 +307,13 @@ static int copy_thread_gcs(struct task_struct *p,
+ p->thread.gcs_base = 0;
+ p->thread.gcs_size = 0;
+
++ p->thread.gcs_el0_mode = current->thread.gcs_el0_mode;
++ p->thread.gcs_el0_locked = current->thread.gcs_el0_locked;
++
+ gcs = gcs_alloc_thread_stack(p, args);
+ if (IS_ERR_VALUE(gcs))
+ return PTR_ERR((void *)gcs);
+
+- p->thread.gcs_el0_mode = current->thread.gcs_el0_mode;
+- p->thread.gcs_el0_locked = current->thread.gcs_el0_locked;
+-
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 093e37c93023b56ad15a94f0ada069bb3f78a885 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 17:42:32 +0530
+Subject: ASoC: amd: acp: Fix pointer assignments for snd_soc_acpi_mach
+ structures
+
+From: Venkata Prasad Potturu <venkataprasad.potturu@amd.com>
+
+[ Upstream commit 0779c0ad2a7cc0ae1865860c9bc8732613cc56b1 ]
+
+This patch modifies the assignment of machine structure pointers in the
+acp_pci_probe function. Previously, the machine pointers were assigned
+using the address-of operator (&), which caused incompatibility issues
+in type assignments.
+
+Additionally, the declarations of the machine arrays in amd.h have been
+updated to reflect that they are indeed arrays (`[]`). The code is
+further cleaned up by declaring the codec structures in
+amd-acpi-mach.c as static, reflecting their intended usage.
+
+error: symbol 'amp_rt1019' was not declared. Should it be static?
+error: symbol 'amp_max' was not declared. Should it be static?
+error: symbol 'snd_soc_acpi_amd_acp_machines' was not declared. Should it be static?
+error: symbol 'snd_soc_acpi_amd_rmb_acp_machines' was not declared. Should it be static?
+error: symbol 'snd_soc_acpi_amd_acp63_acp_machines' was not declared. Should it be static?
+error: symbol 'snd_soc_acpi_amd_acp70_acp_machines' was not declared. Should it be static?
+
+Fixes: 9c2c0ef64009 ("ASoC: amd: acp: Fix snd_soc_acpi_mach id's duplicate symbol error")
+
+Link: https://github.com/thesofproject/linux/issues/5438
+Signed-off-by: Venkata Prasad Potturu <venkataprasad.potturu@amd.com>
+Link: https://patch.msgid.link/20250609121251.639080-1-venkataprasad.potturu@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/acp/acp-pci.c | 8 ++++----
+ sound/soc/amd/acp/amd-acpi-mach.c | 4 ++--
+ sound/soc/amd/acp/amd.h | 8 ++++----
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/sound/soc/amd/acp/acp-pci.c b/sound/soc/amd/acp/acp-pci.c
+index 0b2aa33cc426..2591b1a1c5e0 100644
+--- a/sound/soc/amd/acp/acp-pci.c
++++ b/sound/soc/amd/acp/acp-pci.c
+@@ -137,26 +137,26 @@ static int acp_pci_probe(struct pci_dev *pci, const struct pci_device_id *pci_id
+ chip->name = "acp_asoc_renoir";
+ chip->rsrc = &rn_rsrc;
+ chip->acp_hw_ops_init = acp31_hw_ops_init;
+- chip->machines = &snd_soc_acpi_amd_acp_machines;
++ chip->machines = snd_soc_acpi_amd_acp_machines;
+ break;
+ case 0x6f:
+ chip->name = "acp_asoc_rembrandt";
+ chip->rsrc = &rmb_rsrc;
+ chip->acp_hw_ops_init = acp6x_hw_ops_init;
+- chip->machines = &snd_soc_acpi_amd_rmb_acp_machines;
++ chip->machines = snd_soc_acpi_amd_rmb_acp_machines;
+ break;
+ case 0x63:
+ chip->name = "acp_asoc_acp63";
+ chip->rsrc = &acp63_rsrc;
+ chip->acp_hw_ops_init = acp63_hw_ops_init;
+- chip->machines = &snd_soc_acpi_amd_acp63_acp_machines;
++ chip->machines = snd_soc_acpi_amd_acp63_acp_machines;
+ break;
+ case 0x70:
+ case 0x71:
+ chip->name = "acp_asoc_acp70";
+ chip->rsrc = &acp70_rsrc;
+ chip->acp_hw_ops_init = acp70_hw_ops_init;
+- chip->machines = &snd_soc_acpi_amd_acp70_acp_machines;
++ chip->machines = snd_soc_acpi_amd_acp70_acp_machines;
+ break;
+ default:
+ dev_err(dev, "Unsupported device revision:0x%x\n", pci->revision);
+diff --git a/sound/soc/amd/acp/amd-acpi-mach.c b/sound/soc/amd/acp/amd-acpi-mach.c
+index d95047d2ee94..27da2a862f1c 100644
+--- a/sound/soc/amd/acp/amd-acpi-mach.c
++++ b/sound/soc/amd/acp/amd-acpi-mach.c
+@@ -8,12 +8,12 @@
+
+ #include <sound/soc-acpi.h>
+
+-struct snd_soc_acpi_codecs amp_rt1019 = {
++static struct snd_soc_acpi_codecs amp_rt1019 = {
+ .num_codecs = 1,
+ .codecs = {"10EC1019"}
+ };
+
+-struct snd_soc_acpi_codecs amp_max = {
++static struct snd_soc_acpi_codecs amp_max = {
+ .num_codecs = 1,
+ .codecs = {"MX98360A"}
+ };
+diff --git a/sound/soc/amd/acp/amd.h b/sound/soc/amd/acp/amd.h
+index 863e74fcee43..cb8d97122f95 100644
+--- a/sound/soc/amd/acp/amd.h
++++ b/sound/soc/amd/acp/amd.h
+@@ -243,10 +243,10 @@ extern struct acp_resource rmb_rsrc;
+ extern struct acp_resource acp63_rsrc;
+ extern struct acp_resource acp70_rsrc;
+
+-extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp_machines;
+-extern struct snd_soc_acpi_mach snd_soc_acpi_amd_rmb_acp_machines;
+-extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp63_acp_machines;
+-extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp70_acp_machines;
++extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp_machines[];
++extern struct snd_soc_acpi_mach snd_soc_acpi_amd_rmb_acp_machines[];
++extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp63_acp_machines[];
++extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp70_acp_machines[];
+
+ extern const struct snd_soc_dai_ops asoc_acp_cpu_dai_ops;
+ extern const struct snd_soc_dai_ops acp_dmic_dai_ops;
+--
+2.39.5
+
--- /dev/null
+From 2fbd4b52e5f9f59847173de7665c3a407b4c7429 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:04:04 +0800
+Subject: ASoC: fsl_xcvr: get channel status data when PHY is not exists
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit ca592e20659e0304ebd8f4dabb273da4f9385848 ]
+
+There is no PHY for the XCVR module on i.MX93, the channel status needs
+to be obtained from FSL_XCVR_RX_CS_DATA_* registers. And channel status
+acknowledge (CSA) bit should be set once channel status is processed.
+
+Fixes: e240b9329a30 ("ASoC: fsl_xcvr: Add support for i.MX93 platform")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://patch.msgid.link/20250710030405.3370671-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_xcvr.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
+index e3111dd80be4..405433144515 100644
+--- a/sound/soc/fsl/fsl_xcvr.c
++++ b/sound/soc/fsl/fsl_xcvr.c
+@@ -1423,6 +1423,26 @@ static irqreturn_t irq0_isr(int irq, void *devid)
+ /* clear CS control register */
+ memset_io(reg_ctrl, 0, sizeof(val));
+ }
++ } else {
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_0,
++ (u32 *)&xcvr->rx_iec958.status[0]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_1,
++ (u32 *)&xcvr->rx_iec958.status[4]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_2,
++ (u32 *)&xcvr->rx_iec958.status[8]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_3,
++ (u32 *)&xcvr->rx_iec958.status[12]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_4,
++ (u32 *)&xcvr->rx_iec958.status[16]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_5,
++ (u32 *)&xcvr->rx_iec958.status[20]);
++ for (i = 0; i < 6; i++) {
++ val = *(u32 *)(xcvr->rx_iec958.status + i * 4);
++ *(u32 *)(xcvr->rx_iec958.status + i * 4) =
++ bitrev32(val);
++ }
++ regmap_set_bits(xcvr->regmap, FSL_XCVR_RX_DPTH_CTRL,
++ FSL_XCVR_RX_DPTH_CTRL_CSA);
+ }
+ }
+ if (isr & FSL_XCVR_IRQ_NEW_UD) {
+--
+2.39.5
+
--- /dev/null
+From 9f3e8b1402bf06d6d08644dfd5e879e8fb889377 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:04:05 +0800
+Subject: ASoC: fsl_xcvr: get channel status data with firmware exists
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 6776ecc9dd587c08a6bb334542f9f8821a091013 ]
+
+For the XCVR module on i.MX95, even though it only supports SPDIF, the
+channel status needs to be obtained from RAM space, which is processed
+by firmware. Firmware is necessary to trigger the FSL_XCVR_IRQ_NEW_CS
+interrupt.
+
+This change also applies for the SPDIF & ARC function on i.MX8MP which
+has the firmware.
+
+Fixes: e6a9750a346b ("ASoC: fsl_xcvr: Add suspend and resume support")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://patch.msgid.link/20250710030405.3370671-3-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_xcvr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
+index 405433144515..5d804860f7d8 100644
+--- a/sound/soc/fsl/fsl_xcvr.c
++++ b/sound/soc/fsl/fsl_xcvr.c
+@@ -1395,7 +1395,7 @@ static irqreturn_t irq0_isr(int irq, void *devid)
+ if (isr & FSL_XCVR_IRQ_NEW_CS) {
+ dev_dbg(dev, "Received new CS block\n");
+ isr_clr |= FSL_XCVR_IRQ_NEW_CS;
+- if (!xcvr->soc_data->spdif_only) {
++ if (xcvr->soc_data->fw_name) {
+ /* Data RAM is 4KiB, last two pages: 8 and 9. Select page 8. */
+ regmap_update_bits(xcvr->regmap, FSL_XCVR_EXT_CTRL,
+ FSL_XCVR_EXT_CTRL_PAGE_MASK,
+@@ -1517,6 +1517,7 @@ static const struct fsl_xcvr_soc_data fsl_xcvr_imx93_data = {
+ };
+
+ static const struct fsl_xcvr_soc_data fsl_xcvr_imx95_data = {
++ .fw_name = "imx/xcvr/xcvr-imx95.bin",
+ .spdif_only = true,
+ .use_phy = true,
+ .use_edma = true,
+@@ -1806,7 +1807,7 @@ static int fsl_xcvr_runtime_resume(struct device *dev)
+ }
+ }
+
+- if (xcvr->mode == FSL_XCVR_MODE_EARC) {
++ if (xcvr->soc_data->fw_name) {
+ ret = fsl_xcvr_load_firmware(xcvr);
+ if (ret) {
+ dev_err(dev, "failed to load firmware.\n");
+--
+2.39.5
+
--- /dev/null
+From 987a5ddc72c52e5e2a2936af1a7f4ffc58b216de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 15:48:58 +0800
+Subject: ASoC: mediatek: mt8183-afe-pcm: Support >32 bit DMA addresses
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 9e7bc5cb8d089d9799e17a9ac99c5da9b13b02e3 ]
+
+The AFE DMA hardware supports up to 34 bits for DMA addresses. This is
+missing from the driver and prevents reserved memory regions from
+working properly when the allocated region is above the 4GB line.
+
+Fill in the related register offsets for each DAI, and also set the
+DMA mask. Also fill in the LSB end register offsets for completeness.
+
+Fixes: a94aec035a12 ("ASoC: mediatek: mt8183: add platform driver")
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://patch.msgid.link/20250612074901.4023253-8-wenst@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8183/mt8183-afe-pcm.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c b/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c
+index 9b6b45c646e6..7383184097a4 100644
+--- a/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c
++++ b/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c
+@@ -6,6 +6,7 @@
+ // Author: KaiChieh Chuang <kaichieh.chuang@mediatek.com>
+
+ #include <linux/delay.h>
++#include <linux/dma-mapping.h>
+ #include <linux/module.h>
+ #include <linux/mfd/syscon.h>
+ #include <linux/of.h>
+@@ -432,6 +433,9 @@ static const struct snd_soc_component_driver mt8183_afe_pcm_dai_component = {
+ .reg_ofs_base = AFE_##_id##_BASE, \
+ .reg_ofs_cur = AFE_##_id##_CUR, \
+ .reg_ofs_end = AFE_##_id##_END, \
++ .reg_ofs_base_msb = AFE_##_id##_BASE_MSB, \
++ .reg_ofs_cur_msb = AFE_##_id##_CUR_MSB, \
++ .reg_ofs_end_msb = AFE_##_id##_END_MSB, \
+ .fs_reg = (_fs_reg), \
+ .fs_shift = _id##_MODE_SFT, \
+ .fs_maskbit = _id##_MODE_MASK, \
+@@ -463,11 +467,17 @@ static const struct snd_soc_component_driver mt8183_afe_pcm_dai_component = {
+ #define AFE_VUL12_BASE AFE_VUL_D2_BASE
+ #define AFE_VUL12_CUR AFE_VUL_D2_CUR
+ #define AFE_VUL12_END AFE_VUL_D2_END
++#define AFE_VUL12_BASE_MSB AFE_VUL_D2_BASE_MSB
++#define AFE_VUL12_CUR_MSB AFE_VUL_D2_CUR_MSB
++#define AFE_VUL12_END_MSB AFE_VUL_D2_END_MSB
+ #define AWB2_HD_ALIGN_SFT AWB2_ALIGN_SFT
+ #define VUL12_DATA_SFT VUL12_MONO_SFT
+ #define AFE_HDMI_BASE AFE_HDMI_OUT_BASE
+ #define AFE_HDMI_CUR AFE_HDMI_OUT_CUR
+ #define AFE_HDMI_END AFE_HDMI_OUT_END
++#define AFE_HDMI_BASE_MSB AFE_HDMI_OUT_BASE_MSB
++#define AFE_HDMI_CUR_MSB AFE_HDMI_OUT_CUR_MSB
++#define AFE_HDMI_END_MSB AFE_HDMI_OUT_END_MSB
+
+ static const struct mtk_base_memif_data memif_data[MT8183_MEMIF_NUM] = {
+ MT8183_MEMIF(DL1, AFE_DAC_CON1, AFE_DAC_CON1),
+@@ -764,6 +774,10 @@ static int mt8183_afe_pcm_dev_probe(struct platform_device *pdev)
+ struct reset_control *rstc;
+ int i, irq_id, ret;
+
++ ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(34));
++ if (ret)
++ return ret;
++
+ afe = devm_kzalloc(&pdev->dev, sizeof(*afe), GFP_KERNEL);
+ if (!afe)
+ return -ENOMEM;
+--
+2.39.5
+
--- /dev/null
+From 9a3c3b4a3d92350b4f103a57ac0792eb761faffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 15:48:57 +0800
+Subject: ASoC: mediatek: use reserved memory or enable buffer pre-allocation
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit ec4a10ca4a68ec97f12f4d17d7abb74db34987db ]
+
+In commit 32c9c06adb5b ("ASoC: mediatek: disable buffer pre-allocation")
+buffer pre-allocation was disabled to accommodate newer platforms that
+have a limited reserved memory region for the audio frontend.
+
+Turns out disabling pre-allocation across the board impacts platforms
+that don't have this reserved memory region. Buffer allocation failures
+have been observed on MT8173 and MT8183 based Chromebooks under low
+memory conditions, which results in no audio playback for the user.
+
+Since some MediaTek platforms already have dedicated reserved memory
+pools for the audio frontend, the plan is to enable this for all of
+them. This requires device tree changes. As a fallback, reinstate the
+original policy of pre-allocating audio buffers at probe time of the
+reserved memory pool cannot be found or used.
+
+This patch covers the MT8173, MT8183, MT8186 and MT8192 platforms for
+now, the reason being that existing MediaTek platform drivers that
+supported reserved memory were all platforms that mainly supported
+ChromeOS, and is also the set of devices that I can verify.
+
+Fixes: 32c9c06adb5b ("ASoC: mediatek: disable buffer pre-allocation")
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://patch.msgid.link/20250612074901.4023253-7-wenst@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 +++-
+ sound/soc/mediatek/common/mtk-base-afe.h | 1 +
+ sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 7 +++++++
+ sound/soc/mediatek/mt8183/mt8183-afe-pcm.c | 7 +++++++
+ sound/soc/mediatek/mt8186/mt8186-afe-pcm.c | 7 +++++++
+ sound/soc/mediatek/mt8192/mt8192-afe-pcm.c | 7 +++++++
+ 6 files changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/mediatek/common/mtk-afe-platform-driver.c b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
+index 6b6330583941..70fd05d5ff48 100644
+--- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c
++++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
+@@ -120,7 +120,9 @@ int mtk_afe_pcm_new(struct snd_soc_component *component,
+ struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component);
+
+ size = afe->mtk_afe_hardware->buffer_bytes_max;
+- snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, 0, size);
++ snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev,
++ afe->preallocate_buffers ? size : 0,
++ size);
+
+ return 0;
+ }
+diff --git a/sound/soc/mediatek/common/mtk-base-afe.h b/sound/soc/mediatek/common/mtk-base-afe.h
+index f51578b6c50a..a406f2e3e7a8 100644
+--- a/sound/soc/mediatek/common/mtk-base-afe.h
++++ b/sound/soc/mediatek/common/mtk-base-afe.h
+@@ -117,6 +117,7 @@ struct mtk_base_afe {
+ struct mtk_base_afe_irq *irqs;
+ int irqs_size;
+ int memif_32bit_supported;
++ bool preallocate_buffers;
+
+ struct list_head sub_dais;
+ struct snd_soc_dai_driver *dai_drivers;
+diff --git a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+index 04ed0cfec174..f93d6348fdf8 100644
+--- a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
++++ b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+@@ -13,6 +13,7 @@
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <linux/of_reserved_mem.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/pm_runtime.h>
+ #include <sound/soc.h>
+@@ -1070,6 +1071,12 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev)
+
+ afe->dev = &pdev->dev;
+
++ ret = of_reserved_mem_device_init(&pdev->dev);
++ if (ret) {
++ dev_info(&pdev->dev, "no reserved memory found, pre-allocating buffers instead\n");
++ afe->preallocate_buffers = true;
++ }
++
+ irq_id = platform_get_irq(pdev, 0);
+ if (irq_id <= 0)
+ return irq_id < 0 ? irq_id : -ENXIO;
+diff --git a/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c b/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c
+index e8884354995c..9b6b45c646e6 100644
+--- a/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c
++++ b/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c
+@@ -10,6 +10,7 @@
+ #include <linux/mfd/syscon.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <linux/of_reserved_mem.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+
+@@ -777,6 +778,12 @@ static int mt8183_afe_pcm_dev_probe(struct platform_device *pdev)
+ afe->dev = &pdev->dev;
+ dev = afe->dev;
+
++ ret = of_reserved_mem_device_init(dev);
++ if (ret) {
++ dev_info(dev, "no reserved memory found, pre-allocating buffers instead\n");
++ afe->preallocate_buffers = true;
++ }
++
+ /* initial audio related clock */
+ ret = mt8183_init_clock(afe);
+ if (ret) {
+diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c
+index db7c93401bee..c73b4664e53e 100644
+--- a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c
++++ b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c
+@@ -10,6 +10,7 @@
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <linux/of_reserved_mem.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+ #include <sound/soc.h>
+@@ -2835,6 +2836,12 @@ static int mt8186_afe_pcm_dev_probe(struct platform_device *pdev)
+ afe_priv = afe->platform_priv;
+ afe->dev = &pdev->dev;
+
++ ret = of_reserved_mem_device_init(dev);
++ if (ret) {
++ dev_info(dev, "no reserved memory found, pre-allocating buffers instead\n");
++ afe->preallocate_buffers = true;
++ }
++
+ afe->base_addr = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(afe->base_addr))
+ return PTR_ERR(afe->base_addr);
+diff --git a/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c b/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c
+index fd6af74d7995..3d32fe46118e 100644
+--- a/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c
++++ b/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c
+@@ -12,6 +12,7 @@
+ #include <linux/mfd/syscon.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <linux/of_reserved_mem.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+ #include <sound/soc.h>
+@@ -2179,6 +2180,12 @@ static int mt8192_afe_pcm_dev_probe(struct platform_device *pdev)
+
+ afe->dev = dev;
+
++ ret = of_reserved_mem_device_init(dev);
++ if (ret) {
++ dev_info(dev, "no reserved memory found, pre-allocating buffers instead\n");
++ afe->preallocate_buffers = true;
++ }
++
+ /* init audio related clock */
+ ret = mt8192_init_clock(afe);
+ if (ret) {
+--
+2.39.5
+
--- /dev/null
+From 2f50040a6deb489d6d3e257005abc536db514f14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 11:30:53 +0200
+Subject: ASoC: ops: dynamically allocate struct snd_ctl_elem_value
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7e10d7242ea8a5947878880b912ffa5806520705 ]
+
+This structure is really too larget to be allocated on the stack:
+
+sound/soc/soc-ops.c:435:5: error: stack frame size (1296) exceeds limit (1280) in 'snd_soc_limit_volume' [-Werror,-Wframe-larger-than]
+
+Change the function to dynamically allocate it instead.
+
+There is probably a better way to do it since only two integer fields
+inside of that structure are actually used, but this is the simplest
+rework for the moment.
+
+Fixes: 783db6851c18 ("ASoC: ops: Enforce platform maximum on initial value")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250610093057.2643233-1-arnd@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-ops.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index 8d4dd11c9aef..a629e0eacb20 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -399,28 +399,32 @@ EXPORT_SYMBOL_GPL(snd_soc_put_volsw_sx);
+ static int snd_soc_clip_to_platform_max(struct snd_kcontrol *kctl)
+ {
+ struct soc_mixer_control *mc = (struct soc_mixer_control *)kctl->private_value;
+- struct snd_ctl_elem_value uctl;
++ struct snd_ctl_elem_value *uctl;
+ int ret;
+
+ if (!mc->platform_max)
+ return 0;
+
+- ret = kctl->get(kctl, &uctl);
++ uctl = kzalloc(sizeof(*uctl), GFP_KERNEL);
++ if (!uctl)
++ return -ENOMEM;
++
++ ret = kctl->get(kctl, uctl);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+- if (uctl.value.integer.value[0] > mc->platform_max)
+- uctl.value.integer.value[0] = mc->platform_max;
++ if (uctl->value.integer.value[0] > mc->platform_max)
++ uctl->value.integer.value[0] = mc->platform_max;
+
+ if (snd_soc_volsw_is_stereo(mc) &&
+- uctl.value.integer.value[1] > mc->platform_max)
+- uctl.value.integer.value[1] = mc->platform_max;
++ uctl->value.integer.value[1] > mc->platform_max)
++ uctl->value.integer.value[1] = mc->platform_max;
+
+- ret = kctl->put(kctl, &uctl);
+- if (ret < 0)
+- return ret;
++ ret = kctl->put(kctl, uctl);
+
+- return 0;
++out:
++ kfree(uctl);
++ return ret;
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From e336748403ae71b8a56f79d7a2b0e3422c2d9ab7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 17:18:21 +0800
+Subject: ASOC: rockchip: fix capture stream handling in rockchip_sai_xfer_stop
+
+From: Pei Xiao <xiaopei01@kylinos.cn>
+
+[ Upstream commit 5dc302d00807b8916992dd25a7a22b78d07dcd03 ]
+
+Correcting the capture stream handling which was incorrectly setting
+playback=true for capture streams.
+
+The original code mistakenly set playback=true for capture streams,
+causing incorrect behavior.
+
+Fixes: cc78d1eaabad ("ASoC: rockchip: add Serial Audio Interface (SAI) driver")
+Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
+Tested-by: Nicolas Frattaroli <nicolas.frattaroli@collabora.com>
+Acked-by: Nicolas Frattaroli <nicolas.frattaroli@collabora.com>
+Link: https://patch.msgid.link/c374aae92c177aaf42c0f1371eccdbc7e9615786.1749201126.git.xiaopei01@kylinos.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_sai.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+diff --git a/sound/soc/rockchip/rockchip_sai.c b/sound/soc/rockchip/rockchip_sai.c
+index 602f1ddfad00..916af63f1c2c 100644
+--- a/sound/soc/rockchip/rockchip_sai.c
++++ b/sound/soc/rockchip/rockchip_sai.c
+@@ -378,19 +378,9 @@ static void rockchip_sai_xfer_start(struct rk_sai_dev *sai, int stream)
+ static void rockchip_sai_xfer_stop(struct rk_sai_dev *sai, int stream)
+ {
+ unsigned int msk = 0, val = 0, clr = 0;
+- bool playback;
+- bool capture;
+-
+- if (stream < 0) {
+- playback = true;
+- capture = true;
+- } else if (stream == SNDRV_PCM_STREAM_PLAYBACK) {
+- playback = true;
+- capture = false;
+- } else {
+- playback = true;
+- capture = false;
+- }
++ bool capture = stream == SNDRV_PCM_STREAM_CAPTURE || stream < 0;
++ bool playback = stream == SNDRV_PCM_STREAM_PLAYBACK || stream < 0;
++ /* could be <= 0 but we don't want to depend on enum values */
+
+ if (playback) {
+ msk |= SAI_XFER_TXS_MASK;
+--
+2.39.5
+
--- /dev/null
+From 3112c87c99bb753943667005ceaf2aff8c400572 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 13:28:39 +0100
+Subject: ASoC: SDCA: Add missing default in switch in entity_pde_event()
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 2ed526bf04a6d81592b314f81e7719a14048f732 ]
+
+The current code should be safe as the PDE widget only registers for the
+two events handled in the switch statement. However, it is causing a
+smatch warning and also is a little fragile to future code changes, add
+a default case to avoid the warning and make the code more robust.
+
+Fixes: 2c8b3a8e6aa8 ("ASoC: SDCA: Create DAPM widgets and routes from DisCo")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>
+Link: https://patch.msgid.link/20250624122844.2761627-3-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdca/sdca_asoc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/sdca/sdca_asoc.c b/sound/soc/sdca/sdca_asoc.c
+index 7bc8f6069f3d..e96e696cb107 100644
+--- a/sound/soc/sdca/sdca_asoc.c
++++ b/sound/soc/sdca/sdca_asoc.c
+@@ -397,6 +397,8 @@ static int entity_pde_event(struct snd_soc_dapm_widget *widget,
+ from = widget->off_val;
+ to = widget->on_val;
+ break;
++ default:
++ return 0;
+ }
+
+ for (i = 0; i < entity->pde.num_max_delay; i++) {
+--
+2.39.5
+
--- /dev/null
+From 00a91189e10ca9df9f4911e431d20a50dfe4d975 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 13:41:49 +0100
+Subject: ASoC: SDCA: Allow read-only controls to be deferrable
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 4eb6ad5d2080681b531db2c1764246f9a868062f ]
+
+The current SDCA Control parsing only checks the deferrable flag for
+Read/Write and Dual Ranked controls. However, reads can defer as well as
+writes so Read Only controls should also check for the deferrable flag.
+Add the handling for this into find_sdca_entity_control().
+
+Fixes: 42b144cb6a2d ("ASoC: SDCA: Add SDCA Control parsing")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>
+Link: https://patch.msgid.link/20250707124155.2596744-2-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdca/sdca_functions.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sdca/sdca_functions.c b/sound/soc/sdca/sdca_functions.c
+index de213a69e0da..28e9e6de6d5d 100644
+--- a/sound/soc/sdca/sdca_functions.c
++++ b/sound/soc/sdca/sdca_functions.c
+@@ -880,7 +880,8 @@ static int find_sdca_entity_control(struct device *dev, struct sdca_entity *enti
+ control->value = tmp;
+ control->has_fixed = true;
+ }
+-
++ fallthrough;
++ case SDCA_ACCESS_MODE_RO:
+ control->deferrable = fwnode_property_read_bool(control_node,
+ "mipi-sdca-control-deferrable");
+ break;
+--
+2.39.5
+
--- /dev/null
+From 3c26571a571930aeb4f6f6d456a52033709d4e75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 14:54:31 +0100
+Subject: ASoC: SDCA: Fix some holes in the regmap readable/writeable helpers
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 061fade7a67f6cdfe918a675270d84107abbef61 ]
+
+The current regmap readable/writeable helper functions always
+allow the Next flag and allows any Control Number. Mask the Next
+flag based on SDCA_ACCESS_MODE_DUAL which is the only Mode that
+supports it. Also check that the Control Number is valid for
+the given control.
+
+Fixes: e3f7caf74b79 ("ASoC: SDCA: Add generic regmap SDCA helpers")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20250718135432.1048566-2-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdca/sdca_regmap.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sdca/sdca_regmap.c b/sound/soc/sdca/sdca_regmap.c
+index 66e7eee7d7f4..c41c67c2204a 100644
+--- a/sound/soc/sdca/sdca_regmap.c
++++ b/sound/soc/sdca/sdca_regmap.c
+@@ -72,12 +72,18 @@ bool sdca_regmap_readable(struct sdca_function_data *function, unsigned int reg)
+ if (!control)
+ return false;
+
++ if (!(BIT(SDW_SDCA_CTL_CNUM(reg)) & control->cn_list))
++ return false;
++
+ switch (control->mode) {
+ case SDCA_ACCESS_MODE_RW:
+ case SDCA_ACCESS_MODE_RO:
+- case SDCA_ACCESS_MODE_DUAL:
+ case SDCA_ACCESS_MODE_RW1S:
+ case SDCA_ACCESS_MODE_RW1C:
++ if (SDW_SDCA_NEXT_CTL(0) & reg)
++ return false;
++ fallthrough;
++ case SDCA_ACCESS_MODE_DUAL:
+ /* No access to registers marked solely for device use */
+ return control->layers & ~SDCA_ACCESS_LAYER_DEVICE;
+ default:
+@@ -104,11 +110,17 @@ bool sdca_regmap_writeable(struct sdca_function_data *function, unsigned int reg
+ if (!control)
+ return false;
+
++ if (!(BIT(SDW_SDCA_CTL_CNUM(reg)) & control->cn_list))
++ return false;
++
+ switch (control->mode) {
+ case SDCA_ACCESS_MODE_RW:
+- case SDCA_ACCESS_MODE_DUAL:
+ case SDCA_ACCESS_MODE_RW1S:
+ case SDCA_ACCESS_MODE_RW1C:
++ if (SDW_SDCA_NEXT_CTL(0) & reg)
++ return false;
++ fallthrough;
++ case SDCA_ACCESS_MODE_DUAL:
+ /* No access to registers marked solely for device use */
+ return control->layers & ~SDCA_ACCESS_LAYER_DEVICE;
+ default:
+--
+2.39.5
+
--- /dev/null
+From 62ff456833547e59ad127be0294f910714799f07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:17:23 +0100
+Subject: ASoC: SDCA: Update memory allocations to zero initialise
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 15247b5a63f506125360fa45d7aa1fbe8b903b95 ]
+
+All the memory allocations in the SDCA ASoC helpers rely on fields being
+zero initialised, the code should use kzalloc not kmalloc.
+
+Reported-by: Shuming Fan <shumingf@realtek.com>
+Fixes: 2c8b3a8e6aa8 ("ASoC: SDCA: Create DAPM widgets and routes from DisCo")
+Fixes: c3ca24e3fcb6 ("ASoC: SDCA: Create ALSA controls from DisCo")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20250715151723.2964336-4-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdca/sdca_asoc.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/sound/soc/sdca/sdca_asoc.c b/sound/soc/sdca/sdca_asoc.c
+index e96e696cb107..febc57b2a0b5 100644
+--- a/sound/soc/sdca/sdca_asoc.c
++++ b/sound/soc/sdca/sdca_asoc.c
+@@ -229,11 +229,11 @@ static int entity_early_parse_ge(struct device *dev,
+ if (!control_name)
+ return -ENOMEM;
+
+- kctl = devm_kmalloc(dev, sizeof(*kctl), GFP_KERNEL);
++ kctl = devm_kzalloc(dev, sizeof(*kctl), GFP_KERNEL);
+ if (!kctl)
+ return -ENOMEM;
+
+- soc_enum = devm_kmalloc(dev, sizeof(*soc_enum), GFP_KERNEL);
++ soc_enum = devm_kzalloc(dev, sizeof(*soc_enum), GFP_KERNEL);
+ if (!soc_enum)
+ return -ENOMEM;
+
+@@ -560,11 +560,11 @@ static int entity_parse_su_class(struct device *dev,
+ const char **texts;
+ int i;
+
+- kctl = devm_kmalloc(dev, sizeof(*kctl), GFP_KERNEL);
++ kctl = devm_kzalloc(dev, sizeof(*kctl), GFP_KERNEL);
+ if (!kctl)
+ return -ENOMEM;
+
+- soc_enum = devm_kmalloc(dev, sizeof(*soc_enum), GFP_KERNEL);
++ soc_enum = devm_kzalloc(dev, sizeof(*soc_enum), GFP_KERNEL);
+ if (!soc_enum)
+ return -ENOMEM;
+
+@@ -671,7 +671,7 @@ static int entity_parse_mu(struct device *dev,
+ if (!control_name)
+ return -ENOMEM;
+
+- mc = devm_kmalloc(dev, sizeof(*mc), GFP_KERNEL);
++ mc = devm_kzalloc(dev, sizeof(*mc), GFP_KERNEL);
+ if (!mc)
+ return -ENOMEM;
+
+@@ -925,7 +925,7 @@ static int populate_control(struct device *dev,
+ if (!control_name)
+ return -ENOMEM;
+
+- mc = devm_kmalloc(dev, sizeof(*mc), GFP_KERNEL);
++ mc = devm_kzalloc(dev, sizeof(*mc), GFP_KERNEL);
+ if (!mc)
+ return -ENOMEM;
+
+--
+2.39.5
+
--- /dev/null
+From 5004492984ecbcc5ff156048f5a21332d583ce65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 01:59:15 +0000
+Subject: ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit f4c77d5af0a9cd0ee22617baa8b49d0e151fbda7 ]
+
+commit 7f1186a8d738661 ("ASoC: soc-dai: check return value at
+snd_soc_dai_set_tdm_slot()") checks return value of
+xlate_tdm_slot_mask() (A1)(A2).
+
+ /*
+ * ...
+(Y) * TDM mode can be disabled by passing 0 for @slots. In this case @tx_mask,
+ * @rx_mask and @slot_width will be ignored.
+ * ...
+ */
+ int snd_soc_dai_set_tdm_slot(...)
+ {
+ ...
+ if (...)
+(A1) ret = dai->driver->ops->xlate_tdm_slot_mask(...);
+ else
+(A2) ret = snd_soc_xlate_tdm_slot_mask(...);
+ if (ret)
+ goto err;
+ ...
+ }
+
+snd_soc_xlate_tdm_slot_mask() (A2) will return -EINVAL if slots was 0 (X),
+but snd_soc_dai_set_tdm_slot() allow to use it (Y).
+
+(A) static int snd_soc_xlate_tdm_slot_mask(...)
+ {
+ ...
+ if (!slots)
+(X) return -EINVAL;
+ ...
+ }
+
+Call xlate_tdm_slot_mask() only if slots was non zero.
+
+Reported-by: Giedrius Trainavičius <giedrius@blokas.io>
+Closes: https://lore.kernel.org/r/CAMONXLtSL7iKyvH6w=CzPTxQdBECf++hn8RKL6Y4=M_ou2YHow@mail.gmail.com
+Fixes: 7f1186a8d738661 ("ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()")
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/8734cdfx59.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-dai.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c
+index a210089747d0..32f46a38682b 100644
+--- a/sound/soc/soc-dai.c
++++ b/sound/soc/soc-dai.c
+@@ -259,13 +259,15 @@ int snd_soc_dai_set_tdm_slot(struct snd_soc_dai *dai,
+ &rx_mask,
+ };
+
+- if (dai->driver->ops &&
+- dai->driver->ops->xlate_tdm_slot_mask)
+- ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
+- else
+- ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
+- if (ret)
+- goto err;
++ if (slots) {
++ if (dai->driver->ops &&
++ dai->driver->ops->xlate_tdm_slot_mask)
++ ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
++ else
++ ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
++ if (ret)
++ goto err;
++ }
+
+ for_each_pcm_streams(stream)
+ snd_soc_dai_tdm_mask_set(dai, stream, *tdm_mask[stream]);
+--
+2.39.5
+
--- /dev/null
+From c4ca927f766eaef0ba7dae5646e466566c20da39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 15:58:00 -0400
+Subject: audit,module: restore audit logging in load failure case
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+[ Upstream commit ae1ae11fb277f1335d6bcd4935ba0ea985af3c32 ]
+
+The move of the module sanity check to earlier skipped the audit logging
+call in the case of failure and to a place where the previously used
+context is unavailable.
+
+Add an audit logging call for the module loading failure case and get
+the module name when possible.
+
+Link: https://issues.redhat.com/browse/RHEL-52839
+Fixes: 02da2cbab452 ("module: move check_modinfo() early to early_mod_check()")
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/audit.h | 9 ++++-----
+ kernel/audit.h | 2 +-
+ kernel/auditsc.c | 2 +-
+ kernel/module/main.c | 6 ++++--
+ 4 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/audit.h b/include/linux/audit.h
+index 0050ef288ab3..a394614ccd0b 100644
+--- a/include/linux/audit.h
++++ b/include/linux/audit.h
+@@ -417,7 +417,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
+ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
+ extern void __audit_mmap_fd(int fd, int flags);
+ extern void __audit_openat2_how(struct open_how *how);
+-extern void __audit_log_kern_module(char *name);
++extern void __audit_log_kern_module(const char *name);
+ extern void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar);
+ extern void __audit_tk_injoffset(struct timespec64 offset);
+ extern void __audit_ntp_log(const struct audit_ntp_data *ad);
+@@ -519,7 +519,7 @@ static inline void audit_openat2_how(struct open_how *how)
+ __audit_openat2_how(how);
+ }
+
+-static inline void audit_log_kern_module(char *name)
++static inline void audit_log_kern_module(const char *name)
+ {
+ if (!audit_dummy_context())
+ __audit_log_kern_module(name);
+@@ -677,9 +677,8 @@ static inline void audit_mmap_fd(int fd, int flags)
+ static inline void audit_openat2_how(struct open_how *how)
+ { }
+
+-static inline void audit_log_kern_module(char *name)
+-{
+-}
++static inline void audit_log_kern_module(const char *name)
++{ }
+
+ static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
+ { }
+diff --git a/kernel/audit.h b/kernel/audit.h
+index 0211cb307d30..2a24d01c5fb0 100644
+--- a/kernel/audit.h
++++ b/kernel/audit.h
+@@ -200,7 +200,7 @@ struct audit_context {
+ int argc;
+ } execve;
+ struct {
+- char *name;
++ const char *name;
+ } module;
+ struct {
+ struct audit_ntp_data ntp_data;
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index 78fd876a5473..eb98cd6fe91f 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -2864,7 +2864,7 @@ void __audit_openat2_how(struct open_how *how)
+ context->type = AUDIT_OPENAT2;
+ }
+
+-void __audit_log_kern_module(char *name)
++void __audit_log_kern_module(const char *name)
+ {
+ struct audit_context *context = audit_context();
+
+diff --git a/kernel/module/main.c b/kernel/module/main.c
+index c2c08007029d..43df45c39f59 100644
+--- a/kernel/module/main.c
++++ b/kernel/module/main.c
+@@ -3373,7 +3373,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
+
+ module_allocated = true;
+
+- audit_log_kern_module(mod->name);
++ audit_log_kern_module(info->name);
+
+ /* Reserve our place in the list. */
+ err = add_unformed_module(mod);
+@@ -3537,8 +3537,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
+ * failures once the proper module was allocated and
+ * before that.
+ */
+- if (!module_allocated)
++ if (!module_allocated) {
++ audit_log_kern_module(info->name ? info->name : "?");
+ mod_stat_bump_becoming(info, flags);
++ }
+ free_copy(info, flags);
+ return err;
+ }
+--
+2.39.5
+
--- /dev/null
+From 984fa02bce7f109c9f8a1fb2d7c3e2447c9865ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 14:11:19 +0200
+Subject: block: mtip32xx: Fix usage of dma_map_sg()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 8e1fab9cccc7b806b0cffdceabb09b310b83b553 ]
+
+The dma_map_sg() can fail and, in case of failure, returns 0. If it
+fails, mtip_hw_submit_io() returns an error.
+
+The dma_unmap_sg() requires the nents parameter to be the same as the
+one passed to dma_map_sg(). This patch saves the nents in
+command->scatter_ents.
+
+Fixes: 88523a61558a ("block: Add driver for Micron RealSSD pcie flash cards")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20250627121123.203731-2-fourier.thomas@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/mtip32xx/mtip32xx.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
+index 66ce6b81c7d9..8fc7761397bd 100644
+--- a/drivers/block/mtip32xx/mtip32xx.c
++++ b/drivers/block/mtip32xx/mtip32xx.c
+@@ -2040,11 +2040,12 @@ static int mtip_hw_ioctl(struct driver_data *dd, unsigned int cmd,
+ * @dir Direction (read or write)
+ *
+ * return value
+- * None
++ * 0 The IO completed successfully.
++ * -ENOMEM The DMA mapping failed.
+ */
+-static void mtip_hw_submit_io(struct driver_data *dd, struct request *rq,
+- struct mtip_cmd *command,
+- struct blk_mq_hw_ctx *hctx)
++static int mtip_hw_submit_io(struct driver_data *dd, struct request *rq,
++ struct mtip_cmd *command,
++ struct blk_mq_hw_ctx *hctx)
+ {
+ struct mtip_cmd_hdr *hdr =
+ dd->port->command_list + sizeof(struct mtip_cmd_hdr) * rq->tag;
+@@ -2056,12 +2057,14 @@ static void mtip_hw_submit_io(struct driver_data *dd, struct request *rq,
+ unsigned int nents;
+
+ /* Map the scatter list for DMA access */
+- nents = blk_rq_map_sg(rq, command->sg);
+- nents = dma_map_sg(&dd->pdev->dev, command->sg, nents, dma_dir);
++ command->scatter_ents = blk_rq_map_sg(rq, command->sg);
++ nents = dma_map_sg(&dd->pdev->dev, command->sg,
++ command->scatter_ents, dma_dir);
++ if (!nents)
++ return -ENOMEM;
+
+- prefetch(&port->flags);
+
+- command->scatter_ents = nents;
++ prefetch(&port->flags);
+
+ /*
+ * The number of retries for this command before it is
+@@ -2112,11 +2115,13 @@ static void mtip_hw_submit_io(struct driver_data *dd, struct request *rq,
+ if (unlikely(port->flags & MTIP_PF_PAUSE_IO)) {
+ set_bit(rq->tag, port->cmds_to_issue);
+ set_bit(MTIP_PF_ISSUE_CMDS_BIT, &port->flags);
+- return;
++ return 0;
+ }
+
+ /* Issue the command to the hardware */
+ mtip_issue_ncq_command(port, rq->tag);
++
++ return 0;
+ }
+
+ /*
+@@ -3315,7 +3320,9 @@ static blk_status_t mtip_queue_rq(struct blk_mq_hw_ctx *hctx,
+
+ blk_mq_start_request(rq);
+
+- mtip_hw_submit_io(dd, rq, cmd, hctx);
++ if (mtip_hw_submit_io(dd, rq, cmd, hctx))
++ return BLK_STS_IOERR;
++
+ return BLK_STS_OK;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e81788740ad3170a98e8e3257006d5efda905b9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 15:31:51 +0530
+Subject: block: restore two stage elevator switch while running nr_hw_queue
+ update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nilay Shroff <nilay@linux.ibm.com>
+
+[ Upstream commit 5989bfe6ac6bf230c2c84e118c786be0ed4be3f4 ]
+
+The kmemleak reports memory leaks related to elevator resources that
+were originally allocated in the ->init_hctx() method. The following
+leak traces are observed after running blktests block/040:
+
+unreferenced object 0xffff8881b82f7400 (size 512):
+ comm "check", pid 68454, jiffies 4310588881
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc 5bac8b34):
+ __kvmalloc_node_noprof+0x55d/0x7a0
+ sbitmap_init_node+0x15a/0x6a0
+ kyber_init_hctx+0x316/0xb90
+ blk_mq_init_sched+0x419/0x580
+ elevator_switch+0x18b/0x630
+ elv_update_nr_hw_queues+0x219/0x2c0
+ __blk_mq_update_nr_hw_queues+0x36a/0x6f0
+ blk_mq_update_nr_hw_queues+0x3a/0x60
+ 0xffffffffc09ceb80
+ 0xffffffffc09d7e0b
+ configfs_write_iter+0x2b1/0x470
+ vfs_write+0x527/0xe70
+ ksys_write+0xff/0x200
+ do_syscall_64+0x98/0x3c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+unreferenced object 0xffff8881b82f6000 (size 512):
+ comm "check", pid 68454, jiffies 4310588881
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc 5bac8b34):
+ __kvmalloc_node_noprof+0x55d/0x7a0
+ sbitmap_init_node+0x15a/0x6a0
+ kyber_init_hctx+0x316/0xb90
+ blk_mq_init_sched+0x419/0x580
+ elevator_switch+0x18b/0x630
+ elv_update_nr_hw_queues+0x219/0x2c0
+ __blk_mq_update_nr_hw_queues+0x36a/0x6f0
+ blk_mq_update_nr_hw_queues+0x3a/0x60
+ 0xffffffffc09ceb80
+ 0xffffffffc09d7e0b
+ configfs_write_iter+0x2b1/0x470
+ vfs_write+0x527/0xe70
+ ksys_write+0xff/0x200
+ do_syscall_64+0x98/0x3c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+unreferenced object 0xffff8881b82f5800 (size 512):
+ comm "check", pid 68454, jiffies 4310588881
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc 5bac8b34):
+ __kvmalloc_node_noprof+0x55d/0x7a0
+ sbitmap_init_node+0x15a/0x6a0
+ kyber_init_hctx+0x316/0xb90
+ blk_mq_init_sched+0x419/0x580
+ elevator_switch+0x18b/0x630
+ elv_update_nr_hw_queues+0x219/0x2c0
+ __blk_mq_update_nr_hw_queues+0x36a/0x6f0
+ blk_mq_update_nr_hw_queues+0x3a/0x60
+ 0xffffffffc09ceb80
+ 0xffffffffc09d7e0b
+ configfs_write_iter+0x2b1/0x470
+ vfs_write+0x527/0xe70
+
+ ksys_write+0xff/0x200
+ do_syscall_64+0x98/0x3c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The issue arises while we run nr_hw_queue update, Specifically, we first
+reallocate hardware contexts (hctx) via __blk_mq_realloc_hw_ctxs(), and
+then later invoke elevator_switch() (assuming q->elevator is not NULL).
+The elevator switch code would first exit old elevator (elevator_exit)
+and then switches to the new elevator. The elevator_exit loops through
+each hctx and invokes the elevator’s per-hctx exit method ->exit_hctx(),
+which releases resources allocated during ->init_hctx().
+
+This memleak manifests when we reduce the num of h/w queues - for example,
+when the initial update sets the number of queues to X, and a later update
+reduces it to Y, where Y < X. In this case, we'd loose the access to old
+hctxs while we get to elevator exit code because __blk_mq_realloc_hw_ctxs
+would have already released the old hctxs. As we don't now have any
+reference left to the old hctxs, we don't have any way to free the
+scheduler resources (which are allocate in ->init_hctx()) and kmemleak
+complains about it.
+
+This issue was caused due to the commit 596dce110b7d ("block: simplify
+elevator reattachment for updating nr_hw_queues"). That change unified
+the two-stage elevator teardown and reattachment into a single call that
+occurs after __blk_mq_realloc_hw_ctxs() has already freed the hctxs.
+
+This patch restores the previous two-stage elevator switch logic during
+nr_hw_queues updates. First, the elevator is switched to 'none', which
+ensures all scheduler resources are properly freed. Then, the hardware
+contexts (hctxs) are reallocated, and the software-to-hardware queue
+mappings are updated. Finally, the original elevator is reattached. This
+sequence prevents loss of references to old hctxs and avoids the scheduler
+resource leaks reported by kmemleak.
+
+Reported-by : Yi Zhang <yi.zhang@redhat.com>
+
+Fixes: 596dce110b7d ("block: simplify elevator reattachment for updating nr_hw_queues")
+Closes: https://lore.kernel.org/all/CAHj4cs8oJFvz=daCvjHM5dYCNQH4UXwSySPPU4v-WHce_kZXZA@mail.gmail.com/
+Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20250724102540.1366308-1-nilay@linux.ibm.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 84 ++++++++++++++++++++++++++++++++++++++++++------
+ block/blk.h | 2 +-
+ block/elevator.c | 10 +++---
+ 3 files changed, 81 insertions(+), 15 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 4806b867e37d..dec1cd4f1f5b 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -4966,6 +4966,60 @@ int blk_mq_update_nr_requests(struct request_queue *q, unsigned int nr)
+ return ret;
+ }
+
++/*
++ * Switch back to the elevator type stored in the xarray.
++ */
++static void blk_mq_elv_switch_back(struct request_queue *q,
++ struct xarray *elv_tbl)
++{
++ struct elevator_type *e = xa_load(elv_tbl, q->id);
++
++ /* The elv_update_nr_hw_queues unfreezes the queue. */
++ elv_update_nr_hw_queues(q, e);
++
++ /* Drop the reference acquired in blk_mq_elv_switch_none. */
++ if (e)
++ elevator_put(e);
++}
++
++/*
++ * Stores elevator type in xarray and set current elevator to none. It uses
++ * q->id as an index to store the elevator type into the xarray.
++ */
++static int blk_mq_elv_switch_none(struct request_queue *q,
++ struct xarray *elv_tbl)
++{
++ int ret = 0;
++
++ lockdep_assert_held_write(&q->tag_set->update_nr_hwq_lock);
++
++ /*
++ * Accessing q->elevator without holding q->elevator_lock is safe here
++ * because we're called from nr_hw_queue update which is protected by
++ * set->update_nr_hwq_lock in the writer context. So, scheduler update/
++ * switch code (which acquires the same lock in the reader context)
++ * can't run concurrently.
++ */
++ if (q->elevator) {
++
++ ret = xa_insert(elv_tbl, q->id, q->elevator->type, GFP_KERNEL);
++ if (WARN_ON_ONCE(ret))
++ return ret;
++
++ /*
++ * Before we switch elevator to 'none', take a reference to
++ * the elevator module so that while nr_hw_queue update is
++ * running, no one can remove elevator module. We'd put the
++ * reference to elevator module later when we switch back
++ * elevator.
++ */
++ __elevator_get(q->elevator->type);
++
++ elevator_set_none(q);
++ }
++ return ret;
++}
++
+ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+ int nr_hw_queues)
+ {
+@@ -4973,6 +5027,7 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+ int prev_nr_hw_queues = set->nr_hw_queues;
+ unsigned int memflags;
+ int i;
++ struct xarray elv_tbl;
+
+ lockdep_assert_held(&set->tag_list_lock);
+
+@@ -4984,6 +5039,9 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+ return;
+
+ memflags = memalloc_noio_save();
++
++ xa_init(&elv_tbl);
++
+ list_for_each_entry(q, &set->tag_list, tag_set_list) {
+ blk_mq_debugfs_unregister_hctxs(q);
+ blk_mq_sysfs_unregister_hctxs(q);
+@@ -4992,11 +5050,17 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+ list_for_each_entry(q, &set->tag_list, tag_set_list)
+ blk_mq_freeze_queue_nomemsave(q);
+
+- if (blk_mq_realloc_tag_set_tags(set, nr_hw_queues) < 0) {
+- list_for_each_entry(q, &set->tag_list, tag_set_list)
+- blk_mq_unfreeze_queue_nomemrestore(q);
+- goto reregister;
+- }
++ /*
++ * Switch IO scheduler to 'none', cleaning up the data associated
++ * with the previous scheduler. We will switch back once we are done
++ * updating the new sw to hw queue mappings.
++ */
++ list_for_each_entry(q, &set->tag_list, tag_set_list)
++ if (blk_mq_elv_switch_none(q, &elv_tbl))
++ goto switch_back;
++
++ if (blk_mq_realloc_tag_set_tags(set, nr_hw_queues) < 0)
++ goto switch_back;
+
+ fallback:
+ blk_mq_update_queue_map(set);
+@@ -5016,12 +5080,11 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+ }
+ blk_mq_map_swqueue(q);
+ }
+-
+- /* elv_update_nr_hw_queues() unfreeze queue for us */
++switch_back:
++ /* The blk_mq_elv_switch_back unfreezes queue for us. */
+ list_for_each_entry(q, &set->tag_list, tag_set_list)
+- elv_update_nr_hw_queues(q);
++ blk_mq_elv_switch_back(q, &elv_tbl);
+
+-reregister:
+ list_for_each_entry(q, &set->tag_list, tag_set_list) {
+ blk_mq_sysfs_register_hctxs(q);
+ blk_mq_debugfs_register_hctxs(q);
+@@ -5029,6 +5092,9 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+ blk_mq_remove_hw_queues_cpuhp(q);
+ blk_mq_add_hw_queues_cpuhp(q);
+ }
++
++ xa_destroy(&elv_tbl);
++
+ memalloc_noio_restore(memflags);
+
+ /* Free the excess tags when nr_hw_queues shrink. */
+diff --git a/block/blk.h b/block/blk.h
+index 37ec459fe656..fae7653a941f 100644
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -321,7 +321,7 @@ bool blk_bio_list_merge(struct request_queue *q, struct list_head *list,
+
+ bool blk_insert_flush(struct request *rq);
+
+-void elv_update_nr_hw_queues(struct request_queue *q);
++void elv_update_nr_hw_queues(struct request_queue *q, struct elevator_type *e);
+ void elevator_set_default(struct request_queue *q);
+ void elevator_set_none(struct request_queue *q);
+
+diff --git a/block/elevator.c b/block/elevator.c
+index a960bdc869bc..88f8f36bed98 100644
+--- a/block/elevator.c
++++ b/block/elevator.c
+@@ -689,21 +689,21 @@ static int elevator_change(struct request_queue *q, struct elv_change_ctx *ctx)
+ * The I/O scheduler depends on the number of hardware queues, this forces a
+ * reattachment when nr_hw_queues changes.
+ */
+-void elv_update_nr_hw_queues(struct request_queue *q)
++void elv_update_nr_hw_queues(struct request_queue *q, struct elevator_type *e)
+ {
+ struct elv_change_ctx ctx = {};
+ int ret = -ENODEV;
+
+ WARN_ON_ONCE(q->mq_freeze_depth == 0);
+
+- mutex_lock(&q->elevator_lock);
+- if (q->elevator && !blk_queue_dying(q) && blk_queue_registered(q)) {
+- ctx.name = q->elevator->type->elevator_name;
++ if (e && !blk_queue_dying(q) && blk_queue_registered(q)) {
++ ctx.name = e->elevator_name;
+
++ mutex_lock(&q->elevator_lock);
+ /* force to reattach elevator after nr_hw_queue is updated */
+ ret = elevator_switch(q, &ctx);
++ mutex_unlock(&q->elevator_lock);
+ }
+- mutex_unlock(&q->elevator_lock);
+ blk_mq_unfreeze_queue_nomemrestore(q);
+ if (!ret)
+ WARN_ON_ONCE(elevator_change_done(q, &ctx));
+--
+2.39.5
+
--- /dev/null
+From 71d489586a5425d577846e6248c3eb7773008146 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 10:52:54 +0000
+Subject: block: sanitize chunk_sectors for atomic write limits
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit 1de67e8e28fc47d71ee06ffa0185da549b378ffb ]
+
+Currently we just ensure that a non-zero value in chunk_sectors aligns
+with any atomic write boundary, as the blk boundary functionality uses
+both these values.
+
+However it is also improper to have atomic write unit max > chunk_sectors
+(for non-zero chunk_sectors), as this would lead to splitting of atomic
+write bios (which is disallowed).
+
+Sanitize atomic write unit max against chunk_sectors to avoid any
+potential problems.
+
+Fixes: d00eea91deaf3 ("block: Add extra checks in blk_validate_atomic_write_limits()")
+Reviewed-by: Nilay Shroff <nilay@linux.ibm.com>
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Link: https://lore.kernel.org/r/20250711105258.3135198-3-john.g.garry@oracle.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-settings.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/block/blk-settings.c b/block/blk-settings.c
+index a000daafbfb4..3425ae1b1f01 100644
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -181,6 +181,8 @@ static void blk_atomic_writes_update_limits(struct queue_limits *lim)
+ static void blk_validate_atomic_write_limits(struct queue_limits *lim)
+ {
+ unsigned int boundary_sectors;
++ unsigned int atomic_write_hw_max_sectors =
++ lim->atomic_write_hw_max >> SECTOR_SHIFT;
+
+ if (!(lim->features & BLK_FEAT_ATOMIC_WRITES))
+ goto unsupported;
+@@ -202,6 +204,10 @@ static void blk_validate_atomic_write_limits(struct queue_limits *lim)
+ lim->atomic_write_hw_max))
+ goto unsupported;
+
++ if (WARN_ON_ONCE(lim->chunk_sectors &&
++ atomic_write_hw_max_sectors > lim->chunk_sectors))
++ goto unsupported;
++
+ boundary_sectors = lim->atomic_write_hw_boundary >> SECTOR_SHIFT;
+
+ if (boundary_sectors) {
+--
+2.39.5
+
--- /dev/null
+From abf619d0e8cd7efc2bf9a1c8aaf83d972802c19f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 15:37:25 +0530
+Subject: Bluetooth: btintel: Define a macro for Intel Reset vendor command
+
+From: Kiran K <kiran.k@intel.com>
+
+[ Upstream commit 15843c7fdba65568704245fd3ea2aa3aa2d50825 ]
+
+Use macro for Intel Reset command (0xfc01) instead of hard coded value.
+
+Signed-off-by: Kiran K <kiran.k@intel.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: 69b3d3acf3db ("Bluetooth: btintel_pcie: Make driver wait for alive interrupt")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btintel.c | 4 ++--
+ drivers/bluetooth/btintel.h | 2 ++
+ drivers/bluetooth/btintel_pcie.c | 12 ++++++------
+ drivers/bluetooth/btusb.c | 8 ++++----
+ drivers/bluetooth/hci_intel.c | 10 +++++-----
+ 5 files changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index 06016ac3965c..6aceecf5a13d 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -889,7 +889,7 @@ int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
+
+ params.boot_param = cpu_to_le32(boot_param);
+
+- skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms,
++ skb = __hci_cmd_sync(hdev, BTINTEL_HCI_OP_RESET, sizeof(params), ¶ms,
+ HCI_INIT_TIMEOUT);
+ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "Failed to send Intel Reset command");
+@@ -1287,7 +1287,7 @@ static void btintel_reset_to_bootloader(struct hci_dev *hdev)
+ params.boot_option = 0x00;
+ params.boot_param = cpu_to_le32(0x00000000);
+
+- skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params),
++ skb = __hci_cmd_sync(hdev, BTINTEL_HCI_OP_RESET, sizeof(params),
+ ¶ms, HCI_INIT_TIMEOUT);
+ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "FW download error recovery failed (%ld)",
+diff --git a/drivers/bluetooth/btintel.h b/drivers/bluetooth/btintel.h
+index 1d12c4113c66..431998049e68 100644
+--- a/drivers/bluetooth/btintel.h
++++ b/drivers/bluetooth/btintel.h
+@@ -52,6 +52,8 @@ struct intel_tlv {
+ u8 val[];
+ } __packed;
+
++#define BTINTEL_HCI_OP_RESET 0xfc01
++
+ #define BTINTEL_CNVI_BLAZARI 0x900
+ #define BTINTEL_CNVI_BLAZARIW 0x901
+ #define BTINTEL_CNVI_GAP 0x910
+diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
+index f4e3fb54fe76..1638be0921a3 100644
+--- a/drivers/bluetooth/btintel_pcie.c
++++ b/drivers/bluetooth/btintel_pcie.c
+@@ -1955,12 +1955,12 @@ static int btintel_pcie_send_frame(struct hci_dev *hdev,
+ struct hci_command_hdr *cmd = (void *)skb->data;
+ __u16 opcode = le16_to_cpu(cmd->opcode);
+
+- /* When the 0xfc01 command is issued to boot into
+- * the operational firmware, it will actually not
+- * send a command complete event. To keep the flow
++ /* When the BTINTEL_HCI_OP_RESET command is issued to
++ * boot into the operational firmware, it will actually
++ * not send a command complete event. To keep the flow
+ * control working inject that event here.
+ */
+- if (opcode == 0xfc01)
++ if (opcode == BTINTEL_HCI_OP_RESET)
+ btintel_pcie_inject_cmd_complete(hdev, opcode);
+ }
+ /* Firmware raises alive interrupt on HCI_OP_RESET */
+@@ -1995,10 +1995,10 @@ static int btintel_pcie_send_frame(struct hci_dev *hdev,
+ }
+
+ if (type == BTINTEL_PCIE_HCI_CMD_PKT &&
+- (opcode == HCI_OP_RESET || opcode == 0xfc01)) {
++ (opcode == HCI_OP_RESET || opcode == BTINTEL_HCI_OP_RESET)) {
+ old_ctxt = data->alive_intr_ctxt;
+ data->alive_intr_ctxt =
+- (opcode == 0xfc01 ? BTINTEL_PCIE_INTEL_HCI_RESET1 :
++ (opcode == BTINTEL_HCI_OP_RESET ? BTINTEL_PCIE_INTEL_HCI_RESET1 :
+ BTINTEL_PCIE_HCI_RESET);
+ bt_dev_dbg(data->hdev, "sent cmd: 0x%4.4x alive context changed: %s -> %s",
+ opcode, btintel_pcie_alivectxt_state2str(old_ctxt),
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index db27d28e8a7e..66fd84fbbd22 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2594,12 +2594,12 @@ static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb)
+ else
+ urb = alloc_ctrl_urb(hdev, skb);
+
+- /* When the 0xfc01 command is issued to boot into
+- * the operational firmware, it will actually not
+- * send a command complete event. To keep the flow
++ /* When the BTINTEL_HCI_OP_RESET command is issued to
++ * boot into the operational firmware, it will actually
++ * not send a command complete event. To keep the flow
+ * control working inject that event here.
+ */
+- if (opcode == 0xfc01)
++ if (opcode == BTINTEL_HCI_OP_RESET)
+ inject_cmd_complete(hdev, opcode);
+ } else {
+ urb = alloc_ctrl_urb(hdev, skb);
+diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c
+index d22fbb7f9fc5..9b353c3d6442 100644
+--- a/drivers/bluetooth/hci_intel.c
++++ b/drivers/bluetooth/hci_intel.c
+@@ -1029,12 +1029,12 @@ static struct sk_buff *intel_dequeue(struct hci_uart *hu)
+ struct hci_command_hdr *cmd = (void *)skb->data;
+ __u16 opcode = le16_to_cpu(cmd->opcode);
+
+- /* When the 0xfc01 command is issued to boot into
+- * the operational firmware, it will actually not
+- * send a command complete event. To keep the flow
+- * control working inject that event here.
++ /* When the BTINTEL_HCI_OP_RESET command is issued to boot into
++ * the operational firmware, it will actually not send a command
++ * complete event. To keep the flow control working inject that
++ * event here.
+ */
+- if (opcode == 0xfc01)
++ if (opcode == BTINTEL_HCI_OP_RESET)
+ inject_cmd_complete(hu->hdev, opcode);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 55be8991f51a83344c3ff7a99ffe636c0f297b43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 15:14:36 +0530
+Subject: Bluetooth: btintel_pcie: Make driver wait for alive interrupt
+
+From: Kiran K <kiran.k@intel.com>
+
+[ Upstream commit 69b3d3acf3dba21e2abad863c80c7114eb110b3d ]
+
+The firmware raises an alive interrupt upon receiving the HCI_RESET or
+BTINTEL_HCI_OP_RESET (Intel reset - 0xfc01) command. This change fixes
+the driver to properly wait for the alive interrupt to avoid driver
+sending commands to firmware before it is ready to process.
+
+For details on the handshake between the driver and firmware, refer to
+commit 05c200c8f029 ("Bluetooth: btintel_pcie: Add handshake between
+driver and firmware").
+
+As the driver needs to handle two interrupts for HCI_OP_RESET and
+BTINTEL_HCI_OP_RESET, the firmware ensures that the TX completion
+interrupt is always followed by the alive interrupt.
+
+Fixes: 05c200c8f029 ("Bluetooth: btintel_pcie: Add handshake between driver and firmware")
+Signed-off-by: Sai Teja Aluvala <aluvala.sai.teja@intel.com>
+Signed-off-by: Kiran K <kiran.k@intel.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btintel_pcie.c | 30 +++++++++++++++++-------------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
+index 1638be0921a3..7f789937a764 100644
+--- a/drivers/bluetooth/btintel_pcie.c
++++ b/drivers/bluetooth/btintel_pcie.c
+@@ -928,11 +928,13 @@ static void btintel_pcie_msix_gp0_handler(struct btintel_pcie_data *data)
+ case BTINTEL_PCIE_INTEL_HCI_RESET1:
+ if (btintel_pcie_in_op(data)) {
+ submit_rx = true;
++ signal_waitq = true;
+ break;
+ }
+
+ if (btintel_pcie_in_iml(data)) {
+ submit_rx = true;
++ signal_waitq = true;
+ data->alive_intr_ctxt = BTINTEL_PCIE_FW_DL;
+ break;
+ }
+@@ -1963,8 +1965,11 @@ static int btintel_pcie_send_frame(struct hci_dev *hdev,
+ if (opcode == BTINTEL_HCI_OP_RESET)
+ btintel_pcie_inject_cmd_complete(hdev, opcode);
+ }
+- /* Firmware raises alive interrupt on HCI_OP_RESET */
+- if (opcode == HCI_OP_RESET)
++
++ /* Firmware raises alive interrupt on HCI_OP_RESET or
++ * BTINTEL_HCI_OP_RESET
++ */
++ if (opcode == HCI_OP_RESET || opcode == BTINTEL_HCI_OP_RESET)
+ data->gp0_received = false;
+
+ hdev->stat.cmd_tx++;
+@@ -2003,17 +2008,16 @@ static int btintel_pcie_send_frame(struct hci_dev *hdev,
+ bt_dev_dbg(data->hdev, "sent cmd: 0x%4.4x alive context changed: %s -> %s",
+ opcode, btintel_pcie_alivectxt_state2str(old_ctxt),
+ btintel_pcie_alivectxt_state2str(data->alive_intr_ctxt));
+- if (opcode == HCI_OP_RESET) {
+- ret = wait_event_timeout(data->gp0_wait_q,
+- data->gp0_received,
+- msecs_to_jiffies(BTINTEL_DEFAULT_INTR_TIMEOUT_MS));
+- if (!ret) {
+- hdev->stat.err_tx++;
+- bt_dev_err(hdev, "No alive interrupt received for %s",
+- btintel_pcie_alivectxt_state2str(data->alive_intr_ctxt));
+- ret = -ETIME;
+- goto exit_error;
+- }
++ ret = wait_event_timeout(data->gp0_wait_q,
++ data->gp0_received,
++ msecs_to_jiffies(BTINTEL_DEFAULT_INTR_TIMEOUT_MS));
++ if (!ret) {
++ hdev->stat.err_tx++;
++ bt_dev_err(hdev, "Timeout on alive interrupt (%u ms). Alive context: %s",
++ BTINTEL_DEFAULT_INTR_TIMEOUT_MS,
++ btintel_pcie_alivectxt_state2str(data->alive_intr_ctxt));
++ ret = -ETIME;
++ goto exit_error;
+ }
+ }
+ hdev->stat.byte_tx += skb->len;
+--
+2.39.5
+
--- /dev/null
+From 3ba66dff3107195806f7cfbb1dd2ef805fdd3f90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jul 2025 18:52:46 +0800
+Subject: Bluetooth: btusb: Fix potential NULL dereference on kmalloc failure
+
+From: Zhongqiu Han <quic_zhonhan@quicinc.com>
+
+[ Upstream commit b505902c66a282dcb01bcdc015aa1fdfaaa075db ]
+
+Avoid potential NULL pointer dereference by checking the return value of
+kmalloc and handling allocation failure properly.
+
+Fixes: 7d70989fcea7 ("Bluetooth: btusb: Add HCI Drv commands for configuring altsetting")
+Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index f9eeec0aed57..db27d28e8a7e 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3802,6 +3802,8 @@ static int btusb_hci_drv_supported_altsettings(struct hci_dev *hdev, void *data,
+
+ /* There are at most 7 alt (0 - 6) */
+ rp = kmalloc(sizeof(*rp) + 7, GFP_KERNEL);
++ if (!rp)
++ return -ENOMEM;
+
+ rp->num = 0;
+ if (!drvdata->isoc)
+--
+2.39.5
+
--- /dev/null
+From f0c36ff5fa8693a0fea28560339323fc3872de2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 11:10:52 -0400
+Subject: Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv
+
+From: Ivan Pravdin <ipravdin.official@gmail.com>
+
+[ Upstream commit 7af4d7b53502286c6cf946d397ab183e76d14820 ]
+
+Currently both dev_coredumpv and skb_put_data in hci_devcd_dump use
+hdev->dump.head. However, dev_coredumpv can free the buffer. From
+dev_coredumpm_timeout documentation, which is used by dev_coredumpv:
+
+ > Creates a new device coredump for the given device. If a previous one hasn't
+ > been read yet, the new coredump is discarded. The data lifetime is determined
+ > by the device coredump framework and when it is no longer needed the @free
+ > function will be called to free the data.
+
+If the data has not been read by the userspace yet, dev_coredumpv will
+discard new buffer, freeing hdev->dump.head. This leads to
+vmalloc-out-of-bounds error when skb_put_data tries to access
+hdev->dump.head.
+
+A crash report from syzbot illustrates this:
+
+ ==================================================================
+ BUG: KASAN: vmalloc-out-of-bounds in skb_put_data
+ include/linux/skbuff.h:2752 [inline]
+ BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240
+ net/bluetooth/coredump.c:258
+ Read of size 140 at addr ffffc90004ed5000 by task kworker/u9:2/5844
+
+ CPU: 1 UID: 0 PID: 5844 Comm: kworker/u9:2 Not tainted
+ 6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full)
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+ Google 02/12/2025
+ Workqueue: hci0 hci_devcd_timeout
+ Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xc3/0x670 mm/kasan/report.c:521
+ kasan_report+0xe0/0x110 mm/kasan/report.c:634
+ check_region_inline mm/kasan/generic.c:183 [inline]
+ kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
+ __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
+ skb_put_data include/linux/skbuff.h:2752 [inline]
+ hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
+ hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413
+ process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:464
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+ The buggy address ffffc90004ed5000 belongs to a vmalloc virtual mapping
+ Memory state around the buggy address:
+ ffffc90004ed4f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc90004ed4f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ >ffffc90004ed5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ^
+ ffffc90004ed5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc90004ed5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ==================================================================
+
+To avoid this issue, reorder dev_coredumpv to be called after
+skb_put_data that does not free the data.
+
+Reported-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
+Fixes: b257e02ecc46 ("HCI: coredump: Log devcd dumps into the monitor")
+Tested-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com
+Signed-off-by: Ivan Pravdin <ipravdin.official@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/coredump.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
+index 819eacb38762..720cb79adf96 100644
+--- a/net/bluetooth/coredump.c
++++ b/net/bluetooth/coredump.c
+@@ -249,15 +249,15 @@ static void hci_devcd_dump(struct hci_dev *hdev)
+
+ size = hdev->dump.tail - hdev->dump.head;
+
+- /* Emit a devcoredump with the available data */
+- dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
+-
+ /* Send a copy to monitor as a diagnostic packet */
+ skb = bt_skb_alloc(size, GFP_ATOMIC);
+ if (skb) {
+ skb_put_data(skb, hdev->dump.head, size);
+ hci_recv_diag(hdev, skb);
+ }
++
++ /* Emit a devcoredump with the available data */
++ dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
+ }
+
+ static void hci_devcd_handle_pkt_complete(struct hci_dev *hdev,
+--
+2.39.5
+
--- /dev/null
+From 0b57c406fcf9187b7d464f2862a23cf0e5daa547 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 16:30:23 +0100
+Subject: Bluetooth: hci_event: Mask data status from LE ext adv reports
+
+From: Chris Down <chris@chrisdown.name>
+
+[ Upstream commit 0cadf8534f2a727bc3a01e8c583b085d25963ee0 ]
+
+The Event_Type field in an LE Extended Advertising Report uses bits 5
+and 6 for data status (e.g. truncation or fragmentation), not the PDU
+type itself.
+
+The ext_evt_type_to_legacy() function fails to mask these status bits
+before evaluation. This causes valid advertisements with status bits set
+(e.g. a truncated non-connectable advertisement, which ends up showing
+as PDU type 0x40) to be misclassified as unknown and subsequently
+dropped. This is okay for most checks which use bitwise AND on the
+relevant event type bits, but it doesn't work for non-connectable types,
+which are checked with '== LE_EXT_ADV_NON_CONN_IND' (that is, zero).
+
+In terms of behaviour, first the device sends a truncated report:
+
+> HCI Event: LE Meta Event (0x3e) plen 26
+ LE Extended Advertising Report (0x0d)
+ Entry 0
+ Event type: 0x0040
+ Data status: Incomplete, data truncated, no more to come
+ Address type: Random (0x01)
+ Address: 1D:12:46:FA:F8:6E (Non-Resolvable)
+ SID: 0x03
+ RSSI: -98 dBm (0x9e)
+ Data length: 0x00
+
+Then, a few seconds later, it sends the subsequent complete report:
+
+> HCI Event: LE Meta Event (0x3e) plen 122
+ LE Extended Advertising Report (0x0d)
+ Entry 0
+ Event type: 0x0000
+ Data status: Complete
+ Address type: Random (0x01)
+ Address: 1D:12:46:FA:F8:6E (Non-Resolvable)
+ SID: 0x03
+ RSSI: -97 dBm (0x9f)
+ Data length: 0x60
+ Service Data: Google (0xfef3)
+ Data[92]: ...
+
+These devices often send multiple truncated reports per second.
+
+This patch introduces a PDU type mask to ensure only the relevant bits
+are evaluated, allowing for the correct translation of all valid
+extended advertising packets.
+
+Fixes: b2cc9761f144 ("Bluetooth: Handle extended ADV PDU types")
+Signed-off-by: Chris Down <chris@chrisdown.name>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_event.c | 8 ++++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index c79901f2dc2a..5796ca9fe5da 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -2634,6 +2634,7 @@ struct hci_ev_le_conn_complete {
+ #define LE_EXT_ADV_DIRECT_IND 0x0004
+ #define LE_EXT_ADV_SCAN_RSP 0x0008
+ #define LE_EXT_ADV_LEGACY_PDU 0x0010
++#define LE_EXT_ADV_DATA_STATUS_MASK 0x0060
+ #define LE_EXT_ADV_EVT_TYPE_MASK 0x007f
+
+ #define ADDR_LE_DEV_PUBLIC 0x00
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index cf4b30ac9e0e..c1dd8d78701f 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6239,6 +6239,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
+
+ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
+ {
++ u16 pdu_type = evt_type & ~LE_EXT_ADV_DATA_STATUS_MASK;
++
++ if (!pdu_type)
++ return LE_ADV_NONCONN_IND;
++
+ if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
+ switch (evt_type) {
+ case LE_LEGACY_ADV_IND:
+@@ -6270,8 +6275,7 @@ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
+ if (evt_type & LE_EXT_ADV_SCAN_IND)
+ return LE_ADV_SCAN_IND;
+
+- if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
+- evt_type & LE_EXT_ADV_DIRECT_IND)
++ if (evt_type & LE_EXT_ADV_DIRECT_IND)
+ return LE_ADV_NONCONN_IND;
+
+ invalid:
+--
+2.39.5
+
--- /dev/null
+From e8c9fa1b75308d33802194623d2be1ca749226b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 22:23:58 +0300
+Subject: Bluetooth: hci_sync: fix double free in
+ 'hci_discovery_filter_clear()'
+
+From: Arseniy Krasnov <avkrasnov@salutedevices.com>
+
+[ Upstream commit 2935e556850e9c94d7a00adf14d3cd7fe406ac03 ]
+
+Function 'hci_discovery_filter_clear()' frees 'uuids' array and then
+sets it to NULL. There is a tiny chance of the following race:
+
+'hci_cmd_sync_work()'
+
+ 'update_passive_scan_sync()'
+
+ 'hci_update_passive_scan_sync()'
+
+ 'hci_discovery_filter_clear()'
+ kfree(uuids);
+
+ <-------------------------preempted-------------------------------->
+ 'start_service_discovery()'
+
+ 'hci_discovery_filter_clear()'
+ kfree(uuids); // DOUBLE FREE
+
+ <-------------------------preempted-------------------------------->
+
+ uuids = NULL;
+
+To fix it let's add locking around 'kfree()' call and NULL pointer
+assignment. Otherwise the following backtrace fires:
+
+[ ] ------------[ cut here ]------------
+[ ] kernel BUG at mm/slub.c:547!
+[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1
+[ ] Tainted: [O]=OOT_MODULE
+[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ ] pc : __slab_free+0xf8/0x348
+[ ] lr : __slab_free+0x48/0x348
+...
+[ ] Call trace:
+[ ] __slab_free+0xf8/0x348
+[ ] kfree+0x164/0x27c
+[ ] start_service_discovery+0x1d0/0x2c0
+[ ] hci_sock_sendmsg+0x518/0x924
+[ ] __sock_sendmsg+0x54/0x60
+[ ] sock_write_iter+0x98/0xf8
+[ ] do_iter_readv_writev+0xe4/0x1c8
+[ ] vfs_writev+0x128/0x2b0
+[ ] do_writev+0xfc/0x118
+[ ] __arm64_sys_writev+0x20/0x2c
+[ ] invoke_syscall+0x68/0xf0
+[ ] el0_svc_common.constprop.0+0x40/0xe0
+[ ] do_el0_svc+0x1c/0x28
+[ ] el0_svc+0x30/0xd0
+[ ] el0t_64_sync_handler+0x100/0x12c
+[ ] el0t_64_sync+0x194/0x198
+[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000)
+[ ] ---[ end trace 0000000000000000 ]---
+
+Fixes: ad383c2c65a5 ("Bluetooth: hci_sync: Enable advertising when LL privacy is enabled")
+Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index f79f59e67114..c371dadc6fa3 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -29,6 +29,7 @@
+ #include <linux/idr.h>
+ #include <linux/leds.h>
+ #include <linux/rculist.h>
++#include <linux/spinlock.h>
+ #include <linux/srcu.h>
+
+ #include <net/bluetooth/hci.h>
+@@ -94,6 +95,7 @@ struct discovery_state {
+ u16 uuid_count;
+ u8 (*uuids)[16];
+ unsigned long name_resolve_timeout;
++ spinlock_t lock;
+ };
+
+ #define SUSPEND_NOTIFIER_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */
+@@ -889,6 +891,7 @@ static inline void iso_recv(struct hci_conn *hcon, struct sk_buff *skb,
+
+ static inline void discovery_init(struct hci_dev *hdev)
+ {
++ spin_lock_init(&hdev->discovery.lock);
+ hdev->discovery.state = DISCOVERY_STOPPED;
+ INIT_LIST_HEAD(&hdev->discovery.all);
+ INIT_LIST_HEAD(&hdev->discovery.unknown);
+@@ -903,8 +906,11 @@ static inline void hci_discovery_filter_clear(struct hci_dev *hdev)
+ hdev->discovery.report_invalid_rssi = true;
+ hdev->discovery.rssi = HCI_RSSI_INVALID;
+ hdev->discovery.uuid_count = 0;
++
++ spin_lock(&hdev->discovery.lock);
+ kfree(hdev->discovery.uuids);
+ hdev->discovery.uuids = NULL;
++ spin_unlock(&hdev->discovery.lock);
+ }
+
+ bool hci_discovery_active(struct hci_dev *hdev);
+--
+2.39.5
+
--- /dev/null
+From 13c945b4d4305c685bf7c1fb15699d8f5062a74b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Jul 2025 01:47:30 +0200
+Subject: bpf: Add cookie object to bpf maps
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 12df58ad294253ac1d8df0c9bb9cf726397a671d ]
+
+Add a cookie to BPF maps to uniquely identify BPF maps for the timespan
+when the node is up. This is different to comparing a pointer or BPF map
+id which could get rolled over and reused.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/r/20250730234733.530041-1-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 1 +
+ kernel/bpf/syscall.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 5b25d278409b..f9900a23ca16 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -310,6 +310,7 @@ struct bpf_map {
+ bool free_after_rcu_gp;
+ atomic64_t sleepable_refcnt;
+ s64 __percpu *elem_count;
++ u64 cookie; /* write-once */
+ };
+
+ static inline const char *btf_field_type_name(enum btf_field_type type)
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index dd5304c6ac3c..82ae4fadecf0 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -37,6 +37,7 @@
+ #include <linux/trace_events.h>
+ #include <linux/tracepoint.h>
+ #include <linux/overflow.h>
++#include <linux/cookie.h>
+
+ #include <net/netfilter/nf_bpf_link.h>
+ #include <net/netkit.h>
+@@ -53,6 +54,7 @@
+ #define BPF_OBJ_FLAG_MASK (BPF_F_RDONLY | BPF_F_WRONLY)
+
+ DEFINE_PER_CPU(int, bpf_prog_active);
++DEFINE_COOKIE(bpf_map_cookie);
+ static DEFINE_IDR(prog_idr);
+ static DEFINE_SPINLOCK(prog_idr_lock);
+ static DEFINE_IDR(map_idr);
+@@ -1487,6 +1489,10 @@ static int map_create(union bpf_attr *attr, bool kernel)
+ if (err < 0)
+ goto free_map;
+
++ preempt_disable();
++ map->cookie = gen_cookie_next(&bpf_map_cookie);
++ preempt_enable();
++
+ atomic64_set(&map->refcnt, 1);
+ atomic64_set(&map->usercnt, 1);
+ mutex_init(&map->freeze_mutex);
+--
+2.39.5
+
--- /dev/null
+From f65f791338199adfdd1353d4775a2cf25461d2b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 13:34:09 +0000
+Subject: bpf, arm64: Fix fp initialization for exception boundary
+
+From: Puranjay Mohan <puranjay@kernel.org>
+
+[ Upstream commit b114fcee766d5101eada1aca7bb5fd0a86c89b35 ]
+
+In the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF
+program, find_used_callee_regs() is not called because for a program
+acting as exception boundary, all callee saved registers are saved.
+find_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP
+being used in any of the instructions.
+
+For programs acting as exception boundary, ctx->fp_used remains false
+even if frame pointer is used by the program and therefore, FP is not
+set-up for such programs in the prologue. This can cause the kernel to
+crash due to a pagefault.
+
+Fix it by setting ctx->fp_used = true for exception boundary programs as
+fp is always saved in such programs.
+
+Fixes: 5d4fa9ec5643 ("bpf, arm64: Avoid blindly saving/restoring all callee-saved registers")
+Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Xu Kuohai <xukuohai@huawei.com>
+Link: https://lore.kernel.org/bpf/20250722133410.54161-2-puranjay@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/net/bpf_jit_comp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
+index da8b89dd2910..58f838b310bc 100644
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -412,6 +412,7 @@ static void push_callee_regs(struct jit_ctx *ctx)
+ emit(A64_PUSH(A64_R(23), A64_R(24), A64_SP), ctx);
+ emit(A64_PUSH(A64_R(25), A64_R(26), A64_SP), ctx);
+ emit(A64_PUSH(A64_R(27), A64_R(28), A64_SP), ctx);
++ ctx->fp_used = true;
+ } else {
+ find_used_callee_regs(ctx);
+ for (i = 0; i + 1 < ctx->nr_used_callee_reg; i += 2) {
+--
+2.39.5
+
--- /dev/null
+From d645658576b1d2ee4ac265d960f61cdfd62ac6b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 11:47:23 +0200
+Subject: bpf: Check flow_dissector ctx accesses are aligned
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit ead3d7b2b6afa5ee7958620c4329982a7d9c2b78 ]
+
+flow_dissector_is_valid_access doesn't check that the context access is
+aligned. As a consequence, an unaligned access within one of the exposed
+field is considered valid and later rejected by
+flow_dissector_convert_ctx_access when we try to convert it.
+
+The later rejection is problematic because it's reported as a verifier
+bug with a kernel warning and doesn't point to the right instruction in
+verifier logs.
+
+Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
+Reported-by: syzbot+ccac90e482b2a81d74aa@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ccac90e482b2a81d74aa
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/cc1b036be484c99be45eddf48bd78cc6f72839b1.1754039605.git.paul.chaignon@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 47073a0180a4..2c3196dadd54 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -9449,6 +9449,9 @@ static bool flow_dissector_is_valid_access(int off, int size,
+ if (off < 0 || off >= sizeof(struct __sk_buff))
+ return false;
+
++ if (off % size != 0)
++ return false;
++
+ if (type == BPF_WRITE)
+ return false;
+
+--
+2.39.5
+
--- /dev/null
+From e334112a0315fc693376e0c540a96d83013db2c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 11:48:15 +0200
+Subject: bpf: Check netfilter ctx accesses are aligned
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit 9e6448f7b1efb27f8d508b067ecd33ed664a4246 ]
+
+Similarly to the previous patch fixing the flow_dissector ctx accesses,
+nf_is_valid_access also doesn't check that ctx accesses are aligned.
+Contrary to flow_dissector programs, netfilter programs don't have
+context conversion. The unaligned ctx accesses are therefore allowed by
+the verifier.
+
+Fixes: fd9c663b9ad6 ("bpf: minimal support for programs hooked into netfilter framework")
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/853ae9ed5edaa5196e8472ff0f1bb1cc24059214.1754039605.git.paul.chaignon@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index 25bbac8986c2..c12250e50a8b 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -295,6 +295,9 @@ static bool nf_is_valid_access(int off, int size, enum bpf_access_type type,
+ if (off < 0 || off >= sizeof(struct bpf_nf_ctx))
+ return false;
+
++ if (off % size != 0)
++ return false;
++
+ if (type == BPF_WRITE)
+ return false;
+
+--
+2.39.5
+
--- /dev/null
+From 857155937fde0aa372400ba69ffc8a2f8b5b16e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 22:40:37 +0000
+Subject: bpf: Disable migration in nf_hook_run_bpf().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 17ce3e5949bc37557305ad46316f41c7875d6366 ]
+
+syzbot reported that the netfilter bpf prog can be called without
+migration disabled in xmit path.
+
+Then the assertion in __bpf_prog_run() fails, triggering the splat
+below. [0]
+
+Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf().
+
+[0]:
+BUG: assuming non migratable context at ./include/linux/filter.h:703
+in_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session
+3 locks held by sshd-session/5829:
+ #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline]
+ #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395
+ #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
+ #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
+ #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470
+ #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
+ #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
+ #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241
+CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
+ __cant_migrate kernel/sched/core.c:8860 [inline]
+ __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834
+ __bpf_prog_run include/linux/filter.h:703 [inline]
+ bpf_prog_run include/linux/filter.h:725 [inline]
+ nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20
+ nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
+ nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623
+ nf_hook+0x370/0x680 include/linux/netfilter.h:272
+ NF_HOOK_COND include/linux/netfilter.h:305 [inline]
+ ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433
+ dst_output include/net/dst.h:459 [inline]
+ ip_local_out net/ipv4/ip_output.c:129 [inline]
+ __ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527
+ __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479
+ tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline]
+ tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838
+ __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021
+ tcp_push+0x225/0x700 net/ipv4/tcp.c:759
+ tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359
+ tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396
+ inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851
+ sock_sendmsg_nosec net/socket.c:712 [inline]
+ __sock_sendmsg net/socket.c:727 [inline]
+ sock_write_iter+0x4aa/0x5b0 net/socket.c:1131
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x6c7/0x1150 fs/read_write.c:686
+ ksys_write+0x1f8/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fe7d365d407
+Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
+RSP:
+
+Fixes: fd9c663b9ad67 ("bpf: minimal support for programs hooked into netfilter framework")
+Reported-by: syzbot+40f772d37250b6d10efc@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6879466d.a00a0220.3af5df.0022.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Tested-by: syzbot+40f772d37250b6d10efc@syzkaller.appspotmail.com
+Acked-by: Florian Westphal <fw@strlen.de>
+Link: https://patch.msgid.link/20250722224041.112292-1-kuniyu@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index 06b084844700..25bbac8986c2 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -17,7 +17,7 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
+ .skb = skb,
+ };
+
+- return bpf_prog_run(prog, &ctx);
++ return bpf_prog_run_pin_on_cpu(prog, &ctx);
+ }
+
+ struct bpf_nf_link {
+--
+2.39.5
+
--- /dev/null
+From 7df61c376bd4be8ff90969f4aae49e5dad530695 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:48:10 -0700
+Subject: bpf: Ensure RCU lock is held around bpf_prog_ksym_find
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+[ Upstream commit d090326860096df9dac6f27cff76d3f8df44d4f1 ]
+
+Add a warning to ensure RCU lock is held around tree lookup, and then
+fix one of the invocations in bpf_stack_walker. The program has an
+active stack frame and won't disappear. Use the opportunity to remove
+unneeded invocation of is_bpf_text_address.
+
+Fixes: f18b03fabaa9 ("bpf: Implement BPF exceptions")
+Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20250703204818.925464-5-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 5 ++++-
+ kernel/bpf/helpers.c | 11 +++++++++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index c20babbf998f..93e49b0c218b 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -778,7 +778,10 @@ bool is_bpf_text_address(unsigned long addr)
+
+ struct bpf_prog *bpf_prog_ksym_find(unsigned long addr)
+ {
+- struct bpf_ksym *ksym = bpf_ksym_find(addr);
++ struct bpf_ksym *ksym;
++
++ WARN_ON_ONCE(!rcu_read_lock_held());
++ ksym = bpf_ksym_find(addr);
+
+ return ksym && ksym->prog ?
+ container_of(ksym, struct bpf_prog_aux, ksym)->prog :
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index ad6df48b540c..fdf8737542ac 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -2943,9 +2943,16 @@ static bool bpf_stack_walker(void *cookie, u64 ip, u64 sp, u64 bp)
+ struct bpf_throw_ctx *ctx = cookie;
+ struct bpf_prog *prog;
+
+- if (!is_bpf_text_address(ip))
+- return !ctx->cnt;
++ /*
++ * The RCU read lock is held to safely traverse the latch tree, but we
++ * don't need its protection when accessing the prog, since it has an
++ * active stack frame on the current stack trace, and won't disappear.
++ */
++ rcu_read_lock();
+ prog = bpf_prog_ksym_find(ip);
++ rcu_read_unlock();
++ if (!prog)
++ return !ctx->cnt;
+ ctx->cnt++;
+ if (bpf_is_subprog(prog))
+ return true;
+--
+2.39.5
+
--- /dev/null
+From aa2ddcd973b64a323e48d424786fc4e4734ce975 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Jul 2025 01:47:33 +0200
+Subject: bpf: Fix oob access in cgroup local storage
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit abad3d0bad72a52137e0c350c59542d75ae4f513 ]
+
+Lonial reported that an out-of-bounds access in cgroup local storage
+can be crafted via tail calls. Given two programs each utilizing a
+cgroup local storage with a different value size, and one program
+doing a tail call into the other. The verifier will validate each of
+the indivial programs just fine. However, in the runtime context
+the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
+BPF program as well as any cgroup local storage flavor the program
+uses. Helpers such as bpf_get_local_storage() pick this up from the
+runtime context:
+
+ ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
+ storage = ctx->prog_item->cgroup_storage[stype];
+
+ if (stype == BPF_CGROUP_STORAGE_SHARED)
+ ptr = &READ_ONCE(storage->buf)->data[0];
+ else
+ ptr = this_cpu_ptr(storage->percpu_buf);
+
+For the second program which was called from the originally attached
+one, this means bpf_get_local_storage() will pick up the former
+program's map, not its own. With mismatching sizes, this can result
+in an unintended out-of-bounds access.
+
+To fix this issue, we need to extend bpf_map_owner with an array of
+storage_cookie[] to match on i) the exact maps from the original
+program if the second program was using bpf_get_local_storage(), or
+ii) allow the tail call combination if the second program was not
+using any of the cgroup local storage maps.
+
+Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
+Reported-by: Lonial Con <kongln9170@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/r/20250730234733.530041-4-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 1 +
+ kernel/bpf/core.c | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index d5f720d6cb81..bcae876a2a60 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -283,6 +283,7 @@ struct bpf_map_owner {
+ enum bpf_prog_type type;
+ bool jited;
+ bool xdp_has_frags;
++ u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE];
+ const struct btf_type *attach_func_proto;
+ };
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 9abc37739ca5..d966e971893a 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2366,7 +2366,9 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
+ {
+ enum bpf_prog_type prog_type = resolve_prog_type(fp);
+ struct bpf_prog_aux *aux = fp->aux;
++ enum bpf_cgroup_storage_type i;
+ bool ret = false;
++ u64 cookie;
+
+ if (fp->kprobe_override)
+ return ret;
+@@ -2381,11 +2383,24 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
+ map->owner->jited = fp->jited;
+ map->owner->xdp_has_frags = aux->xdp_has_frags;
+ map->owner->attach_func_proto = aux->attach_func_proto;
++ for_each_cgroup_storage_type(i) {
++ map->owner->storage_cookie[i] =
++ aux->cgroup_storage[i] ?
++ aux->cgroup_storage[i]->cookie : 0;
++ }
+ ret = true;
+ } else {
+ ret = map->owner->type == prog_type &&
+ map->owner->jited == fp->jited &&
+ map->owner->xdp_has_frags == aux->xdp_has_frags;
++ for_each_cgroup_storage_type(i) {
++ if (!ret)
++ break;
++ cookie = aux->cgroup_storage[i] ?
++ aux->cgroup_storage[i]->cookie : 0;
++ ret = map->owner->storage_cookie[i] == cookie ||
++ !cookie;
++ }
+ if (ret &&
+ map->owner->attach_func_proto != aux->attach_func_proto) {
+ switch (prog_type) {
+--
+2.39.5
+
--- /dev/null
+From adfcb73ddddfc97a13cf3ddd1d14a9b8f34621ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 10:53:30 -0700
+Subject: bpf: handle jset (if a & b ...) as a jump in CFG computation
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 3157f7e2999616ac91f4d559a8566214f74000a5 ]
+
+BPF_JSET is a conditional jump and currently verifier.c:can_jump()
+does not know about that. This can lead to incorrect live registers
+and SCC computation.
+
+E.g. in the following example:
+
+ 1: r0 = 1;
+ 2: r2 = 2;
+ 3: if r1 & 0x7 goto +1;
+ 4: exit;
+ 5: r0 = r2;
+ 6: exit;
+
+W/o this fix insn_successors(3) will return only (4), a jump to (5)
+would be missed and r2 won't be marked as alive at (3).
+
+Fixes: 14c8552db644 ("bpf: simple DFA-based live registers analysis")
+Reported-by: syzbot+a36aac327960ff474804@syzkaller.appspotmail.com
+Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20250613175331.3238739-1-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 169845710c7e..97e07eb31fec 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -23671,6 +23671,7 @@ static bool can_jump(struct bpf_insn *insn)
+ case BPF_JSLT:
+ case BPF_JSLE:
+ case BPF_JCOND:
++ case BPF_JSET:
+ return true;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 9d12262d8b6453730d7219c9f88729fb12b17922 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 10:08:52 +0800
+Subject: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 178f6a5c8cb3b6be1602de0964cd440243f493c9 ]
+
+When sending plaintext data, we initially calculated the corresponding
+ciphertext length. However, if we later reduced the plaintext data length
+via socket policy, we failed to recalculate the ciphertext length.
+
+This results in transmitting buffers containing uninitialized data during
+ciphertext transmission.
+
+This causes uninitialized bytes to be appended after a complete
+"Application Data" packet, leading to errors on the receiving end when
+parsing TLS record.
+
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/bpf/20250609020910.397930-2-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index fc88e34b7f33..549d1ea01a72 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -872,6 +872,19 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ delta = msg->sg.size;
+ psock->eval = sk_psock_msg_verdict(sk, psock, msg);
+ delta -= msg->sg.size;
++
++ if ((s32)delta > 0) {
++ /* It indicates that we executed bpf_msg_pop_data(),
++ * causing the plaintext data size to decrease.
++ * Therefore the encrypted data size also needs to
++ * correspondingly decrease. We only need to subtract
++ * delta to calculate the new ciphertext length since
++ * ktls does not support block encryption.
++ */
++ struct sk_msg *enc = &ctx->open_rec->msg_encrypted;
++
++ sk_msg_trim(sk, enc, enc->sg.size - delta);
++ }
+ }
+ if (msg->cork_bytes && msg->cork_bytes > msg->sg.size &&
+ !enospc && !full_record) {
+--
+2.39.5
+
--- /dev/null
+From 46ab138f6248e5c91ccf9fb62aa0132e829606b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Jul 2025 01:47:31 +0200
+Subject: bpf: Move bpf map owner out of common struct
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit fd1c98f0ef5cbcec842209776505d9e70d8fcd53 ]
+
+Given this is only relevant for BPF tail call maps, it is adding up space
+and penalizing other map types. We also need to extend this with further
+objects to track / compare to. Therefore, lets move this out into a separate
+structure and dynamically allocate it only for BPF tail call maps.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/r/20250730234733.530041-2-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 36 ++++++++++++++++++++++++------------
+ kernel/bpf/core.c | 35 ++++++++++++++++++-----------------
+ kernel/bpf/syscall.c | 13 +++++++------
+ 3 files changed, 49 insertions(+), 35 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index f9900a23ca16..a2876101f9b6 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -260,6 +260,18 @@ struct bpf_list_node_kern {
+ void *owner;
+ } __attribute__((aligned(8)));
+
++/* 'Ownership' of program-containing map is claimed by the first program
++ * that is going to use this map or by the first program which FD is
++ * stored in the map to make sure that all callers and callees have the
++ * same prog type, JITed flag and xdp_has_frags flag.
++ */
++struct bpf_map_owner {
++ enum bpf_prog_type type;
++ bool jited;
++ bool xdp_has_frags;
++ const struct btf_type *attach_func_proto;
++};
++
+ struct bpf_map {
+ const struct bpf_map_ops *ops;
+ struct bpf_map *inner_map_meta;
+@@ -292,18 +304,8 @@ struct bpf_map {
+ struct rcu_head rcu;
+ };
+ atomic64_t writecnt;
+- /* 'Ownership' of program-containing map is claimed by the first program
+- * that is going to use this map or by the first program which FD is
+- * stored in the map to make sure that all callers and callees have the
+- * same prog type, JITed flag and xdp_has_frags flag.
+- */
+- struct {
+- const struct btf_type *attach_func_proto;
+- spinlock_t lock;
+- enum bpf_prog_type type;
+- bool jited;
+- bool xdp_has_frags;
+- } owner;
++ spinlock_t owner_lock;
++ struct bpf_map_owner *owner;
+ bool bypass_spec_v1;
+ bool frozen; /* write-once; write-protected by freeze_mutex */
+ bool free_after_mult_rcu_gp;
+@@ -2072,6 +2074,16 @@ static inline bool bpf_map_flags_access_ok(u32 access_flags)
+ (BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG);
+ }
+
++static inline struct bpf_map_owner *bpf_map_owner_alloc(struct bpf_map *map)
++{
++ return kzalloc(sizeof(*map->owner), GFP_ATOMIC);
++}
++
++static inline void bpf_map_owner_free(struct bpf_map *map)
++{
++ kfree(map->owner);
++}
++
+ struct bpf_event_entry {
+ struct perf_event *event;
+ struct file *perf_file;
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 93e49b0c218b..9abc37739ca5 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2365,28 +2365,29 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
+ const struct bpf_prog *fp)
+ {
+ enum bpf_prog_type prog_type = resolve_prog_type(fp);
+- bool ret;
+ struct bpf_prog_aux *aux = fp->aux;
++ bool ret = false;
+
+ if (fp->kprobe_override)
+- return false;
++ return ret;
+
+- spin_lock(&map->owner.lock);
+- if (!map->owner.type) {
+- /* There's no owner yet where we could check for
+- * compatibility.
+- */
+- map->owner.type = prog_type;
+- map->owner.jited = fp->jited;
+- map->owner.xdp_has_frags = aux->xdp_has_frags;
+- map->owner.attach_func_proto = aux->attach_func_proto;
++ spin_lock(&map->owner_lock);
++ /* There's no owner yet where we could check for compatibility. */
++ if (!map->owner) {
++ map->owner = bpf_map_owner_alloc(map);
++ if (!map->owner)
++ goto err;
++ map->owner->type = prog_type;
++ map->owner->jited = fp->jited;
++ map->owner->xdp_has_frags = aux->xdp_has_frags;
++ map->owner->attach_func_proto = aux->attach_func_proto;
+ ret = true;
+ } else {
+- ret = map->owner.type == prog_type &&
+- map->owner.jited == fp->jited &&
+- map->owner.xdp_has_frags == aux->xdp_has_frags;
++ ret = map->owner->type == prog_type &&
++ map->owner->jited == fp->jited &&
++ map->owner->xdp_has_frags == aux->xdp_has_frags;
+ if (ret &&
+- map->owner.attach_func_proto != aux->attach_func_proto) {
++ map->owner->attach_func_proto != aux->attach_func_proto) {
+ switch (prog_type) {
+ case BPF_PROG_TYPE_TRACING:
+ case BPF_PROG_TYPE_LSM:
+@@ -2399,8 +2400,8 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
+ }
+ }
+ }
+- spin_unlock(&map->owner.lock);
+-
++err:
++ spin_unlock(&map->owner_lock);
+ return ret;
+ }
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 82ae4fadecf0..88511a9bc114 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -887,6 +887,7 @@ static void bpf_map_free_deferred(struct work_struct *work)
+
+ security_bpf_map_free(map);
+ bpf_map_release_memcg(map);
++ bpf_map_owner_free(map);
+ bpf_map_free(map);
+ }
+
+@@ -981,12 +982,12 @@ static void bpf_map_show_fdinfo(struct seq_file *m, struct file *filp)
+ struct bpf_map *map = filp->private_data;
+ u32 type = 0, jited = 0;
+
+- if (map_type_contains_progs(map)) {
+- spin_lock(&map->owner.lock);
+- type = map->owner.type;
+- jited = map->owner.jited;
+- spin_unlock(&map->owner.lock);
++ spin_lock(&map->owner_lock);
++ if (map->owner) {
++ type = map->owner->type;
++ jited = map->owner->jited;
+ }
++ spin_unlock(&map->owner_lock);
+
+ seq_printf(m,
+ "map_type:\t%u\n"
+@@ -1496,7 +1497,7 @@ static int map_create(union bpf_attr *attr, bool kernel)
+ atomic64_set(&map->refcnt, 1);
+ atomic64_set(&map->usercnt, 1);
+ mutex_init(&map->freeze_mutex);
+- spin_lock_init(&map->owner.lock);
++ spin_lock_init(&map->owner_lock);
+
+ if (attr->btf_key_type_id || attr->btf_value_type_id ||
+ /* Even the map's value is a kernel's struct,
+--
+2.39.5
+
--- /dev/null
+From 2b9f9c8bde8ba71a4a32e62135cceade99248b0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Jul 2025 01:47:32 +0200
+Subject: bpf: Move cgroup iterator helpers to bpf.h
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 9621e60f59eae87eb9ffe88d90f24f391a1ef0f0 ]
+
+Move them into bpf.h given we also need them in core code.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/r/20250730234733.530041-3-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf-cgroup.h | 5 -----
+ include/linux/bpf.h | 22 ++++++++++++++--------
+ 2 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
+index 70c8b94e797a..501873758ce6 100644
+--- a/include/linux/bpf-cgroup.h
++++ b/include/linux/bpf-cgroup.h
+@@ -77,9 +77,6 @@ to_cgroup_bpf_attach_type(enum bpf_attach_type attach_type)
+ extern struct static_key_false cgroup_bpf_enabled_key[MAX_CGROUP_BPF_ATTACH_TYPE];
+ #define cgroup_bpf_enabled(atype) static_branch_unlikely(&cgroup_bpf_enabled_key[atype])
+
+-#define for_each_cgroup_storage_type(stype) \
+- for (stype = 0; stype < MAX_BPF_CGROUP_STORAGE_TYPE; stype++)
+-
+ struct bpf_cgroup_storage_map;
+
+ struct bpf_storage_buffer {
+@@ -511,8 +508,6 @@ static inline int bpf_percpu_cgroup_storage_update(struct bpf_map *map,
+ #define BPF_CGROUP_RUN_PROG_SETSOCKOPT(sock, level, optname, optval, optlen, \
+ kernel_optval) ({ 0; })
+
+-#define for_each_cgroup_storage_type(stype) for (; false; )
+-
+ #endif /* CONFIG_CGROUP_BPF */
+
+ #endif /* _BPF_CGROUP_H */
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index a2876101f9b6..d5f720d6cb81 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -208,6 +208,20 @@ enum btf_field_type {
+ BPF_RES_SPIN_LOCK = (1 << 12),
+ };
+
++enum bpf_cgroup_storage_type {
++ BPF_CGROUP_STORAGE_SHARED,
++ BPF_CGROUP_STORAGE_PERCPU,
++ __BPF_CGROUP_STORAGE_MAX
++#define MAX_BPF_CGROUP_STORAGE_TYPE __BPF_CGROUP_STORAGE_MAX
++};
++
++#ifdef CONFIG_CGROUP_BPF
++# define for_each_cgroup_storage_type(stype) \
++ for (stype = 0; stype < MAX_BPF_CGROUP_STORAGE_TYPE; stype++)
++#else
++# define for_each_cgroup_storage_type(stype) for (; false; )
++#endif /* CONFIG_CGROUP_BPF */
++
+ typedef void (*btf_dtor_kfunc_t)(void *);
+
+ struct btf_field_kptr {
+@@ -1085,14 +1099,6 @@ struct bpf_prog_offload {
+ u32 jited_len;
+ };
+
+-enum bpf_cgroup_storage_type {
+- BPF_CGROUP_STORAGE_SHARED,
+- BPF_CGROUP_STORAGE_PERCPU,
+- __BPF_CGROUP_STORAGE_MAX
+-};
+-
+-#define MAX_BPF_CGROUP_STORAGE_TYPE __BPF_CGROUP_STORAGE_MAX
+-
+ /* The longest tracepoint has 12 args.
+ * See include/trace/bpf_probe.h
+ */
+--
+2.39.5
+
--- /dev/null
+From d07e7429d72e76bf74b25ea3ad724b8b841eb8a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 11:04:41 +0200
+Subject: bpf/preload: Don't select USERMODE_DRIVER
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 2b03164eee20eac7ce0fe3aa4fbda7efc1e5427a ]
+
+The usermode driver framework is not used anymore by the BPF
+preload code.
+
+Fixes: cb80ddc67152 ("bpf: Convert bpf_preload.ko to use light skeleton.")
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/bpf/20250721-remove-usermode-driver-v1-1-0d0083334382@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/preload/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/kernel/bpf/preload/Kconfig b/kernel/bpf/preload/Kconfig
+index c9d45c9d6918..f9b11d01c3b5 100644
+--- a/kernel/bpf/preload/Kconfig
++++ b/kernel/bpf/preload/Kconfig
+@@ -10,7 +10,6 @@ menuconfig BPF_PRELOAD
+ # The dependency on !COMPILE_TEST prevents it from being enabled
+ # in allmodconfig or allyesconfig configurations
+ depends on !COMPILE_TEST
+- select USERMODE_DRIVER
+ help
+ This builds kernel module with several embedded BPF programs that are
+ pinned into BPF FS mount point as human readable files that are
+--
+2.39.5
+
--- /dev/null
+From 0fedff5420130e24f60bad682d3a14ad838adb3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 16:32:32 +0200
+Subject: bpf: Reject narrower access to pointer ctx fields
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit e09299225d5ba3916c91ef70565f7d2187e4cca0 ]
+
+The following BPF program, simplified from a syzkaller repro, causes a
+kernel warning:
+
+ r0 = *(u8 *)(r1 + 169);
+ exit;
+
+With pointer field sk being at offset 168 in __sk_buff. This access is
+detected as a narrower read in bpf_skb_is_valid_access because it
+doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
+and later proceeds to bpf_convert_ctx_access. Note that for the
+"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
+is aligned, so the cnt may not be 0 because it matches the
+offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
+the target_size stays 0 and the verifier errors with a kernel warning:
+
+ verifier bug: error during ctx access conversion(1)
+
+This patch fixes that to return a proper "invalid bpf_context access
+off=X size=Y" error on the load instruction.
+
+The same issue affects multiple other fields in context structures that
+allow narrow access. Some other non-affected fields (for sk_msg,
+sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
+consistency.
+
+Note this syzkaller crash was reported in the "Closes" link below, which
+used to be about a different bug, fixed in
+commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
+in insn_def_regno()"). Because syzbot somehow confused the two bugs,
+the new crash and repro didn't get reported to the mailing list.
+
+Fixes: f96da09473b52 ("bpf: simplify narrower ctx access")
+Fixes: 0df1a55afa832 ("bpf: Warn on internal verifier errors")
+Reported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://patch.msgid.link/3b8dcee67ff4296903351a974ddd9c4dca768b64.1753194596.git.paul.chaignon@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/cgroup.c | 8 ++++----
+ net/core/filter.c | 20 ++++++++++----------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
+index f4885514f007..deb88fade249 100644
+--- a/kernel/bpf/cgroup.c
++++ b/kernel/bpf/cgroup.c
+@@ -2440,22 +2440,22 @@ static bool cg_sockopt_is_valid_access(int off, int size,
+ }
+
+ switch (off) {
+- case offsetof(struct bpf_sockopt, sk):
++ case bpf_ctx_range_ptr(struct bpf_sockopt, sk):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCKET;
+ break;
+- case offsetof(struct bpf_sockopt, optval):
++ case bpf_ctx_range_ptr(struct bpf_sockopt, optval):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET;
+ break;
+- case offsetof(struct bpf_sockopt, optval_end):
++ case bpf_ctx_range_ptr(struct bpf_sockopt, optval_end):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET_END;
+ break;
+- case offsetof(struct bpf_sockopt, retval):
++ case bpf_ctx_range(struct bpf_sockopt, retval):
+ if (size != size_default)
+ return false;
+ return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 7a72f766aacf..47073a0180a4 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -8690,7 +8690,7 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct __sk_buff, sk):
++ case bpf_ctx_range_ptr(struct __sk_buff, sk):
+ if (type == BPF_WRITE || size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCK_COMMON_OR_NULL;
+@@ -9268,7 +9268,7 @@ static bool sock_addr_is_valid_access(int off, int size,
+ return false;
+ }
+ break;
+- case offsetof(struct bpf_sock_addr, sk):
++ case bpf_ctx_range_ptr(struct bpf_sock_addr, sk):
+ if (type != BPF_READ)
+ return false;
+ if (size != sizeof(__u64))
+@@ -9318,17 +9318,17 @@ static bool sock_ops_is_valid_access(int off, int size,
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct bpf_sock_ops, sk):
++ case bpf_ctx_range_ptr(struct bpf_sock_ops, sk):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCKET_OR_NULL;
+ break;
+- case offsetof(struct bpf_sock_ops, skb_data):
++ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET;
+ break;
+- case offsetof(struct bpf_sock_ops, skb_data_end):
++ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data_end):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET_END;
+@@ -9337,7 +9337,7 @@ static bool sock_ops_is_valid_access(int off, int size,
+ bpf_ctx_record_field_size(info, size_default);
+ return bpf_ctx_narrow_access_ok(off, size,
+ size_default);
+- case offsetof(struct bpf_sock_ops, skb_hwtstamp):
++ case bpf_ctx_range(struct bpf_sock_ops, skb_hwtstamp):
+ if (size != sizeof(__u64))
+ return false;
+ break;
+@@ -9407,17 +9407,17 @@ static bool sk_msg_is_valid_access(int off, int size,
+ return false;
+
+ switch (off) {
+- case offsetof(struct sk_msg_md, data):
++ case bpf_ctx_range_ptr(struct sk_msg_md, data):
+ info->reg_type = PTR_TO_PACKET;
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct sk_msg_md, data_end):
++ case bpf_ctx_range_ptr(struct sk_msg_md, data_end):
+ info->reg_type = PTR_TO_PACKET_END;
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct sk_msg_md, sk):
++ case bpf_ctx_range_ptr(struct sk_msg_md, sk):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCKET;
+@@ -11623,7 +11623,7 @@ static bool sk_lookup_is_valid_access(int off, int size,
+ return false;
+
+ switch (off) {
+- case offsetof(struct bpf_sk_lookup, sk):
++ case bpf_ctx_range_ptr(struct bpf_sk_lookup, sk):
+ info->reg_type = PTR_TO_SOCKET_OR_NULL;
+ return size == sizeof(__u64);
+
+--
+2.39.5
+
--- /dev/null
+From b3c3f7d43432840c44c2ec95ab22aaa85ad63877 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 10:59:08 +0800
+Subject: bpf, sockmap: Fix psock incorrectly pointing to sk
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 76be5fae32febb1fdb848ba09f78c4b2c76cb337 ]
+
+We observed an issue from the latest selftest: sockmap_redir where
+sk_psock(psock->sk) != psock in the backlog. The root cause is the special
+behavior in sockmap_redir - it frequently performs map_update() and
+map_delete() on the same socket. During map_update(), we create a new
+psock and during map_delete(), we eventually free the psock via rcu_work
+in sk_psock_drop(). However, pending workqueues might still exist and not
+be processed yet. If users immediately perform another map_update(), a new
+psock will be allocated for the same sk, resulting in two psocks pointing
+to the same sk.
+
+When the pending workqueue is later triggered, it uses the old psock to
+access sk for I/O operations, which is incorrect.
+
+Timing Diagram:
+
+cpu0 cpu1
+
+map_update(sk):
+ sk->psock = psock1
+ psock1->sk = sk
+map_delete(sk):
+ rcu_work_free(psock1)
+
+map_update(sk):
+ sk->psock = psock2
+ psock2->sk = sk
+ workqueue:
+ wakeup with psock1, but the sk of psock1
+ doesn't belong to psock1
+rcu_handler:
+ clean psock1
+ free(psock1)
+
+Previously, we used reference counting to address the concurrency issue
+between backlog and sock_map_close(). This logic remains necessary as it
+prevents the sk from being freed while processing the backlog. But this
+patch prevents pending backlogs from using a psock after it has been
+stopped.
+
+Note: We cannot call cancel_delayed_work_sync() in map_delete() since this
+might be invoked in BPF context by BPF helper, and the function may sleep.
+
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20250609025908.79331-1-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 34c51eb1a14f..83c78379932e 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -656,6 +656,13 @@ static void sk_psock_backlog(struct work_struct *work)
+ bool ingress;
+ int ret;
+
++ /* If sk is quickly removed from the map and then added back, the old
++ * psock should not be scheduled, because there are now two psocks
++ * pointing to the same sk.
++ */
++ if (!sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))
++ return;
++
+ /* Increment the psock refcnt to synchronize with close(fd) path in
+ * sock_map_close(), ensuring we wait for backlog thread completion
+ * before sk_socket freed. If refcnt increment fails, it indicates
+--
+2.39.5
+
--- /dev/null
+From 8eb17c71601ecc78648f52b7c0d3fb7e5265cc41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:21:33 +0800
+Subject: bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit 99fe8af069a9fa5b09140518b1364e35713a642e ]
+
+In function dump_xx_nlmsg(), when realloc() fails to allocate memory,
+the original pointer to the buffer is overwritten with NULL. This causes
+a memory leak because the previously allocated buffer becomes unreachable
+without being freed.
+
+Fixes: 7900efc19214 ("tools/bpf: bpftool: improve output format for bpftool net")
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Reviewed-by: Quentin Monnet <qmo@kernel.org>
+Link: https://lore.kernel.org/r/20250620012133.14819-1-chenyuan_fl@163.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/net.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
+index 64f958f437b0..cfc6f944f7c3 100644
+--- a/tools/bpf/bpftool/net.c
++++ b/tools/bpf/bpftool/net.c
+@@ -366,17 +366,18 @@ static int dump_link_nlmsg(void *cookie, void *msg, struct nlattr **tb)
+ {
+ struct bpf_netdev_t *netinfo = cookie;
+ struct ifinfomsg *ifinfo = msg;
++ struct ip_devname_ifindex *tmp;
+
+ if (netinfo->filter_idx > 0 && netinfo->filter_idx != ifinfo->ifi_index)
+ return 0;
+
+ if (netinfo->used_len == netinfo->array_len) {
+- netinfo->devices = realloc(netinfo->devices,
+- (netinfo->array_len + 16) *
+- sizeof(struct ip_devname_ifindex));
+- if (!netinfo->devices)
++ tmp = realloc(netinfo->devices,
++ (netinfo->array_len + 16) * sizeof(struct ip_devname_ifindex));
++ if (!tmp)
+ return -ENOMEM;
+
++ netinfo->devices = tmp;
+ netinfo->array_len += 16;
+ }
+ netinfo->devices[netinfo->used_len].ifindex = ifinfo->ifi_index;
+@@ -395,6 +396,7 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
+ {
+ struct bpf_tcinfo_t *tcinfo = cookie;
+ struct tcmsg *info = msg;
++ struct tc_kind_handle *tmp;
+
+ if (tcinfo->is_qdisc) {
+ /* skip clsact qdisc */
+@@ -406,11 +408,12 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
+ }
+
+ if (tcinfo->used_len == tcinfo->array_len) {
+- tcinfo->handle_array = realloc(tcinfo->handle_array,
++ tmp = realloc(tcinfo->handle_array,
+ (tcinfo->array_len + 16) * sizeof(struct tc_kind_handle));
+- if (!tcinfo->handle_array)
++ if (!tmp)
+ return -ENOMEM;
+
++ tcinfo->handle_array = tmp;
+ tcinfo->array_len += 16;
+ }
+ tcinfo->handle_array[tcinfo->used_len].handle = info->tcm_handle;
+--
+2.39.5
+
--- /dev/null
+From 0c61c2a099b50a23c32677a737206c2052ecc03a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 16:32:23 +0800
+Subject: btrfs: remove partial support for lowest level from
+ btrfs_search_forward()
+
+From: Sun YangKai <sunk67188@gmail.com>
+
+[ Upstream commit 27260dd1904bb409cf84709928ba9bc5506fbe8e ]
+
+Commit 323ac95bce44 ("Btrfs: don't read leaf blocks containing only
+checksums during truncate") changed the condition from `level == 0` to
+`level == path->lowest_level`, while its original purpose was just to do
+some leaf node handling (calling btrfs_item_key_to_cpu()) and skip some
+code that doesn't fit leaf nodes.
+
+After changing the condition, the code path:
+
+1. Also handles the non-leaf nodes when path->lowest_level is nonzero,
+ which is wrong. However btrfs_search_forward() is never called with a
+ nonzero path->lowest_level, which makes this bug not found before.
+
+2. Makes the later if block with the same condition, which was originally
+ used to handle non-leaf node (calling btrfs_node_key_to_cpu()) when
+ lowest_level is not zero, dead code.
+
+Since btrfs_search_forward() is never called for a path with a
+lowest_level different from zero, just completely remove the partial
+support for a non-zero lowest_level, simplifying a bit the code, and
+assert that lowest_level is zero at the start of the function.
+
+Suggested-by: Qu Wenruo <wqu@suse.com>
+Fixes: 323ac95bce44 ("Btrfs: don't read leaf blocks containing only checksums during truncate")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Sun YangKai <sunk67188@gmail.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 18 +++++-------------
+ 1 file changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index a2e7979372cc..648531fe0900 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -4585,16 +4585,13 @@ int btrfs_del_items(struct btrfs_trans_handle *trans, struct btrfs_root *root,
+
+ /*
+ * A helper function to walk down the tree starting at min_key, and looking
+- * for nodes or leaves that are have a minimum transaction id.
++ * for leaves that have a minimum transaction id.
+ * This is used by the btree defrag code, and tree logging
+ *
+ * This does not cow, but it does stuff the starting key it finds back
+ * into min_key, so you can call btrfs_search_slot with cow=1 on the
+ * key and get a writable path.
+ *
+- * This honors path->lowest_level to prevent descent past a given level
+- * of the tree.
+- *
+ * min_trans indicates the oldest transaction that you are interested
+ * in walking through. Any nodes or leaves older than min_trans are
+ * skipped over (without reading them).
+@@ -4615,6 +4612,7 @@ int btrfs_search_forward(struct btrfs_root *root, struct btrfs_key *min_key,
+ int keep_locks = path->keep_locks;
+
+ ASSERT(!path->nowait);
++ ASSERT(path->lowest_level == 0);
+ path->keep_locks = 1;
+ again:
+ cur = btrfs_read_lock_root_node(root);
+@@ -4636,8 +4634,8 @@ int btrfs_search_forward(struct btrfs_root *root, struct btrfs_key *min_key,
+ goto out;
+ }
+
+- /* at the lowest level, we're done, setup the path and exit */
+- if (level == path->lowest_level) {
++ /* At level 0 we're done, setup the path and exit. */
++ if (level == 0) {
+ if (slot >= nritems)
+ goto find_next_key;
+ ret = 0;
+@@ -4678,12 +4676,6 @@ int btrfs_search_forward(struct btrfs_root *root, struct btrfs_key *min_key,
+ goto out;
+ }
+ }
+- if (level == path->lowest_level) {
+- ret = 0;
+- /* Save our key for returning back. */
+- btrfs_node_key_to_cpu(cur, min_key, slot);
+- goto out;
+- }
+ cur = btrfs_read_node_slot(cur, slot);
+ if (IS_ERR(cur)) {
+ ret = PTR_ERR(cur);
+@@ -4699,7 +4691,7 @@ int btrfs_search_forward(struct btrfs_root *root, struct btrfs_key *min_key,
+ out:
+ path->keep_locks = keep_locks;
+ if (ret == 0)
+- btrfs_unlock_up_safe(path, path->lowest_level + 1);
++ btrfs_unlock_up_safe(path, 1);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From f88d2a83ebab8d64de063d3d013bbda326e30c74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 17:50:19 +0800
+Subject: bus: mhi: host: pci_generic: Fix the modem name of Foxconn T99W640
+
+From: Slark Xiao <slark_xiao@163.com>
+
+[ Upstream commit ae5a34264354087aef38cdd07961827482a51c5a ]
+
+T99W640 was mistakenly mentioned as T99W515. T99W515 is a LGA device, not
+a M.2 modem device. So correct it's name to avoid name mismatch issue.
+
+Fixes: bf30a75e6e00 ("bus: mhi: host: Add support for Foxconn SDX72 modems")
+Signed-off-by: Slark Xiao <slark_xiao@163.com>
+[mani: commit message fixup]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Link: https://patch.msgid.link/20250606095019.383992-1-slark_xiao@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/mhi/host/pci_generic.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bus/mhi/host/pci_generic.c b/drivers/bus/mhi/host/pci_generic.c
+index 589cb6722316..92bd133e7c45 100644
+--- a/drivers/bus/mhi/host/pci_generic.c
++++ b/drivers/bus/mhi/host/pci_generic.c
+@@ -593,8 +593,8 @@ static const struct mhi_pci_dev_info mhi_foxconn_dw5932e_info = {
+ .sideband_wake = false,
+ };
+
+-static const struct mhi_pci_dev_info mhi_foxconn_t99w515_info = {
+- .name = "foxconn-t99w515",
++static const struct mhi_pci_dev_info mhi_foxconn_t99w640_info = {
++ .name = "foxconn-t99w640",
+ .edl = "qcom/sdx72m/foxconn/edl.mbn",
+ .edl_trigger = true,
+ .config = &modem_foxconn_sdx72_config,
+@@ -920,9 +920,9 @@ static const struct pci_device_id mhi_pci_id_table[] = {
+ /* DW5932e (sdx62), Non-eSIM */
+ { PCI_DEVICE(PCI_VENDOR_ID_FOXCONN, 0xe0f9),
+ .driver_data = (kernel_ulong_t) &mhi_foxconn_dw5932e_info },
+- /* T99W515 (sdx72) */
++ /* T99W640 (sdx72) */
+ { PCI_DEVICE(PCI_VENDOR_ID_FOXCONN, 0xe118),
+- .driver_data = (kernel_ulong_t) &mhi_foxconn_t99w515_info },
++ .driver_data = (kernel_ulong_t) &mhi_foxconn_t99w640_info },
+ /* DW5934e(sdx72), With eSIM */
+ { PCI_DEVICE(PCI_VENDOR_ID_FOXCONN, 0xe11d),
+ .driver_data = (kernel_ulong_t) &mhi_foxconn_dw5934e_info },
+--
+2.39.5
+
--- /dev/null
+From c0801a9cd637ed28af1fd4d1ba72b867905df14f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:22:39 +0200
+Subject: caif: reduce stack size, again
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b630c781bcf6ff87657146661816d0d30a902139 ]
+
+I tried to fix the stack usage in this function a couple of years ago,
+but there is still a problem with the latest gcc versions in some
+configurations:
+
+net/caif/cfctrl.c:553:1: error: the frame size of 1296 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
+
+Reduce this once again, with a separate cfctrl_link_setup() function that
+holds the bulk of all the local variables. It also turns out that the
+param[] array that takes up a large portion of the stack is write-only
+and can be left out here.
+
+Fixes: ce6289661b14 ("caif: reduce stack size with KASAN")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250620112244.3425554-1-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/cfctrl.c | 294 +++++++++++++++++++++++-----------------------
+ 1 file changed, 144 insertions(+), 150 deletions(-)
+
+diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
+index 20139fa1be1f..06b604cf9d58 100644
+--- a/net/caif/cfctrl.c
++++ b/net/caif/cfctrl.c
+@@ -351,17 +351,154 @@ int cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
+ return found;
+ }
+
++static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp)
++{
++ u8 len;
++ u8 linkid = 0;
++ enum cfctrl_srv serv;
++ enum cfctrl_srv servtype;
++ u8 endpoint;
++ u8 physlinkid;
++ u8 prio;
++ u8 tmp;
++ u8 *cp;
++ int i;
++ struct cfctrl_link_param linkparam;
++ struct cfctrl_request_info rsp, *req;
++
++ memset(&linkparam, 0, sizeof(linkparam));
++
++ tmp = cfpkt_extr_head_u8(pkt);
++
++ serv = tmp & CFCTRL_SRV_MASK;
++ linkparam.linktype = serv;
++
++ servtype = tmp >> 4;
++ linkparam.chtype = servtype;
++
++ tmp = cfpkt_extr_head_u8(pkt);
++ physlinkid = tmp & 0x07;
++ prio = tmp >> 3;
++
++ linkparam.priority = prio;
++ linkparam.phyid = physlinkid;
++ endpoint = cfpkt_extr_head_u8(pkt);
++ linkparam.endpoint = endpoint & 0x03;
++
++ switch (serv) {
++ case CFCTRL_SRV_VEI:
++ case CFCTRL_SRV_DBG:
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++ break;
++ case CFCTRL_SRV_VIDEO:
++ tmp = cfpkt_extr_head_u8(pkt);
++ linkparam.u.video.connid = tmp;
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++ break;
++
++ case CFCTRL_SRV_DATAGRAM:
++ linkparam.u.datagram.connid = cfpkt_extr_head_u32(pkt);
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++ break;
++ case CFCTRL_SRV_RFM:
++ /* Construct a frame, convert
++ * DatagramConnectionID
++ * to network format long and copy it out...
++ */
++ linkparam.u.rfm.connid = cfpkt_extr_head_u32(pkt);
++ cp = (u8 *) linkparam.u.rfm.volume;
++ for (tmp = cfpkt_extr_head_u8(pkt);
++ cfpkt_more(pkt) && tmp != '\0';
++ tmp = cfpkt_extr_head_u8(pkt))
++ *cp++ = tmp;
++ *cp = '\0';
++
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++
++ break;
++ case CFCTRL_SRV_UTIL:
++ /* Construct a frame, convert
++ * DatagramConnectionID
++ * to network format long and copy it out...
++ */
++ /* Fifosize KB */
++ linkparam.u.utility.fifosize_kb = cfpkt_extr_head_u16(pkt);
++ /* Fifosize bufs */
++ linkparam.u.utility.fifosize_bufs = cfpkt_extr_head_u16(pkt);
++ /* name */
++ cp = (u8 *) linkparam.u.utility.name;
++ caif_assert(sizeof(linkparam.u.utility.name)
++ >= UTILITY_NAME_LENGTH);
++ for (i = 0; i < UTILITY_NAME_LENGTH && cfpkt_more(pkt); i++) {
++ tmp = cfpkt_extr_head_u8(pkt);
++ *cp++ = tmp;
++ }
++ /* Length */
++ len = cfpkt_extr_head_u8(pkt);
++ linkparam.u.utility.paramlen = len;
++ /* Param Data */
++ cp = linkparam.u.utility.params;
++ while (cfpkt_more(pkt) && len--) {
++ tmp = cfpkt_extr_head_u8(pkt);
++ *cp++ = tmp;
++ }
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++ /* Length */
++ len = cfpkt_extr_head_u8(pkt);
++ /* Param Data */
++ cfpkt_extr_head(pkt, NULL, len);
++ break;
++ default:
++ pr_warn("Request setup, invalid type (%d)\n", serv);
++ return -1;
++ }
++
++ rsp.cmd = CFCTRL_CMD_LINK_SETUP;
++ rsp.param = linkparam;
++ spin_lock_bh(&cfctrl->info_list_lock);
++ req = cfctrl_remove_req(cfctrl, &rsp);
++
++ if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
++ cfpkt_erroneous(pkt)) {
++ pr_err("Invalid O/E bit or parse error "
++ "on CAIF control channel\n");
++ cfctrl->res.reject_rsp(cfctrl->serv.layer.up, 0,
++ req ? req->client_layer : NULL);
++ } else {
++ cfctrl->res.linksetup_rsp(cfctrl->serv.layer.up, linkid,
++ serv, physlinkid,
++ req ? req->client_layer : NULL);
++ }
++
++ kfree(req);
++
++ spin_unlock_bh(&cfctrl->info_list_lock);
++
++ return 0;
++}
++
+ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
+ {
+ u8 cmdrsp;
+ u8 cmd;
+- int ret = -1;
+- u8 len;
+- u8 param[255];
++ int ret = 0;
+ u8 linkid = 0;
+ struct cfctrl *cfctrl = container_obj(layer);
+- struct cfctrl_request_info rsp, *req;
+-
+
+ cmdrsp = cfpkt_extr_head_u8(pkt);
+ cmd = cmdrsp & CFCTRL_CMD_MASK;
+@@ -374,150 +511,7 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
+
+ switch (cmd) {
+ case CFCTRL_CMD_LINK_SETUP:
+- {
+- enum cfctrl_srv serv;
+- enum cfctrl_srv servtype;
+- u8 endpoint;
+- u8 physlinkid;
+- u8 prio;
+- u8 tmp;
+- u8 *cp;
+- int i;
+- struct cfctrl_link_param linkparam;
+- memset(&linkparam, 0, sizeof(linkparam));
+-
+- tmp = cfpkt_extr_head_u8(pkt);
+-
+- serv = tmp & CFCTRL_SRV_MASK;
+- linkparam.linktype = serv;
+-
+- servtype = tmp >> 4;
+- linkparam.chtype = servtype;
+-
+- tmp = cfpkt_extr_head_u8(pkt);
+- physlinkid = tmp & 0x07;
+- prio = tmp >> 3;
+-
+- linkparam.priority = prio;
+- linkparam.phyid = physlinkid;
+- endpoint = cfpkt_extr_head_u8(pkt);
+- linkparam.endpoint = endpoint & 0x03;
+-
+- switch (serv) {
+- case CFCTRL_SRV_VEI:
+- case CFCTRL_SRV_DBG:
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+- break;
+- case CFCTRL_SRV_VIDEO:
+- tmp = cfpkt_extr_head_u8(pkt);
+- linkparam.u.video.connid = tmp;
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+- break;
+-
+- case CFCTRL_SRV_DATAGRAM:
+- linkparam.u.datagram.connid =
+- cfpkt_extr_head_u32(pkt);
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+- break;
+- case CFCTRL_SRV_RFM:
+- /* Construct a frame, convert
+- * DatagramConnectionID
+- * to network format long and copy it out...
+- */
+- linkparam.u.rfm.connid =
+- cfpkt_extr_head_u32(pkt);
+- cp = (u8 *) linkparam.u.rfm.volume;
+- for (tmp = cfpkt_extr_head_u8(pkt);
+- cfpkt_more(pkt) && tmp != '\0';
+- tmp = cfpkt_extr_head_u8(pkt))
+- *cp++ = tmp;
+- *cp = '\0';
+-
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+-
+- break;
+- case CFCTRL_SRV_UTIL:
+- /* Construct a frame, convert
+- * DatagramConnectionID
+- * to network format long and copy it out...
+- */
+- /* Fifosize KB */
+- linkparam.u.utility.fifosize_kb =
+- cfpkt_extr_head_u16(pkt);
+- /* Fifosize bufs */
+- linkparam.u.utility.fifosize_bufs =
+- cfpkt_extr_head_u16(pkt);
+- /* name */
+- cp = (u8 *) linkparam.u.utility.name;
+- caif_assert(sizeof(linkparam.u.utility.name)
+- >= UTILITY_NAME_LENGTH);
+- for (i = 0;
+- i < UTILITY_NAME_LENGTH
+- && cfpkt_more(pkt); i++) {
+- tmp = cfpkt_extr_head_u8(pkt);
+- *cp++ = tmp;
+- }
+- /* Length */
+- len = cfpkt_extr_head_u8(pkt);
+- linkparam.u.utility.paramlen = len;
+- /* Param Data */
+- cp = linkparam.u.utility.params;
+- while (cfpkt_more(pkt) && len--) {
+- tmp = cfpkt_extr_head_u8(pkt);
+- *cp++ = tmp;
+- }
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+- /* Length */
+- len = cfpkt_extr_head_u8(pkt);
+- /* Param Data */
+- cfpkt_extr_head(pkt, ¶m, len);
+- break;
+- default:
+- pr_warn("Request setup, invalid type (%d)\n",
+- serv);
+- goto error;
+- }
+-
+- rsp.cmd = cmd;
+- rsp.param = linkparam;
+- spin_lock_bh(&cfctrl->info_list_lock);
+- req = cfctrl_remove_req(cfctrl, &rsp);
+-
+- if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
+- cfpkt_erroneous(pkt)) {
+- pr_err("Invalid O/E bit or parse error "
+- "on CAIF control channel\n");
+- cfctrl->res.reject_rsp(cfctrl->serv.layer.up,
+- 0,
+- req ? req->client_layer
+- : NULL);
+- } else {
+- cfctrl->res.linksetup_rsp(cfctrl->serv.
+- layer.up, linkid,
+- serv, physlinkid,
+- req ? req->
+- client_layer : NULL);
+- }
+-
+- kfree(req);
+-
+- spin_unlock_bh(&cfctrl->info_list_lock);
+- }
++ ret = cfctrl_link_setup(cfctrl, pkt, cmdrsp);
+ break;
+ case CFCTRL_CMD_LINK_DESTROY:
+ linkid = cfpkt_extr_head_u8(pkt);
+@@ -544,9 +538,9 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
+ break;
+ default:
+ pr_err("Unrecognized Control Frame\n");
++ ret = -1;
+ goto error;
+ }
+- ret = 0;
+ error:
+ cfpkt_destroy(pkt);
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 155a9aa5cdb5de3647e1bad17e95603732388f16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:32:25 +0200
+Subject: can: kvaser_pciefd: Store device channel index
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit d54b16b40ddadb7d0a77fff48af7b319a0cd6aae ]
+
+Store device channel index in netdev.dev_port.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://patch.msgid.link/20250725123230.8-6-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/kvaser_pciefd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c
+index 09510663988c..dc748797416e 100644
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -982,6 +982,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie)
+ can->completed_tx_bytes = 0;
+ can->bec.txerr = 0;
+ can->bec.rxerr = 0;
++ can->can.dev->dev_port = i;
+
+ init_completion(&can->start_comp);
+ init_completion(&can->flush_comp);
+--
+2.39.5
+
--- /dev/null
+From fa84fc2262883d804030b89272ea2153639985be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:34:44 +0200
+Subject: can: kvaser_usb: Assign netdev.dev_port based on device channel index
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit c151b06a087a61c7a1790b75ee2f1d6edb6a8a45 ]
+
+Assign netdev.dev_port based on the device channel index, to indicate the
+port number of the network device.
+While this driver already uses netdev.dev_id for that purpose, dev_port is
+more appropriate. However, retain dev_id to avoid potential regressions.
+
+Fixes: 3e66d0138c05 ("can: populate netdev::dev_id for udev discrimination")
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://patch.msgid.link/20250725123452.41-4-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+index daf42080f942..e863a9b0e303 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -852,6 +852,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
+ netdev->ethtool_ops = &kvaser_usb_ethtool_ops;
+ SET_NETDEV_DEV(netdev, &dev->intf->dev);
+ netdev->dev_id = channel;
++ netdev->dev_port = channel;
+
+ dev->nets[channel] = priv;
+
+--
+2.39.5
+
--- /dev/null
+From 2c88b2782d7c45c142b280ed8baa34952ad39b9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 10:13:19 +0200
+Subject: can: peak_usb: fix USB FD devices potential malfunction
+
+From: Stephane Grosjean <stephane.grosjean@hms-networks.com>
+
+[ Upstream commit 788199b73b6efe4ee2ade4d7457b50bb45493488 ]
+
+The latest firmware versions of USB CAN FD interfaces export the EP numbers
+to be used to dialog with the device via the "type" field of a response to
+a vendor request structure, particularly when its value is greater than or
+equal to 2.
+
+Correct the driver's test of this field.
+
+Fixes: 4f232482467a ("can: peak_usb: include support for a new MCU")
+Signed-off-by: Stephane Grosjean <stephane.grosjean@hms-networks.com>
+Link: https://patch.msgid.link/20250724081550.11694-1-stephane.grosjean@free.fr
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+[mkl: rephrase commit message]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+index 4d85b29a17b7..ebefc274b50a 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -49,7 +49,7 @@ struct __packed pcan_ufd_fw_info {
+ __le32 ser_no; /* S/N */
+ __le32 flags; /* special functions */
+
+- /* extended data when type == PCAN_USBFD_TYPE_EXT */
++ /* extended data when type >= PCAN_USBFD_TYPE_EXT */
+ u8 cmd_out_ep; /* ep for cmd */
+ u8 cmd_in_ep; /* ep for replies */
+ u8 data_out_ep[2]; /* ep for CANx TX */
+@@ -982,10 +982,11 @@ static int pcan_usb_fd_init(struct peak_usb_device *dev)
+ dev->can.ctrlmode |= CAN_CTRLMODE_FD_NON_ISO;
+ }
+
+- /* if vendor rsp is of type 2, then it contains EP numbers to
+- * use for cmds pipes. If not, then default EP should be used.
++ /* if vendor rsp type is greater than or equal to 2, then it
++ * contains EP numbers to use for cmds pipes. If not, then
++ * default EP should be used.
+ */
+- if (fw_info->type != cpu_to_le16(PCAN_USBFD_TYPE_EXT)) {
++ if (le16_to_cpu(fw_info->type) < PCAN_USBFD_TYPE_EXT) {
+ fw_info->cmd_out_ep = PCAN_USBPRO_EP_CMDOUT;
+ fw_info->cmd_in_ep = PCAN_USBPRO_EP_CMDIN;
+ }
+@@ -1018,11 +1019,11 @@ static int pcan_usb_fd_init(struct peak_usb_device *dev)
+ dev->can_channel_id =
+ le32_to_cpu(pdev->usb_if->fw_info.dev_id[dev->ctrl_idx]);
+
+- /* if vendor rsp is of type 2, then it contains EP numbers to
+- * use for data pipes. If not, then statically defined EP are used
+- * (see peak_usb_create_dev()).
++ /* if vendor rsp type is greater than or equal to 2, then it contains EP
++ * numbers to use for data pipes. If not, then statically defined EP are
++ * used (see peak_usb_create_dev()).
+ */
+- if (fw_info->type == cpu_to_le16(PCAN_USBFD_TYPE_EXT)) {
++ if (le16_to_cpu(fw_info->type) >= PCAN_USBFD_TYPE_EXT) {
+ dev->ep_msg_in = fw_info->data_in_ep;
+ dev->ep_msg_out = fw_info->data_out_ep[dev->ctrl_idx];
+ }
+--
+2.39.5
+
--- /dev/null
+From 4d4d9b7c98bc73093946495b4400bd6ca5728a32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jul 2025 17:28:23 -0700
+Subject: can: tscan1: CAN_TSCAN1 can depend on PC104
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b7d012e59627c1d1bb2ad5d71efc69a070ef767d ]
+
+Add a dependency on PC104 to limit (restrict) this driver kconfig
+prompt to kernel configs that have PC104 set.
+
+Add COMPILE_TEST as a possibility for more complete build coverage.
+I tested this build config on x86_64 5 times without problems.
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20250721002823.3548945-1-rdunlap@infradead.org
+[mkl: fix conflict, remove Fixes: tag]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/sja1000/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/sja1000/Kconfig b/drivers/net/can/sja1000/Kconfig
+index ba16d7bc09ef..e061e35769bf 100644
+--- a/drivers/net/can/sja1000/Kconfig
++++ b/drivers/net/can/sja1000/Kconfig
+@@ -105,7 +105,7 @@ config CAN_SJA1000_PLATFORM
+
+ config CAN_TSCAN1
+ tristate "TS-CAN1 PC104 boards"
+- depends on ISA || (COMPILE_TEST && HAS_IOPORT)
++ depends on (ISA && PC104) || (COMPILE_TEST && HAS_IOPORT)
+ help
+ This driver is for Technologic Systems' TSCAN-1 PC104 boards.
+ https://www.embeddedts.com/products/TS-CAN1
+--
+2.39.5
+
--- /dev/null
+From 2b03f7cbc49d0f5dbdd235be395e97ba4d7261c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 20:28:13 +0900
+Subject: can: tscan1: Kconfig: add COMPILE_TEST
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 5323af351e7524497930b7793153ff68ee5c0ec1 ]
+
+tscan1 depends on ISA. It also has a hidden dependency on HAS_IOPORT
+as reported by the kernel test bot [1]. That dependency is implied by
+ISA which explains why this was not an issue so far.
+
+Add both COMPILE_TEST and HAS_IOPORT to the dependency list so that
+this driver can also be built on other platforms.
+
+[1] https://lore.kernel.org/linux-can/202507141417.qAMrchyV-lkp@intel.com/
+
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20250715-can-compile-test-v2-3-f7fd566db86f@wanadoo.fr
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Stable-dep-of: b7d012e59627 ("can: tscan1: CAN_TSCAN1 can depend on PC104")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/sja1000/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/sja1000/Kconfig b/drivers/net/can/sja1000/Kconfig
+index 2f516cc6d22c..ba16d7bc09ef 100644
+--- a/drivers/net/can/sja1000/Kconfig
++++ b/drivers/net/can/sja1000/Kconfig
+@@ -105,7 +105,7 @@ config CAN_SJA1000_PLATFORM
+
+ config CAN_TSCAN1
+ tristate "TS-CAN1 PC104 boards"
+- depends on ISA
++ depends on ISA || (COMPILE_TEST && HAS_IOPORT)
+ help
+ This driver is for Technologic Systems' TSCAN-1 PC104 boards.
+ https://www.embeddedts.com/products/TS-CAN1
+--
+2.39.5
+
--- /dev/null
+From 467a57daf75e0f123faf0624acadf3a2f63b867c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2025 17:57:17 -0500
+Subject: [ceph] parse_longname(): strrchr() expects NUL-terminated string
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 101841c38346f4ca41dc1802c867da990ffb32eb ]
+
+... and parse_longname() is not guaranteed that. That's the reason
+why it uses kmemdup_nul() to build the argument for kstrtou64();
+the problem is, kstrtou64() is not the only thing that need it.
+
+Just get a NUL-terminated copy of the entire thing and be done
+with that...
+
+Fixes: dd66df0053ef "ceph: add support for encrypted snapshot names"
+Tested-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/crypto.c | 31 ++++++++++++-------------------
+ 1 file changed, 12 insertions(+), 19 deletions(-)
+
+diff --git a/fs/ceph/crypto.c b/fs/ceph/crypto.c
+index 3b3c4d8d401e..9c7062245880 100644
+--- a/fs/ceph/crypto.c
++++ b/fs/ceph/crypto.c
+@@ -215,35 +215,31 @@ static struct inode *parse_longname(const struct inode *parent,
+ struct ceph_client *cl = ceph_inode_to_client(parent);
+ struct inode *dir = NULL;
+ struct ceph_vino vino = { .snap = CEPH_NOSNAP };
+- char *inode_number;
+- char *name_end;
+- int orig_len = *name_len;
++ char *name_end, *inode_number;
+ int ret = -EIO;
+-
++ /* NUL-terminate */
++ char *str __free(kfree) = kmemdup_nul(name, *name_len, GFP_KERNEL);
++ if (!str)
++ return ERR_PTR(-ENOMEM);
+ /* Skip initial '_' */
+- name++;
+- name_end = strrchr(name, '_');
++ str++;
++ name_end = strrchr(str, '_');
+ if (!name_end) {
+- doutc(cl, "failed to parse long snapshot name: %s\n", name);
++ doutc(cl, "failed to parse long snapshot name: %s\n", str);
+ return ERR_PTR(-EIO);
+ }
+- *name_len = (name_end - name);
++ *name_len = (name_end - str);
+ if (*name_len <= 0) {
+ pr_err_client(cl, "failed to parse long snapshot name\n");
+ return ERR_PTR(-EIO);
+ }
+
+ /* Get the inode number */
+- inode_number = kmemdup_nul(name_end + 1,
+- orig_len - *name_len - 2,
+- GFP_KERNEL);
+- if (!inode_number)
+- return ERR_PTR(-ENOMEM);
++ inode_number = name_end + 1;
+ ret = kstrtou64(inode_number, 10, &vino.ino);
+ if (ret) {
+- doutc(cl, "failed to parse inode number: %s\n", name);
+- dir = ERR_PTR(ret);
+- goto out;
++ doutc(cl, "failed to parse inode number: %s\n", str);
++ return ERR_PTR(ret);
+ }
+
+ /* And finally the inode */
+@@ -254,9 +250,6 @@ static struct inode *parse_longname(const struct inode *parent,
+ if (IS_ERR(dir))
+ doutc(cl, "can't find inode %s (%s)\n", inode_number, name);
+ }
+-
+-out:
+- kfree(inode_number);
+ return dir;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From f7ef983f527cd7233764a7c42d978a58147f7a1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 11:18:54 +0200
+Subject: cgroup: Add compatibility option for content of /proc/cgroups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný <mkoutny@suse.com>
+
+[ Upstream commit 646faf36d7271c597497ca547a59912fcab49be9 ]
+
+/proc/cgroups lists only v1 controllers by default, however, this is
+only enforced since the commit af000ce85293b ("cgroup: Do not report
+unavailable v1 controllers in /proc/cgroups") and there is software in
+the wild that uses content of /proc/cgroups to decide on availability of
+v2 (sic) controllers.
+
+Add a boottime param that can bring back the previous behavior for
+setups where the check in the software cannot be changed and it causes
+e.g. unintended OOMs.
+
+Also, this patch takes out cgrp_v1_visible from cgroup1_subsys_absent()
+guard since it's only important to check which hierarchy (v1 vs v2) the
+subsys is attached to. This has no effect on the printed message but
+the code is cleaner since cgrp_v1_visible is really about mounted
+hierarchies, not the content of /proc/cgroups.
+
+Link: https://lore.kernel.org/r/b26b60b7d0d2a5ecfd2f3c45f95f32922ed24686.camel@decadent.org.uk
+Fixes: af000ce85293b ("cgroup: Do not report unavailable v1 controllers in /proc/cgroups")
+Fixes: a0ab1453226d8 ("cgroup: Print message when /proc/cgroups is read on v2-only system")
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 8 ++++++++
+ kernel/cgroup/cgroup-v1.c | 14 ++++++++++++--
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index 07e22ba5bfe3..f6d317e1674d 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -633,6 +633,14 @@
+ named mounts. Specifying both "all" and "named" disables
+ all v1 hierarchies.
+
++ cgroup_v1_proc= [KNL] Show also missing controllers in /proc/cgroups
++ Format: { "true" | "false" }
++ /proc/cgroups lists only v1 controllers by default.
++ This compatibility option enables listing also v2
++ controllers (whose v1 code is not compiled!), so that
++ semi-legacy software can check this file to decide
++ about usage of v2 (sic) controllers.
++
+ cgroup_favordynmods= [KNL] Enable or Disable favordynmods.
+ Format: { "true" | "false" }
+ Defaults to the value of CONFIG_CGROUP_FAVOR_DYNMODS.
+diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
+index fa24c032ed6f..2a4a387f867a 100644
+--- a/kernel/cgroup/cgroup-v1.c
++++ b/kernel/cgroup/cgroup-v1.c
+@@ -32,6 +32,9 @@ static u16 cgroup_no_v1_mask;
+ /* disable named v1 mounts */
+ static bool cgroup_no_v1_named;
+
++/* Show unavailable controllers in /proc/cgroups */
++static bool proc_show_all;
++
+ /*
+ * pidlist destructions need to be flushed on cgroup destruction. Use a
+ * separate workqueue as flush domain.
+@@ -683,10 +686,11 @@ int proc_cgroupstats_show(struct seq_file *m, void *v)
+ */
+
+ for_each_subsys(ss, i) {
+- if (cgroup1_subsys_absent(ss))
+- continue;
+ cgrp_v1_visible |= ss->root != &cgrp_dfl_root;
+
++ if (!proc_show_all && cgroup1_subsys_absent(ss))
++ continue;
++
+ seq_printf(m, "%s\t%d\t%d\t%d\n",
+ ss->legacy_name, ss->root->hierarchy_id,
+ atomic_read(&ss->root->nr_cgrps),
+@@ -1359,3 +1363,9 @@ static int __init cgroup_no_v1(char *str)
+ return 1;
+ }
+ __setup("cgroup_no_v1=", cgroup_no_v1);
++
++static int __init cgroup_v1_proc(char *str)
++{
++ return (kstrtobool(str, &proc_show_all) == 0);
++}
++__setup("cgroup_v1_proc=", cgroup_v1_proc);
+--
+2.39.5
+
--- /dev/null
+From 696263b520a188f19e5c9c4c9bc0070d1098b1d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 15:05:12 +0530
+Subject: clk: at91: sam9x7: update pll clk ranges
+
+From: Varshini Rajendran <varshini.rajendran@microchip.com>
+
+[ Upstream commit c7f7ddbd27d55fa552a7269b7bae539adc2a3d46 ]
+
+Update the min, max ranges of the PLL clocks according to the latest
+datasheet to be coherent in the driver. This patch solves the issues in
+configuring the clocks related to peripherals with the desired frequency
+within the range.
+
+Fixes: 33013b43e271 ("clk: at91: sam9x7: add sam9x7 pmc driver")
+Suggested-by: Patrice Vilchez <Patrice.Vilchez@microchip.com>
+Signed-off-by: Varshini Rajendran <varshini.rajendran@microchip.com>
+Link: https://lore.kernel.org/r/20250714093512.29944-1-varshini.rajendran@microchip.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/sam9x7.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/clk/at91/sam9x7.c b/drivers/clk/at91/sam9x7.c
+index cbb8b220f16b..ffab32b047a0 100644
+--- a/drivers/clk/at91/sam9x7.c
++++ b/drivers/clk/at91/sam9x7.c
+@@ -61,44 +61,44 @@ static const struct clk_master_layout sam9x7_master_layout = {
+
+ /* Fractional PLL core output range. */
+ static const struct clk_range plla_core_outputs[] = {
+- { .min = 375000000, .max = 1600000000 },
++ { .min = 800000000, .max = 1600000000 },
+ };
+
+ static const struct clk_range upll_core_outputs[] = {
+- { .min = 600000000, .max = 1200000000 },
++ { .min = 600000000, .max = 960000000 },
+ };
+
+ static const struct clk_range lvdspll_core_outputs[] = {
+- { .min = 400000000, .max = 800000000 },
++ { .min = 600000000, .max = 1200000000 },
+ };
+
+ static const struct clk_range audiopll_core_outputs[] = {
+- { .min = 400000000, .max = 800000000 },
++ { .min = 600000000, .max = 1200000000 },
+ };
+
+ static const struct clk_range plladiv2_core_outputs[] = {
+- { .min = 375000000, .max = 1600000000 },
++ { .min = 800000000, .max = 1600000000 },
+ };
+
+ /* Fractional PLL output range. */
+ static const struct clk_range plla_outputs[] = {
+- { .min = 732421, .max = 800000000 },
++ { .min = 400000000, .max = 800000000 },
+ };
+
+ static const struct clk_range upll_outputs[] = {
+- { .min = 300000000, .max = 600000000 },
++ { .min = 300000000, .max = 480000000 },
+ };
+
+ static const struct clk_range lvdspll_outputs[] = {
+- { .min = 10000000, .max = 800000000 },
++ { .min = 175000000, .max = 550000000 },
+ };
+
+ static const struct clk_range audiopll_outputs[] = {
+- { .min = 10000000, .max = 800000000 },
++ { .min = 0, .max = 300000000 },
+ };
+
+ static const struct clk_range plladiv2_outputs[] = {
+- { .min = 366210, .max = 400000000 },
++ { .min = 200000000, .max = 400000000 },
+ };
+
+ /* PLL characteristics. */
+--
+2.39.5
+
--- /dev/null
+From 746db7ccd173f992f9e93c425b3137f18789ea48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 16:41:06 +0100
+Subject: clk: clk-axi-clkgen: fix fpfd_max frequency for zynq
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+[ Upstream commit ce8a9096699500e2c5bca09dde27b16edda5f636 ]
+
+The fpfd_max frequency should be set to 450 MHz instead of 300 MHz.
+Well, it actually depends on the platform speed grade but we are being
+conservative for ultrascale so let's be consistent. In a following
+change we will set these limits at runtime.
+
+Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20250519-dev-axi-clkgen-limits-v6-1-bc4b3b61d1d4@analog.com
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-axi-clkgen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/clk-axi-clkgen.c b/drivers/clk/clk-axi-clkgen.c
+index 934e53a96ddd..00bf799964c6 100644
+--- a/drivers/clk/clk-axi-clkgen.c
++++ b/drivers/clk/clk-axi-clkgen.c
+@@ -118,7 +118,7 @@ static const struct axi_clkgen_limits axi_clkgen_zynqmp_default_limits = {
+
+ static const struct axi_clkgen_limits axi_clkgen_zynq_default_limits = {
+ .fpfd_min = 10000,
+- .fpfd_max = 300000,
++ .fpfd_max = 450000,
+ .fvco_min = 600000,
+ .fvco_max = 1200000,
+ };
+--
+2.39.5
+
--- /dev/null
+From 896b690f9f3c0edf483e1ddceff93ab365804255 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 11:11:14 +0530
+Subject: clk: clocking-wizard: Fix the round rate handling for versal
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+
+[ Upstream commit 7f5e9ca0a424af44a708bb4727624d56f83ecffa ]
+
+Fix the `clk_round_rate` implementation for Versal platforms by calling
+the Versal-specific divider calculation helper. The existing code used
+the generic divider routine, which results in incorrect round rate.
+
+Fixes: 7681f64e6404 ("clk: clocking-wizard: calculate dividers fractional parts")
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+Link: https://lore.kernel.org/r/20250625054114.28273-1-shubhrajyoti.datta@amd.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/xilinx/clk-xlnx-clock-wizard.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/xilinx/clk-xlnx-clock-wizard.c b/drivers/clk/xilinx/clk-xlnx-clock-wizard.c
+index bbf7714480e7..0295a13a811c 100644
+--- a/drivers/clk/xilinx/clk-xlnx-clock-wizard.c
++++ b/drivers/clk/xilinx/clk-xlnx-clock-wizard.c
+@@ -669,7 +669,7 @@ static long clk_wzrd_ver_round_rate_all(struct clk_hw *hw, unsigned long rate,
+ u32 m, d, o, div, f;
+ int err;
+
+- err = clk_wzrd_get_divisors(hw, rate, *prate);
++ err = clk_wzrd_get_divisors_ver(hw, rate, *prate);
+ if (err)
+ return err;
+
+--
+2.39.5
+
--- /dev/null
+From 5a52c44d24615f34203af07ac6a3d697a75828be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 21:13:41 +0800
+Subject: clk: davinci: Add NULL check in davinci_lpsc_clk_register()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 13de464f445d42738fe18c9a28bab056ba3a290a ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+davinci_lpsc_clk_register() does not check for this case, which results
+in a NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue and ensuring
+no resources are left allocated.
+
+Fixes: c6ed4d734bc7 ("clk: davinci: New driver for davinci PSC clocks")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://lore.kernel.org/r/20250401131341.26800-1-bsdhenrymartin@gmail.com
+Reviewed-by: David Lechner <david@lechnology.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/davinci/psc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/clk/davinci/psc.c b/drivers/clk/davinci/psc.c
+index b48322176c21..f3ee9397bb0c 100644
+--- a/drivers/clk/davinci/psc.c
++++ b/drivers/clk/davinci/psc.c
+@@ -277,6 +277,11 @@ davinci_lpsc_clk_register(struct device *dev, const char *name,
+
+ lpsc->pm_domain.name = devm_kasprintf(dev, GFP_KERNEL, "%s: %s",
+ best_dev_name(dev), name);
++ if (!lpsc->pm_domain.name) {
++ clk_hw_unregister(&lpsc->hw);
++ kfree(lpsc);
++ return ERR_PTR(-ENOMEM);
++ }
+ lpsc->pm_domain.attach_dev = davinci_psc_genpd_attach_dev;
+ lpsc->pm_domain.detach_dev = davinci_psc_genpd_detach_dev;
+ lpsc->pm_domain.flags = GENPD_FLAG_PM_CLK;
+--
+2.39.5
+
--- /dev/null
+From 85dc54181a592fc8a680c4c31d953756c8e84dc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 10:24:38 +0800
+Subject: clk: imx95-blk-ctl: Fix synchronous abort
+
+From: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
+
+[ Upstream commit b08217a257215ed9130fce93d35feba66b49bf0a ]
+
+When enabling runtime PM for clock suppliers that also belong to a power
+domain, the following crash is thrown:
+error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP
+Workqueue: events_unbound deferred_probe_work_func
+pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : clk_mux_get_parent+0x60/0x90
+lr : clk_core_reparent_orphans_nolock+0x58/0xd8
+ Call trace:
+ clk_mux_get_parent+0x60/0x90
+ clk_core_reparent_orphans_nolock+0x58/0xd8
+ of_clk_add_hw_provider.part.0+0x90/0x100
+ of_clk_add_hw_provider+0x1c/0x38
+ imx95_bc_probe+0x2e0/0x3f0
+ platform_probe+0x70/0xd8
+
+Enabling runtime PM without explicitly resuming the device caused
+the power domain cut off after clk_register() is called. As a result,
+a crash happens when the clock hardware provider is added and attempts
+to access the BLK_CTL register.
+
+Fix this by using devm_pm_runtime_enable() instead of pm_runtime_enable()
+and getting rid of the pm_runtime_disable() in the cleanup path.
+
+Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver")
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/20250707-imx95-blk-ctl-7-1-v3-2-c1b676ec13be@nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx95-blk-ctl.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c
+index cc2ee2be1819..86bdcd217531 100644
+--- a/drivers/clk/imx/clk-imx95-blk-ctl.c
++++ b/drivers/clk/imx/clk-imx95-blk-ctl.c
+@@ -342,8 +342,10 @@ static int imx95_bc_probe(struct platform_device *pdev)
+ if (!clk_hw_data)
+ return -ENOMEM;
+
+- if (bc_data->rpm_enabled)
+- pm_runtime_enable(&pdev->dev);
++ if (bc_data->rpm_enabled) {
++ devm_pm_runtime_enable(&pdev->dev);
++ pm_runtime_resume_and_get(&pdev->dev);
++ }
+
+ clk_hw_data->num = bc_data->num_clks;
+ hws = clk_hw_data->hws;
+@@ -383,8 +385,10 @@ static int imx95_bc_probe(struct platform_device *pdev)
+ goto cleanup;
+ }
+
+- if (pm_runtime_enabled(bc->dev))
++ if (pm_runtime_enabled(bc->dev)) {
++ pm_runtime_put_sync(&pdev->dev);
+ clk_disable_unprepare(bc->clk_apb);
++ }
+
+ return 0;
+
+@@ -395,9 +399,6 @@ static int imx95_bc_probe(struct platform_device *pdev)
+ clk_hw_unregister(hws[i]);
+ }
+
+- if (bc_data->rpm_enabled)
+- pm_runtime_disable(&pdev->dev);
+-
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 282087522e842d07952131e4fcf5454b7e3b5261 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 15:03:41 +0100
+Subject: clk: renesas: rzv2h: Fix missing CLK_SET_RATE_PARENT flag for ddiv
+ clocks
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 715676d8418062f54d746451294ccce9786c1734 ]
+
+Commit bc4d25fdfadf ("clk: renesas: rzv2h: Add support for dynamic
+switching divider clocks") missed setting the `CLK_SET_RATE_PARENT`
+flag when registering ddiv clocks.
+
+Without this flag, rate changes to the divider clock do not propagate
+to its parent, potentially resulting in incorrect clock configurations.
+
+Fix this by setting `CLK_SET_RATE_PARENT` in the clock init data.
+
+Fixes: bc4d25fdfadfa ("clk: renesas: rzv2h: Add support for dynamic switching divider clocks")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/20250609140341.235919-1-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/rzv2h-cpg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/renesas/rzv2h-cpg.c b/drivers/clk/renesas/rzv2h-cpg.c
+index bcc496e8cbcd..fb39e6446b26 100644
+--- a/drivers/clk/renesas/rzv2h-cpg.c
++++ b/drivers/clk/renesas/rzv2h-cpg.c
+@@ -381,6 +381,7 @@ rzv2h_cpg_ddiv_clk_register(const struct cpg_core_clk *core,
+ init.ops = &rzv2h_ddiv_clk_divider_ops;
+ init.parent_names = &parent_name;
+ init.num_parents = 1;
++ init.flags = CLK_SET_RATE_PARENT;
+
+ ddiv->priv = priv;
+ ddiv->mon = cfg_ddiv.monbit;
+--
+2.39.5
+
--- /dev/null
+From f9cc31ecd19fc4d47b2ddd4adf3452db57945cf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 10:59:56 +0530
+Subject: clk: spacemit: ccu_pll: fix error return value in recalc_rate
+ callback
+
+From: Akhilesh Patil <akhilesh@ee.iitb.ac.in>
+
+[ Upstream commit c60b95389d0206a3a3c087c09113315e7084be3f ]
+
+Return 0 instead of -EINVAL if function ccu_pll_recalc_rate() fails to
+get correct rate entry. Follow .recalc_rate callback documentation
+as mentioned in include/linux/clk-provider.h for error return value.
+
+Signed-off-by: Akhilesh Patil <akhilesh@ee.iitb.ac.in>
+Fixes: 1b72c59db0add ("clk: spacemit: Add clock support for SpacemiT K1 SoC")
+Reviewed-by: Haylen Chu <heylenay@4d2.org>
+Reviewed-by: Alex Elder <elder@riscstar.com>
+Link: https://lore.kernel.org/r/aIBzVClNQOBrjIFG@bhairav-test.ee.iitb.ac.in
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/spacemit/ccu_pll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/spacemit/ccu_pll.c b/drivers/clk/spacemit/ccu_pll.c
+index 4427dcfbbb97..45f540073a65 100644
+--- a/drivers/clk/spacemit/ccu_pll.c
++++ b/drivers/clk/spacemit/ccu_pll.c
+@@ -122,7 +122,7 @@ static unsigned long ccu_pll_recalc_rate(struct clk_hw *hw,
+
+ WARN_ON_ONCE(!entry);
+
+- return entry ? entry->rate : -EINVAL;
++ return entry ? entry->rate : 0;
+ }
+
+ static long ccu_pll_round_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From f9ee2afb4d2703ce4eaf9157b353b5c92d0a771c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 17:48:55 -0500
+Subject: clk: spacemit: mark K1 pll1_d8 as critical
+
+From: Alex Elder <elder@riscstar.com>
+
+[ Upstream commit 7554729de27daf6d54bcf8689d863bbe267828bf ]
+
+The pll1_d8 clock is enabled by the boot loader, and is ultimately a
+parent for numerous clocks, including those used by APB and AXI buses.
+Guodong Xu discovered that this clock got disabled while responding to
+getting -EPROBE_DEFER when requesting a reset controller.
+
+The needed clock (CLK_DMA, along with its parents) had already been
+enabled. To respond to the probe deferral return, the CLK_DMA clock
+was disabled, and this led to parent clocks also reducing their enable
+count. When the enable count for pll1_d8 was decremented it became 0,
+which caused it to be disabled. This led to a system hang.
+
+Marking that clock critical resolves this by preventing it from being
+disabled.
+
+Define a new macro CCU_FACTOR_GATE_DEFINE() to allow clock flags to
+be supplied for a CCU_FACTOR_GATE clock.
+
+Fixes: 1b72c59db0add ("clk: spacemit: Add clock support for SpacemiT K1 SoC")
+Signed-off-by: Alex Elder <elder@riscstar.com>
+Tested-by: Guodong Xu <guodong@riscstar.com>
+Reviewed-by: Haylen Chu <heylenay@4d2.org>
+Link: https://lore.kernel.org/r/20250612224856.1105924-1-elder@riscstar.com
+Signed-off-by: Yixun Lan <dlan@gentoo.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/spacemit/ccu-k1.c | 3 ++-
+ drivers/clk/spacemit/ccu_mix.h | 11 ++++++++---
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/spacemit/ccu-k1.c b/drivers/clk/spacemit/ccu-k1.c
+index cdde37a05235..df65009a07bb 100644
+--- a/drivers/clk/spacemit/ccu-k1.c
++++ b/drivers/clk/spacemit/ccu-k1.c
+@@ -170,7 +170,8 @@ CCU_FACTOR_GATE_DEFINE(pll1_d4, CCU_PARENT_HW(pll1), APBS_PLL1_SWCR2, BIT(3), 4,
+ CCU_FACTOR_GATE_DEFINE(pll1_d5, CCU_PARENT_HW(pll1), APBS_PLL1_SWCR2, BIT(4), 5, 1);
+ CCU_FACTOR_GATE_DEFINE(pll1_d6, CCU_PARENT_HW(pll1), APBS_PLL1_SWCR2, BIT(5), 6, 1);
+ CCU_FACTOR_GATE_DEFINE(pll1_d7, CCU_PARENT_HW(pll1), APBS_PLL1_SWCR2, BIT(6), 7, 1);
+-CCU_FACTOR_GATE_DEFINE(pll1_d8, CCU_PARENT_HW(pll1), APBS_PLL1_SWCR2, BIT(7), 8, 1);
++CCU_FACTOR_GATE_FLAGS_DEFINE(pll1_d8, CCU_PARENT_HW(pll1), APBS_PLL1_SWCR2, BIT(7), 8, 1,
++ CLK_IS_CRITICAL);
+ CCU_FACTOR_GATE_DEFINE(pll1_d11_223p4, CCU_PARENT_HW(pll1), APBS_PLL1_SWCR2, BIT(15), 11, 1);
+ CCU_FACTOR_GATE_DEFINE(pll1_d13_189, CCU_PARENT_HW(pll1), APBS_PLL1_SWCR2, BIT(16), 13, 1);
+ CCU_FACTOR_GATE_DEFINE(pll1_d23_106p8, CCU_PARENT_HW(pll1), APBS_PLL1_SWCR2, BIT(20), 23, 1);
+diff --git a/drivers/clk/spacemit/ccu_mix.h b/drivers/clk/spacemit/ccu_mix.h
+index 51d19f5d6aac..54d40cd39b27 100644
+--- a/drivers/clk/spacemit/ccu_mix.h
++++ b/drivers/clk/spacemit/ccu_mix.h
+@@ -101,17 +101,22 @@ static struct ccu_mix _name = { \
+ } \
+ }
+
+-#define CCU_FACTOR_GATE_DEFINE(_name, _parent, _reg_ctrl, _mask_gate, _div, \
+- _mul) \
++#define CCU_FACTOR_GATE_FLAGS_DEFINE(_name, _parent, _reg_ctrl, _mask_gate, _div, \
++ _mul, _flags) \
+ static struct ccu_mix _name = { \
+ .gate = CCU_GATE_INIT(_mask_gate), \
+ .factor = CCU_FACTOR_INIT(_div, _mul), \
+ .common = { \
+ .reg_ctrl = _reg_ctrl, \
+- CCU_MIX_INITHW(_name, _parent, spacemit_ccu_factor_gate_ops, 0) \
++ CCU_MIX_INITHW(_name, _parent, spacemit_ccu_factor_gate_ops, _flags) \
+ } \
+ }
+
++#define CCU_FACTOR_GATE_DEFINE(_name, _parent, _reg_ctrl, _mask_gate, _div, \
++ _mul) \
++ CCU_FACTOR_GATE_FLAGS_DEFINE(_name, _parent, _reg_ctrl, _mask_gate, _div, \
++ _mul, 0)
++
+ #define CCU_MUX_GATE_DEFINE(_name, _parents, _reg_ctrl, _shift, _width, \
+ _mask_gate, _flags) \
+ static struct ccu_mix _name = { \
+--
+2.39.5
+
--- /dev/null
+From 696f3f452e78cc90a2091737903bb1d0bc7ca516 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 17:40:07 +0200
+Subject: clk: sunxi-ng: v3s: Fix de clock definition
+
+From: Paul Kocialkowski <paulk@sys-base.io>
+
+[ Upstream commit e8ab346f9907a1a3aa2f0e5decf849925c06ae2e ]
+
+The de clock is marked with CLK_SET_RATE_PARENT, which is really not
+necessary (as confirmed from experimentation) and significantly
+restricts flexibility for other clocks using the same parent.
+
+In addition the source selection (parent) field is marked as using
+2 bits, when it the documentation reports that it uses 3.
+
+Fix both issues in the de clock definition.
+
+Fixes: d0f11d14b0bc ("clk: sunxi-ng: add support for V3s CCU")
+Signed-off-by: Paul Kocialkowski <paulk@sys-base.io>
+Link: https://patch.msgid.link/20250704154008.3463257-1-paulk@sys-base.io
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+index 52e4369664c5..df345a620d8d 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
++++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+@@ -347,8 +347,7 @@ static SUNXI_CCU_GATE(dram_ohci_clk, "dram-ohci", "dram",
+
+ static const char * const de_parents[] = { "pll-video", "pll-periph0" };
+ static SUNXI_CCU_M_WITH_MUX_GATE(de_clk, "de", de_parents,
+- 0x104, 0, 4, 24, 2, BIT(31),
+- CLK_SET_RATE_PARENT);
++ 0x104, 0, 4, 24, 3, BIT(31), 0);
+
+ static const char * const tcon_parents[] = { "pll-video", "pll-periph0" };
+ static SUNXI_CCU_M_WITH_MUX_GATE(tcon_clk, "tcon", tcon_parents,
+--
+2.39.5
+
--- /dev/null
+From b7beb8d9803c4390a41785cf10e2624d2e340f6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 09:21:34 +0000
+Subject: clk: thead: th1520-ap: Correctly refer the parent of osc_12m
+
+From: Yao Zi <ziyao@disroot.org>
+
+[ Upstream commit d274c77ffa202b70ad01d579f33b73b4de123375 ]
+
+The "osc_12m" fixed factor clock refers the external oscillator by
+setting clk_parent_data.fw_name to osc_24m, which is obviously wrong
+since no clock-names property is allowed for compatible
+thead,th1520-clk-ap.
+
+Refer the oscillator as parent by index instead.
+
+Fixes: ae81b69fd2b1 ("clk: thead: Add support for T-Head TH1520 AP_SUBSYS clocks")
+Signed-off-by: Yao Zi <ziyao@disroot.org>
+Reviewed-by: Drew Fustini <fustini@kernel.org>
+Signed-off-by: Drew Fustini <fustini@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/thead/clk-th1520-ap.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/thead/clk-th1520-ap.c b/drivers/clk/thead/clk-th1520-ap.c
+index ebfb1d59401d..42feb4bb6329 100644
+--- a/drivers/clk/thead/clk-th1520-ap.c
++++ b/drivers/clk/thead/clk-th1520-ap.c
+@@ -582,7 +582,14 @@ static const struct clk_parent_data peri2sys_apb_pclk_pd[] = {
+ { .hw = &peri2sys_apb_pclk.common.hw }
+ };
+
+-static CLK_FIXED_FACTOR_FW_NAME(osc12m_clk, "osc_12m", "osc_24m", 2, 1, 0);
++static struct clk_fixed_factor osc12m_clk = {
++ .div = 2,
++ .mult = 1,
++ .hw.init = CLK_HW_INIT_PARENTS_DATA("osc_12m",
++ osc_24m_clk,
++ &clk_fixed_factor_ops,
++ 0),
++};
+
+ static const char * const out_parents[] = { "osc_24m", "osc_12m" };
+
+--
+2.39.5
+
--- /dev/null
+From 053b77a97a775827310255b6697a69a2c9b40c4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 08:05:36 +0000
+Subject: clk: thead: th1520-ap: Describe mux clocks with clk_mux
+
+From: Yao Zi <ziyao@disroot.org>
+
+[ Upstream commit 54edba916e2913b0893b0f6404b73155d48374ea ]
+
+Mux clocks are now described with a customized ccu_mux structure
+consisting of ccu_internal and ccu_common substructures, and registered
+later with devm_clk_hw_register_mux_parent_data_table(). As this helper
+always allocates a new clk_hw structure, it's extremely hard to use mux
+clocks as parents statically by clk_hw pointers, since CCF has no
+knowledge about the clk_hw structure embedded in ccu_mux.
+
+This scheme already causes issues for clock c910, which takes a mux
+clock, c910-i0, as a possible parent. With mainline U-Boot that
+reparents c910 to c910-i0 at boottime, c910 is considered as an orphan
+by CCF.
+
+This patch refactors handling of mux clocks, embeds a clk_mux structure
+in ccu_mux directly. Instead of calling devm_clk_hw_register_mux_*(),
+we could register mux clocks on our own without allocating any new
+clk_hw pointer, fixing c910 clock's issue.
+
+Fixes: ae81b69fd2b1 ("clk: thead: Add support for T-Head TH1520 AP_SUBSYS clocks")
+Signed-off-by: Yao Zi <ziyao@disroot.org>
+Signed-off-by: Drew Fustini <fustini@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/thead/clk-th1520-ap.c | 95 ++++++++++++-------------------
+ 1 file changed, 37 insertions(+), 58 deletions(-)
+
+diff --git a/drivers/clk/thead/clk-th1520-ap.c b/drivers/clk/thead/clk-th1520-ap.c
+index 42feb4bb6329..485b1d5cfd18 100644
+--- a/drivers/clk/thead/clk-th1520-ap.c
++++ b/drivers/clk/thead/clk-th1520-ap.c
+@@ -42,8 +42,9 @@ struct ccu_common {
+ };
+
+ struct ccu_mux {
+- struct ccu_internal mux;
+- struct ccu_common common;
++ int clkid;
++ u32 reg;
++ struct clk_mux mux;
+ };
+
+ struct ccu_gate {
+@@ -75,6 +76,17 @@ struct ccu_pll {
+ .flags = _flags, \
+ }
+
++#define TH_CCU_MUX(_name, _parents, _shift, _width) \
++ { \
++ .mask = GENMASK(_width - 1, 0), \
++ .shift = _shift, \
++ .hw.init = CLK_HW_INIT_PARENTS_DATA( \
++ _name, \
++ _parents, \
++ &clk_mux_ops, \
++ 0), \
++ }
++
+ #define CCU_GATE(_clkid, _struct, _name, _parent, _reg, _gate, _flags) \
+ struct ccu_gate _struct = { \
+ .enable = _gate, \
+@@ -94,13 +106,6 @@ static inline struct ccu_common *hw_to_ccu_common(struct clk_hw *hw)
+ return container_of(hw, struct ccu_common, hw);
+ }
+
+-static inline struct ccu_mux *hw_to_ccu_mux(struct clk_hw *hw)
+-{
+- struct ccu_common *common = hw_to_ccu_common(hw);
+-
+- return container_of(common, struct ccu_mux, common);
+-}
+-
+ static inline struct ccu_pll *hw_to_ccu_pll(struct clk_hw *hw)
+ {
+ struct ccu_common *common = hw_to_ccu_common(hw);
+@@ -415,32 +420,20 @@ static const struct clk_parent_data c910_i0_parents[] = {
+ };
+
+ static struct ccu_mux c910_i0_clk = {
+- .mux = TH_CCU_ARG(1, 1),
+- .common = {
+- .clkid = CLK_C910_I0,
+- .cfg0 = 0x100,
+- .hw.init = CLK_HW_INIT_PARENTS_DATA("c910-i0",
+- c910_i0_parents,
+- &clk_mux_ops,
+- 0),
+- }
++ .clkid = CLK_C910_I0,
++ .reg = 0x100,
++ .mux = TH_CCU_MUX("c910-i0", c910_i0_parents, 1, 1),
+ };
+
+ static const struct clk_parent_data c910_parents[] = {
+- { .hw = &c910_i0_clk.common.hw },
++ { .hw = &c910_i0_clk.mux.hw },
+ { .hw = &cpu_pll1_clk.common.hw }
+ };
+
+ static struct ccu_mux c910_clk = {
+- .mux = TH_CCU_ARG(0, 1),
+- .common = {
+- .clkid = CLK_C910,
+- .cfg0 = 0x100,
+- .hw.init = CLK_HW_INIT_PARENTS_DATA("c910",
+- c910_parents,
+- &clk_mux_ops,
+- 0),
+- }
++ .clkid = CLK_C910,
++ .reg = 0x100,
++ .mux = TH_CCU_MUX("c910", c910_parents, 0, 1),
+ };
+
+ static const struct clk_parent_data ahb2_cpusys_parents[] = {
+@@ -924,15 +917,9 @@ static const struct clk_parent_data uart_sclk_parents[] = {
+ };
+
+ static struct ccu_mux uart_sclk = {
+- .mux = TH_CCU_ARG(0, 1),
+- .common = {
+- .clkid = CLK_UART_SCLK,
+- .cfg0 = 0x210,
+- .hw.init = CLK_HW_INIT_PARENTS_DATA("uart-sclk",
+- uart_sclk_parents,
+- &clk_mux_ops,
+- 0),
+- }
++ .clkid = CLK_UART_SCLK,
++ .reg = 0x210,
++ .mux = TH_CCU_MUX("uart-sclk", uart_sclk_parents, 0, 1),
+ };
+
+ static struct ccu_common *th1520_pll_clks[] = {
+@@ -969,10 +956,10 @@ static struct ccu_common *th1520_div_clks[] = {
+ &dpu1_clk.common,
+ };
+
+-static struct ccu_common *th1520_mux_clks[] = {
+- &c910_i0_clk.common,
+- &c910_clk.common,
+- &uart_sclk.common,
++static struct ccu_mux *th1520_mux_clks[] = {
++ &c910_i0_clk,
++ &c910_clk,
++ &uart_sclk,
+ };
+
+ static struct ccu_common *th1520_gate_clks[] = {
+@@ -1074,7 +1061,7 @@ static const struct regmap_config th1520_clk_regmap_config = {
+ struct th1520_plat_data {
+ struct ccu_common **th1520_pll_clks;
+ struct ccu_common **th1520_div_clks;
+- struct ccu_common **th1520_mux_clks;
++ struct ccu_mux **th1520_mux_clks;
+ struct ccu_common **th1520_gate_clks;
+
+ int nr_clks;
+@@ -1161,23 +1148,15 @@ static int th1520_clk_probe(struct platform_device *pdev)
+ }
+
+ for (i = 0; i < plat_data->nr_mux_clks; i++) {
+- struct ccu_mux *cm = hw_to_ccu_mux(&plat_data->th1520_mux_clks[i]->hw);
+- const struct clk_init_data *init = cm->common.hw.init;
+-
+- plat_data->th1520_mux_clks[i]->map = map;
+- hw = devm_clk_hw_register_mux_parent_data_table(dev,
+- init->name,
+- init->parent_data,
+- init->num_parents,
+- 0,
+- base + cm->common.cfg0,
+- cm->mux.shift,
+- cm->mux.width,
+- 0, NULL, NULL);
+- if (IS_ERR(hw))
+- return PTR_ERR(hw);
++ struct ccu_mux *cm = plat_data->th1520_mux_clks[i];
++
++ cm->mux.reg = base + cm->reg;
++
++ ret = devm_clk_hw_register(dev, &cm->mux.hw);
++ if (ret)
++ return ret;
+
+- priv->hws[cm->common.clkid] = hw;
++ priv->hws[cm->clkid] = &cm->mux.hw;
+ }
+
+ for (i = 0; i < plat_data->nr_gate_clks; i++) {
+--
+2.39.5
+
--- /dev/null
+From 7a1deeeea08f51049211e4661d65790f2def4549 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2025 03:36:13 -0800
+Subject: clk: xilinx: vcu: unregister pll_post only if registered correctly
+
+From: Rohit Visavalia <rohit.visavalia@amd.com>
+
+[ Upstream commit 3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d ]
+
+If registration of pll_post is failed, it will be set to NULL or ERR,
+unregistering same will fail with following call trace:
+
+Unable to handle kernel NULL pointer dereference at virtual address 008
+pc : clk_hw_unregister+0xc/0x20
+lr : clk_hw_unregister_fixed_factor+0x18/0x30
+sp : ffff800011923850
+...
+Call trace:
+ clk_hw_unregister+0xc/0x20
+ clk_hw_unregister_fixed_factor+0x18/0x30
+ xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]
+ xvcu_probe+0x2bc/0x53c [xlnx_vcu]
+
+Fixes: 4472e1849db7 ("soc: xilinx: vcu: make pll post divider explicit")
+Signed-off-by: Rohit Visavalia <rohit.visavalia@amd.com>
+Link: https://lore.kernel.org/r/20250210113614.4149050-2-rohit.visavalia@amd.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/xilinx/xlnx_vcu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/xilinx/xlnx_vcu.c b/drivers/clk/xilinx/xlnx_vcu.c
+index 81501b48412e..88b3fd8250c2 100644
+--- a/drivers/clk/xilinx/xlnx_vcu.c
++++ b/drivers/clk/xilinx/xlnx_vcu.c
+@@ -587,8 +587,8 @@ static void xvcu_unregister_clock_provider(struct xvcu_device *xvcu)
+ xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_MCU]);
+ if (!IS_ERR_OR_NULL(hws[CLK_XVCU_ENC_CORE]))
+ xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_CORE]);
+-
+- clk_hw_unregister_fixed_factor(xvcu->pll_post);
++ if (!IS_ERR_OR_NULL(xvcu->pll_post))
++ clk_hw_unregister_fixed_factor(xvcu->pll_post);
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 75ad14e5fcbde3cbb7e7170dcd29e7812920c43b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:14:53 +0200
+Subject: cpufreq: armada-8k: make both cpu masks static
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b1b41bc072baf7301b1ae95fe417de09a5ad47e2 ]
+
+An earlier patch marked one of the two CPU masks as 'static' to reduce stack
+usage, but if CONFIG_NR_CPUS is large enough, the function still produces
+a warning for compile testing:
+
+drivers/cpufreq/armada-8k-cpufreq.c: In function 'armada_8k_cpufreq_init':
+drivers/cpufreq/armada-8k-cpufreq.c:203:1: error: the frame size of 1416 bytes is larger than 1408 bytes [-Werror=frame-larger-than=]
+
+Normally this should be done using alloc_cpumask_var(), but since the
+driver already has a static mask and the probe function is not called
+concurrently, use the same trick for both.
+
+Fixes: 1ffec650d07f ("cpufreq: armada-8k: Avoid excessive stack usage")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/armada-8k-cpufreq.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/armada-8k-cpufreq.c b/drivers/cpufreq/armada-8k-cpufreq.c
+index 5a3545bd0d8d..006f4c554dd7 100644
+--- a/drivers/cpufreq/armada-8k-cpufreq.c
++++ b/drivers/cpufreq/armada-8k-cpufreq.c
+@@ -132,7 +132,7 @@ static int __init armada_8k_cpufreq_init(void)
+ int ret = 0, opps_index = 0, cpu, nb_cpus;
+ struct freq_table *freq_tables;
+ struct device_node *node;
+- static struct cpumask cpus;
++ static struct cpumask cpus, shared_cpus;
+
+ node = of_find_matching_node_and_match(NULL, armada_8k_cpufreq_of_match,
+ NULL);
+@@ -154,7 +154,6 @@ static int __init armada_8k_cpufreq_init(void)
+ * divisions of it).
+ */
+ for_each_cpu(cpu, &cpus) {
+- struct cpumask shared_cpus;
+ struct device *cpu_dev;
+ struct clk *clk;
+
+--
+2.39.5
+
--- /dev/null
+From 9b0b82612137e3b4a53ad33e4b13d4849dc176b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:41:43 +0800
+Subject: cpufreq: Init policy->rwsem before it may be possibly used
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit d1378d1d7edb3a4c4935a44fe834ae135be03564 ]
+
+In cpufreq_policy_put_kobj(), policy->rwsem is used. But in
+cpufreq_policy_alloc(), if freq_qos_add_notifier() returns an error, error
+path via err_kobj_remove or err_min_qos_notifier will be reached and
+cpufreq_policy_put_kobj() will be called before policy->rwsem is
+initialized. Thus, the calling of init_rwsem() should be moved to where
+before these two error paths can be reached.
+
+Fixes: 67d874c3b2c6 ("cpufreq: Register notifiers with the PM QoS framework")
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://patch.msgid.link/20250709104145.2348017-3-zhenglifeng1@huawei.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 189e2166ddef..c1c6f11ac551 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1284,6 +1284,8 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
+ goto err_free_real_cpus;
+ }
+
++ init_rwsem(&policy->rwsem);
++
+ freq_constraints_init(&policy->constraints);
+
+ policy->nb_min.notifier_call = cpufreq_notifier_min;
+@@ -1306,7 +1308,6 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
+ }
+
+ INIT_LIST_HEAD(&policy->policy_list);
+- init_rwsem(&policy->rwsem);
+ spin_lock_init(&policy->transition_lock);
+ init_waitqueue_head(&policy->transition_wait);
+ INIT_WORK(&policy->update, handle_update);
+--
+2.39.5
+
--- /dev/null
+From 218d6c3b10852e50f9dc36a4a75ae5ec626c0fb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:41:42 +0800
+Subject: cpufreq: Initialize cpufreq-based frequency-invariance later
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit 2a6c727387062a2ea79eb6cf5004820cb1b0afe2 ]
+
+The cpufreq-based invariance is enabled in cpufreq_register_driver(),
+but never disabled after registration fails. Move the invariance
+initialization to where all other initializations have been successfully
+done to solve this problem.
+
+Fixes: 874f63531064 ("cpufreq: report whether cpufreq supports Frequency Invariance (FI)")
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://patch.msgid.link/20250709104145.2348017-2-zhenglifeng1@huawei.com
+[ rjw: New subject ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index d7426e1d8bdd..189e2166ddef 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -2944,15 +2944,6 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
+ cpufreq_driver = driver_data;
+ write_unlock_irqrestore(&cpufreq_driver_lock, flags);
+
+- /*
+- * Mark support for the scheduler's frequency invariance engine for
+- * drivers that implement target(), target_index() or fast_switch().
+- */
+- if (!cpufreq_driver->setpolicy) {
+- static_branch_enable_cpuslocked(&cpufreq_freq_invariance);
+- pr_debug("supports frequency invariance");
+- }
+-
+ if (driver_data->setpolicy)
+ driver_data->flags |= CPUFREQ_CONST_LOOPS;
+
+@@ -2983,6 +2974,15 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
+ hp_online = ret;
+ ret = 0;
+
++ /*
++ * Mark support for the scheduler's frequency invariance engine for
++ * drivers that implement target(), target_index() or fast_switch().
++ */
++ if (!cpufreq_driver->setpolicy) {
++ static_branch_enable_cpuslocked(&cpufreq_freq_invariance);
++ pr_debug("supports frequency invariance");
++ }
++
+ pr_debug("driver %s up and running\n", driver_data->name);
+ goto out;
+
+--
+2.39.5
+
--- /dev/null
+From 40a6bc523d80e36a8b6be84e349d9e074e2ec38d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 20:19:19 +0200
+Subject: cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 1cefe495cacba5fb0417da3a75a1a76e3546d176 ]
+
+In the passive mode, intel_cpufreq_update_pstate() sets HWP_MIN_PERF in
+accordance with the target frequency to ensure delivering adequate
+performance, but it sets HWP_DESIRED_PERF to 0, so the processor has no
+indication that the desired performance level is actually equal to the
+floor one. This may cause it to choose a performance point way above
+the desired level.
+
+Moreover, this is inconsistent with intel_cpufreq_adjust_perf() which
+actually sets HWP_DESIRED_PERF in accordance with the target performance
+value.
+
+Address this by adjusting intel_cpufreq_update_pstate() to pass
+target_pstate as both the minimum and the desired performance levels
+to intel_cpufreq_hwp_update().
+
+Fixes: a365ab6b9dfb ("cpufreq: intel_pstate: Implement the ->adjust_perf() callback")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Tested-by: Shashank Balaji <shashank.mahadasyam@sony.com>
+Link: https://patch.msgid.link/6173276.lOV4Wx5bFT@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/intel_pstate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index 64587d318267..60326ab5475f 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -3249,8 +3249,8 @@ static int intel_cpufreq_update_pstate(struct cpufreq_policy *policy,
+ int max_pstate = policy->strict_target ?
+ target_pstate : cpu->max_perf_ratio;
+
+- intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate, 0,
+- fast_switch);
++ intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate,
++ target_pstate, fast_switch);
+ } else if (target_pstate != old_pstate) {
+ intel_cpufreq_perf_ctl_update(cpu, target_pstate, fast_switch);
+ }
+--
+2.39.5
+
--- /dev/null
+From ace6208dd48025edfb5975474833f14a588d4887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 17:54:41 +0800
+Subject: crypto: ahash - Add support for drivers with no fallback
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 4ccd065a69df163cd9fe0dd8e0f609f1eeb4723d ]
+
+Some drivers cannot have a fallback, e.g., because the key is held
+in hardware. Allow these to be used with ahash by adding the bit
+CRYPTO_ALG_NO_FALLBACK.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Harald Freudenberger <freude@linux.ibm.com>
+Stable-dep-of: 1e2b7fcd3f07 ("crypto: ahash - Stop legacy tfms from using the set_virt fallback path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/ahash.c | 10 +++++++++-
+ include/linux/crypto.h | 3 +++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/ahash.c b/crypto/ahash.c
+index bc84a07c924c..3878b4da3cfd 100644
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -347,6 +347,9 @@ static int ahash_do_req_chain(struct ahash_request *req,
+ if (crypto_ahash_statesize(tfm) > HASH_MAX_STATESIZE)
+ return -ENOSYS;
+
++ if (!crypto_ahash_need_fallback(tfm))
++ return -ENOSYS;
++
+ {
+ u8 state[HASH_MAX_STATESIZE];
+
+@@ -954,6 +957,10 @@ static int ahash_prepare_alg(struct ahash_alg *alg)
+ base->cra_reqsize > MAX_SYNC_HASH_REQSIZE)
+ return -EINVAL;
+
++ if (base->cra_flags & CRYPTO_ALG_NEED_FALLBACK &&
++ base->cra_flags & CRYPTO_ALG_NO_FALLBACK)
++ return -EINVAL;
++
+ err = hash_prepare_alg(&alg->halg);
+ if (err)
+ return err;
+@@ -962,7 +969,8 @@ static int ahash_prepare_alg(struct ahash_alg *alg)
+ base->cra_flags |= CRYPTO_ALG_TYPE_AHASH;
+
+ if ((base->cra_flags ^ CRYPTO_ALG_REQ_VIRT) &
+- (CRYPTO_ALG_ASYNC | CRYPTO_ALG_REQ_VIRT))
++ (CRYPTO_ALG_ASYNC | CRYPTO_ALG_REQ_VIRT) &&
++ !(base->cra_flags & CRYPTO_ALG_NO_FALLBACK))
+ base->cra_flags |= CRYPTO_ALG_NEED_FALLBACK;
+
+ if (!alg->setkey)
+diff --git a/include/linux/crypto.h b/include/linux/crypto.h
+index b50f1954d1bb..a2137e19be7d 100644
+--- a/include/linux/crypto.h
++++ b/include/linux/crypto.h
+@@ -136,6 +136,9 @@
+ /* Set if the algorithm supports virtual addresses. */
+ #define CRYPTO_ALG_REQ_VIRT 0x00040000
+
++/* Set if the algorithm cannot have a fallback (e.g., phmac). */
++#define CRYPTO_ALG_NO_FALLBACK 0x00080000
++
+ /* The high bits 0xff000000 are reserved for type-specific flags. */
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 594b108ab76b42a36624fc082650dc40fce4c7c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 16:51:38 +0800
+Subject: crypto: ahash - Stop legacy tfms from using the set_virt fallback
+ path
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 1e2b7fcd3f075ff8c5b0e4474fe145d1c685f54f ]
+
+Ensure that drivers that have not been converted to the ahash API
+do not use the ahash_request_set_virt fallback path as they cannot
+use the software fallback.
+
+Reported-by: Eric Biggers <ebiggers@kernel.org>
+Fixes: 9d7a0ab1c753 ("crypto: ahash - Handle partial blocks in API")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/ahash.c | 3 +++
+ include/crypto/internal/hash.h | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/crypto/ahash.c b/crypto/ahash.c
+index 3878b4da3cfd..2f06e6b4f601 100644
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -350,6 +350,9 @@ static int ahash_do_req_chain(struct ahash_request *req,
+ if (!crypto_ahash_need_fallback(tfm))
+ return -ENOSYS;
+
++ if (crypto_hash_no_export_core(tfm))
++ return -ENOSYS;
++
+ {
+ u8 state[HASH_MAX_STATESIZE];
+
+diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
+index 0f85c543f80b..f052afa6e7b0 100644
+--- a/include/crypto/internal/hash.h
++++ b/include/crypto/internal/hash.h
+@@ -91,6 +91,12 @@ static inline bool crypto_hash_alg_needs_key(struct hash_alg_common *alg)
+ !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY);
+ }
+
++static inline bool crypto_hash_no_export_core(struct crypto_ahash *tfm)
++{
++ return crypto_hash_alg_common(tfm)->base.cra_flags &
++ CRYPTO_AHASH_ALG_NO_EXPORT_CORE;
++}
++
+ int crypto_grab_ahash(struct crypto_ahash_spawn *spawn,
+ struct crypto_instance *inst,
+ const char *name, u32 type, u32 mask);
+--
+2.39.5
+
--- /dev/null
+From c7dd3b721d5173df00da3f830d2f51ea28cdc605 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 11:32:52 +0200
+Subject: crypto: arm/aes-neonbs - work around gcc-15 warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit d5fa96dc5590915f060fee3209143313e4f5b03b ]
+
+I get a very rare -Wstringop-overread warning with gcc-15 for one function
+in aesbs_ctr_encrypt():
+
+arch/arm/crypto/aes-neonbs-glue.c: In function 'ctr_encrypt':
+arch/arm/crypto/aes-neonbs-glue.c:212:1446: error: '__builtin_memcpy' offset [17, 2147483647] is out of the bounds [0, 16] of object 'buf' with type 'u8[16]' {aka 'unsigned char[16]'} [-Werror=array-bounds=]
+ 212 | src = dst = memcpy(buf + sizeof(buf) - bytes,
+arch/arm/crypto/aes-neonbs-glue.c: In function 'ctr_encrypt':
+arch/arm/crypto/aes-neonbs-glue.c:218:17: error: 'aesbs_ctr_encrypt' reading 1 byte from a region of size 0 [-Werror=stringop-overread]
+ 218 | aesbs_ctr_encrypt(dst, src, ctx->rk, ctx->rounds, bytes, walk.iv);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/arm/crypto/aes-neonbs-glue.c:218:17: note: referencing argument 2 of type 'const u8[0]' {aka 'const unsigned char[]'}
+arch/arm/crypto/aes-neonbs-glue.c:218:17: note: referencing argument 3 of type 'const u8[0]' {aka 'const unsigned char[]'}
+arch/arm/crypto/aes-neonbs-glue.c:218:17: note: referencing argument 6 of type 'u8[0]' {aka 'unsigned char[]'}
+arch/arm/crypto/aes-neonbs-glue.c:36:17: note: in a call to function 'aesbs_ctr_encrypt'
+ 36 | asmlinkage void aesbs_ctr_encrypt(u8 out[], u8 const in[], u8 const rk[],
+
+This could happen in theory if walk.nbytes is larger than INT_MAX and gets
+converted to a negative local variable.
+
+Keep the type unsigned like the orignal nbytes to be sure there is no
+integer overflow.
+
+Fixes: c8bf850e991a ("crypto: arm/aes-neonbs-ctr - deal with non-multiples of AES block size")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/crypto/aes-neonbs-glue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/crypto/aes-neonbs-glue.c b/arch/arm/crypto/aes-neonbs-glue.c
+index c60104dc1585..df5afe601e4a 100644
+--- a/arch/arm/crypto/aes-neonbs-glue.c
++++ b/arch/arm/crypto/aes-neonbs-glue.c
+@@ -206,7 +206,7 @@ static int ctr_encrypt(struct skcipher_request *req)
+ while (walk.nbytes > 0) {
+ const u8 *src = walk.src.virt.addr;
+ u8 *dst = walk.dst.virt.addr;
+- int bytes = walk.nbytes;
++ unsigned int bytes = walk.nbytes;
+
+ if (unlikely(bytes < AES_BLOCK_SIZE))
+ src = dst = memcpy(buf + sizeof(buf) - bytes,
+--
+2.39.5
+
--- /dev/null
+From 69d4bc7bd8631cba522cb3e82542191f9c80280e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:54:18 +0800
+Subject: crypto: ccp - Fix crash when rebind ccp device for ccp.ko
+
+From: Mengbiao Xiong <xisme1998@gmail.com>
+
+[ Upstream commit 181698af38d3f93381229ad89c09b5bd0496661a ]
+
+When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding
+the ccp device causes the following crash:
+
+$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind
+$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind
+
+[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098
+[ 204.978026] #PF: supervisor write access in kernel mode
+[ 204.979126] #PF: error_code(0x0002) - not-present page
+[ 204.980226] PGD 0 P4D 0
+[ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI
+...
+[ 204.997852] Call Trace:
+[ 204.999074] <TASK>
+[ 205.000297] start_creating+0x9f/0x1c0
+[ 205.001533] debugfs_create_dir+0x1f/0x170
+[ 205.002769] ? srso_return_thunk+0x5/0x5f
+[ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp]
+[ 205.005241] ccp5_init+0x8b2/0x960 [ccp]
+[ 205.006469] ccp_dev_init+0xd4/0x150 [ccp]
+[ 205.007709] sp_init+0x5f/0x80 [ccp]
+[ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp]
+[ 205.010165] ? srso_return_thunk+0x5/0x5f
+[ 205.011376] local_pci_probe+0x4f/0xb0
+[ 205.012584] pci_device_probe+0xdb/0x230
+[ 205.013810] really_probe+0xed/0x380
+[ 205.015024] __driver_probe_device+0x7e/0x160
+[ 205.016240] device_driver_attach+0x2f/0x60
+[ 205.017457] bind_store+0x7c/0xb0
+[ 205.018663] drv_attr_store+0x28/0x40
+[ 205.019868] sysfs_kf_write+0x5f/0x70
+[ 205.021065] kernfs_fop_write_iter+0x145/0x1d0
+[ 205.022267] vfs_write+0x308/0x440
+[ 205.023453] ksys_write+0x6d/0xe0
+[ 205.024616] __x64_sys_write+0x1e/0x30
+[ 205.025778] x64_sys_call+0x16ba/0x2150
+[ 205.026942] do_syscall_64+0x56/0x1e0
+[ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 205.029276] RIP: 0033:0x7fbc36f10104
+[ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5
+
+This patch sets ccp_debugfs_dir to NULL after destroying it in
+ccp5_debugfs_destroy, allowing the directory dentry to be
+recreated when rebinding the ccp device.
+
+Tested on AMD Ryzen 7 1700X.
+
+Fixes: 3cdbe346ed3f ("crypto: ccp - Add debugfs entries for CCP information")
+Signed-off-by: Mengbiao Xiong <xisme1998@gmail.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/ccp-debugfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/ccp/ccp-debugfs.c b/drivers/crypto/ccp/ccp-debugfs.c
+index a1055554b47a..dc26bc22c91d 100644
+--- a/drivers/crypto/ccp/ccp-debugfs.c
++++ b/drivers/crypto/ccp/ccp-debugfs.c
+@@ -319,5 +319,8 @@ void ccp5_debugfs_setup(struct ccp_device *ccp)
+
+ void ccp5_debugfs_destroy(void)
+ {
++ mutex_lock(&ccp_debugfs_lock);
+ debugfs_remove_recursive(ccp_debugfs_dir);
++ ccp_debugfs_dir = NULL;
++ mutex_unlock(&ccp_debugfs_lock);
+ }
+--
+2.39.5
+
--- /dev/null
+From 0025b896f6ca33d0f67321c78acc42254536971e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 20:20:18 +0000
+Subject: crypto: ccp - Fix dereferencing uninitialized error pointer
+
+From: Ashish Kalra <ashish.kalra@amd.com>
+
+[ Upstream commit 0fa766726c091ff0ec7d26874f6e4724d23ecb0e ]
+
+Fix below smatch warnings:
+drivers/crypto/ccp/sev-dev.c:1312 __sev_platform_init_locked()
+error: we previously assumed 'error' could be null
+
+Fixes: 9770b428b1a2 ("crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202505071746.eWOx5QgC-lkp@intel.com/
+Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index 3451bada884e..8fb94c5f006a 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -1276,9 +1276,11 @@ static int __sev_platform_init_handle_init_ex_path(struct sev_device *sev)
+
+ static int __sev_platform_init_locked(int *error)
+ {
+- int rc, psp_ret = SEV_RET_NO_FW_CALL;
++ int rc, psp_ret, dfflush_error;
+ struct sev_device *sev;
+
++ psp_ret = dfflush_error = SEV_RET_NO_FW_CALL;
++
+ if (!psp_master || !psp_master->sev_data)
+ return -ENODEV;
+
+@@ -1320,10 +1322,10 @@ static int __sev_platform_init_locked(int *error)
+
+ /* Prepare for first SEV guest launch after INIT */
+ wbinvd_on_all_cpus();
+- rc = __sev_do_cmd_locked(SEV_CMD_DF_FLUSH, NULL, error);
++ rc = __sev_do_cmd_locked(SEV_CMD_DF_FLUSH, NULL, &dfflush_error);
+ if (rc) {
+ dev_err(sev->dev, "SEV: DF_FLUSH failed %#x, rc %d\n",
+- *error, rc);
++ dfflush_error, rc);
+ return rc;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From ef108a58c2a86001c47523e03b40d52c26235296 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 19:43:54 +1000
+Subject: crypto: ccp - Fix locking on alloc failure handling
+
+From: Alexey Kardashevskiy <aik@amd.com>
+
+[ Upstream commit b4abeccb8d39db7d9b51cb0098d6458760b30a75 ]
+
+The __snp_alloc_firmware_pages() helper allocates pages in the firmware
+state (alloc + rmpupdate). In case of failed rmpupdate, it tries
+reclaiming pages with already changed state. This requires calling
+the PSP firmware and since there is sev_cmd_mutex to guard such calls,
+the helper takes a "locked" parameter so specify if the lock needs to
+be held.
+
+Most calls happen from snp_alloc_firmware_page() which executes without
+the lock. However
+
+commit 24512afa4336 ("crypto: ccp: Handle the legacy TMR allocation when SNP is enabled")
+
+switched sev_fw_alloc() from alloc_pages() (which does not call the PSP) to
+__snp_alloc_firmware_pages() (which does) but did not account for the fact
+that sev_fw_alloc() is called from __sev_platform_init_locked()
+(via __sev_platform_init_handle_tmr()) and executes with the lock held.
+
+Add a "locked" parameter to __snp_alloc_firmware_pages().
+Make sev_fw_alloc() use the new parameter to prevent potential deadlock in
+rmp_mark_pages_firmware() if rmpupdate() failed.
+
+Fixes: 24512afa4336 ("crypto: ccp: Handle the legacy TMR allocation when SNP is enabled")
+Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Pratik R. Sampat <prsampat@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index 8fb94c5f006a..539c303beb3a 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -434,7 +434,7 @@ static int rmp_mark_pages_firmware(unsigned long paddr, unsigned int npages, boo
+ return rc;
+ }
+
+-static struct page *__snp_alloc_firmware_pages(gfp_t gfp_mask, int order)
++static struct page *__snp_alloc_firmware_pages(gfp_t gfp_mask, int order, bool locked)
+ {
+ unsigned long npages = 1ul << order, paddr;
+ struct sev_device *sev;
+@@ -453,7 +453,7 @@ static struct page *__snp_alloc_firmware_pages(gfp_t gfp_mask, int order)
+ return page;
+
+ paddr = __pa((unsigned long)page_address(page));
+- if (rmp_mark_pages_firmware(paddr, npages, false))
++ if (rmp_mark_pages_firmware(paddr, npages, locked))
+ return NULL;
+
+ return page;
+@@ -463,7 +463,7 @@ void *snp_alloc_firmware_page(gfp_t gfp_mask)
+ {
+ struct page *page;
+
+- page = __snp_alloc_firmware_pages(gfp_mask, 0);
++ page = __snp_alloc_firmware_pages(gfp_mask, 0, false);
+
+ return page ? page_address(page) : NULL;
+ }
+@@ -498,7 +498,7 @@ static void *sev_fw_alloc(unsigned long len)
+ {
+ struct page *page;
+
+- page = __snp_alloc_firmware_pages(GFP_KERNEL, get_order(len));
++ page = __snp_alloc_firmware_pages(GFP_KERNEL, get_order(len), true);
+ if (!page)
+ return NULL;
+
+--
+2.39.5
+
--- /dev/null
+From 011f6bed68ee74e36959324d6b8e233d4e15c2c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 11:16:22 +0200
+Subject: crypto: img-hash - Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 34b283636181ce02c52633551f594fec9876bec7 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/img-hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c
+index e050f5ff5efb..c527cd75b6fe 100644
+--- a/drivers/crypto/img-hash.c
++++ b/drivers/crypto/img-hash.c
+@@ -436,7 +436,7 @@ static int img_hash_write_via_dma_stop(struct img_hash_dev *hdev)
+ struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req);
+
+ if (ctx->flags & DRIVER_FLAGS_SG)
+- dma_unmap_sg(hdev->dev, ctx->sg, ctx->dma_ct, DMA_TO_DEVICE);
++ dma_unmap_sg(hdev->dev, ctx->sg, 1, DMA_TO_DEVICE);
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 048a33752b192298e88cf5630d7ed86e4c1d84bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:29:26 +0200
+Subject: crypto: inside-secure - Fix `dma_unmap_sg()` nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit cb7fa6b6fc71e0c801e271aa498e2f19e6df2931 ]
+
+The `dma_unmap_sg()` functions should be called with the same nents as the
+`dma_map_sg()`, not the value the map function returned.
+
+Fixes: c957f8b3e2e5 ("crypto: inside-secure - avoid unmapping DMA memory that was not mapped")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/inside-secure/safexcel_hash.c b/drivers/crypto/inside-secure/safexcel_hash.c
+index d2b632193beb..5baf4bd2fcee 100644
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -249,7 +249,9 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv,
+ safexcel_complete(priv, ring);
+
+ if (sreq->nents) {
+- dma_unmap_sg(priv->dev, areq->src, sreq->nents, DMA_TO_DEVICE);
++ dma_unmap_sg(priv->dev, areq->src,
++ sg_nents_for_len(areq->src, areq->nbytes),
++ DMA_TO_DEVICE);
+ sreq->nents = 0;
+ }
+
+@@ -497,7 +499,9 @@ static int safexcel_ahash_send_req(struct crypto_async_request *async, int ring,
+ DMA_FROM_DEVICE);
+ unmap_sg:
+ if (req->nents) {
+- dma_unmap_sg(priv->dev, areq->src, req->nents, DMA_TO_DEVICE);
++ dma_unmap_sg(priv->dev, areq->src,
++ sg_nents_for_len(areq->src, areq->nbytes),
++ DMA_TO_DEVICE);
+ req->nents = 0;
+ }
+ cdesc_rollback:
+--
+2.39.5
+
--- /dev/null
+From 9d74ca07185a2a88513a76ccbe6255b72f9b878e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 10:57:06 +0200
+Subject: crypto: keembay - Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 01951a7dc5ac1a37e5fb7d86ea7eb2dfbf96e8b6 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 472b04444cd3 ("crypto: keembay - Add Keem Bay OCS HCU driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c b/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c
+index 95dc8979918d..8f9e21ced0fe 100644
+--- a/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c
++++ b/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c
+@@ -68,6 +68,7 @@ struct ocs_hcu_ctx {
+ * @sg_data_total: Total data in the SG list at any time.
+ * @sg_data_offset: Offset into the data of the current individual SG node.
+ * @sg_dma_nents: Number of sg entries mapped in dma_list.
++ * @nents: Number of entries in the scatterlist.
+ */
+ struct ocs_hcu_rctx {
+ struct ocs_hcu_dev *hcu_dev;
+@@ -91,6 +92,7 @@ struct ocs_hcu_rctx {
+ unsigned int sg_data_total;
+ unsigned int sg_data_offset;
+ unsigned int sg_dma_nents;
++ unsigned int nents;
+ };
+
+ /**
+@@ -199,7 +201,7 @@ static void kmb_ocs_hcu_dma_cleanup(struct ahash_request *req,
+
+ /* Unmap req->src (if mapped). */
+ if (rctx->sg_dma_nents) {
+- dma_unmap_sg(dev, req->src, rctx->sg_dma_nents, DMA_TO_DEVICE);
++ dma_unmap_sg(dev, req->src, rctx->nents, DMA_TO_DEVICE);
+ rctx->sg_dma_nents = 0;
+ }
+
+@@ -260,6 +262,10 @@ static int kmb_ocs_dma_prepare(struct ahash_request *req)
+ rc = -ENOMEM;
+ goto cleanup;
+ }
++
++ /* Save the value of nents to pass to dma_unmap_sg. */
++ rctx->nents = nents;
++
+ /*
+ * The value returned by dma_map_sg() can be < nents; so update
+ * nents accordingly.
+--
+2.39.5
+
--- /dev/null
+From ba89356f9d6a23cd7c9d85f311e1363a5d5ddd9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 00:11:40 -0700
+Subject: crypto: krb5 - Fix memory leak in krb5_test_one_prf()
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+[ Upstream commit b19f1ab8d5bf417e00d5855c62e061fb449b13c5 ]
+
+Fix a leak reported by kmemleak:
+
+ unreferenced object 0xffff8880093bf7a0 (size 32):
+ comm "swapper/0", pid 1, jiffies 4294877529
+ hex dump (first 32 bytes):
+ 9d 18 86 16 f6 38 52 fe 86 91 5b b8 40 b4 a8 86 .....8R...[.@...
+ ff 3e 6b b0 f8 19 b4 9b 89 33 93 d3 93 85 42 95 .>k......3....B.
+ backtrace (crc 8ba12f3b):
+ kmemleak_alloc+0x8d/0xa0
+ __kmalloc_noprof+0x3cd/0x4d0
+ prep_buf+0x36/0x70
+ load_buf+0x10d/0x1c0
+ krb5_test_one_prf+0x1e1/0x3c0
+ krb5_selftest.cold+0x7c/0x54c
+ crypto_krb5_init+0xd/0x20
+ do_one_initcall+0xa5/0x230
+ do_initcalls+0x213/0x250
+ kernel_init_freeable+0x220/0x260
+ kernel_init+0x1d/0x170
+ ret_from_fork+0x301/0x410
+ ret_from_fork_asm+0x1a/0x30
+
+Fixes: fc0cf10c04f4 ("crypto/krb5: Implement crypto self-testing")
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/krb5/selftest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/krb5/selftest.c b/crypto/krb5/selftest.c
+index 2a81a6315a0d..4519c572d37e 100644
+--- a/crypto/krb5/selftest.c
++++ b/crypto/krb5/selftest.c
+@@ -152,6 +152,7 @@ static int krb5_test_one_prf(const struct krb5_prf_test *test)
+
+ out:
+ clear_buf(&result);
++ clear_buf(&prf);
+ clear_buf(&octet);
+ clear_buf(&key);
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 9586e94817c0d0e1be0023a0ecfb4c65e7863d25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 20:41:28 +0800
+Subject: crypto: marvell/cesa - Fix engine load inaccuracy
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 442134ab30e75b7229c4bfc1ac5641d245cffe27 ]
+
+If an error occurs during queueing the engine load will never be
+decremented. Fix this by moving the engine load adjustment into
+the cleanup function.
+
+Fixes: bf8f91e71192 ("crypto: marvell - Add load balancing between engines")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cesa/cipher.c | 4 +++-
+ drivers/crypto/marvell/cesa/hash.c | 5 +++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c
+index 48c5c8ea8c43..3fe0fd9226cf 100644
+--- a/drivers/crypto/marvell/cesa/cipher.c
++++ b/drivers/crypto/marvell/cesa/cipher.c
+@@ -75,9 +75,12 @@ mv_cesa_skcipher_dma_cleanup(struct skcipher_request *req)
+ static inline void mv_cesa_skcipher_cleanup(struct skcipher_request *req)
+ {
+ struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req);
++ struct mv_cesa_engine *engine = creq->base.engine;
+
+ if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ)
+ mv_cesa_skcipher_dma_cleanup(req);
++
++ atomic_sub(req->cryptlen, &engine->load);
+ }
+
+ static void mv_cesa_skcipher_std_step(struct skcipher_request *req)
+@@ -212,7 +215,6 @@ mv_cesa_skcipher_complete(struct crypto_async_request *req)
+ struct mv_cesa_engine *engine = creq->base.engine;
+ unsigned int ivsize;
+
+- atomic_sub(skreq->cryptlen, &engine->load);
+ ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(skreq));
+
+ if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) {
+diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c
+index 6815eddc9068..e339ce7ad533 100644
+--- a/drivers/crypto/marvell/cesa/hash.c
++++ b/drivers/crypto/marvell/cesa/hash.c
+@@ -110,9 +110,12 @@ static inline void mv_cesa_ahash_dma_cleanup(struct ahash_request *req)
+ static inline void mv_cesa_ahash_cleanup(struct ahash_request *req)
+ {
+ struct mv_cesa_ahash_req *creq = ahash_request_ctx(req);
++ struct mv_cesa_engine *engine = creq->base.engine;
+
+ if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ)
+ mv_cesa_ahash_dma_cleanup(req);
++
++ atomic_sub(req->nbytes, &engine->load);
+ }
+
+ static void mv_cesa_ahash_last_cleanup(struct ahash_request *req)
+@@ -395,8 +398,6 @@ static void mv_cesa_ahash_complete(struct crypto_async_request *req)
+ }
+ }
+ }
+-
+- atomic_sub(ahashreq->nbytes, &engine->load);
+ }
+
+ static void mv_cesa_ahash_prepare(struct crypto_async_request *req,
+--
+2.39.5
+
--- /dev/null
+From 5a25e46574472b3bc5d8a757430cd8e87c6fdd89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 09:23:43 +0100
+Subject: crypto: qat - allow enabling VFs in the absence of IOMMU
+
+From: Ahsan Atta <ahsan.atta@intel.com>
+
+[ Upstream commit 53669ff591d4deb2d80eed4c07593ad0c0b45899 ]
+
+The commit ca88a2bdd4dd ("crypto: qat - allow disabling SR-IOV VFs")
+introduced an unnecessary change that prevented enabling SR-IOV when
+IOMMU is disabled. In certain scenarios, it is desirable to enable
+SR-IOV even in the absence of IOMMU. Thus, restoring the previous
+functionality to allow VFs to be enumerated in the absence of IOMMU.
+
+Fixes: ca88a2bdd4dd ("crypto: qat - allow disabling SR-IOV VFs")
+Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Michal Witwicki <michal.witwicki@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_sriov.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_sriov.c b/drivers/crypto/intel/qat/qat_common/adf_sriov.c
+index c75d0b6cb0ad..31d1ef0cb1f5 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_sriov.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_sriov.c
+@@ -155,7 +155,6 @@ static int adf_do_enable_sriov(struct adf_accel_dev *accel_dev)
+ if (!device_iommu_mapped(&GET_DEV(accel_dev))) {
+ dev_warn(&GET_DEV(accel_dev),
+ "IOMMU should be enabled for SR-IOV to work correctly\n");
+- return -EINVAL;
+ }
+
+ if (adf_dev_started(accel_dev)) {
+--
+2.39.5
+
--- /dev/null
+From 29a62d94c9e5a58380e39c59110fd39e88140ecd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 10:20:49 +0100
+Subject: crypto: qat - disable ZUC-256 capability for QAT GEN5
+
+From: Bairavi Alagappan <bairavix.alagappan@intel.com>
+
+[ Upstream commit d956692c7dd523b331d4556ee03def8dd02609dc ]
+
+The ZUC-256 EEA (encryption) and EIA (integrity) algorithms are not
+supported on QAT GEN5 devices, as their current implementation does not
+align with the NIST specification. Earlier versions of the ZUC-256
+specification used a different initialization scheme, which has since
+been revised to comply with the 5G specification.
+
+Due to this misalignment with the updated specification, remove support
+for ZUC-256 EEA and EIA for QAT GEN5 by masking out the ZUC-256
+capability.
+
+Fixes: fcf60f4bcf549 ("crypto: qat - add support for 420xx devices")
+Signed-off-by: Bairavi Alagappan <bairavix.alagappan@intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c
+index 7c3c0f561c95..8340b5e8a947 100644
+--- a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c
++++ b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c
+@@ -191,7 +191,6 @@ static u32 get_accel_cap(struct adf_accel_dev *accel_dev)
+ ICP_ACCEL_CAPABILITIES_SM4 |
+ ICP_ACCEL_CAPABILITIES_AES_V2 |
+ ICP_ACCEL_CAPABILITIES_ZUC |
+- ICP_ACCEL_CAPABILITIES_ZUC_256 |
+ ICP_ACCEL_CAPABILITIES_WIRELESS_CRYPTO_EXT |
+ ICP_ACCEL_CAPABILITIES_EXT_ALGCHAIN;
+
+@@ -223,17 +222,11 @@ static u32 get_accel_cap(struct adf_accel_dev *accel_dev)
+
+ if (fusectl1 & ICP_ACCEL_GEN4_MASK_WCP_WAT_SLICE) {
+ capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC;
+- capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC_256;
+ capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_WIRELESS_CRYPTO_EXT;
+ }
+
+- if (fusectl1 & ICP_ACCEL_GEN4_MASK_EIA3_SLICE) {
++ if (fusectl1 & ICP_ACCEL_GEN4_MASK_EIA3_SLICE)
+ capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC;
+- capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC_256;
+- }
+-
+- if (fusectl1 & ICP_ACCEL_GEN4_MASK_ZUC_256_SLICE)
+- capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC_256;
+
+ capabilities_asym = ICP_ACCEL_CAPABILITIES_CRYPTO_ASYMMETRIC |
+ ICP_ACCEL_CAPABILITIES_SM2 |
+--
+2.39.5
+
--- /dev/null
+From 2e72cb471e867f87e530f6f6a977dbe81f24e69b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 08:07:49 +0100
+Subject: crypto: qat - fix DMA direction for compression on GEN2 devices
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit d41d75fe1b751ee6b347bf1cb1cfe9accc4fcb12 ]
+
+QAT devices perform an additional integrity check during compression by
+decompressing the output. Starting from QAT GEN4, this verification is
+done in-line by the hardware. However, on GEN2 devices, the hardware
+reads back the compressed output from the destination buffer and performs
+a decompression operation using it as the source.
+
+In the current QAT driver, destination buffers are always marked as
+write-only. This is incorrect for QAT GEN2 compression, where the buffer
+is also read during verification. Since commit 6f5dc7658094
+("iommu/vt-d: Restore WO permissions on second-level paging entries"),
+merged in v6.16-rc1, write-only permissions are strictly enforced, leading
+to DMAR errors when using QAT GEN2 devices for compression, if VT-d is
+enabled.
+
+Mark the destination buffers as DMA_BIDIRECTIONAL. This ensures
+compatibility with GEN2 devices, even though it is not required for
+QAT GEN4 and later.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Fixes: cf5bb835b7c8 ("crypto: qat - fix DMA transfer direction")
+Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/qat_bl.c | 6 +++---
+ drivers/crypto/intel/qat/qat_common/qat_compression.c | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/qat_bl.c b/drivers/crypto/intel/qat/qat_common/qat_bl.c
+index 5e4dad4693ca..9b2338f58d97 100644
+--- a/drivers/crypto/intel/qat/qat_common/qat_bl.c
++++ b/drivers/crypto/intel/qat/qat_common/qat_bl.c
+@@ -38,7 +38,7 @@ void qat_bl_free_bufl(struct adf_accel_dev *accel_dev,
+ for (i = 0; i < blout->num_mapped_bufs; i++) {
+ dma_unmap_single(dev, blout->buffers[i].addr,
+ blout->buffers[i].len,
+- DMA_FROM_DEVICE);
++ DMA_BIDIRECTIONAL);
+ }
+ dma_unmap_single(dev, blpout, sz_out, DMA_TO_DEVICE);
+
+@@ -162,7 +162,7 @@ static int __qat_bl_sgl_to_bufl(struct adf_accel_dev *accel_dev,
+ }
+ buffers[y].addr = dma_map_single(dev, sg_virt(sg) + left,
+ sg->length - left,
+- DMA_FROM_DEVICE);
++ DMA_BIDIRECTIONAL);
+ if (unlikely(dma_mapping_error(dev, buffers[y].addr)))
+ goto err_out;
+ buffers[y].len = sg->length;
+@@ -204,7 +204,7 @@ static int __qat_bl_sgl_to_bufl(struct adf_accel_dev *accel_dev,
+ if (!dma_mapping_error(dev, buflout->buffers[i].addr))
+ dma_unmap_single(dev, buflout->buffers[i].addr,
+ buflout->buffers[i].len,
+- DMA_FROM_DEVICE);
++ DMA_BIDIRECTIONAL);
+ }
+
+ if (!buf->sgl_dst_valid)
+diff --git a/drivers/crypto/intel/qat/qat_common/qat_compression.c b/drivers/crypto/intel/qat/qat_common/qat_compression.c
+index 0a77ca65c8d4..53a4db5507ec 100644
+--- a/drivers/crypto/intel/qat/qat_common/qat_compression.c
++++ b/drivers/crypto/intel/qat/qat_common/qat_compression.c
+@@ -204,7 +204,7 @@ static int qat_compression_alloc_dc_data(struct adf_accel_dev *accel_dev)
+ if (!obuff)
+ goto err;
+
+- obuff_p = dma_map_single(dev, obuff, ovf_buff_sz, DMA_FROM_DEVICE);
++ obuff_p = dma_map_single(dev, obuff, ovf_buff_sz, DMA_BIDIRECTIONAL);
+ if (unlikely(dma_mapping_error(dev, obuff_p)))
+ goto err;
+
+@@ -232,7 +232,7 @@ static void qat_free_dc_data(struct adf_accel_dev *accel_dev)
+ return;
+
+ dma_unmap_single(dev, dc_data->ovf_buff_p, dc_data->ovf_buff_sz,
+- DMA_FROM_DEVICE);
++ DMA_BIDIRECTIONAL);
+ kfree_sensitive(dc_data->ovf_buff);
+ kfree(dc_data);
+ accel_dev->dc_data = NULL;
+--
+2.39.5
+
--- /dev/null
+From 453a93b2b46598196e6c33bcd31dfe3b375e3039 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 08:10:29 +0100
+Subject: crypto: qat - fix seq_file position update in adf_ring_next()
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 6908c5f4f066a0412c3d9a6f543a09fa7d87824b ]
+
+The `adf_ring_next()` function in the QAT debug transport interface
+fails to correctly update the position index when reaching the end of
+the ring elements. This triggers the following kernel warning when
+reading ring files, such as
+/sys/kernel/debug/qat_c6xx_<D:B:D:F>/transport/bank_00/ring_00:
+
+ [27725.022965] seq_file: buggy .next function adf_ring_next [intel_qat] did not update position index
+
+Ensure that the `*pos` index is incremented before returning NULL when
+after the last element in the ring is found, satisfying the seq_file API
+requirements and preventing the warning.
+
+Fixes: a672a9dc872e ("crypto: qat - Intel(R) QAT transport code")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_transport_debug.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c b/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c
+index e2dd568b87b5..621b5d3dfcef 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c
+@@ -31,8 +31,10 @@ static void *adf_ring_next(struct seq_file *sfile, void *v, loff_t *pos)
+ struct adf_etr_ring_data *ring = sfile->private;
+
+ if (*pos >= (ADF_SIZE_TO_RING_SIZE_IN_BYTES(ring->ring_size) /
+- ADF_MSG_SIZE_TO_BYTES(ring->msg_size)))
++ ADF_MSG_SIZE_TO_BYTES(ring->msg_size))) {
++ (*pos)++;
+ return NULL;
++ }
+
+ return ring->base_addr +
+ (ADF_MSG_SIZE_TO_BYTES(ring->msg_size) * (*pos)++);
+--
+2.39.5
+
--- /dev/null
+From f8bd9fd28b22aa415f29d68714cc0053a1bb7849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 16:59:56 +0100
+Subject: crypto: qat - fix state restore for banks with exceptions
+
+From: Svyatoslav Pankratov <svyatoslav.pankratov@intel.com>
+
+[ Upstream commit 254923ca8715f623704378266815b6d14eb26194 ]
+
+Change the logic in the restore function to properly handle bank
+exceptions.
+
+The check for exceptions in the saved state should be performed before
+conducting any other ringstat register checks.
+If a bank was saved with an exception, the ringstat will have the
+appropriate rp_halt/rp_exception bits set, causing the driver to exit
+the restore process with an error. Instead, the restore routine should
+first check the ringexpstat register, and if any exception was raised,
+it should stop further checks and return without any error. In other
+words, if a ring pair is in an exception state at the source, it should
+be restored the same way at the destination but without raising an error.
+
+Even though this approach might lead to losing the exception state
+during migration, the driver will log the exception from the saved state
+during the restore process.
+
+Signed-off-by: Svyatoslav Pankratov <svyatoslav.pankratov@intel.com>
+Fixes: bbfdde7d195f ("crypto: qat - add bank save and restore flows")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../intel/qat/qat_common/adf_gen4_hw_data.c | 29 ++++++++++++++-----
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.c b/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.c
+index 0406cb09c5bb..14d0fdd66a4b 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.c
+@@ -581,6 +581,28 @@ static int bank_state_restore(struct adf_hw_csr_ops *ops, void __iomem *base,
+ ops->write_csr_int_srcsel_w_val(base, bank, state->iaintflagsrcsel0);
+ ops->write_csr_exp_int_en(base, bank, state->ringexpintenable);
+ ops->write_csr_int_col_ctl(base, bank, state->iaintcolctl);
++
++ /*
++ * Verify whether any exceptions were raised during the bank save process.
++ * If exceptions occurred, the status and exception registers cannot
++ * be directly restored. Consequently, further restoration is not
++ * feasible, and the current state of the ring should be maintained.
++ */
++ val = state->ringexpstat;
++ if (val) {
++ pr_info("QAT: Bank %u state not fully restored due to exception in saved state (%#x)\n",
++ bank, val);
++ return 0;
++ }
++
++ /* Ensure that the restoration process completed without exceptions */
++ tmp_val = ops->read_csr_exp_stat(base, bank);
++ if (tmp_val) {
++ pr_err("QAT: Bank %u restored with exception: %#x\n",
++ bank, tmp_val);
++ return -EFAULT;
++ }
++
+ ops->write_csr_ring_srv_arb_en(base, bank, state->ringsrvarben);
+
+ /* Check that all ring statuses match the saved state. */
+@@ -614,13 +636,6 @@ static int bank_state_restore(struct adf_hw_csr_ops *ops, void __iomem *base,
+ if (ret)
+ return ret;
+
+- tmp_val = ops->read_csr_exp_stat(base, bank);
+- val = state->ringexpstat;
+- if (tmp_val && !val) {
+- pr_err("QAT: Bank was restored with exception: 0x%x\n", val);
+- return -EINVAL;
+- }
+-
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 383a1c21d3fd49cc685f151f42ac7d163989de64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:54:17 +0100
+Subject: crypto: qat - fix virtual channel configuration for GEN6 devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
+
+[ Upstream commit e83cfb8ff1433cc832d31b8cac967a1eb79d5b44 ]
+
+The TCVCMAP (Traffic Class to Virtual Channel Mapping) field in the
+PVC0CTL and PVC1CTL register controls how traffic classes are mapped to
+virtual channels in QAT GEN6 hardware.
+
+The driver previously wrote a default TCVCMAP value to this register, but
+this configuration was incorrect.
+
+Modify the TCVCMAP configuration to explicitly enable both VC0 and VC1,
+and map Traffic Classes 0 to 7 → VC0 and Traffic Class 8 → VC1.
+Replace FIELD_PREP() with FIELD_MODIFY() to ensure that only the intended
+TCVCMAP field is updated, preserving other bits in the register. This
+prevents unintended overwrites of unrelated configuration fields when
+modifying TC to VC mappings.
+
+Fixes: 17fd7514ae68 ("crypto: qat - add qat_6xxx driver")
+Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c | 10 +++++-----
+ drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.h | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c b/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c
+index 185a7ab92b7b..2207e5e576b2 100644
+--- a/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c
++++ b/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c
+@@ -520,8 +520,8 @@ static void set_vc_csr_for_bank(void __iomem *csr, u32 bank_number)
+ * driver must program the ringmodectl CSRs.
+ */
+ value = ADF_CSR_RD(csr, ADF_GEN6_CSR_RINGMODECTL(bank_number));
+- value |= FIELD_PREP(ADF_GEN6_RINGMODECTL_TC_MASK, ADF_GEN6_RINGMODECTL_TC_DEFAULT);
+- value |= FIELD_PREP(ADF_GEN6_RINGMODECTL_TC_EN_MASK, ADF_GEN6_RINGMODECTL_TC_EN_OP1);
++ FIELD_MODIFY(ADF_GEN6_RINGMODECTL_TC_MASK, &value, ADF_GEN6_RINGMODECTL_TC_DEFAULT);
++ FIELD_MODIFY(ADF_GEN6_RINGMODECTL_TC_EN_MASK, &value, ADF_GEN6_RINGMODECTL_TC_EN_OP1);
+ ADF_CSR_WR(csr, ADF_GEN6_CSR_RINGMODECTL(bank_number), value);
+ }
+
+@@ -537,7 +537,7 @@ static int set_vc_config(struct adf_accel_dev *accel_dev)
+ * Read PVC0CTL then write the masked values.
+ */
+ pci_read_config_dword(pdev, ADF_GEN6_PVC0CTL_OFFSET, &value);
+- value |= FIELD_PREP(ADF_GEN6_PVC0CTL_TCVCMAP_MASK, ADF_GEN6_PVC0CTL_TCVCMAP_DEFAULT);
++ FIELD_MODIFY(ADF_GEN6_PVC0CTL_TCVCMAP_MASK, &value, ADF_GEN6_PVC0CTL_TCVCMAP_DEFAULT);
+ err = pci_write_config_dword(pdev, ADF_GEN6_PVC0CTL_OFFSET, value);
+ if (err) {
+ dev_err(&GET_DEV(accel_dev), "pci write to PVC0CTL failed\n");
+@@ -546,8 +546,8 @@ static int set_vc_config(struct adf_accel_dev *accel_dev)
+
+ /* Read PVC1CTL then write masked values */
+ pci_read_config_dword(pdev, ADF_GEN6_PVC1CTL_OFFSET, &value);
+- value |= FIELD_PREP(ADF_GEN6_PVC1CTL_TCVCMAP_MASK, ADF_GEN6_PVC1CTL_TCVCMAP_DEFAULT);
+- value |= FIELD_PREP(ADF_GEN6_PVC1CTL_VCEN_MASK, ADF_GEN6_PVC1CTL_VCEN_ON);
++ FIELD_MODIFY(ADF_GEN6_PVC1CTL_TCVCMAP_MASK, &value, ADF_GEN6_PVC1CTL_TCVCMAP_DEFAULT);
++ FIELD_MODIFY(ADF_GEN6_PVC1CTL_VCEN_MASK, &value, ADF_GEN6_PVC1CTL_VCEN_ON);
+ err = pci_write_config_dword(pdev, ADF_GEN6_PVC1CTL_OFFSET, value);
+ if (err)
+ dev_err(&GET_DEV(accel_dev), "pci write to PVC1CTL failed\n");
+diff --git a/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.h b/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.h
+index 78e2e2c5816e..8824958527c4 100644
+--- a/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.h
++++ b/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.h
+@@ -99,7 +99,7 @@
+ #define ADF_GEN6_PVC0CTL_OFFSET 0x204
+ #define ADF_GEN6_PVC0CTL_TCVCMAP_OFFSET 1
+ #define ADF_GEN6_PVC0CTL_TCVCMAP_MASK GENMASK(7, 1)
+-#define ADF_GEN6_PVC0CTL_TCVCMAP_DEFAULT 0x7F
++#define ADF_GEN6_PVC0CTL_TCVCMAP_DEFAULT 0x3F
+
+ /* VC1 Resource Control Register */
+ #define ADF_GEN6_PVC1CTL_OFFSET 0x210
+--
+2.39.5
+
--- /dev/null
+From 6ae825b824dd54d91efa4193ddfb5d41b1c731aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 12:27:12 +0100
+Subject: crypto: qat - restore ASYM service support for GEN6 devices
+
+From: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
+
+[ Upstream commit 4e55a929ff4d973206879a997a47a188353b3cd6 ]
+
+Support for asymmetric crypto services was not included in the qat_6xxx
+by explicitly setting the asymmetric capabilities to 0 to allow for
+additional testing.
+
+Enable asymmetric crypto services on QAT GEN6 devices by setting the
+appropriate capability flags.
+
+Fixes: 17fd7514ae68 ("crypto: qat - add qat_6xxx driver")
+Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c b/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c
+index 359a6447ccb8..185a7ab92b7b 100644
+--- a/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c
++++ b/drivers/crypto/intel/qat/qat_6xxx/adf_6xxx_hw_data.c
+@@ -627,7 +627,15 @@ static u32 get_accel_cap(struct adf_accel_dev *accel_dev)
+ capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_CIPHER;
+ }
+
+- capabilities_asym = 0;
++ capabilities_asym = ICP_ACCEL_CAPABILITIES_CRYPTO_ASYMMETRIC |
++ ICP_ACCEL_CAPABILITIES_SM2 |
++ ICP_ACCEL_CAPABILITIES_ECEDMONT;
++
++ if (fusectl1 & ICP_ACCEL_GEN6_MASK_PKE_SLICE) {
++ capabilities_asym &= ~ICP_ACCEL_CAPABILITIES_CRYPTO_ASYMMETRIC;
++ capabilities_asym &= ~ICP_ACCEL_CAPABILITIES_SM2;
++ capabilities_asym &= ~ICP_ACCEL_CAPABILITIES_ECEDMONT;
++ }
+
+ capabilities_dc = ICP_ACCEL_CAPABILITIES_COMPRESSION |
+ ICP_ACCEL_CAPABILITIES_LZ4_COMPRESSION |
+--
+2.39.5
+
--- /dev/null
+From ac56764d5787b268a61a236a60c8ae1553337f55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 09:21:41 +0100
+Subject: crypto: qat - use unmanaged allocation for dc_data
+
+From: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
+
+[ Upstream commit 4cc871ad0173e8bc22f80e3609e34d546d30ef1a ]
+
+The dc_data structure holds data required for handling compression
+operations, such as overflow buffers. In this context, the use of
+managed memory allocation APIs (devm_kzalloc() and devm_kfree())
+is not necessary, as these data structures are freed and
+re-allocated when a device is restarted in adf_dev_down() and
+adf_dev_up().
+
+Additionally, managed APIs automatically handle memory cleanup when the
+device is detached, which can lead to conflicts with manual cleanup
+processes. Specifically, if a device driver invokes the adf_dev_down()
+function as part of the cleanup registered with
+devm_add_action_or_reset(), it may attempt to free memory that is also
+managed by the device's resource management system, potentially leading
+to a double-free.
+
+This might result in a warning similar to the following when unloading
+the device specific driver, for example qat_6xxx.ko:
+
+ qat_free_dc_data+0x4f/0x60 [intel_qat]
+ qat_compression_event_handler+0x3d/0x1d0 [intel_qat]
+ adf_dev_shutdown+0x6d/0x1a0 [intel_qat]
+ adf_dev_down+0x32/0x50 [intel_qat]
+ devres_release_all+0xb8/0x110
+ device_unbind_cleanup+0xe/0x70
+ device_release_driver_internal+0x1c1/0x200
+ driver_detach+0x48/0x90
+ bus_remove_driver+0x74/0xf0
+ pci_unregister_driver+0x2e/0xb0
+
+Use unmanaged memory allocation APIs (kzalloc_node() and kfree()) for
+the dc_data structure. This ensures that memory is explicitly allocated
+and freed under the control of the driver code, preventing manual
+deallocation from interfering with automatic cleanup.
+
+Fixes: 1198ae56c9a5 ("crypto: qat - expose deflate through acomp api for QAT GEN2")
+Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/qat_compression.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/qat_compression.c b/drivers/crypto/intel/qat/qat_common/qat_compression.c
+index c285b45b8679..0a77ca65c8d4 100644
+--- a/drivers/crypto/intel/qat/qat_common/qat_compression.c
++++ b/drivers/crypto/intel/qat/qat_common/qat_compression.c
+@@ -196,7 +196,7 @@ static int qat_compression_alloc_dc_data(struct adf_accel_dev *accel_dev)
+ struct adf_dc_data *dc_data = NULL;
+ u8 *obuff = NULL;
+
+- dc_data = devm_kzalloc(dev, sizeof(*dc_data), GFP_KERNEL);
++ dc_data = kzalloc_node(sizeof(*dc_data), GFP_KERNEL, dev_to_node(dev));
+ if (!dc_data)
+ goto err;
+
+@@ -234,7 +234,7 @@ static void qat_free_dc_data(struct adf_accel_dev *accel_dev)
+ dma_unmap_single(dev, dc_data->ovf_buff_p, dc_data->ovf_buff_sz,
+ DMA_FROM_DEVICE);
+ kfree_sensitive(dc_data->ovf_buff);
+- devm_kfree(dev, dc_data);
++ kfree(dc_data);
+ accel_dev->dc_data = NULL;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a74aa62afecdbf7e9ea9e6aa820fae176f9733ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 19:24:34 +0800
+Subject: crypto: s390/hmac - Fix counter in export state
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 1b39bc4a703a63a22c08232015540adfb31f22ba ]
+
+The hmac export state needs to be one block-size bigger to account
+for the ipad.
+
+Reported-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Fixes: 08811169ac01 ("crypto: s390/hmac - Use API partial block handling")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/crypto/hmac_s390.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/arch/s390/crypto/hmac_s390.c b/arch/s390/crypto/hmac_s390.c
+index 93a1098d9f8d..58444da9b004 100644
+--- a/arch/s390/crypto/hmac_s390.c
++++ b/arch/s390/crypto/hmac_s390.c
+@@ -290,6 +290,7 @@ static int s390_hmac_export(struct shash_desc *desc, void *out)
+ struct s390_kmac_sha2_ctx *ctx = shash_desc_ctx(desc);
+ unsigned int bs = crypto_shash_blocksize(desc->tfm);
+ unsigned int ds = bs / 2;
++ u64 lo = ctx->buflen[0];
+ union {
+ u8 *u8;
+ u64 *u64;
+@@ -301,9 +302,10 @@ static int s390_hmac_export(struct shash_desc *desc, void *out)
+ else
+ memcpy(p.u8, ctx->param, ds);
+ p.u8 += ds;
+- put_unaligned(ctx->buflen[0], p.u64++);
++ lo += bs;
++ put_unaligned(lo, p.u64++);
+ if (ds == SHA512_DIGEST_SIZE)
+- put_unaligned(ctx->buflen[1], p.u64);
++ put_unaligned(ctx->buflen[1] + (lo < bs), p.u64);
+ return err;
+ }
+
+@@ -316,14 +318,16 @@ static int s390_hmac_import(struct shash_desc *desc, const void *in)
+ const u8 *u8;
+ const u64 *u64;
+ } p = { .u8 = in };
++ u64 lo;
+ int err;
+
+ err = s390_hmac_sha2_init(desc);
+ memcpy(ctx->param, p.u8, ds);
+ p.u8 += ds;
+- ctx->buflen[0] = get_unaligned(p.u64++);
++ lo = get_unaligned(p.u64++);
++ ctx->buflen[0] = lo - bs;
+ if (ds == SHA512_DIGEST_SIZE)
+- ctx->buflen[1] = get_unaligned(p.u64);
++ ctx->buflen[1] = get_unaligned(p.u64) - (lo < bs);
+ if (ctx->buflen[0] | ctx->buflen[1])
+ ctx->gr0.ikp = 1;
+ return err;
+--
+2.39.5
+
--- /dev/null
+From 59626ca6d553a5476b087b4dfc684eee12d49abc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 20:28:56 +0800
+Subject: crypto: s390/sha3 - Use cpu byte-order when exporting
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 73c2437109c3eab274258a6430ae5dafac1ef43e ]
+
+The sha3 partial hash on s390 is in little-endian just like the
+final hash. However the generic implementation produces native
+or big-endian partial hashes.
+
+Make s390 sha3 conform to that by doing the byte-swap on export
+and import.
+
+Reported-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Fixes: 6f90ba706551 ("crypto: s390/sha3 - Use API partial block handling")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/crypto/sha.h | 3 +++
+ arch/s390/crypto/sha3_256_s390.c | 24 +++++++++++++++++-------
+ arch/s390/crypto/sha3_512_s390.c | 25 +++++++++++++++++--------
+ 3 files changed, 37 insertions(+), 15 deletions(-)
+
+diff --git a/arch/s390/crypto/sha.h b/arch/s390/crypto/sha.h
+index d757ccbce2b4..cadb4b13622a 100644
+--- a/arch/s390/crypto/sha.h
++++ b/arch/s390/crypto/sha.h
+@@ -27,6 +27,9 @@ struct s390_sha_ctx {
+ u64 state[SHA512_DIGEST_SIZE / sizeof(u64)];
+ u64 count_hi;
+ } sha512;
++ struct {
++ __le64 state[SHA3_STATE_SIZE / sizeof(u64)];
++ } sha3;
+ };
+ int func; /* KIMD function to use */
+ bool first_message_part;
+diff --git a/arch/s390/crypto/sha3_256_s390.c b/arch/s390/crypto/sha3_256_s390.c
+index 4a7731ac6bcd..03bb4f4bab70 100644
+--- a/arch/s390/crypto/sha3_256_s390.c
++++ b/arch/s390/crypto/sha3_256_s390.c
+@@ -35,23 +35,33 @@ static int sha3_256_init(struct shash_desc *desc)
+ static int sha3_256_export(struct shash_desc *desc, void *out)
+ {
+ struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
+- struct sha3_state *octx = out;
++ union {
++ u8 *u8;
++ u64 *u64;
++ } p = { .u8 = out };
++ int i;
+
+ if (sctx->first_message_part) {
+- memset(sctx->state, 0, sizeof(sctx->state));
+- sctx->first_message_part = 0;
++ memset(out, 0, SHA3_STATE_SIZE);
++ return 0;
+ }
+- memcpy(octx->st, sctx->state, sizeof(octx->st));
++ for (i = 0; i < SHA3_STATE_SIZE / 8; i++)
++ put_unaligned(le64_to_cpu(sctx->sha3.state[i]), p.u64++);
+ return 0;
+ }
+
+ static int sha3_256_import(struct shash_desc *desc, const void *in)
+ {
+ struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
+- const struct sha3_state *ictx = in;
+-
++ union {
++ const u8 *u8;
++ const u64 *u64;
++ } p = { .u8 = in };
++ int i;
++
++ for (i = 0; i < SHA3_STATE_SIZE / 8; i++)
++ sctx->sha3.state[i] = cpu_to_le64(get_unaligned(p.u64++));
+ sctx->count = 0;
+- memcpy(sctx->state, ictx->st, sizeof(ictx->st));
+ sctx->first_message_part = 0;
+ sctx->func = CPACF_KIMD_SHA3_256;
+
+diff --git a/arch/s390/crypto/sha3_512_s390.c b/arch/s390/crypto/sha3_512_s390.c
+index 018f02fff444..a5c9690eecb1 100644
+--- a/arch/s390/crypto/sha3_512_s390.c
++++ b/arch/s390/crypto/sha3_512_s390.c
+@@ -34,24 +34,33 @@ static int sha3_512_init(struct shash_desc *desc)
+ static int sha3_512_export(struct shash_desc *desc, void *out)
+ {
+ struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
+- struct sha3_state *octx = out;
+-
++ union {
++ u8 *u8;
++ u64 *u64;
++ } p = { .u8 = out };
++ int i;
+
+ if (sctx->first_message_part) {
+- memset(sctx->state, 0, sizeof(sctx->state));
+- sctx->first_message_part = 0;
++ memset(out, 0, SHA3_STATE_SIZE);
++ return 0;
+ }
+- memcpy(octx->st, sctx->state, sizeof(octx->st));
++ for (i = 0; i < SHA3_STATE_SIZE / 8; i++)
++ put_unaligned(le64_to_cpu(sctx->sha3.state[i]), p.u64++);
+ return 0;
+ }
+
+ static int sha3_512_import(struct shash_desc *desc, const void *in)
+ {
+ struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
+- const struct sha3_state *ictx = in;
+-
++ union {
++ const u8 *u8;
++ const u64 *u64;
++ } p = { .u8 = in };
++ int i;
++
++ for (i = 0; i < SHA3_STATE_SIZE / 8; i++)
++ sctx->sha3.state[i] = cpu_to_le64(get_unaligned(p.u64++));
+ sctx->count = 0;
+- memcpy(sctx->state, ictx->st, sizeof(ictx->st));
+ sctx->first_message_part = 0;
+ sctx->func = CPACF_KIMD_SHA3_512;
+
+--
+2.39.5
+
--- /dev/null
+From c87b6846a4a3cae04dc90001a73884ad7602017b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 18:13:48 +0300
+Subject: crypto: sun8i-ce - fix nents passed to dma_unmap_sg()
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit b6cd3cfb5afe49952f8f6be947aeeca9ba0faebb ]
+
+In sun8i_ce_cipher_unprepare(), dma_unmap_sg() is incorrectly called with
+the number of entries returned by dma_map_sg(), rather than using the
+original number of entries passed when mapping the scatterlist.
+
+To fix this, stash the original number of entries passed to dma_map_sg()
+in the request context.
+
+Fixes: 0605fa0f7826 ("crypto: sun8i-ce - split into prepare/run/unprepare")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Acked-by: Corentin LABBE <clabbe.montjoie@gmail.com>
+Tested-by: Corentin LABBE <clabbe.montjoie@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+index f9cf00d690e2..7cd3b13f3bdc 100644
+--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+@@ -278,8 +278,8 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req
+ }
+
+ chan->timeout = areq->cryptlen;
+- rctx->nr_sgs = nr_sgs;
+- rctx->nr_sgd = nr_sgd;
++ rctx->nr_sgs = ns;
++ rctx->nr_sgd = nd;
+ return 0;
+
+ theend_sgs:
+--
+2.39.5
+
--- /dev/null
+From eb8bf17098b0ea5f2304f1d8e1f6203873485939 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 11:23:55 +0800
+Subject: cxl/core: Introduce a new helper cxl_resource_contains_addr()
+
+From: Li Ming <ming.li@zohomail.com>
+
+[ Upstream commit 5b6031c832c2747d58d3f0130098d965ef050b9a ]
+
+In CXL subsystem, many functions need to check an address availability
+by checking if the resource range contains the address. Providing a new
+helper function cxl_resource_contains_addr() to check if the resource
+range contains the input address.
+
+Suggested-by: Alison Schofield <alison.schofield@intel.com>
+Signed-off-by: Li Ming <ming.li@zohomail.com>
+Tested-by: Shiju Jose <shiju.jose@huawei.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Link: https://patch.msgid.link/20250711032357.127355-2-ming.li@zohomail.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Stable-dep-of: 03ff65c02559 ("cxl/edac: Fix wrong dpa checking for PPR operation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/core.h | 1 +
+ drivers/cxl/core/hdm.c | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/cxl/core/core.h b/drivers/cxl/core/core.h
+index 29b61828a847..6b78b10da3e1 100644
+--- a/drivers/cxl/core/core.h
++++ b/drivers/cxl/core/core.h
+@@ -80,6 +80,7 @@ int cxl_dpa_alloc(struct cxl_endpoint_decoder *cxled, u64 size);
+ int cxl_dpa_free(struct cxl_endpoint_decoder *cxled);
+ resource_size_t cxl_dpa_size(struct cxl_endpoint_decoder *cxled);
+ resource_size_t cxl_dpa_resource_start(struct cxl_endpoint_decoder *cxled);
++bool cxl_resource_contains_addr(const struct resource *res, const resource_size_t addr);
+
+ enum cxl_rcrb {
+ CXL_RCRB_DOWNSTREAM,
+diff --git a/drivers/cxl/core/hdm.c b/drivers/cxl/core/hdm.c
+index ab1007495f6b..088caa6b6f74 100644
+--- a/drivers/cxl/core/hdm.c
++++ b/drivers/cxl/core/hdm.c
+@@ -547,6 +547,13 @@ resource_size_t cxl_dpa_resource_start(struct cxl_endpoint_decoder *cxled)
+ return base;
+ }
+
++bool cxl_resource_contains_addr(const struct resource *res, const resource_size_t addr)
++{
++ struct resource _addr = DEFINE_RES_MEM(addr, 1);
++
++ return resource_contains(res, &_addr);
++}
++
+ int cxl_dpa_free(struct cxl_endpoint_decoder *cxled)
+ {
+ struct cxl_port *port = cxled_to_port(cxled);
+--
+2.39.5
+
--- /dev/null
+From 3e63e4956fe17bea8d7b3c874b90d676d8fe12f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 11:23:56 +0800
+Subject: cxl/edac: Fix wrong dpa checking for PPR operation
+
+From: Li Ming <ming.li@zohomail.com>
+
+[ Upstream commit 03ff65c02559e8da32be231d7f10fe899233ceae ]
+
+Per Table 8-143. "Get Partition Info Output Payload" in CXL r3.2 section
+8.2.10.9.2.1 "Get Partition Info(Opcode 4100h)", DPA 0 is a valid
+address of a CXL device. However, cxl_do_ppr() considers it as an
+invalid address, so that user will get an -EINVAL when user calls the
+sysfs interface of the edac driver to trigger a Post Package Repair(PPR)
+operation for DPA 0 on a CXL device. The correct implementation should
+be checking if the input DPA is in the DPA range of the CXL device.
+
+Fixes: be9b359e056a ("cxl/edac: Add CXL memory device soft PPR control feature")
+Signed-off-by: Li Ming <ming.li@zohomail.com>
+Tested-by: Shiju Jose <shiju.jose@huawei.com>
+Reviewed-by: Shiju Jose <shiju.jose@huawei.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Link: https://patch.msgid.link/20250711032357.127355-3-ming.li@zohomail.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/edac.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cxl/core/edac.c b/drivers/cxl/core/edac.c
+index 623aaa4439c4..991fa3e70522 100644
+--- a/drivers/cxl/core/edac.c
++++ b/drivers/cxl/core/edac.c
+@@ -1923,8 +1923,11 @@ static int cxl_ppr_set_nibble_mask(struct device *dev, void *drv_data,
+ static int cxl_do_ppr(struct device *dev, void *drv_data, u32 val)
+ {
+ struct cxl_ppr_context *cxl_ppr_ctx = drv_data;
++ struct cxl_memdev *cxlmd = cxl_ppr_ctx->cxlmd;
++ struct cxl_dev_state *cxlds = cxlmd->cxlds;
+
+- if (!cxl_ppr_ctx->dpa || val != EDAC_DO_MEM_REPAIR)
++ if (val != EDAC_DO_MEM_REPAIR ||
++ !cxl_resource_contains_addr(&cxlds->dpa_res, cxl_ppr_ctx->dpa))
+ return -EINVAL;
+
+ return cxl_mem_perform_ppr(cxl_ppr_ctx);
+--
+2.39.5
+
--- /dev/null
+From d7d628e150c711cde91f1406b5266fb5719d4aed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:12:20 -0400
+Subject: dm-flakey: Fix corrupt_bio_byte setup checks
+
+From: Kent Overstreet <kent.overstreet@linux.dev>
+
+[ Upstream commit 75227ed6812cb869380c8fb6d41a845ae571781e ]
+
+Fix the error_reads mode - it's incompatible with corrupt_bio_byte, but
+that's only enabled if corrupt_bio_byte is nonzero.
+
+Cc: Benjamin Marzinski <bmarzins@redhat.com>
+Cc: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Mike Snitzer <snitzer@kernel.org>
+Cc: dm-devel@lists.linux.dev
+Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
+Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
+Fixes: 19da6b2c9e8e ("dm-flakey: Clean up parsing messages")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-flakey.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
+index c711db6f8f5c..cf17fd46e255 100644
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -215,16 +215,19 @@ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
+ }
+
+ if (test_bit(DROP_WRITES, &fc->flags) &&
+- (fc->corrupt_bio_rw == WRITE || fc->random_write_corrupt)) {
++ ((fc->corrupt_bio_byte && fc->corrupt_bio_rw == WRITE) ||
++ fc->random_write_corrupt)) {
+ ti->error = "drop_writes is incompatible with random_write_corrupt or corrupt_bio_byte with the WRITE flag set";
+ return -EINVAL;
+
+ } else if (test_bit(ERROR_WRITES, &fc->flags) &&
+- (fc->corrupt_bio_rw == WRITE || fc->random_write_corrupt)) {
++ ((fc->corrupt_bio_byte && fc->corrupt_bio_rw == WRITE) ||
++ fc->random_write_corrupt)) {
+ ti->error = "error_writes is incompatible with random_write_corrupt or corrupt_bio_byte with the WRITE flag set";
+ return -EINVAL;
+ } else if (test_bit(ERROR_READS, &fc->flags) &&
+- (fc->corrupt_bio_rw == READ || fc->random_read_corrupt)) {
++ ((fc->corrupt_bio_byte && fc->corrupt_bio_rw == READ) ||
++ fc->random_read_corrupt)) {
+ ti->error = "error_reads is incompatible with random_read_corrupt or corrupt_bio_byte with the READ flag set";
+ return -EINVAL;
+ }
+--
+2.39.5
+
--- /dev/null
+From a2a1e0a998079d0d15109bf18f4b3f57215881ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 May 2025 21:26:05 +0200
+Subject: dmaengine: mmp: Fix again Wvoid-pointer-to-enum-cast warning
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit a0b1589b62e2fcfb112996e0f4d5593bd2edf069 ]
+
+This was fixed and re-introduced. 'type' is an enum, thus cast of
+pointer on 64-bit compile test with W=1 causes:
+
+ mmp_tdma.c:644:9: error: cast to smaller integer type 'enum mmp_tdma_type' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+Fixes: a67ba97dfb30 ("dmaengine: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250525-dma-fixes-v1-5-89d06dac9bcb@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mmp_tdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/mmp_tdma.c b/drivers/dma/mmp_tdma.c
+index c8dc504510f1..b7fb843c67a6 100644
+--- a/drivers/dma/mmp_tdma.c
++++ b/drivers/dma/mmp_tdma.c
+@@ -641,7 +641,7 @@ static int mmp_tdma_probe(struct platform_device *pdev)
+ int chan_num = TDMA_CHANNEL_NUM;
+ struct gen_pool *pool = NULL;
+
+- type = (enum mmp_tdma_type)device_get_match_data(&pdev->dev);
++ type = (kernel_ulong_t)device_get_match_data(&pdev->dev);
+
+ /* always have couple channels */
+ tdev = devm_kzalloc(&pdev->dev, sizeof(*tdev), GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From 3291f3738425dfb1218d212063f1d61b727b6425 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 14:37:52 +0200
+Subject: dmaengine: mv_xor: Fix missing check after DMA map and missing unmap
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 60095aca6b471b7b7a79c80b7395f7e4e414b479 ]
+
+The DMA map functions can fail and should be tested for errors.
+
+In case of error, unmap the already mapped regions.
+
+Fixes: 22843545b200 ("dma: mv_xor: Add support for DMA_INTERRUPT")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250701123753.46935-2-fourier.thomas@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mv_xor.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c
+index fa6e4646fdc2..1fdcb0f5c9e7 100644
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -1061,8 +1061,16 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
+ */
+ mv_chan->dummy_src_addr = dma_map_single(dma_dev->dev,
+ mv_chan->dummy_src, MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE);
++ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_src_addr))
++ return ERR_PTR(-ENOMEM);
++
+ mv_chan->dummy_dst_addr = dma_map_single(dma_dev->dev,
+ mv_chan->dummy_dst, MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE);
++ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_dst_addr)) {
++ ret = -ENOMEM;
++ goto err_unmap_src;
++ }
++
+
+ /* allocate coherent memory for hardware descriptors
+ * note: writecombine gives slightly better performance, but
+@@ -1071,8 +1079,10 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
+ mv_chan->dma_desc_pool_virt =
+ dma_alloc_wc(&pdev->dev, MV_XOR_POOL_SIZE, &mv_chan->dma_desc_pool,
+ GFP_KERNEL);
+- if (!mv_chan->dma_desc_pool_virt)
+- return ERR_PTR(-ENOMEM);
++ if (!mv_chan->dma_desc_pool_virt) {
++ ret = -ENOMEM;
++ goto err_unmap_dst;
++ }
+
+ /* discover transaction capabilities from the platform data */
+ dma_dev->cap_mask = cap_mask;
+@@ -1155,6 +1165,13 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
+ err_free_dma:
+ dma_free_coherent(&pdev->dev, MV_XOR_POOL_SIZE,
+ mv_chan->dma_desc_pool_virt, mv_chan->dma_desc_pool);
++err_unmap_dst:
++ dma_unmap_single(dma_dev->dev, mv_chan->dummy_dst_addr,
++ MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE);
++err_unmap_src:
++ dma_unmap_single(dma_dev->dev, mv_chan->dummy_src_addr,
++ MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE);
++
+ return ERR_PTR(ret);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 80a6087ae989f5de513bbb4754413c15d620ccfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:57:16 +0200
+Subject: dmaengine: nbpfaxi: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c6ee78fc8f3e653bec427cfd06fec7877ee782bd ]
+
+The DMA map functions can fail and should be tested for errors.
+If the mapping fails, unmap and return an error.
+
+Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250707075752.28674-2-fourier.thomas@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/nbpfaxi.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/dma/nbpfaxi.c b/drivers/dma/nbpfaxi.c
+index 7a2488a0d6a3..765462303de0 100644
+--- a/drivers/dma/nbpfaxi.c
++++ b/drivers/dma/nbpfaxi.c
+@@ -711,6 +711,9 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan)
+ list_add_tail(&ldesc->node, &lhead);
+ ldesc->hwdesc_dma_addr = dma_map_single(dchan->device->dev,
+ hwdesc, sizeof(*hwdesc), DMA_TO_DEVICE);
++ if (dma_mapping_error(dchan->device->dev,
++ ldesc->hwdesc_dma_addr))
++ goto unmap_error;
+
+ dev_dbg(dev, "%s(): mapped 0x%p to %pad\n", __func__,
+ hwdesc, &ldesc->hwdesc_dma_addr);
+@@ -737,6 +740,16 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan)
+ spin_unlock_irq(&chan->lock);
+
+ return ARRAY_SIZE(dpage->desc);
++
++unmap_error:
++ while (i--) {
++ ldesc--; hwdesc--;
++
++ dma_unmap_single(dchan->device->dev, ldesc->hwdesc_dma_addr,
++ sizeof(hwdesc), DMA_TO_DEVICE);
++ }
++
++ return -ENOMEM;
+ }
+
+ static void nbpf_desc_put(struct nbpf_desc *desc)
+--
+2.39.5
+
--- /dev/null
+From 322758f51365b414493b64af2231232ad9e217d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 10:46:54 +0200
+Subject: driver core: auxiliary bus: fix OF node leak
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 6beb4ec0f9fdff4c4c6eb8ed8654fe8396c2b6e0 ]
+
+Make sure to drop the OF node reference taken when creating an auxiliary
+device using auxiliary_device_create() when the device is later
+released.
+
+Fixes: eaa0d30216c1 ("driver core: auxiliary bus: add device creation helpers")
+Cc: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Danilo Krummrich <dakr@kernel.org>
+Reviewed-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20250708084654.15145-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/auxiliary.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/auxiliary.c b/drivers/base/auxiliary.c
+index dba7c8e13a53..6bdefebf3609 100644
+--- a/drivers/base/auxiliary.c
++++ b/drivers/base/auxiliary.c
+@@ -399,6 +399,7 @@ static void auxiliary_device_release(struct device *dev)
+ {
+ struct auxiliary_device *auxdev = to_auxiliary_dev(dev);
+
++ of_node_put(dev->of_node);
+ kfree(auxdev);
+ }
+
+@@ -435,6 +436,7 @@ struct auxiliary_device *auxiliary_device_create(struct device *dev,
+
+ ret = auxiliary_device_init(auxdev);
+ if (ret) {
++ of_node_put(auxdev->dev.of_node);
+ kfree(auxdev);
+ return NULL;
+ }
+--
+2.39.5
+
--- /dev/null
+From 46b948531c048c86766e5d1f7c6871ba411d0050 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 16:16:26 +0200
+Subject: drivers: misc: sram: fix up some const issues with recent attribute
+ changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit bf7b4a0e25569ce39c6749afe363aefe5723d326 ]
+
+The binary attribute const changes recently for the sram driver were
+made in a way that hid the fact that we would be casting a const pointer
+to a non-const one. So explicitly make the cast so that it is obvious
+and preserve the const pointer in the sram_reserve_cmp() function.
+
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Thomas Weißschuh <linux@weissschuh.net>
+Fixes: c3b8c358c4f3 ("misc: sram: constify 'struct bin_attribute'")
+Link: https://lore.kernel.org/r/2025052125-squid-sandstorm-a418@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/sram.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c
+index e5069882457e..c69644be4176 100644
+--- a/drivers/misc/sram.c
++++ b/drivers/misc/sram.c
+@@ -28,7 +28,8 @@ static ssize_t sram_read(struct file *filp, struct kobject *kobj,
+ {
+ struct sram_partition *part;
+
+- part = container_of(attr, struct sram_partition, battr);
++ /* Cast away the const as the attribute is part of a larger structure */
++ part = (struct sram_partition *)container_of(attr, struct sram_partition, battr);
+
+ mutex_lock(&part->lock);
+ memcpy_fromio(buf, part->base + pos, count);
+@@ -43,7 +44,8 @@ static ssize_t sram_write(struct file *filp, struct kobject *kobj,
+ {
+ struct sram_partition *part;
+
+- part = container_of(attr, struct sram_partition, battr);
++ /* Cast away the const as the attribute is part of a larger structure */
++ part = (struct sram_partition *)container_of(attr, struct sram_partition, battr);
+
+ mutex_lock(&part->lock);
+ memcpy_toio(part->base + pos, buf, count);
+@@ -164,8 +166,8 @@ static void sram_free_partitions(struct sram_dev *sram)
+ static int sram_reserve_cmp(void *priv, const struct list_head *a,
+ const struct list_head *b)
+ {
+- struct sram_reserve *ra = list_entry(a, struct sram_reserve, list);
+- struct sram_reserve *rb = list_entry(b, struct sram_reserve, list);
++ const struct sram_reserve *ra = list_entry(a, struct sram_reserve, list);
++ const struct sram_reserve *rb = list_entry(b, struct sram_reserve, list);
+
+ return ra->start - rb->start;
+ }
+--
+2.39.5
+
--- /dev/null
+From e83dd29ca5aabf4a468f7f93655e8892d46bbf95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 23:26:17 +0300
+Subject: drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit a54e4639c4ef37a0241bac7d2a77f2e6ffb57099 ]
+
+There is a small typo in phm_wait_on_indirect_register().
+
+Swap mask and value arguments provided to phm_wait_on_register() so that
+they satisfy the function signature and actual usage scheme.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace static
+analysis tool.
+
+In practice this doesn't fix any issues because the only place this
+function is used uses the same value for the value and mask.
+
+Fixes: 3bace3591493 ("drm/amd/powerplay: add hardware manager sub-component")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c
+index 79a566f3564a..c305ea4ec17d 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c
+@@ -149,7 +149,7 @@ int phm_wait_on_indirect_register(struct pp_hwmgr *hwmgr,
+ }
+
+ cgs_write_register(hwmgr->device, indirect_port, index);
+- return phm_wait_on_register(hwmgr, indirect_port + 1, mask, value);
++ return phm_wait_on_register(hwmgr, indirect_port + 1, value, mask);
+ }
+
+ int phm_wait_for_register_unequal(struct pp_hwmgr *hwmgr,
+--
+2.39.5
+
--- /dev/null
+From 3f38b8720e37a811c7f398a777702510734047cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 19:35:21 -0400
+Subject: drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vitaly Prosyak <vitaly.prosyak@amd.com>
+
+[ Upstream commit 5fb90421fa0fbe0a968274912101fe917bf1c47b ]
+
+The issue was reproduced on NV10 using IGT pci_unplug test.
+It is expected that `amdgpu_driver_postclose_kms()` is called prior to `amdgpu_drm_release()`.
+However, the bug is that `amdgpu_fpriv` was freed in `amdgpu_driver_postclose_kms()`, and then
+later accessed in `amdgpu_drm_release()` via a call to `amdgpu_userq_mgr_fini()`.
+As a result, KASAN detected a use-after-free condition, as shown in the log below.
+The proposed fix is to move the calls to `amdgpu_eviction_fence_destroy()` and
+`amdgpu_userq_mgr_fini()` into `amdgpu_driver_postclose_kms()`, so they are invoked before
+`amdgpu_fpriv` is freed.
+
+This also ensures symmetry with the initialization path in `amdgpu_driver_open_kms()`,
+where the following components are initialized:
+- `amdgpu_userq_mgr_init()`
+- `amdgpu_eviction_fence_init()`
+- `amdgpu_ctx_mgr_init()`
+
+Correspondingly, in `amdgpu_driver_postclose_kms()` we should clean up using:
+- `amdgpu_userq_mgr_fini()`
+- `amdgpu_eviction_fence_destroy()`
+- `amdgpu_ctx_mgr_fini()`
+
+This change eliminates the use-after-free and improves consistency in resource management between open and close paths.
+
+[ +0.094367] ==================================================================
+[ +0.000026] BUG: KASAN: slab-use-after-free in amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
+[ +0.000866] Write of size 8 at addr ffff88811c068c60 by task amd_pci_unplug/1737
+[ +0.000026] CPU: 3 UID: 0 PID: 1737 Comm: amd_pci_unplug Not tainted 6.14.0+ #2
+[ +0.000008] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
+[ +0.000004] Call Trace:
+[ +0.000004] <TASK>
+[ +0.000003] dump_stack_lvl+0x76/0xa0
+[ +0.000010] print_report+0xce/0x600
+[ +0.000009] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
+[ +0.000790] ? srso_return_thunk+0x5/0x5f
+[ +0.000007] ? kasan_complete_mode_report_info+0x76/0x200
+[ +0.000008] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
+[ +0.000684] kasan_report+0xbe/0x110
+[ +0.000007] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
+[ +0.000601] __asan_report_store8_noabort+0x17/0x30
+[ +0.000007] amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
+[ +0.000801] ? __pfx_amdgpu_userq_mgr_fini+0x10/0x10 [amdgpu]
+[ +0.000819] ? srso_return_thunk+0x5/0x5f
+[ +0.000008] amdgpu_drm_release+0xa3/0xe0 [amdgpu]
+[ +0.000604] __fput+0x354/0xa90
+[ +0.000010] __fput_sync+0x59/0x80
+[ +0.000005] __x64_sys_close+0x7d/0xe0
+[ +0.000006] x64_sys_call+0x2505/0x26f0
+[ +0.000006] do_syscall_64+0x7c/0x170
+[ +0.000004] ? kasan_record_aux_stack+0xae/0xd0
+[ +0.000005] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? kmem_cache_free+0x398/0x580
+[ +0.000006] ? __fput+0x543/0xa90
+[ +0.000006] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? __fput+0x543/0xa90
+[ +0.000004] ? __kasan_check_read+0x11/0x20
+[ +0.000007] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? __kasan_check_read+0x11/0x20
+[ +0.000003] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? fpregs_assert_state_consistent+0x21/0xb0
+[ +0.000006] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? syscall_exit_to_user_mode+0x4e/0x240
+[ +0.000005] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? do_syscall_64+0x88/0x170
+[ +0.000003] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? do_syscall_64+0x88/0x170
+[ +0.000004] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? irqentry_exit+0x43/0x50
+[ +0.000004] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? exc_page_fault+0x7c/0x110
+[ +0.000006] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ +0.000005] RIP: 0033:0x7ffff7b14f67
+[ +0.000005] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff
+[ +0.000004] RSP: 002b:00007fffffffe358 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
+[ +0.000006] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffff7b14f67
+[ +0.000003] RDX: 0000000000000000 RSI: 00007ffff7f5755a RDI: 0000000000000003
+[ +0.000003] RBP: 00007fffffffe380 R08: 0000555555568170 R09: 0000000000000000
+[ +0.000003] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffffffe5c8
+[ +0.000003] R13: 00005555555552a9 R14: 0000555555557d48 R15: 00007ffff7ffd040
+[ +0.000007] </TASK>
+
+[ +0.000286] Allocated by task 425 on cpu 11 at 29.751192s:
+[ +0.000013] kasan_save_stack+0x28/0x60
+[ +0.000008] kasan_save_track+0x18/0x70
+[ +0.000006] kasan_save_alloc_info+0x38/0x60
+[ +0.000006] __kasan_kmalloc+0xc1/0xd0
+[ +0.000005] __kmalloc_cache_noprof+0x1bd/0x430
+[ +0.000006] amdgpu_driver_open_kms+0x172/0x760 [amdgpu]
+[ +0.000521] drm_file_alloc+0x569/0x9a0
+[ +0.000008] drm_client_init+0x1b7/0x410
+[ +0.000007] drm_fbdev_client_setup+0x174/0x470
+[ +0.000007] drm_client_setup+0x8a/0xf0
+[ +0.000006] amdgpu_pci_probe+0x50b/0x10d0 [amdgpu]
+[ +0.000482] local_pci_probe+0xe7/0x1b0
+[ +0.000008] pci_device_probe+0x5bf/0x890
+[ +0.000005] really_probe+0x1fd/0x950
+[ +0.000007] __driver_probe_device+0x307/0x410
+[ +0.000005] driver_probe_device+0x4e/0x150
+[ +0.000006] __driver_attach+0x223/0x510
+[ +0.000005] bus_for_each_dev+0x102/0x1a0
+[ +0.000006] driver_attach+0x3d/0x60
+[ +0.000005] bus_add_driver+0x309/0x650
+[ +0.000005] driver_register+0x13d/0x490
+[ +0.000006] __pci_register_driver+0x1ee/0x2b0
+[ +0.000006] xfrm_ealg_get_byidx+0x43/0x50 [xfrm_algo]
+[ +0.000008] do_one_initcall+0x9c/0x3e0
+[ +0.000007] do_init_module+0x29e/0x7f0
+[ +0.000006] load_module+0x5c75/0x7c80
+[ +0.000006] init_module_from_file+0x106/0x180
+[ +0.000007] idempotent_init_module+0x377/0x740
+[ +0.000006] __x64_sys_finit_module+0xd7/0x180
+[ +0.000006] x64_sys_call+0x1f0b/0x26f0
+[ +0.000006] do_syscall_64+0x7c/0x170
+[ +0.000005] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[ +0.000013] Freed by task 1737 on cpu 9 at 76.455063s:
+[ +0.000010] kasan_save_stack+0x28/0x60
+[ +0.000006] kasan_save_track+0x18/0x70
+[ +0.000005] kasan_save_free_info+0x3b/0x60
+[ +0.000006] __kasan_slab_free+0x54/0x80
+[ +0.000005] kfree+0x127/0x470
+[ +0.000006] amdgpu_driver_postclose_kms+0x455/0x760 [amdgpu]
+[ +0.000485] drm_file_free.part.0+0x5b1/0xba0
+[ +0.000007] drm_file_free+0x13/0x30
+[ +0.000006] drm_client_release+0x1c4/0x2b0
+[ +0.000006] drm_fbdev_ttm_fb_destroy+0xd2/0x120 [drm_ttm_helper]
+[ +0.000007] put_fb_info+0x97/0xe0
+[ +0.000006] unregister_framebuffer+0x197/0x380
+[ +0.000005] drm_fb_helper_unregister_info+0x94/0x100
+[ +0.000005] drm_fbdev_client_unregister+0x3c/0x80
+[ +0.000007] drm_client_dev_unregister+0x144/0x330
+[ +0.000006] drm_dev_unregister+0x49/0x1b0
+[ +0.000006] drm_dev_unplug+0x4c/0xd0
+[ +0.000006] amdgpu_pci_remove+0x58/0x130 [amdgpu]
+[ +0.000482] pci_device_remove+0xae/0x1e0
+[ +0.000006] device_remove+0xc7/0x180
+[ +0.000006] device_release_driver_internal+0x3d4/0x5a0
+[ +0.000007] device_release_driver+0x12/0x20
+[ +0.000006] pci_stop_bus_device+0x104/0x150
+[ +0.000006] pci_stop_and_remove_bus_device_locked+0x1b/0x40
+[ +0.000005] remove_store+0xd7/0xf0
+[ +0.000007] dev_attr_store+0x3f/0x80
+[ +0.000006] sysfs_kf_write+0x125/0x1d0
+[ +0.000005] kernfs_fop_write_iter+0x2ea/0x490
+[ +0.000007] vfs_write+0x90d/0xe70
+[ +0.000006] ksys_write+0x119/0x220
+[ +0.000006] __x64_sys_write+0x72/0xc0
+[ +0.000006] x64_sys_call+0x18ab/0x26f0
+[ +0.000005] do_syscall_64+0x7c/0x170
+[ +0.000005] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[ +0.000013] The buggy address belongs to the object at ffff88811c068000
+ which belongs to the cache kmalloc-rnd-01-4k of size 4096
+[ +0.000016] The buggy address is located 3168 bytes inside of
+ freed 4096-byte region [ffff88811c068000, ffff88811c069000)
+
+[ +0.000022] The buggy address belongs to the physical page:
+[ +0.000010] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88811c06e000 pfn:0x11c068
+[ +0.000006] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+[ +0.000006] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
+[ +0.000007] page_type: f5(slab)
+[ +0.000007] raw: 0017ffffc0000040 ffff88810004c140 dead000000000122 0000000000000000
+[ +0.000005] raw: ffff88811c06e000 0000000080040002 00000000f5000000 0000000000000000
+[ +0.000006] head: 0017ffffc0000040 ffff88810004c140 dead000000000122 0000000000000000
+[ +0.000005] head: ffff88811c06e000 0000000080040002 00000000f5000000 0000000000000000
+[ +0.000006] head: 0017ffffc0000003 ffffea0004701a01 ffffffffffffffff 0000000000000000
+[ +0.000005] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
+[ +0.000004] page dumped because: kasan: bad access detected
+
+[ +0.000011] Memory state around the buggy address:
+[ +0.000009] ffff88811c068b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000012] ffff88811c068b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000011] >ffff88811c068c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000011] ^
+[ +0.000010] ffff88811c068c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000011] ffff88811c068d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000011] ==================================================================
+
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Lijo Lazar <lijo.lazar@amd.com>
+Cc: Jesse Zhang <Jesse.Zhang@amd.com>
+Cc: Arvind Yadav <arvind.yadav@amd.com>
+
+v2: drop amdgpu_drm_release() and assign drm_release()
+ as the callback directly.(Alex)
+
+Fixes: adba0929736a ("drm/amdgpu: Fix Illegal opcode in command stream Error")
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 16 +---------------
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 +++
+ 2 files changed, 4 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+index 4db92e0a60da..501bb82f2a37 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -2906,20 +2906,6 @@ static int amdgpu_pmops_runtime_idle(struct device *dev)
+ return ret;
+ }
+
+-static int amdgpu_drm_release(struct inode *inode, struct file *filp)
+-{
+- struct drm_file *file_priv = filp->private_data;
+- struct amdgpu_fpriv *fpriv = file_priv->driver_priv;
+-
+- if (fpriv) {
+- fpriv->evf_mgr.fd_closing = true;
+- amdgpu_eviction_fence_destroy(&fpriv->evf_mgr);
+- amdgpu_userq_mgr_fini(&fpriv->userq_mgr);
+- }
+-
+- return drm_release(inode, filp);
+-}
+-
+ long amdgpu_drm_ioctl(struct file *filp,
+ unsigned int cmd, unsigned long arg)
+ {
+@@ -2971,7 +2957,7 @@ static const struct file_operations amdgpu_driver_kms_fops = {
+ .owner = THIS_MODULE,
+ .open = drm_open,
+ .flush = amdgpu_flush,
+- .release = amdgpu_drm_release,
++ .release = drm_release,
+ .unlocked_ioctl = amdgpu_drm_ioctl,
+ .mmap = drm_gem_mmap,
+ .poll = drm_poll,
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+index d2ce7d86dbc8..195ed81d39ff 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -1501,6 +1501,9 @@ void amdgpu_driver_postclose_kms(struct drm_device *dev,
+ amdgpu_vm_bo_del(adev, fpriv->prt_va);
+ amdgpu_bo_unreserve(pd);
+ }
++ fpriv->evf_mgr.fd_closing = true;
++ amdgpu_eviction_fence_destroy(&fpriv->evf_mgr);
++ amdgpu_userq_mgr_fini(&fpriv->userq_mgr);
+
+ amdgpu_ctx_mgr_fini(&fpriv->ctx_mgr);
+ amdgpu_vm_fini(adev, &fpriv->vm);
+--
+2.39.5
+
--- /dev/null
+From 0f556f41d11539a3ba8ad364d2d0e617e1844131 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 08:35:30 -0400
+Subject: drm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0
+
+From: Vitaly Prosyak <vitaly.prosyak@amd.com>
+
+[ Upstream commit a886d26f2c8f9e3f3c1869ae368d09c75daac553 ]
+
+[ +0.000020] BUG: KASAN: slab-use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu]
+[ +0.000817] Read of size 8 at addr ffff88812eec8c58 by task amd_pci_unplug/1733
+
+[ +0.000027] CPU: 10 UID: 0 PID: 1733 Comm: amd_pci_unplug Tainted: G W 6.14.0+ #2
+[ +0.000009] Tainted: [W]=WARN
+[ +0.000003] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
+[ +0.000004] Call Trace:
+[ +0.000004] <TASK>
+[ +0.000003] dump_stack_lvl+0x76/0xa0
+[ +0.000011] print_report+0xce/0x600
+[ +0.000009] ? srso_return_thunk+0x5/0x5f
+[ +0.000006] ? kasan_complete_mode_report_info+0x76/0x200
+[ +0.000007] ? kasan_addr_to_slab+0xd/0xb0
+[ +0.000006] ? amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu]
+[ +0.000707] kasan_report+0xbe/0x110
+[ +0.000006] ? amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu]
+[ +0.000541] __asan_report_load8_noabort+0x14/0x30
+[ +0.000005] amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu]
+[ +0.000535] ? stop_cpsch+0x396/0x600 [amdgpu]
+[ +0.000556] ? stop_cpsch+0x429/0x600 [amdgpu]
+[ +0.000536] ? __pfx_amdgpu_userq_suspend+0x10/0x10 [amdgpu]
+[ +0.000536] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? kgd2kfd_suspend+0x132/0x1d0 [amdgpu]
+[ +0.000542] amdgpu_device_fini_hw+0x581/0xe90 [amdgpu]
+[ +0.000485] ? down_write+0xbb/0x140
+[ +0.000007] ? __mutex_unlock_slowpath.constprop.0+0x317/0x360
+[ +0.000005] ? __pfx_amdgpu_device_fini_hw+0x10/0x10 [amdgpu]
+[ +0.000482] ? __kasan_check_write+0x14/0x30
+[ +0.000004] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? up_write+0x55/0xb0
+[ +0.000007] ? srso_return_thunk+0x5/0x5f
+[ +0.000005] ? blocking_notifier_chain_unregister+0x6c/0xc0
+[ +0.000008] amdgpu_driver_unload_kms+0x69/0x90 [amdgpu]
+[ +0.000484] amdgpu_pci_remove+0x93/0x130 [amdgpu]
+[ +0.000482] pci_device_remove+0xae/0x1e0
+[ +0.000008] device_remove+0xc7/0x180
+[ +0.000008] device_release_driver_internal+0x3d4/0x5a0
+[ +0.000007] device_release_driver+0x12/0x20
+[ +0.000004] pci_stop_bus_device+0x104/0x150
+[ +0.000006] pci_stop_and_remove_bus_device_locked+0x1b/0x40
+[ +0.000005] remove_store+0xd7/0xf0
+[ +0.000005] ? __pfx_remove_store+0x10/0x10
+[ +0.000006] ? __pfx__copy_from_iter+0x10/0x10
+[ +0.000006] ? __pfx_dev_attr_store+0x10/0x10
+[ +0.000006] dev_attr_store+0x3f/0x80
+[ +0.000006] sysfs_kf_write+0x125/0x1d0
+[ +0.000004] ? srso_return_thunk+0x5/0x5f
+[ +0.000005] ? __kasan_check_write+0x14/0x30
+[ +0.000005] kernfs_fop_write_iter+0x2ea/0x490
+[ +0.000005] ? rw_verify_area+0x70/0x420
+[ +0.000005] ? __pfx_kernfs_fop_write_iter+0x10/0x10
+[ +0.000006] vfs_write+0x90d/0xe70
+[ +0.000005] ? srso_return_thunk+0x5/0x5f
+[ +0.000005] ? __pfx_vfs_write+0x10/0x10
+[ +0.000004] ? local_clock+0x15/0x30
+[ +0.000008] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? __kasan_slab_free+0x5f/0x80
+[ +0.000005] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? __kasan_check_read+0x11/0x20
+[ +0.000004] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? fdget_pos+0x1d3/0x500
+[ +0.000007] ksys_write+0x119/0x220
+[ +0.000005] ? putname+0x1c/0x30
+[ +0.000006] ? __pfx_ksys_write+0x10/0x10
+[ +0.000007] __x64_sys_write+0x72/0xc0
+[ +0.000006] x64_sys_call+0x18ab/0x26f0
+[ +0.000006] do_syscall_64+0x7c/0x170
+[ +0.000004] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? __pfx___x64_sys_openat+0x10/0x10
+[ +0.000006] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? __kasan_check_read+0x11/0x20
+[ +0.000003] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? fpregs_assert_state_consistent+0x21/0xb0
+[ +0.000006] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? syscall_exit_to_user_mode+0x4e/0x240
+[ +0.000005] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? do_syscall_64+0x88/0x170
+[ +0.000003] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? irqentry_exit+0x43/0x50
+[ +0.000004] ? srso_return_thunk+0x5/0x5f
+[ +0.000004] ? exc_page_fault+0x7c/0x110
+[ +0.000006] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ +0.000006] RIP: 0033:0x7480c0b14887
+[ +0.000005] Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
+[ +0.000005] RSP: 002b:00007fff142b0058 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ +0.000006] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007480c0b14887
+[ +0.000003] RDX: 0000000000000001 RSI: 00007480c0e7365a RDI: 0000000000000004
+[ +0.000003] RBP: 00007fff142b0080 R08: 0000563b2e73c170 R09: 0000000000000000
+[ +0.000003] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff142b02f8
+[ +0.000003] R13: 0000563b159a72a9 R14: 0000563b159a9d48 R15: 00007480c0f19040
+[ +0.000008] </TASK>
+
+[ +0.000445] Allocated by task 427 on cpu 5 at 29.342331s:
+[ +0.000011] kasan_save_stack+0x28/0x60
+[ +0.000006] kasan_save_track+0x18/0x70
+[ +0.000006] kasan_save_alloc_info+0x38/0x60
+[ +0.000005] __kasan_kmalloc+0xc1/0xd0
+[ +0.000006] __kmalloc_cache_noprof+0x1bd/0x430
+[ +0.000007] amdgpu_driver_open_kms+0x172/0x760 [amdgpu]
+[ +0.000493] drm_file_alloc+0x569/0x9a0
+[ +0.000007] drm_client_init+0x1b7/0x410
+[ +0.000007] drm_fbdev_client_setup+0x174/0x470
+[ +0.000006] drm_client_setup+0x8a/0xf0
+[ +0.000006] amdgpu_pci_probe+0x510/0x10c0 [amdgpu]
+[ +0.000483] local_pci_probe+0xe7/0x1b0
+[ +0.000006] pci_device_probe+0x5bf/0x890
+[ +0.000006] really_probe+0x1fd/0x950
+[ +0.000005] __driver_probe_device+0x307/0x410
+[ +0.000006] driver_probe_device+0x4e/0x150
+[ +0.000005] __driver_attach+0x223/0x510
+[ +0.000006] bus_for_each_dev+0x102/0x1a0
+[ +0.000005] driver_attach+0x3d/0x60
+[ +0.000006] bus_add_driver+0x309/0x650
+[ +0.000005] driver_register+0x13d/0x490
+[ +0.000006] __pci_register_driver+0x1ee/0x2b0
+[ +0.000006] rfcomm_dlc_clear_state+0x69/0x220 [rfcomm]
+[ +0.000011] do_one_initcall+0x9c/0x3e0
+[ +0.000007] do_init_module+0x29e/0x7f0
+[ +0.000006] load_module+0x5c75/0x7c80
+[ +0.000006] init_module_from_file+0x106/0x180
+[ +0.000006] idempotent_init_module+0x377/0x740
+[ +0.000006] __x64_sys_finit_module+0xd7/0x180
+[ +0.000006] x64_sys_call+0x1f0b/0x26f0
+[ +0.000006] do_syscall_64+0x7c/0x170
+[ +0.000005] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[ +0.000013] Freed by task 1733 on cpu 5 at 59.907086s:
+[ +0.000011] kasan_save_stack+0x28/0x60
+[ +0.000006] kasan_save_track+0x18/0x70
+[ +0.000005] kasan_save_free_info+0x3b/0x60
+[ +0.000005] __kasan_slab_free+0x54/0x80
+[ +0.000006] kfree+0x127/0x470
+[ +0.000006] amdgpu_driver_postclose_kms+0x455/0x760 [amdgpu]
+[ +0.000493] drm_file_free.part.0+0x5b1/0xba0
+[ +0.000006] drm_file_free+0x13/0x30
+[ +0.000006] drm_client_release+0x1c4/0x2b0
+[ +0.000006] drm_fbdev_ttm_fb_destroy+0xd2/0x120 [drm_ttm_helper]
+[ +0.000007] put_fb_info+0x97/0xe0
+[ +0.000007] unregister_framebuffer+0x197/0x380
+[ +0.000005] drm_fb_helper_unregister_info+0x94/0x100
+[ +0.000005] drm_fbdev_client_unregister+0x3c/0x80
+[ +0.000007] drm_client_dev_unregister+0x144/0x330
+[ +0.000006] drm_dev_unregister+0x49/0x1b0
+[ +0.000006] drm_dev_unplug+0x4c/0xd0
+[ +0.000006] amdgpu_pci_remove+0x58/0x130 [amdgpu]
+[ +0.000484] pci_device_remove+0xae/0x1e0
+[ +0.000008] device_remove+0xc7/0x180
+[ +0.000007] device_release_driver_internal+0x3d4/0x5a0
+[ +0.000006] device_release_driver+0x12/0x20
+[ +0.000007] pci_stop_bus_device+0x104/0x150
+[ +0.000006] pci_stop_and_remove_bus_device_locked+0x1b/0x40
+[ +0.000006] remove_store+0xd7/0xf0
+[ +0.000006] dev_attr_store+0x3f/0x80
+[ +0.000005] sysfs_kf_write+0x125/0x1d0
+[ +0.000006] kernfs_fop_write_iter+0x2ea/0x490
+[ +0.000006] vfs_write+0x90d/0xe70
+[ +0.000006] ksys_write+0x119/0x220
+[ +0.000006] __x64_sys_write+0x72/0xc0
+[ +0.000006] x64_sys_call+0x18ab/0x26f0
+[ +0.000005] do_syscall_64+0x7c/0x170
+[ +0.000006] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[ +0.000012] The buggy address belongs to the object at ffff88812eec8000
+ which belongs to the cache kmalloc-rnd-07-4k of size 4096
+[ +0.000016] The buggy address is located 3160 bytes inside of
+ freed 4096-byte region [ffff88812eec8000, ffff88812eec9000)
+
+[ +0.000023] The buggy address belongs to the physical page:
+[ +0.000009] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12eec8
+[ +0.000007] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+[ +0.000005] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
+[ +0.000007] page_type: f5(slab)
+[ +0.000008] raw: 0017ffffc0000040 ffff888100054500 dead000000000122 0000000000000000
+[ +0.000005] raw: 0000000000000000 0000000080040004 00000000f5000000 0000000000000000
+[ +0.000006] head: 0017ffffc0000040 ffff888100054500 dead000000000122 0000000000000000
+[ +0.000005] head: 0000000000000000 0000000080040004 00000000f5000000 0000000000000000
+[ +0.000006] head: 0017ffffc0000003 ffffea0004bbb201 ffffffffffffffff 0000000000000000
+[ +0.000005] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
+[ +0.000005] page dumped because: kasan: bad access detected
+
+[ +0.000010] Memory state around the buggy address:
+[ +0.000009] ffff88812eec8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000012] ffff88812eec8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000011] >ffff88812eec8c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000011] ^
+[ +0.000010] ffff88812eec8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000011] ffff88812eec8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000011] ==================================================================
+
+The use-after-free occurs because a delayed work item (`suspend_work`) may still
+be pending or running when resources it accesses are freed during device removal
+or file close. The previous code used `flush_work(&fpriv->evf_mgr.suspend_work.work)`,
+which does not wait for delayed work that has not yet started. As a result, the
+delayed work could run after its memory was freed, causing a use-after-free.
+By switching to `flush_delayed_work(&fpriv->evf_mgr.suspend_work)`, we ensure that
+the kernel waits for both queued and delayed work to finish before
+freeing memory, closing this race.
+
+Fixes: adba0929736a ("drm/amdgpu: Fix Illegal opcode in command stream Error")
+Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
+index 295e7186e156..aac0de86f3e8 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
+@@ -664,7 +664,7 @@ static void amdgpu_userq_restore_worker(struct work_struct *work)
+ struct amdgpu_fpriv *fpriv = uq_mgr_to_fpriv(uq_mgr);
+ int ret;
+
+- flush_work(&fpriv->evf_mgr.suspend_work.work);
++ flush_delayed_work(&fpriv->evf_mgr.suspend_work);
+
+ mutex_lock(&uq_mgr->userq_mutex);
+
+--
+2.39.5
+
--- /dev/null
+From da6ed7dd0af5d3d849742552469f96fb7e6ee6e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 17:51:02 -0400
+Subject: drm/amdgpu/gfx10: fix KGQ reset sequence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 14b2d71a9a24727f1b9f2131ed5eb2e345840a3a ]
+
+Need to reinit the ring before remapping it and all of
+the KIQ handling needs to be within the kiq lock.
+
+Fixes: 1741281a157f ("drm/amdgpu/gfx10: add ring reset callbacks")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+index 777e383d75e2..e7df0487eaae 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+@@ -9540,7 +9540,7 @@ static int gfx_v10_0_reset_kgq(struct amdgpu_ring *ring, unsigned int vmid)
+
+ spin_lock_irqsave(&kiq->ring_lock, flags);
+
+- if (amdgpu_ring_alloc(kiq_ring, 5 + 7 + 7 + kiq->pmf->map_queues_size)) {
++ if (amdgpu_ring_alloc(kiq_ring, 5 + 7 + 7)) {
+ spin_unlock_irqrestore(&kiq->ring_lock, flags);
+ return -ENOMEM;
+ }
+@@ -9560,12 +9560,9 @@ static int gfx_v10_0_reset_kgq(struct amdgpu_ring *ring, unsigned int vmid)
+ 0, 1, 0x20);
+ gfx_v10_0_ring_emit_reg_wait(kiq_ring,
+ SOC15_REG_OFFSET(GC, 0, mmCP_VMID_RESET), 0, 0xffffffff);
+- kiq->pmf->kiq_map_queues(kiq_ring, ring);
+ amdgpu_ring_commit(kiq_ring);
+-
+- spin_unlock_irqrestore(&kiq->ring_lock, flags);
+-
+ r = amdgpu_ring_test_ring(kiq_ring);
++ spin_unlock_irqrestore(&kiq->ring_lock, flags);
+ if (r)
+ return r;
+
+@@ -9575,6 +9572,19 @@ static int gfx_v10_0_reset_kgq(struct amdgpu_ring *ring, unsigned int vmid)
+ return r;
+ }
+
++ spin_lock_irqsave(&kiq->ring_lock, flags);
++
++ if (amdgpu_ring_alloc(kiq_ring, kiq->pmf->map_queues_size)) {
++ spin_unlock_irqrestore(&kiq->ring_lock, flags);
++ return -ENOMEM;
++ }
++ kiq->pmf->kiq_map_queues(kiq_ring, ring);
++ amdgpu_ring_commit(kiq_ring);
++ r = amdgpu_ring_test_ring(kiq_ring);
++ spin_unlock_irqrestore(&kiq->ring_lock, flags);
++ if (r)
++ return r;
++
+ r = amdgpu_ring_test_ring(ring);
+ if (r)
+ return r;
+--
+2.39.5
+
--- /dev/null
+From 0f1df80662b7fe899b47305372ad5ec18d899ecf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:56:35 -0400
+Subject: drm/amdgpu/gfx10: fix kiq locking in KCQ reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit a4b2ba8f631d3e44b30b9b46ee290fbfe608b7d0 ]
+
+The ring test needs to be inside the lock.
+
+Fixes: 097af47d3cfb ("drm/amdgpu/gfx10: wait for reset done before remap")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+index e7df0487eaae..961d5e0af052 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+@@ -9617,9 +9617,8 @@ static int gfx_v10_0_reset_kcq(struct amdgpu_ring *ring,
+ kiq->pmf->kiq_unmap_queues(kiq_ring, ring, RESET_QUEUES,
+ 0, 0);
+ amdgpu_ring_commit(kiq_ring);
+- spin_unlock_irqrestore(&kiq->ring_lock, flags);
+-
+ r = amdgpu_ring_test_ring(kiq_ring);
++ spin_unlock_irqrestore(&kiq->ring_lock, flags);
+ if (r)
+ return r;
+
+@@ -9655,9 +9654,8 @@ static int gfx_v10_0_reset_kcq(struct amdgpu_ring *ring,
+ }
+ kiq->pmf->kiq_map_queues(kiq_ring, ring);
+ amdgpu_ring_commit(kiq_ring);
+- spin_unlock_irqrestore(&kiq->ring_lock, flags);
+-
+ r = amdgpu_ring_test_ring(kiq_ring);
++ spin_unlock_irqrestore(&kiq->ring_lock, flags);
+ if (r)
+ return r;
+
+--
+2.39.5
+
--- /dev/null
+From a3d715e7c588533b60877fde96f7946b0e04e800 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:38:27 -0400
+Subject: drm/amdgpu/gfx9: fix kiq locking in KCQ reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 730ea5074dac1b105717316be5d9c18b09829385 ]
+
+The ring test needs to be inside the lock.
+
+Fixes: fdbd69486b46 ("drm/amdgpu/gfx9: wait for reset done before remap")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+index 23f998181561..f768c407771a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -7280,8 +7280,8 @@ static int gfx_v9_0_reset_kcq(struct amdgpu_ring *ring,
+ }
+ kiq->pmf->kiq_map_queues(kiq_ring, ring);
+ amdgpu_ring_commit(kiq_ring);
+- spin_unlock_irqrestore(&kiq->ring_lock, flags);
+ r = amdgpu_ring_test_ring(kiq_ring);
++ spin_unlock_irqrestore(&kiq->ring_lock, flags);
+ if (r) {
+ DRM_ERROR("fail to remap queue\n");
+ return r;
+--
+2.39.5
+
--- /dev/null
+From b66e601841bf0259ec92fdb17aed308d7886ddc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:42:23 -0400
+Subject: drm/amdgpu/gfx9.4.3: fix kiq locking in KCQ reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 08f116c59310728ea8b7e9dc3086569006c861cf ]
+
+The ring test needs to be inside the lock.
+
+Fixes: 4c953e53cc34 ("drm/amdgpu/gfx_9.4.3: wait for reset done before remap")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c
+index 264b37e85696..b3c842ec17ee 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c
+@@ -3612,9 +3612,8 @@ static int gfx_v9_4_3_reset_kcq(struct amdgpu_ring *ring,
+ }
+ kiq->pmf->kiq_map_queues(kiq_ring, ring);
+ amdgpu_ring_commit(kiq_ring);
+- spin_unlock_irqrestore(&kiq->ring_lock, flags);
+-
+ r = amdgpu_ring_test_ring(kiq_ring);
++ spin_unlock_irqrestore(&kiq->ring_lock, flags);
+ if (r) {
+ dev_err(adev->dev, "fail to remap queue\n");
+ return r;
+--
+2.39.5
+
--- /dev/null
+From b3d50494538909c467f873996b58f2eea40a37ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 12:58:53 -0400
+Subject: drm/amdgpu: move force completion into ring resets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 2dee58ca471dae05c473270d0fb74efe01a78ccb ]
+
+Move the force completion handling into each ring
+reset function so that each engine can determine
+whether or not it needs to force completion on the
+jobs in the ring.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 14b2d71a9a24 ("drm/amdgpu/gfx10: fix KGQ reset sequence")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 4 +--
+ drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 12 +++++++--
+ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 12 +++++++--
+ drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 12 +++++++--
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 7 +++++-
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 7 +++++-
+ drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 8 +++++-
+ drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 8 +++++-
+ drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 8 +++++-
+ drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 8 +++++-
+ drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 8 +++++-
+ drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c | 8 +++++-
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 31 +++++++++++++++++++++---
+ drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c | 5 +++-
+ drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 5 +++-
+ drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c | 6 ++++-
+ drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c | 6 ++++-
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 7 +++++-
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 6 +++--
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 7 +++++-
+ drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 7 +++++-
+ 21 files changed, 152 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
+index 9ea3bce01faf..3528a27c7c1d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
+@@ -161,10 +161,8 @@ static enum drm_gpu_sched_stat amdgpu_job_timedout(struct drm_sched_job *s_job)
+
+ r = amdgpu_ring_reset(ring, job->vmid);
+ if (!r) {
+- if (is_guilty) {
++ if (is_guilty)
+ atomic_inc(&ring->adev->gpu_reset_counter);
+- amdgpu_fence_driver_force_completion(ring);
+- }
+ drm_sched_wqueue_start(&ring->sched);
+ dev_err(adev->dev, "Ring %s reset succeeded\n",
+ ring->sched.name);
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+index 75ea071744eb..777e383d75e2 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+@@ -9575,7 +9575,11 @@ static int gfx_v10_0_reset_kgq(struct amdgpu_ring *ring, unsigned int vmid)
+ return r;
+ }
+
+- return amdgpu_ring_test_ring(ring);
++ r = amdgpu_ring_test_ring(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static int gfx_v10_0_reset_kcq(struct amdgpu_ring *ring,
+@@ -9647,7 +9651,11 @@ static int gfx_v10_0_reset_kcq(struct amdgpu_ring *ring,
+ if (r)
+ return r;
+
+- return amdgpu_ring_test_ring(ring);
++ r = amdgpu_ring_test_ring(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static void gfx_v10_ip_print(struct amdgpu_ip_block *ip_block, struct drm_printer *p)
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+index ec9b84f92d46..e632e97d63be 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+@@ -6840,7 +6840,11 @@ static int gfx_v11_0_reset_kgq(struct amdgpu_ring *ring, unsigned int vmid)
+ return r;
+ }
+
+- return amdgpu_ring_test_ring(ring);
++ r = amdgpu_ring_test_ring(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static int gfx_v11_0_reset_compute_pipe(struct amdgpu_ring *ring)
+@@ -7000,7 +7004,11 @@ static int gfx_v11_0_reset_kcq(struct amdgpu_ring *ring, unsigned int vmid)
+ return r;
+ }
+
+- return amdgpu_ring_test_ring(ring);
++ r = amdgpu_ring_test_ring(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static void gfx_v11_ip_print(struct amdgpu_ip_block *ip_block, struct drm_printer *p)
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c
+index 1234c8d64e20..50f04c2c0b8c 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c
+@@ -5335,7 +5335,11 @@ static int gfx_v12_0_reset_kgq(struct amdgpu_ring *ring, unsigned int vmid)
+ return r;
+ }
+
+- return amdgpu_ring_test_ring(ring);
++ r = amdgpu_ring_test_ring(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static int gfx_v12_0_reset_compute_pipe(struct amdgpu_ring *ring)
+@@ -5448,7 +5452,11 @@ static int gfx_v12_0_reset_kcq(struct amdgpu_ring *ring, unsigned int vmid)
+ return r;
+ }
+
+- return amdgpu_ring_test_ring(ring);
++ r = amdgpu_ring_test_ring(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static void gfx_v12_0_ring_begin_use(struct amdgpu_ring *ring)
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+index ad9be3656653..23f998181561 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -7286,7 +7286,12 @@ static int gfx_v9_0_reset_kcq(struct amdgpu_ring *ring,
+ DRM_ERROR("fail to remap queue\n");
+ return r;
+ }
+- return amdgpu_ring_test_ring(ring);
++
++ r = amdgpu_ring_test_ring(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static void gfx_v9_ip_print(struct amdgpu_ip_block *ip_block, struct drm_printer *p)
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c
+index c233edf60569..264b37e85696 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c
+@@ -3619,7 +3619,12 @@ static int gfx_v9_4_3_reset_kcq(struct amdgpu_ring *ring,
+ dev_err(adev->dev, "fail to remap queue\n");
+ return r;
+ }
+- return amdgpu_ring_test_ring(ring);
++
++ r = amdgpu_ring_test_ring(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ enum amdgpu_gfx_cp_ras_mem_id {
+diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
+index 4cde8a8bcc83..49620fbf6c7a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
+@@ -766,9 +766,15 @@ static int jpeg_v2_0_process_interrupt(struct amdgpu_device *adev,
+
+ static int jpeg_v2_0_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ {
++ int r;
++
+ jpeg_v2_0_stop(ring->adev);
+ jpeg_v2_0_start(ring->adev);
+- return amdgpu_ring_test_helper(ring);
++ r = amdgpu_ring_test_helper(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static const struct amd_ip_funcs jpeg_v2_0_ip_funcs = {
+diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c
+index 8b39e114f3be..98ae9c0e83f7 100644
+--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c
++++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c
+@@ -645,9 +645,15 @@ static int jpeg_v2_5_process_interrupt(struct amdgpu_device *adev,
+
+ static int jpeg_v2_5_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ {
++ int r;
++
+ jpeg_v2_5_stop_inst(ring->adev, ring->me);
+ jpeg_v2_5_start_inst(ring->adev, ring->me);
+- return amdgpu_ring_test_helper(ring);
++ r = amdgpu_ring_test_helper(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static const struct amd_ip_funcs jpeg_v2_5_ip_funcs = {
+diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c
+index 2f8510c2986b..7fb599430365 100644
+--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c
+@@ -557,9 +557,15 @@ static int jpeg_v3_0_process_interrupt(struct amdgpu_device *adev,
+
+ static int jpeg_v3_0_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ {
++ int r;
++
+ jpeg_v3_0_stop(ring->adev);
+ jpeg_v3_0_start(ring->adev);
+- return amdgpu_ring_test_helper(ring);
++ r = amdgpu_ring_test_helper(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static const struct amd_ip_funcs jpeg_v3_0_ip_funcs = {
+diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c
+index f17ec5414fd6..a6612c942b93 100644
+--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c
+@@ -722,12 +722,18 @@ static int jpeg_v4_0_process_interrupt(struct amdgpu_device *adev,
+
+ static int jpeg_v4_0_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ {
++ int r;
++
+ if (amdgpu_sriov_vf(ring->adev))
+ return -EINVAL;
+
+ jpeg_v4_0_stop(ring->adev);
+ jpeg_v4_0_start(ring->adev);
+- return amdgpu_ring_test_helper(ring);
++ r = amdgpu_ring_test_helper(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static const struct amd_ip_funcs jpeg_v4_0_ip_funcs = {
+diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
+index 79e342d5ab28..90d773dbe337 100644
+--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
++++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
+@@ -1145,12 +1145,18 @@ static void jpeg_v4_0_3_core_stall_reset(struct amdgpu_ring *ring)
+
+ static int jpeg_v4_0_3_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ {
++ int r;
++
+ if (amdgpu_sriov_vf(ring->adev))
+ return -EOPNOTSUPP;
+
+ jpeg_v4_0_3_core_stall_reset(ring);
+ jpeg_v4_0_3_start_jrbc(ring);
+- return amdgpu_ring_test_helper(ring);
++ r = amdgpu_ring_test_helper(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static const struct amd_ip_funcs jpeg_v4_0_3_ip_funcs = {
+diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c
+index 3b6f65a25646..7cad77a968f1 100644
+--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c
++++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c
+@@ -836,12 +836,18 @@ static void jpeg_v5_0_1_core_stall_reset(struct amdgpu_ring *ring)
+
+ static int jpeg_v5_0_1_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ {
++ int r;
++
+ if (amdgpu_sriov_vf(ring->adev))
+ return -EOPNOTSUPP;
+
+ jpeg_v5_0_1_core_stall_reset(ring);
+ jpeg_v5_0_1_init_jrbc(ring);
+- return amdgpu_ring_test_helper(ring);
++ r = amdgpu_ring_test_helper(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static const struct amd_ip_funcs jpeg_v5_0_1_ip_funcs = {
+diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
+index 5de2f047c534..9f0ad1199431 100644
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
+@@ -1674,6 +1674,7 @@ static bool sdma_v4_4_2_page_ring_is_guilty(struct amdgpu_ring *ring)
+
+ static int sdma_v4_4_2_reset_queue(struct amdgpu_ring *ring, unsigned int vmid)
+ {
++ bool is_guilty = ring->funcs->is_guilty(ring);
+ struct amdgpu_device *adev = ring->adev;
+ u32 id = ring->me;
+ int r;
+@@ -1684,8 +1685,13 @@ static int sdma_v4_4_2_reset_queue(struct amdgpu_ring *ring, unsigned int vmid)
+ amdgpu_amdkfd_suspend(adev, true);
+ r = amdgpu_sdma_reset_engine(adev, id);
+ amdgpu_amdkfd_resume(adev, true);
++ if (r)
++ return r;
+
+- return r;
++ if (is_guilty)
++ amdgpu_fence_driver_force_completion(ring);
++
++ return 0;
+ }
+
+ static int sdma_v4_4_2_stop_queue(struct amdgpu_ring *ring)
+@@ -1729,8 +1735,8 @@ static int sdma_v4_4_2_stop_queue(struct amdgpu_ring *ring)
+ static int sdma_v4_4_2_restore_queue(struct amdgpu_ring *ring)
+ {
+ struct amdgpu_device *adev = ring->adev;
+- u32 inst_mask;
+- int i;
++ u32 inst_mask, tmp_mask;
++ int i, r;
+
+ inst_mask = 1 << ring->me;
+ udelay(50);
+@@ -1747,7 +1753,24 @@ static int sdma_v4_4_2_restore_queue(struct amdgpu_ring *ring)
+ return -ETIMEDOUT;
+ }
+
+- return sdma_v4_4_2_inst_start(adev, inst_mask, true);
++ r = sdma_v4_4_2_inst_start(adev, inst_mask, true);
++ if (r)
++ return r;
++
++ tmp_mask = inst_mask;
++ for_each_inst(i, tmp_mask) {
++ ring = &adev->sdma.instance[i].ring;
++
++ amdgpu_fence_driver_force_completion(ring);
++
++ if (adev->sdma.has_page_queue) {
++ struct amdgpu_ring *page = &adev->sdma.instance[i].page;
++
++ amdgpu_fence_driver_force_completion(page);
++ }
++ }
++
++ return r;
+ }
+
+ static int sdma_v4_4_2_set_trap_irq_state(struct amdgpu_device *adev,
+diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c
+index 37f4b5b4a098..b43d6cb8a0d4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c
+@@ -1616,7 +1616,10 @@ static int sdma_v5_0_restore_queue(struct amdgpu_ring *ring)
+
+ r = sdma_v5_0_gfx_resume_instance(adev, inst_id, true);
+ amdgpu_gfx_rlc_exit_safe_mode(adev, 0);
+- return r;
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static int sdma_v5_0_ring_preempt_ib(struct amdgpu_ring *ring)
+diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c
+index 0b40411b92a0..a88aa53e887c 100644
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c
+@@ -1532,7 +1532,10 @@ static int sdma_v5_2_restore_queue(struct amdgpu_ring *ring)
+ r = sdma_v5_2_gfx_resume_instance(adev, inst_id, true);
+
+ amdgpu_gfx_rlc_exit_safe_mode(adev, 0);
+- return r;
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static int sdma_v5_2_ring_preempt_ib(struct amdgpu_ring *ring)
+diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c
+index a9bdf8d61d6c..041bca58add5 100644
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c
+@@ -1572,7 +1572,11 @@ static int sdma_v6_0_reset_queue(struct amdgpu_ring *ring, unsigned int vmid)
+ if (r)
+ return r;
+
+- return sdma_v6_0_gfx_resume_instance(adev, i, true);
++ r = sdma_v6_0_gfx_resume_instance(adev, i, true);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static int sdma_v6_0_set_trap_irq_state(struct amdgpu_device *adev,
+diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c
+index 86903eccbd4e..b4167f23c02d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c
+@@ -824,7 +824,11 @@ static int sdma_v7_0_reset_queue(struct amdgpu_ring *ring, unsigned int vmid)
+ if (r)
+ return r;
+
+- return sdma_v7_0_gfx_resume_instance(adev, i, true);
++ r = sdma_v7_0_gfx_resume_instance(adev, i, true);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ /**
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+index b5071f77f78d..46c329a1b2f5 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1971,6 +1971,7 @@ static int vcn_v4_0_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ {
+ struct amdgpu_device *adev = ring->adev;
+ struct amdgpu_vcn_inst *vinst = &adev->vcn.inst[ring->me];
++ int r;
+
+ if (!(adev->vcn.supported_reset & AMDGPU_RESET_TYPE_PER_QUEUE))
+ return -EOPNOTSUPP;
+@@ -1978,7 +1979,11 @@ static int vcn_v4_0_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ vcn_v4_0_stop(vinst);
+ vcn_v4_0_start(vinst);
+
+- return amdgpu_ring_test_helper(ring);
++ r = amdgpu_ring_test_helper(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static struct amdgpu_ring_funcs vcn_v4_0_unified_ring_vm_funcs = {
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c
+index 5a33140f5723..faba11166efb 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c
+@@ -1621,8 +1621,10 @@ static int vcn_v4_0_3_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ vcn_v4_0_3_hw_init_inst(vinst);
+ vcn_v4_0_3_start_dpg_mode(vinst, adev->vcn.inst[ring->me].indirect_sram);
+ r = amdgpu_ring_test_helper(ring);
+-
+- return r;
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static const struct amdgpu_ring_funcs vcn_v4_0_3_unified_ring_vm_funcs = {
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c
+index 16ade84facc7..af29a8e141a4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c
+@@ -1469,6 +1469,7 @@ static int vcn_v4_0_5_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ {
+ struct amdgpu_device *adev = ring->adev;
+ struct amdgpu_vcn_inst *vinst = &adev->vcn.inst[ring->me];
++ int r;
+
+ if (!(adev->vcn.supported_reset & AMDGPU_RESET_TYPE_PER_QUEUE))
+ return -EOPNOTSUPP;
+@@ -1476,7 +1477,11 @@ static int vcn_v4_0_5_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ vcn_v4_0_5_stop(vinst);
+ vcn_v4_0_5_start(vinst);
+
+- return amdgpu_ring_test_helper(ring);
++ r = amdgpu_ring_test_helper(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static struct amdgpu_ring_funcs vcn_v4_0_5_unified_ring_vm_funcs = {
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
+index f8e3f0b882da..216324f6da85 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
+@@ -1196,6 +1196,7 @@ static int vcn_v5_0_0_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ {
+ struct amdgpu_device *adev = ring->adev;
+ struct amdgpu_vcn_inst *vinst = &adev->vcn.inst[ring->me];
++ int r;
+
+ if (!(adev->vcn.supported_reset & AMDGPU_RESET_TYPE_PER_QUEUE))
+ return -EOPNOTSUPP;
+@@ -1203,7 +1204,11 @@ static int vcn_v5_0_0_ring_reset(struct amdgpu_ring *ring, unsigned int vmid)
+ vcn_v5_0_0_stop(vinst);
+ vcn_v5_0_0_start(vinst);
+
+- return amdgpu_ring_test_helper(ring);
++ r = amdgpu_ring_test_helper(ring);
++ if (r)
++ return r;
++ amdgpu_fence_driver_force_completion(ring);
++ return 0;
+ }
+
+ static const struct amdgpu_ring_funcs vcn_v5_0_0_unified_ring_vm_funcs = {
+--
+2.39.5
+
--- /dev/null
+From 35996da78de459b7183d86aded4d12af95bc27e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 13:29:11 +0530
+Subject: drm/amdgpu: Remove nbiov7.9 replay count reporting
+
+From: Lijo Lazar <lijo.lazar@amd.com>
+
+[ Upstream commit 0f566f0e9c614aa3d95082246f5b8c9e8a09c8b3 ]
+
+Direct pcie replay count reporting is not available on nbio v7.9.
+Reporting is done through firmware.
+
+Signed-off-by: Lijo Lazar <lijo.lazar@amd.com>
+Acked-by: Mangesh Gadre <Mangesh.Gadre@amd.com>
+Reviewed-by: Asad Kamal <asad.kamal@amd.com>
+Fixes: 50709d18f4a6 ("drm/amdgpu: Add pci replay count to nbio v7.9")
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c b/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c
+index a376f072700d..1c22bc11c1f8 100644
+--- a/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c
++++ b/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c
+@@ -31,9 +31,6 @@
+
+ #define NPS_MODE_MASK 0x000000FFL
+
+-/* Core 0 Port 0 counter */
+-#define smnPCIEP_NAK_COUNTER 0x1A340218
+-
+ static void nbio_v7_9_remap_hdp_registers(struct amdgpu_device *adev)
+ {
+ WREG32_SOC15(NBIO, 0, regBIF_BX0_REMAP_HDP_MEM_FLUSH_CNTL,
+@@ -467,22 +464,6 @@ static void nbio_v7_9_init_registers(struct amdgpu_device *adev)
+ }
+ }
+
+-static u64 nbio_v7_9_get_pcie_replay_count(struct amdgpu_device *adev)
+-{
+- u32 val, nak_r, nak_g;
+-
+- if (adev->flags & AMD_IS_APU)
+- return 0;
+-
+- /* Get the number of NAKs received and generated */
+- val = RREG32_PCIE(smnPCIEP_NAK_COUNTER);
+- nak_r = val & 0xFFFF;
+- nak_g = val >> 16;
+-
+- /* Add the total number of NAKs, i.e the number of replays */
+- return (nak_r + nak_g);
+-}
+-
+ #define MMIO_REG_HOLE_OFFSET 0x1A000
+
+ static void nbio_v7_9_set_reg_remap(struct amdgpu_device *adev)
+@@ -524,7 +505,6 @@ const struct amdgpu_nbio_funcs nbio_v7_9_funcs = {
+ .get_memory_partition_mode = nbio_v7_9_get_memory_partition_mode,
+ .is_nps_switch_requested = nbio_v7_9_is_nps_switch_requested,
+ .init_registers = nbio_v7_9_init_registers,
+- .get_pcie_replay_count = nbio_v7_9_get_pcie_replay_count,
+ .set_reg_remap = nbio_v7_9_set_reg_remap,
+ };
+
+--
+2.39.5
+
--- /dev/null
+From c3163a02bfe88c772d0ce32f475b7fe60f95a468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 18:17:16 +0200
+Subject: drm/amdgpu: rework queue reset scheduler interaction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <ckoenig.leichtzumerken@gmail.com>
+
+[ Upstream commit 821aacb2dcf0d1fbc3c0f7803b6089b01addb8bf ]
+
+Stopping the scheduler for queue reset is generally a good idea because
+it prevents any worker from touching the ring buffer.
+
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 14b2d71a9a24 ("drm/amdgpu/gfx10: fix KGQ reset sequence")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 35 ++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
+index ddb9d3269357..9ea3bce01faf 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
+@@ -91,8 +91,8 @@ static enum drm_gpu_sched_stat amdgpu_job_timedout(struct drm_sched_job *s_job)
+ struct amdgpu_job *job = to_amdgpu_job(s_job);
+ struct amdgpu_task_info *ti;
+ struct amdgpu_device *adev = ring->adev;
+- int idx;
+- int r;
++ bool set_error = false;
++ int idx, r;
+
+ if (!drm_dev_enter(adev_to_drm(adev), &idx)) {
+ dev_info(adev->dev, "%s - device unplugged skipping recovery on scheduler:%s",
+@@ -136,10 +136,12 @@ static enum drm_gpu_sched_stat amdgpu_job_timedout(struct drm_sched_job *s_job)
+ } else if (amdgpu_gpu_recovery && ring->funcs->reset) {
+ bool is_guilty;
+
+- dev_err(adev->dev, "Starting %s ring reset\n", s_job->sched->name);
+- /* stop the scheduler, but don't mess with the
+- * bad job yet because if ring reset fails
+- * we'll fall back to full GPU reset.
++ dev_err(adev->dev, "Starting %s ring reset\n",
++ s_job->sched->name);
++
++ /*
++ * Stop the scheduler to prevent anybody else from touching the
++ * ring buffer.
+ */
+ drm_sched_wqueue_stop(&ring->sched);
+
+@@ -152,26 +154,29 @@ static enum drm_gpu_sched_stat amdgpu_job_timedout(struct drm_sched_job *s_job)
+ else
+ is_guilty = true;
+
+- if (is_guilty)
++ if (is_guilty) {
+ dma_fence_set_error(&s_job->s_fence->finished, -ETIME);
++ set_error = true;
++ }
+
+ r = amdgpu_ring_reset(ring, job->vmid);
+ if (!r) {
+- if (amdgpu_ring_sched_ready(ring))
+- drm_sched_stop(&ring->sched, s_job);
+ if (is_guilty) {
+ atomic_inc(&ring->adev->gpu_reset_counter);
+ amdgpu_fence_driver_force_completion(ring);
+ }
+- if (amdgpu_ring_sched_ready(ring))
+- drm_sched_start(&ring->sched, 0);
+- dev_err(adev->dev, "Ring %s reset succeeded\n", ring->sched.name);
+- drm_dev_wedged_event(adev_to_drm(adev), DRM_WEDGE_RECOVERY_NONE);
++ drm_sched_wqueue_start(&ring->sched);
++ dev_err(adev->dev, "Ring %s reset succeeded\n",
++ ring->sched.name);
++ drm_dev_wedged_event(adev_to_drm(adev),
++ DRM_WEDGE_RECOVERY_NONE);
+ goto exit;
+ }
+- dev_err(adev->dev, "Ring %s reset failure\n", ring->sched.name);
++ dev_err(adev->dev, "Ring %s reset failed\n", ring->sched.name);
+ }
+- dma_fence_set_error(&s_job->s_fence->finished, -ETIME);
++
++ if (!set_error)
++ dma_fence_set_error(&s_job->s_fence->finished, -ETIME);
+
+ if (amdgpu_device_should_recover_gpu(ring->adev)) {
+ struct amdgpu_reset_context reset_context;
+--
+2.39.5
+
--- /dev/null
+From d2694d4f77e72d489fb9d7c60803ae05b6e459af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 12:13:04 -0400
+Subject: drm/amdgpu/sdma: handle paging queues in amdgpu_sdma_reset_engine()
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 9a9e87d15297ce72507178e93cbb773510c061cd ]
+
+Need to properly start and stop paging queues if they are present.
+
+This is not an issue today since we don't support a paging queue
+on any chips with queue reset.
+
+Fixes: b22659d5d352 ("drm/amdgpu: switch amdgpu_sdma_reset_engine to use the new sdma function pointers")
+Reviewed-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c
+index 9b54a1ece447..f7decf533bae 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c
+@@ -597,8 +597,11 @@ int amdgpu_sdma_reset_engine(struct amdgpu_device *adev, uint32_t instance_id)
+ page_sched_stopped = true;
+ }
+
+- if (sdma_instance->funcs->stop_kernel_queue)
++ if (sdma_instance->funcs->stop_kernel_queue) {
+ sdma_instance->funcs->stop_kernel_queue(gfx_ring);
++ if (adev->sdma.has_page_queue)
++ sdma_instance->funcs->stop_kernel_queue(page_ring);
++ }
+
+ /* Perform the SDMA reset for the specified instance */
+ ret = amdgpu_sdma_soft_reset(adev, instance_id);
+@@ -607,8 +610,11 @@ int amdgpu_sdma_reset_engine(struct amdgpu_device *adev, uint32_t instance_id)
+ goto exit;
+ }
+
+- if (sdma_instance->funcs->start_kernel_queue)
++ if (sdma_instance->funcs->start_kernel_queue) {
+ sdma_instance->funcs->start_kernel_queue(gfx_ring);
++ if (adev->sdma.has_page_queue)
++ sdma_instance->funcs->start_kernel_queue(page_ring);
++ }
+
+ exit:
+ /* Restart the scheduler's work queue for the GFX and page rings
+--
+2.39.5
+
--- /dev/null
+From 42cfa99ff6ce6cf463751e7a02ca7b1eb4b6eed6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 11:42:11 +0800
+Subject: drm/amdkfd: Move the process suspend and resume out of full access
+
+From: Emily Deng <Emily.Deng@amd.com>
+
+[ Upstream commit 54f7a24e1437d66c9ff36d727a9dff1beeeab429 ]
+
+For the suspend and resume process, exclusive access is not required.
+Therefore, it can be moved out of the full access section to reduce the
+duration of exclusive access.
+
+v3:
+Move suspend processes before hardware fini.
+Remove twice call for bare metal.
+
+v4:
+Refine code
+
+Signed-off-by: Emily Deng <Emily.Deng@amd.com>
+Acked-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 14b2d71a9a24 ("drm/amdgpu/gfx10: fix KGQ reset sequence")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 24 +++++++--
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 25 ++++++---
+ .../drm/amd/amdgpu/amdgpu_amdkfd_arcturus.c | 4 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 11 ++--
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 4 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 54 ++++++++++++-------
+ 6 files changed, 86 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
+index d8ac4b1051a8..fe282b855734 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
+@@ -248,18 +248,34 @@ void amdgpu_amdkfd_interrupt(struct amdgpu_device *adev,
+ kgd2kfd_interrupt(adev->kfd.dev, ih_ring_entry);
+ }
+
+-void amdgpu_amdkfd_suspend(struct amdgpu_device *adev, bool run_pm)
++void amdgpu_amdkfd_suspend(struct amdgpu_device *adev, bool suspend_proc)
+ {
+ if (adev->kfd.dev)
+- kgd2kfd_suspend(adev->kfd.dev, run_pm);
++ kgd2kfd_suspend(adev->kfd.dev, suspend_proc);
+ }
+
+-int amdgpu_amdkfd_resume(struct amdgpu_device *adev, bool run_pm)
++int amdgpu_amdkfd_resume(struct amdgpu_device *adev, bool resume_proc)
+ {
+ int r = 0;
+
+ if (adev->kfd.dev)
+- r = kgd2kfd_resume(adev->kfd.dev, run_pm);
++ r = kgd2kfd_resume(adev->kfd.dev, resume_proc);
++
++ return r;
++}
++
++void amdgpu_amdkfd_suspend_process(struct amdgpu_device *adev)
++{
++ if (adev->kfd.dev)
++ kgd2kfd_suspend_process(adev->kfd.dev);
++}
++
++int amdgpu_amdkfd_resume_process(struct amdgpu_device *adev)
++{
++ int r = 0;
++
++ if (adev->kfd.dev)
++ r = kgd2kfd_resume_process(adev->kfd.dev);
+
+ return r;
+ }
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+index b6ca41859b53..b7c3ec483407 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+@@ -154,8 +154,10 @@ struct amdkfd_process_info {
+ int amdgpu_amdkfd_init(void);
+ void amdgpu_amdkfd_fini(void);
+
+-void amdgpu_amdkfd_suspend(struct amdgpu_device *adev, bool run_pm);
+-int amdgpu_amdkfd_resume(struct amdgpu_device *adev, bool run_pm);
++void amdgpu_amdkfd_suspend(struct amdgpu_device *adev, bool suspend_proc);
++int amdgpu_amdkfd_resume(struct amdgpu_device *adev, bool resume_proc);
++void amdgpu_amdkfd_suspend_process(struct amdgpu_device *adev);
++int amdgpu_amdkfd_resume_process(struct amdgpu_device *adev);
+ void amdgpu_amdkfd_interrupt(struct amdgpu_device *adev,
+ const void *ih_ring_entry);
+ void amdgpu_amdkfd_device_probe(struct amdgpu_device *adev);
+@@ -411,8 +413,10 @@ struct kfd_dev *kgd2kfd_probe(struct amdgpu_device *adev, bool vf);
+ bool kgd2kfd_device_init(struct kfd_dev *kfd,
+ const struct kgd2kfd_shared_resources *gpu_resources);
+ void kgd2kfd_device_exit(struct kfd_dev *kfd);
+-void kgd2kfd_suspend(struct kfd_dev *kfd, bool run_pm);
+-int kgd2kfd_resume(struct kfd_dev *kfd, bool run_pm);
++void kgd2kfd_suspend(struct kfd_dev *kfd, bool suspend_proc);
++int kgd2kfd_resume(struct kfd_dev *kfd, bool resume_proc);
++void kgd2kfd_suspend_process(struct kfd_dev *kfd);
++int kgd2kfd_resume_process(struct kfd_dev *kfd);
+ int kgd2kfd_pre_reset(struct kfd_dev *kfd,
+ struct amdgpu_reset_context *reset_context);
+ int kgd2kfd_post_reset(struct kfd_dev *kfd);
+@@ -454,11 +458,20 @@ static inline void kgd2kfd_device_exit(struct kfd_dev *kfd)
+ {
+ }
+
+-static inline void kgd2kfd_suspend(struct kfd_dev *kfd, bool run_pm)
++static inline void kgd2kfd_suspend(struct kfd_dev *kfd, bool suspend_proc)
+ {
+ }
+
+-static inline int kgd2kfd_resume(struct kfd_dev *kfd, bool run_pm)
++static inline int kgd2kfd_resume(struct kfd_dev *kfd, bool resume_proc)
++{
++ return 0;
++}
++
++static inline void kgd2kfd_suspend_process(struct kfd_dev *kfd)
++{
++}
++
++static inline int kgd2kfd_resume_process(struct kfd_dev *kfd)
+ {
+ return 0;
+ }
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_arcturus.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_arcturus.c
+index ffbaa8bc5eea..1105a09e55dc 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_arcturus.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_arcturus.c
+@@ -320,7 +320,7 @@ static void set_barrier_auto_waitcnt(struct amdgpu_device *adev, bool enable_wai
+ if (!down_read_trylock(&adev->reset_domain->sem))
+ return;
+
+- amdgpu_amdkfd_suspend(adev, false);
++ amdgpu_amdkfd_suspend(adev, true);
+
+ if (suspend_resume_compute_scheduler(adev, true))
+ goto out;
+@@ -333,7 +333,7 @@ static void set_barrier_auto_waitcnt(struct amdgpu_device *adev, bool enable_wai
+ out:
+ suspend_resume_compute_scheduler(adev, false);
+
+- amdgpu_amdkfd_resume(adev, false);
++ amdgpu_amdkfd_resume(adev, true);
+
+ up_read(&adev->reset_domain->sem);
+ }
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index aa32df7e2fb2..54ea8e8d7812 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3518,7 +3518,7 @@ static int amdgpu_device_ip_fini_early(struct amdgpu_device *adev)
+ amdgpu_device_set_pg_state(adev, AMD_PG_STATE_UNGATE);
+ amdgpu_device_set_cg_state(adev, AMD_CG_STATE_UNGATE);
+
+- amdgpu_amdkfd_suspend(adev, false);
++ amdgpu_amdkfd_suspend(adev, true);
+ amdgpu_userq_suspend(adev);
+
+ /* Workaround for ASICs need to disable SMC first */
+@@ -5055,6 +5055,8 @@ int amdgpu_device_suspend(struct drm_device *dev, bool notify_clients)
+ adev->in_suspend = true;
+
+ if (amdgpu_sriov_vf(adev)) {
++ if (!adev->in_s0ix && !adev->in_runpm)
++ amdgpu_amdkfd_suspend_process(adev);
+ amdgpu_virt_fini_data_exchange(adev);
+ r = amdgpu_virt_request_full_gpu(adev, false);
+ if (r)
+@@ -5074,7 +5076,7 @@ int amdgpu_device_suspend(struct drm_device *dev, bool notify_clients)
+ amdgpu_device_ip_suspend_phase1(adev);
+
+ if (!adev->in_s0ix) {
+- amdgpu_amdkfd_suspend(adev, adev->in_runpm);
++ amdgpu_amdkfd_suspend(adev, !amdgpu_sriov_vf(adev) && !adev->in_runpm);
+ amdgpu_userq_suspend(adev);
+ }
+
+@@ -5140,7 +5142,7 @@ int amdgpu_device_resume(struct drm_device *dev, bool notify_clients)
+ }
+
+ if (!adev->in_s0ix) {
+- r = amdgpu_amdkfd_resume(adev, adev->in_runpm);
++ r = amdgpu_amdkfd_resume(adev, !amdgpu_sriov_vf(adev) && !adev->in_runpm);
+ if (r)
+ goto exit;
+
+@@ -5159,6 +5161,9 @@ int amdgpu_device_resume(struct drm_device *dev, bool notify_clients)
+ if (amdgpu_sriov_vf(adev)) {
+ amdgpu_virt_init_data_exchange(adev);
+ amdgpu_virt_release_full_gpu(adev, true);
++
++ if (!adev->in_s0ix && !r && !adev->in_runpm)
++ r = amdgpu_amdkfd_resume_process(adev);
+ }
+
+ if (r)
+diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
+index bb82c652e4c0..5de2f047c534 100644
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
+@@ -1681,9 +1681,9 @@ static int sdma_v4_4_2_reset_queue(struct amdgpu_ring *ring, unsigned int vmid)
+ if (!(adev->sdma.supported_reset & AMDGPU_RESET_TYPE_PER_QUEUE))
+ return -EOPNOTSUPP;
+
+- amdgpu_amdkfd_suspend(adev, false);
++ amdgpu_amdkfd_suspend(adev, true);
+ r = amdgpu_sdma_reset_engine(adev, id);
+- amdgpu_amdkfd_resume(adev, false);
++ amdgpu_amdkfd_resume(adev, true);
+
+ return r;
+ }
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+index bf0854bd5555..097bf6753782 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+@@ -971,7 +971,7 @@ int kgd2kfd_pre_reset(struct kfd_dev *kfd,
+ kfd_smi_event_update_gpu_reset(node, false, reset_context);
+ }
+
+- kgd2kfd_suspend(kfd, false);
++ kgd2kfd_suspend(kfd, true);
+
+ for (i = 0; i < kfd->num_nodes; i++)
+ kfd_signal_reset_event(kfd->nodes[i]);
+@@ -1019,7 +1019,7 @@ bool kfd_is_locked(void)
+ return (kfd_locked > 0);
+ }
+
+-void kgd2kfd_suspend(struct kfd_dev *kfd, bool run_pm)
++void kgd2kfd_suspend(struct kfd_dev *kfd, bool suspend_proc)
+ {
+ struct kfd_node *node;
+ int i;
+@@ -1027,14 +1027,8 @@ void kgd2kfd_suspend(struct kfd_dev *kfd, bool run_pm)
+ if (!kfd->init_complete)
+ return;
+
+- /* for runtime suspend, skip locking kfd */
+- if (!run_pm) {
+- mutex_lock(&kfd_processes_mutex);
+- /* For first KFD device suspend all the KFD processes */
+- if (++kfd_locked == 1)
+- kfd_suspend_all_processes();
+- mutex_unlock(&kfd_processes_mutex);
+- }
++ if (suspend_proc)
++ kgd2kfd_suspend_process(kfd);
+
+ for (i = 0; i < kfd->num_nodes; i++) {
+ node = kfd->nodes[i];
+@@ -1042,7 +1036,7 @@ void kgd2kfd_suspend(struct kfd_dev *kfd, bool run_pm)
+ }
+ }
+
+-int kgd2kfd_resume(struct kfd_dev *kfd, bool run_pm)
++int kgd2kfd_resume(struct kfd_dev *kfd, bool resume_proc)
+ {
+ int ret, i;
+
+@@ -1055,14 +1049,36 @@ int kgd2kfd_resume(struct kfd_dev *kfd, bool run_pm)
+ return ret;
+ }
+
+- /* for runtime resume, skip unlocking kfd */
+- if (!run_pm) {
+- mutex_lock(&kfd_processes_mutex);
+- if (--kfd_locked == 0)
+- ret = kfd_resume_all_processes();
+- WARN_ONCE(kfd_locked < 0, "KFD suspend / resume ref. error");
+- mutex_unlock(&kfd_processes_mutex);
+- }
++ if (resume_proc)
++ ret = kgd2kfd_resume_process(kfd);
++
++ return ret;
++}
++
++void kgd2kfd_suspend_process(struct kfd_dev *kfd)
++{
++ if (!kfd->init_complete)
++ return;
++
++ mutex_lock(&kfd_processes_mutex);
++ /* For first KFD device suspend all the KFD processes */
++ if (++kfd_locked == 1)
++ kfd_suspend_all_processes();
++ mutex_unlock(&kfd_processes_mutex);
++}
++
++int kgd2kfd_resume_process(struct kfd_dev *kfd)
++{
++ int ret = 0;
++
++ if (!kfd->init_complete)
++ return 0;
++
++ mutex_lock(&kfd_processes_mutex);
++ if (--kfd_locked == 0)
++ ret = kfd_resume_all_processes();
++ WARN_ONCE(kfd_locked < 0, "KFD suspend / resume ref. error");
++ mutex_unlock(&kfd_processes_mutex);
+
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From 8d422ed017496b3014475dbccecf0be66dcad416 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 15:11:09 +0300
+Subject: drm/connector: hdmi: Evaluate limited range after computing format
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit 21f627139652dd8329a88e281df6600f3866d238 ]
+
+Evaluating the requirement to use a limited RGB quantization range
+involves a verification of the output format, among others, but this is
+currently performed before actually computing the format, hence relying
+on the old connector state.
+
+Move the call to hdmi_is_limited_range() after hdmi_compute_config() to
+ensure the verification is done on the updated output format.
+
+Fixes: 027d43590649 ("drm/connector: hdmi: Add RGB Quantization Range to the connector state")
+Reviewed-by: Dmitry Baryshkov <lumag@kernel.org>
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Acked-by: Maxime Ripard <mripard@kernel.org>
+Link: https://lore.kernel.org/r/20250527-hdmi-conn-yuv-v5-1-74c9c4a8ac0c@collabora.com
+Signed-off-by: Maxime Ripard <mripard@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/display/drm_hdmi_state_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/display/drm_hdmi_state_helper.c b/drivers/gpu/drm/display/drm_hdmi_state_helper.c
+index d9d9948b29e9..45b154c8abb2 100644
+--- a/drivers/gpu/drm/display/drm_hdmi_state_helper.c
++++ b/drivers/gpu/drm/display/drm_hdmi_state_helper.c
+@@ -798,12 +798,12 @@ int drm_atomic_helper_connector_hdmi_check(struct drm_connector *connector,
+ if (!new_conn_state->crtc || !new_conn_state->best_encoder)
+ return 0;
+
+- new_conn_state->hdmi.is_limited_range = hdmi_is_limited_range(connector, new_conn_state);
+-
+ ret = hdmi_compute_config(connector, new_conn_state, mode);
+ if (ret)
+ return ret;
+
++ new_conn_state->hdmi.is_limited_range = hdmi_is_limited_range(connector, new_conn_state);
++
+ ret = hdmi_generate_infoframes(connector, new_conn_state);
+ if (ret)
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 14b81018163013355d60e2ca23f48361312ac404 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 14:50:03 +0200
+Subject: drm/msm/dpu: Fill in min_prefill_lines for SC8180X
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 5136acc40afc0261802e5cb01b04f871bf6d876b ]
+
+Based on the downstream release, predictably same value as for SM8150.
+
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Fixes: f3af2d6ee9ab ("drm/msm/dpu: Add SC8180x to hw catalog")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/657794/
+Link: https://lore.kernel.org/r/20250610-topic-dpu_8180_mpl-v1-1-f480cd22f11c@oss.qualcomm.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h
+index d6f8b1030c68..6c04f41f9bac 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h
+@@ -383,6 +383,7 @@ static const struct dpu_perf_cfg sc8180x_perf_data = {
+ .min_core_ib = 2400000,
+ .min_llcc_ib = 800000,
+ .min_dram_ib = 800000,
++ .min_prefill_lines = 24,
+ .danger_lut_tbl = {0xf, 0xffff, 0x0},
+ .safe_lut_tbl = {0xfff0, 0xf000, 0xffff},
+ .qos_lut_tbl = {
+--
+2.39.5
+
--- /dev/null
+From 6ebbad88faccdeb012e24a3d01a9c37ffa1a488a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 18:44:02 +0100
+Subject: drm/panfrost: Fix panfrost device variable name in devfreq
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Adrián Larumbe <adrian.larumbe@collabora.com>
+
+[ Upstream commit 6048f5587614bb4919c54966913452c1a0a43138 ]
+
+Commit 64111a0e22a9 ("drm/panfrost: Fix incorrect updating of current
+device frequency") was a Panfrost port of a similar fix in Panthor.
+
+Fix the Panfrost device pointer variable name so that it follows
+Panfrost naming conventions.
+
+Signed-off-by: Adrián Larumbe <adrian.larumbe@collabora.com>
+Fixes: 64111a0e22a9 ("drm/panfrost: Fix incorrect updating of current device frequency")
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://lore.kernel.org/r/20250520174634.353267-6-adrian.larumbe@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_devfreq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_devfreq.c b/drivers/gpu/drm/panfrost/panfrost_devfreq.c
+index 3385fd3ef41a..5d0dce10336b 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_devfreq.c
++++ b/drivers/gpu/drm/panfrost/panfrost_devfreq.c
+@@ -29,7 +29,7 @@ static void panfrost_devfreq_update_utilization(struct panfrost_devfreq *pfdevfr
+ static int panfrost_devfreq_target(struct device *dev, unsigned long *freq,
+ u32 flags)
+ {
+- struct panfrost_device *ptdev = dev_get_drvdata(dev);
++ struct panfrost_device *pfdev = dev_get_drvdata(dev);
+ struct dev_pm_opp *opp;
+ int err;
+
+@@ -40,7 +40,7 @@ static int panfrost_devfreq_target(struct device *dev, unsigned long *freq,
+
+ err = dev_pm_opp_set_rate(dev, *freq);
+ if (!err)
+- ptdev->pfdevfreq.current_frequency = *freq;
++ pfdev->pfdevfreq.current_frequency = *freq;
+
+ return err;
+ }
+--
+2.39.5
+
--- /dev/null
+From cee54c3a339a49f0ba38fe3d16b4b026d6912ac0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 10:09:31 +0200
+Subject: drm/panthor: Add missing explicit padding in drm_panthor_gpu_info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Boris Brezillon <boris.brezillon@collabora.com>
+
+[ Upstream commit 95cbab48782bf62e4093837dc15ac6133902c12f ]
+
+drm_panthor_gpu_info::shader_present is currently automatically offset
+by 4 byte to meet Arm's 32-bit/64-bit field alignment rules, but those
+constraints don't stand on 32-bit x86 and cause a mismatch when running
+an x86 binary in a user emulated environment like FEX. It's also
+generally agreed that uAPIs should explicitly pad their struct fields,
+which we originally intended to do, but a mistake slipped through during
+the submission process, leading drm_panthor_gpu_info::shader_present to
+be misaligned.
+
+This uAPI change doesn't break any of the existing users of panthor
+which are either arm32 or arm64 where the 64-bit alignment of
+u64 fields is already enforced a the compiler level.
+
+Changes in v2:
+- Rename the garbage field into pad0 and adjust the comment accordingly
+- Add Liviu's A-b
+
+Changes in v3:
+- Add R-bs
+
+Fixes: 0f25e493a246 ("drm/panthor: Add uAPI")
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Reviewed-by: Adrián Larumbe <adrian.larumbe@collabora.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Link: https://lore.kernel.org/r/20250606080932.4140010-2-boris.brezillon@collabora.com
+Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/drm/panthor_drm.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/include/uapi/drm/panthor_drm.h b/include/uapi/drm/panthor_drm.h
+index ad9a70afea6c..3a76c4f2882b 100644
+--- a/include/uapi/drm/panthor_drm.h
++++ b/include/uapi/drm/panthor_drm.h
+@@ -296,6 +296,9 @@ struct drm_panthor_gpu_info {
+ /** @as_present: Bitmask encoding the number of address-space exposed by the MMU. */
+ __u32 as_present;
+
++ /** @pad0: MBZ. */
++ __u32 pad0;
++
+ /** @shader_present: Bitmask encoding the shader cores exposed by the GPU. */
+ __u64 shader_present;
+
+--
+2.39.5
+
--- /dev/null
+From b260145954f0f8fcd3fc726ec2883e3281c26a66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 15:52:20 +0200
+Subject: drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Simona Vetter <simona.vetter@ffwll.ch>
+
+[ Upstream commit fe69a391808404977b1f002a6e7447de3de7a88e ]
+
+The object is potentially already gone after the drm_gem_object_put().
+In general the object should be fully constructed before calling
+drm_gem_handle_create(), except the debugfs tracking uses a separate
+lock and list and separate flag to denotate whether the object is
+actually initialized.
+
+Since I'm touching this all anyway simplify this by only adding the
+object to the debugfs when it's ready for that, which allows us to
+delete that separate flag. panthor_gem_debugfs_bo_rm() already checks
+whether we've actually been added to the list or this is some error
+path cleanup.
+
+v2: Fix build issues for !CONFIG_DEBUGFS (Adrián)
+
+v3: Add linebreak and remove outdated comment (Liviu)
+
+Fixes: a3707f53eb3f ("drm/panthor: show device-wide list of DRM GEM objects over DebugFS")
+Cc: Adrián Larumbe <adrian.larumbe@collabora.com>
+Cc: Boris Brezillon <boris.brezillon@collabora.com>
+Cc: Steven Price <steven.price@arm.com>
+Cc: Liviu Dudau <liviu.dudau@arm.com>
+Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Simona Vetter <simona.vetter@intel.com>
+Signed-off-by: Simona Vetter <simona.vetter@ffwll.ch>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://lore.kernel.org/r/20250709135220.1428931-1-simona.vetter@ffwll.ch
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panthor/panthor_gem.c | 31 +++++++++++++--------------
+ drivers/gpu/drm/panthor/panthor_gem.h | 3 ---
+ 2 files changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/panthor/panthor_gem.c b/drivers/gpu/drm/panthor/panthor_gem.c
+index 7c00fd77758b..a123bc740ba1 100644
+--- a/drivers/gpu/drm/panthor/panthor_gem.c
++++ b/drivers/gpu/drm/panthor/panthor_gem.c
+@@ -16,10 +16,15 @@
+ #include "panthor_mmu.h"
+
+ #ifdef CONFIG_DEBUG_FS
+-static void panthor_gem_debugfs_bo_add(struct panthor_device *ptdev,
+- struct panthor_gem_object *bo)
++static void panthor_gem_debugfs_bo_init(struct panthor_gem_object *bo)
+ {
+ INIT_LIST_HEAD(&bo->debugfs.node);
++}
++
++static void panthor_gem_debugfs_bo_add(struct panthor_gem_object *bo)
++{
++ struct panthor_device *ptdev = container_of(bo->base.base.dev,
++ struct panthor_device, base);
+
+ bo->debugfs.creator.tgid = current->group_leader->pid;
+ get_task_comm(bo->debugfs.creator.process_name, current->group_leader);
+@@ -44,14 +49,13 @@ static void panthor_gem_debugfs_bo_rm(struct panthor_gem_object *bo)
+
+ static void panthor_gem_debugfs_set_usage_flags(struct panthor_gem_object *bo, u32 usage_flags)
+ {
+- bo->debugfs.flags = usage_flags | PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED;
++ bo->debugfs.flags = usage_flags;
++ panthor_gem_debugfs_bo_add(bo);
+ }
+ #else
+-static void panthor_gem_debugfs_bo_add(struct panthor_device *ptdev,
+- struct panthor_gem_object *bo)
+-{}
+ static void panthor_gem_debugfs_bo_rm(struct panthor_gem_object *bo) {}
+ static void panthor_gem_debugfs_set_usage_flags(struct panthor_gem_object *bo, u32 usage_flags) {}
++static void panthor_gem_debugfs_bo_init(struct panthor_gem_object *bo) {}
+ #endif
+
+ static void panthor_gem_free_object(struct drm_gem_object *obj)
+@@ -246,7 +250,7 @@ struct drm_gem_object *panthor_gem_create_object(struct drm_device *ddev, size_t
+ drm_gem_gpuva_set_lock(&obj->base.base, &obj->gpuva_list_lock);
+ mutex_init(&obj->label.lock);
+
+- panthor_gem_debugfs_bo_add(ptdev, obj);
++ panthor_gem_debugfs_bo_init(obj);
+
+ return &obj->base.base;
+ }
+@@ -285,6 +289,8 @@ panthor_gem_create_with_handle(struct drm_file *file,
+ bo->base.base.resv = bo->exclusive_vm_root_gem->resv;
+ }
+
++ panthor_gem_debugfs_set_usage_flags(bo, 0);
++
+ /*
+ * Allocate an id of idr table where the obj is registered
+ * and handle has the id what user can see.
+@@ -296,12 +302,6 @@ panthor_gem_create_with_handle(struct drm_file *file,
+ /* drop reference from allocate - handle holds it now. */
+ drm_gem_object_put(&shmem->base);
+
+- /*
+- * No explicit flags are needed in the call below, since the
+- * function internally sets the INITIALIZED bit for us.
+- */
+- panthor_gem_debugfs_set_usage_flags(bo, 0);
+-
+ return ret;
+ }
+
+@@ -387,7 +387,7 @@ static void panthor_gem_debugfs_bo_print(struct panthor_gem_object *bo,
+ unsigned int refcount = kref_read(&bo->base.base.refcount);
+ char creator_info[32] = {};
+ size_t resident_size;
+- u32 gem_usage_flags = bo->debugfs.flags & (u32)~PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED;
++ u32 gem_usage_flags = bo->debugfs.flags;
+ u32 gem_state_flags = 0;
+
+ /* Skip BOs being destroyed. */
+@@ -436,8 +436,7 @@ void panthor_gem_debugfs_print_bos(struct panthor_device *ptdev,
+
+ scoped_guard(mutex, &ptdev->gems.lock) {
+ list_for_each_entry(bo, &ptdev->gems.node, debugfs.node) {
+- if (bo->debugfs.flags & PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED)
+- panthor_gem_debugfs_bo_print(bo, m, &totals);
++ panthor_gem_debugfs_bo_print(bo, m, &totals);
+ }
+ }
+
+diff --git a/drivers/gpu/drm/panthor/panthor_gem.h b/drivers/gpu/drm/panthor/panthor_gem.h
+index 4dd732dcd59f..8fc7215e9b90 100644
+--- a/drivers/gpu/drm/panthor/panthor_gem.h
++++ b/drivers/gpu/drm/panthor/panthor_gem.h
+@@ -35,9 +35,6 @@ enum panthor_debugfs_gem_usage_flags {
+
+ /** @PANTHOR_DEBUGFS_GEM_USAGE_FLAG_FW_MAPPED: BO is mapped on the FW VM. */
+ PANTHOR_DEBUGFS_GEM_USAGE_FLAG_FW_MAPPED = BIT(PANTHOR_DEBUGFS_GEM_USAGE_FW_MAPPED_BIT),
+-
+- /** @PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED: BO is ready for DebugFS display. */
+- PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED = BIT(31),
+ };
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 38de330ab32d97ca34385e799de953604465e194 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 11:15:59 +0800
+Subject: drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed
+
+From: Andy Yan <andy.yan@rock-chips.com>
+
+[ Upstream commit 099593a28138b48feea5be8ce700e5bc4565e31d ]
+
+In the function drm_gem_fb_init_with_funcs, the framebuffer (fb)
+and its corresponding object ID have already been registered.
+
+So we need to cleanup the drm framebuffer if the subsequent
+execution of drm_gem_fb_afbc_init fails.
+
+Directly call drm_framebuffer_put to ensure that all fb related
+resources are cleanup.
+
+Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc")
+Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20250509031607.2542187-1-andyshrk@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c
+index dcc1f07632c3..5829ee061c61 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c
+@@ -52,16 +52,9 @@ rockchip_fb_create(struct drm_device *dev, struct drm_file *file,
+ }
+
+ if (drm_is_afbc(mode_cmd->modifier[0])) {
+- int ret, i;
+-
+ ret = drm_gem_fb_afbc_init(dev, mode_cmd, afbc_fb);
+ if (ret) {
+- struct drm_gem_object **obj = afbc_fb->base.obj;
+-
+- for (i = 0; i < info->num_planes; ++i)
+- drm_gem_object_put(obj[i]);
+-
+- kfree(afbc_fb);
++ drm_framebuffer_put(&afbc_fb->base);
+ return ERR_PTR(ret);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From c6567a7d3b4cb22c145c292b41345104b612c3a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 23:27:48 +0200
+Subject: drm/rockchip: vop2: fail cleanly if missing a primary plane for a
+ video-port
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit f9f68bf1d0efeadb6c427c9dbb30f307a7def19b ]
+
+Each window of a vop2 is usable by a specific set of video ports, so while
+binding the vop2, we look through the list of available windows trying to
+find one designated as primary-plane and usable by that specific port.
+
+The code later wants to use drm_crtc_init_with_planes with that found
+primary plane, but nothing has checked so far if a primary plane was
+actually found.
+
+For whatever reason, the rk3576 vp2 does not have a usable primary window
+(if vp0 is also in use) which brought the issue to light and ended in a
+null-pointer dereference further down.
+
+As we expect a primary-plane to exist for a video-port, add a check at
+the end of the window-iteration and fail probing if none was found.
+
+Fixes: 604be85547ce ("drm/rockchip: Add VOP2 driver")
+Reviewed-by: Andy Yan <andy.yan@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20250610212748.1062375-1-heiko@sntech.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+index d0f5fea15e21..6b37ce3ee60b 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+@@ -2422,6 +2422,10 @@ static int vop2_create_crtcs(struct vop2 *vop2)
+ break;
+ }
+ }
++
++ if (!vp->primary_plane)
++ return dev_err_probe(drm->dev, -ENOENT,
++ "no primary plane for vp %d\n", i);
+ }
+
+ /* Register all unused window as overlay plane */
+--
+2.39.5
+
--- /dev/null
+From cedb623a101b134881bcd692fe7daac347d3dd2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 18:21:54 +0800
+Subject: drm/rockchip: vop2: Fix the update of LAYER/PORT select registers
+ when there are multi display output on rk3588/rk3568
+
+From: Andy Yan <andy.yan@rock-chips.com>
+
+[ Upstream commit 3e89a8c6835476aa782da80585dee9ddae651eea ]
+
+The all video ports of rk3568/rk3588 share the same OVL_LAYER_SEL
+and OVL_PORT_SEL registers, and the configuration of these two registers
+can be set to take effect when the vsync signal arrives at a certain Video
+Port.
+
+If two threads for two display output choose to update these two registers
+simultaneously to meet their own plane adjustment requirements(change plane
+zpos or switch plane from one crtc to another), then no matter which Video
+Port'svsync signal we choose to follow for these two registers, the display
+output of the other Video Port will be abnormal.
+This is because the configuration of this Video Port does not take
+effect at the right time (its configuration should take effect when its
+VSYNC signal arrives).
+
+In order to solve this problem, when performing plane migration or
+change the zpos of planes, there are two things to be observed and
+followed:
+
+1. When a plane is migrated from one VP to another, the configuration of
+ the layer can only take effect after the Port mux configuration is
+ enabled.
+
+2. When change the zpos of planes, we must ensure that the change for
+ the previous VP takes effect before we proceed to change the next VP.
+ Otherwise, the new configuration might overwrite the previous one for
+ the previous VP, or it could lead to the configuration of the previous
+ VP being take effect along with the VSYNC of the new VP.
+
+This issue only occurs in scenarios where multi-display output is enabled.
+
+Fixes: c5996e4ab109 ("drm/rockchip: vop2: Make overlay layer select register configuration take effect by vsync")
+Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20250421102156.424480-1-andyshrk@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 25 ++----
+ drivers/gpu/drm/rockchip/rockchip_drm_vop2.h | 33 ++++++++
+ drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 89 ++++++++++++++++++--
+ 3 files changed, 122 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+index 6b37ce3ee60b..186f6452a7d3 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+@@ -146,25 +146,6 @@ static void vop2_unlock(struct vop2 *vop2)
+ mutex_unlock(&vop2->vop2_lock);
+ }
+
+-/*
+- * Note:
+- * The write mask function is documented but missing on rk3566/8, writes
+- * to these bits have no effect. For newer soc(rk3588 and following) the
+- * write mask is needed for register writes.
+- *
+- * GLB_CFG_DONE_EN has no write mask bit.
+- *
+- */
+-static void vop2_cfg_done(struct vop2_video_port *vp)
+-{
+- struct vop2 *vop2 = vp->vop2;
+- u32 val = RK3568_REG_CFG_DONE__GLB_CFG_DONE_EN;
+-
+- val |= BIT(vp->id) | (BIT(vp->id) << 16);
+-
+- regmap_set_bits(vop2->map, RK3568_REG_CFG_DONE, val);
+-}
+-
+ static void vop2_win_disable(struct vop2_win *win)
+ {
+ vop2_win_write(win, VOP2_WIN_ENABLE, 0);
+@@ -854,6 +835,11 @@ static void vop2_enable(struct vop2 *vop2)
+ if (vop2->version == VOP_VERSION_RK3588)
+ rk3588_vop2_power_domain_enable_all(vop2);
+
++ if (vop2->version <= VOP_VERSION_RK3588) {
++ vop2->old_layer_sel = vop2_readl(vop2, RK3568_OVL_LAYER_SEL);
++ vop2->old_port_sel = vop2_readl(vop2, RK3568_OVL_PORT_SEL);
++ }
++
+ vop2_writel(vop2, RK3568_REG_CFG_DONE, RK3568_REG_CFG_DONE__GLB_CFG_DONE_EN);
+
+ /*
+@@ -2728,6 +2714,7 @@ static int vop2_bind(struct device *dev, struct device *master, void *data)
+ return dev_err_probe(drm->dev, vop2->irq, "cannot find irq for vop2\n");
+
+ mutex_init(&vop2->vop2_lock);
++ mutex_init(&vop2->ovl_lock);
+
+ ret = devm_request_irq(dev, vop2->irq, vop2_isr, IRQF_SHARED, dev_name(dev), vop2);
+ if (ret)
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.h b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.h
+index fc3ecb9fcd95..fa5c56f16047 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.h
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.h
+@@ -334,6 +334,19 @@ struct vop2 {
+ /* optional internal rgb encoder */
+ struct rockchip_rgb *rgb;
+
++ /*
++ * Used to record layer selection configuration on rk356x/rk3588
++ * as register RK3568_OVL_LAYER_SEL and RK3568_OVL_PORT_SEL are
++ * shared for all the Video Ports.
++ */
++ u32 old_layer_sel;
++ u32 old_port_sel;
++ /*
++ * Ensure that the updates to these two registers(RKK3568_OVL_LAYER_SEL/RK3568_OVL_PORT_SEL)
++ * take effect in sequence.
++ */
++ struct mutex ovl_lock;
++
+ /* must be put at the end of the struct */
+ struct vop2_win win[];
+ };
+@@ -727,6 +740,7 @@ enum dst_factor_mode {
+ #define RK3588_OVL_PORT_SEL__CLUSTER2 GENMASK(21, 20)
+ #define RK3568_OVL_PORT_SEL__CLUSTER1 GENMASK(19, 18)
+ #define RK3568_OVL_PORT_SEL__CLUSTER0 GENMASK(17, 16)
++#define RK3588_OVL_PORT_SET__PORT3_MUX GENMASK(15, 12)
+ #define RK3568_OVL_PORT_SET__PORT2_MUX GENMASK(11, 8)
+ #define RK3568_OVL_PORT_SET__PORT1_MUX GENMASK(7, 4)
+ #define RK3568_OVL_PORT_SET__PORT0_MUX GENMASK(3, 0)
+@@ -831,4 +845,23 @@ static inline struct vop2_win *to_vop2_win(struct drm_plane *p)
+ return container_of(p, struct vop2_win, base);
+ }
+
++/*
++ * Note:
++ * The write mask function is documented but missing on rk3566/8, writes
++ * to these bits have no effect. For newer soc(rk3588 and following) the
++ * write mask is needed for register writes.
++ *
++ * GLB_CFG_DONE_EN has no write mask bit.
++ *
++ */
++static inline void vop2_cfg_done(struct vop2_video_port *vp)
++{
++ struct vop2 *vop2 = vp->vop2;
++ u32 val = RK3568_REG_CFG_DONE__GLB_CFG_DONE_EN;
++
++ val |= BIT(vp->id) | (BIT(vp->id) << 16);
++
++ regmap_set_bits(vop2->map, RK3568_REG_CFG_DONE, val);
++}
++
+ #endif /* _ROCKCHIP_DRM_VOP2_H */
+diff --git a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+index 32c4ed685739..45c5e3987813 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
++++ b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+@@ -2052,12 +2052,55 @@ static void vop2_setup_alpha(struct vop2_video_port *vp)
+ }
+ }
+
++static u32 rk3568_vop2_read_port_mux(struct vop2 *vop2)
++{
++ return vop2_readl(vop2, RK3568_OVL_PORT_SEL);
++}
++
++static void rk3568_vop2_wait_for_port_mux_done(struct vop2 *vop2)
++{
++ u32 port_mux_sel;
++ int ret;
++
++ /*
++ * Spin until the previous port_mux figuration is done.
++ */
++ ret = readx_poll_timeout_atomic(rk3568_vop2_read_port_mux, vop2, port_mux_sel,
++ port_mux_sel == vop2->old_port_sel, 0, 50 * 1000);
++ if (ret)
++ DRM_DEV_ERROR(vop2->dev, "wait port_mux done timeout: 0x%x--0x%x\n",
++ port_mux_sel, vop2->old_port_sel);
++}
++
++static u32 rk3568_vop2_read_layer_cfg(struct vop2 *vop2)
++{
++ return vop2_readl(vop2, RK3568_OVL_LAYER_SEL);
++}
++
++static void rk3568_vop2_wait_for_layer_cfg_done(struct vop2 *vop2, u32 cfg)
++{
++ u32 atv_layer_cfg;
++ int ret;
++
++ /*
++ * Spin until the previous layer configuration is done.
++ */
++ ret = readx_poll_timeout_atomic(rk3568_vop2_read_layer_cfg, vop2, atv_layer_cfg,
++ atv_layer_cfg == cfg, 0, 50 * 1000);
++ if (ret)
++ DRM_DEV_ERROR(vop2->dev, "wait layer cfg done timeout: 0x%x--0x%x\n",
++ atv_layer_cfg, cfg);
++}
++
+ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
+ {
+ struct vop2 *vop2 = vp->vop2;
+ struct drm_plane *plane;
+ u32 layer_sel = 0;
+ u32 port_sel;
++ u32 old_layer_sel = 0;
++ u32 atv_layer_sel = 0;
++ u32 old_port_sel = 0;
+ u8 layer_id;
+ u8 old_layer_id;
+ u8 layer_sel_id;
+@@ -2069,19 +2112,18 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
+ struct vop2_video_port *vp2 = &vop2->vps[2];
+ struct rockchip_crtc_state *vcstate = to_rockchip_crtc_state(vp->crtc.state);
+
++ mutex_lock(&vop2->ovl_lock);
+ ovl_ctrl = vop2_readl(vop2, RK3568_OVL_CTRL);
+ ovl_ctrl &= ~RK3568_OVL_CTRL__LAYERSEL_REGDONE_IMD;
+ ovl_ctrl &= ~RK3568_OVL_CTRL__LAYERSEL_REGDONE_SEL;
+- ovl_ctrl |= FIELD_PREP(RK3568_OVL_CTRL__LAYERSEL_REGDONE_SEL, vp->id);
+
+ if (vcstate->yuv_overlay)
+ ovl_ctrl |= RK3568_OVL_CTRL__YUV_MODE(vp->id);
+ else
+ ovl_ctrl &= ~RK3568_OVL_CTRL__YUV_MODE(vp->id);
+
+- vop2_writel(vop2, RK3568_OVL_CTRL, ovl_ctrl);
+-
+- port_sel = vop2_readl(vop2, RK3568_OVL_PORT_SEL);
++ old_port_sel = vop2->old_port_sel;
++ port_sel = old_port_sel;
+ port_sel &= RK3568_OVL_PORT_SEL__SEL_PORT;
+
+ if (vp0->nlayers)
+@@ -2102,7 +2144,13 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
+ else
+ port_sel |= FIELD_PREP(RK3568_OVL_PORT_SET__PORT2_MUX, 8);
+
+- layer_sel = vop2_readl(vop2, RK3568_OVL_LAYER_SEL);
++ /* Fixed value for rk3588 */
++ if (vop2->version == VOP_VERSION_RK3588)
++ port_sel |= FIELD_PREP(RK3588_OVL_PORT_SET__PORT3_MUX, 7);
++
++ atv_layer_sel = vop2_readl(vop2, RK3568_OVL_LAYER_SEL);
++ old_layer_sel = vop2->old_layer_sel;
++ layer_sel = old_layer_sel;
+
+ ofs = 0;
+ for (i = 0; i < vp->id; i++)
+@@ -2186,8 +2234,37 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
+ old_win->data->layer_sel_id[vp->id]);
+ }
+
++ vop2->old_layer_sel = layer_sel;
++ vop2->old_port_sel = port_sel;
++ /*
++ * As the RK3568_OVL_LAYER_SEL and RK3568_OVL_PORT_SEL are shared by all Video Ports,
++ * and the configuration take effect by one Video Port's vsync.
++ * When performing layer migration or change the zpos of layers, there are two things
++ * to be observed and followed:
++ * 1. When a layer is migrated from one VP to another, the configuration of the layer
++ * can only take effect after the Port mux configuration is enabled.
++ *
++ * 2. When we change the zpos of layers, we must ensure that the change for the previous
++ * VP takes effect before we proceed to change the next VP. Otherwise, the new
++ * configuration might overwrite the previous one for the previous VP, or it could
++ * lead to the configuration of the previous VP being take effect along with the VSYNC
++ * of the new VP.
++ */
++ if (layer_sel != old_layer_sel || port_sel != old_port_sel)
++ ovl_ctrl |= FIELD_PREP(RK3568_OVL_CTRL__LAYERSEL_REGDONE_SEL, vp->id);
++ vop2_writel(vop2, RK3568_OVL_CTRL, ovl_ctrl);
++
++ if (port_sel != old_port_sel) {
++ vop2_writel(vop2, RK3568_OVL_PORT_SEL, port_sel);
++ vop2_cfg_done(vp);
++ rk3568_vop2_wait_for_port_mux_done(vop2);
++ }
++
++ if (layer_sel != old_layer_sel && atv_layer_sel != old_layer_sel)
++ rk3568_vop2_wait_for_layer_cfg_done(vop2, vop2->old_layer_sel);
++
+ vop2_writel(vop2, RK3568_OVL_LAYER_SEL, layer_sel);
+- vop2_writel(vop2, RK3568_OVL_PORT_SEL, port_sel);
++ mutex_unlock(&vop2->ovl_lock);
+ }
+
+ static void rk3568_vop2_setup_dly_for_windows(struct vop2_video_port *vp)
+--
+2.39.5
+
--- /dev/null
+From 7d7b881d68636bafd9223094eb7fb7c7214262b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 16:33:59 +0200
+Subject: drm/sitronix: Remove broken backwards-compatibility layer
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit a3f7d26dfce9e2d547a58f4941881843a391a6cc ]
+
+When moving the Sitronix DRM drivers and renaming their Kconfig symbols,
+the old symbols were kept, aiming to provide a seamless migration path
+when running "make olddefconfig" or "make oldconfig".
+
+However, the old compatibility symbols are not visible. Hence unless
+they are selected by another symbol (which they are not), they can never
+be enabled, and no backwards compatibility is provided.
+
+Drop the broken mechanism and the old symbols.
+
+Fixes: 9b8f32002cddf792 ("drm/sitronix: move tiny Sitronix drivers to their own subdir")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://lore.kernel.org/r/20395b14effe5e2e05a4f0856fdcda51c410329d.1747751592.git.geert+renesas@glider.be
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sitronix/Kconfig | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/sitronix/Kconfig b/drivers/gpu/drm/sitronix/Kconfig
+index 741d1bb4b83f..6de7d92d9b74 100644
+--- a/drivers/gpu/drm/sitronix/Kconfig
++++ b/drivers/gpu/drm/sitronix/Kconfig
+@@ -11,10 +11,6 @@ config DRM_ST7571_I2C
+
+ if M is selected the module will be called st7571-i2c.
+
+-config TINYDRM_ST7586
+- tristate
+- default n
+-
+ config DRM_ST7586
+ tristate "DRM support for Sitronix ST7586 display panels"
+ depends on DRM && SPI
+@@ -22,17 +18,12 @@ config DRM_ST7586
+ select DRM_KMS_HELPER
+ select DRM_GEM_DMA_HELPER
+ select DRM_MIPI_DBI
+- default TINYDRM_ST7586
+ help
+ DRM driver for the following Sitronix ST7586 panels:
+ * LEGO MINDSTORMS EV3
+
+ If M is selected the module will be called st7586.
+
+-config TINYDRM_ST7735R
+- tristate
+- default n
+-
+ config DRM_ST7735R
+ tristate "DRM support for Sitronix ST7715R/ST7735R display panels"
+ depends on DRM && SPI
+@@ -41,7 +32,6 @@ config DRM_ST7735R
+ select DRM_GEM_DMA_HELPER
+ select DRM_MIPI_DBI
+ select BACKLIGHT_CLASS_DEVICE
+- default TINYDRM_ST7735R
+ help
+ DRM driver for Sitronix ST7715R/ST7735R with one of the following
+ LCDs:
+--
+2.39.5
+
--- /dev/null
+From 26f804ca264c77633fb9225b21ba3c7d20ba12af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 15:34:27 -0500
+Subject: drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit 7872997c048e989c7689c2995d230fdca7798000 ]
+
+Running 3D applications with SVGA_FORCE_HOST_BACKED=1 or using an
+ancient version of mesa was broken because the buffer was pinned in
+VMW_BO_DOMAIN_SYS and could not be moved to VMW_BO_DOMAIN_MOB during
+validation.
+
+The compat_shader buffer should not pinned.
+
+Fixes: 668b206601c5 ("drm/vmwgfx: Stop using raw ttm_buffer_object's")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://lore.kernel.org/r/20250429203427.1742331-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
+index 7fb1c88bcc47..69dfe69ce0f8 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
+@@ -896,7 +896,7 @@ int vmw_compat_shader_add(struct vmw_private *dev_priv,
+ .busy_domain = VMW_BO_DOMAIN_SYS,
+ .bo_type = ttm_bo_type_device,
+ .size = size,
+- .pin = true,
++ .pin = false,
+ .keep_resv = true,
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 47b04473a5484dd692193cd919bbfae64e2cee4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 16:10:54 +0200
+Subject: drm/xe/configfs: Fix pci_dev reference leak
+
+From: Michal Wajdeczko <michal.wajdeczko@intel.com>
+
+[ Upstream commit 942ac8da6388c25fe62b2792c78715e0ea6e649b ]
+
+We are using pci_get_domain_bus_and_slot() function to verify if
+the given config directory name matches any existing PCI device,
+but we missed to call matching pci_dev_put() to release reference.
+
+While around, also change error code in case of no device match,
+to make it more specific than generic formatting error.
+
+Fixes: 16280ded45fb ("drm/xe: Add configfs to enable survivability mode")
+Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Reviewed-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Link: https://lore.kernel.org/r/20250722141059.30707-2-michal.wajdeczko@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit 0bdd05c2a82bbf2419415d012fd4f5faeca7f1af)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_configfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_configfs.c b/drivers/gpu/drm/xe/xe_configfs.c
+index cb9f175c89a1..9a2b96b111ef 100644
+--- a/drivers/gpu/drm/xe/xe_configfs.c
++++ b/drivers/gpu/drm/xe/xe_configfs.c
+@@ -133,7 +133,8 @@ static struct config_group *xe_config_make_device_group(struct config_group *gro
+
+ pdev = pci_get_domain_bus_and_slot(domain, bus, PCI_DEVFN(slot, function));
+ if (!pdev)
+- return ERR_PTR(-EINVAL);
++ return ERR_PTR(-ENODEV);
++ pci_dev_put(pdev);
+
+ dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+ if (!dev)
+--
+2.39.5
+
--- /dev/null
+From cff4108bfc09513a6bd9f87b8ffcda3573f278bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jul 2025 13:29:33 -0400
+Subject: drm/xe: Correct BMG VSEC header sizing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+[ Upstream commit 5b27388171a18cf6842c700520086ec50194e858 ]
+
+The intel_vsec_header information for the crashlog feature is
+incorrect.
+
+Update the VSEC header with correct sizing and count.
+
+Since the crashlog entries are "merged" (num_entries = 2), the
+separate capabilities entries must be merged as well.
+
+Fixes: 0c45e76fcc62 ("drm/xe/vsec: Support BMG devices")
+Acked-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Reviewed-by: David E. Box <david.e.box@linux.intel.com>
+Link: https://lore.kernel.org/r/20250713172943.7335-4-michael.j.ruhl@intel.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_vsec.c | 19 ++++---------------
+ 1 file changed, 4 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_vsec.c b/drivers/gpu/drm/xe/xe_vsec.c
+index 1bf7e709e110..56930ad42962 100644
+--- a/drivers/gpu/drm/xe/xe_vsec.c
++++ b/drivers/gpu/drm/xe/xe_vsec.c
+@@ -33,30 +33,19 @@ static struct intel_vsec_header bmg_telemetry = {
+ .offset = BMG_DISCOVERY_OFFSET,
+ };
+
+-static struct intel_vsec_header bmg_punit_crashlog = {
++static struct intel_vsec_header bmg_crashlog = {
+ .rev = 1,
+ .length = 0x10,
+ .id = VSEC_ID_CRASHLOG,
+- .num_entries = 1,
+- .entry_size = 4,
++ .num_entries = 2,
++ .entry_size = 6,
+ .tbir = 0,
+ .offset = BMG_DISCOVERY_OFFSET + 0x60,
+ };
+
+-static struct intel_vsec_header bmg_oobmsm_crashlog = {
+- .rev = 1,
+- .length = 0x10,
+- .id = VSEC_ID_CRASHLOG,
+- .num_entries = 1,
+- .entry_size = 4,
+- .tbir = 0,
+- .offset = BMG_DISCOVERY_OFFSET + 0x78,
+-};
+-
+ static struct intel_vsec_header *bmg_capabilities[] = {
+ &bmg_telemetry,
+- &bmg_punit_crashlog,
+- &bmg_oobmsm_crashlog,
++ &bmg_crashlog,
+ NULL
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 39040d6bbf5427fa4d52a678c5ede3a42c310d59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jul 2025 13:29:32 -0400
+Subject: drm/xe: Correct the rev value for the DVSEC entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+[ Upstream commit 0ba9e9cf76f2487654bc9bca38218780fa53030e ]
+
+By definition, the Designated Vendor Specific Extended Capability
+(DVSEC) revision should be 1.
+
+Add the rev value to be correct.
+
+Fixes: 0c45e76fcc62 ("drm/xe/vsec: Support BMG devices")
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Reviewed-by: David E. Box <david.e.box@linux.intel.com>
+Link: https://lore.kernel.org/r/20250713172943.7335-3-michael.j.ruhl@intel.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_vsec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/xe/xe_vsec.c b/drivers/gpu/drm/xe/xe_vsec.c
+index b378848d3b7b..1bf7e709e110 100644
+--- a/drivers/gpu/drm/xe/xe_vsec.c
++++ b/drivers/gpu/drm/xe/xe_vsec.c
+@@ -24,6 +24,7 @@
+ #define BMG_DEVICE_ID 0xE2F8
+
+ static struct intel_vsec_header bmg_telemetry = {
++ .rev = 1,
+ .length = 0x10,
+ .id = VSEC_ID_TELEMETRY,
+ .num_entries = 2,
+@@ -33,6 +34,7 @@ static struct intel_vsec_header bmg_telemetry = {
+ };
+
+ static struct intel_vsec_header bmg_punit_crashlog = {
++ .rev = 1,
+ .length = 0x10,
+ .id = VSEC_ID_CRASHLOG,
+ .num_entries = 1,
+@@ -42,6 +44,7 @@ static struct intel_vsec_header bmg_punit_crashlog = {
+ };
+
+ static struct intel_vsec_header bmg_oobmsm_crashlog = {
++ .rev = 1,
+ .length = 0x10,
+ .id = VSEC_ID_CRASHLOG,
+ .num_entries = 1,
+--
+2.39.5
+
--- /dev/null
+From 98943d9f67b8a3761749ffa78fe3ab1c096e9983 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 23:01:33 +0000
+Subject: drm/xe/uapi: Correct sync type definition in comments
+
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+
+[ Upstream commit 771f002ef1d6f6c2b9bddf779abd31da6b9ccd25 ]
+
+Commit 37d078e51b4c ("drm/xe/uapi: Split xe_sync types from flags") renamed some DRM_XE_SYNC_*
+defines but later commits kept using the old names. Correct them with the new definition.
+
+v2: correct fixes tag and update commit message to explain why (Lucas)
+
+Fixes: 9329f0667215 ("drm/xe/uapi: Use LR abbrev for long-running vms")
+Fixes: 4b437893a826 ("drm/xe/uapi: More uAPI documentation additions and cosmetic updates")
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: Francois Dugast <francois.dugast@intel.com>
+Cc: Zongyao Bai <zongyao.bai@intel.com>
+Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
+Link: https://lore.kernel.org/r/20250608230133.1250849-1-shuicheng.lin@intel.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/drm/xe_drm.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/uapi/drm/xe_drm.h b/include/uapi/drm/xe_drm.h
+index 6a702ba7817c..5f1524f466a7 100644
+--- a/include/uapi/drm/xe_drm.h
++++ b/include/uapi/drm/xe_drm.h
+@@ -925,9 +925,9 @@ struct drm_xe_gem_mmap_offset {
+ * - %DRM_XE_VM_CREATE_FLAG_LR_MODE - An LR, or Long Running VM accepts
+ * exec submissions to its exec_queues that don't have an upper time
+ * limit on the job execution time. But exec submissions to these
+- * don't allow any of the flags DRM_XE_SYNC_FLAG_SYNCOBJ,
+- * DRM_XE_SYNC_FLAG_TIMELINE_SYNCOBJ, DRM_XE_SYNC_FLAG_DMA_BUF,
+- * used as out-syncobjs, that is, together with DRM_XE_SYNC_FLAG_SIGNAL.
++ * don't allow any of the sync types DRM_XE_SYNC_TYPE_SYNCOBJ,
++ * DRM_XE_SYNC_TYPE_TIMELINE_SYNCOBJ, used as out-syncobjs, that is,
++ * together with sync flag DRM_XE_SYNC_FLAG_SIGNAL.
+ * LR VMs can be created in recoverable page-fault mode using
+ * DRM_XE_VM_CREATE_FLAG_FAULT_MODE, if the device supports it.
+ * If that flag is omitted, the UMD can not rely on the slightly
+@@ -1394,7 +1394,7 @@ struct drm_xe_sync {
+
+ /**
+ * @timeline_value: Input for the timeline sync object. Needs to be
+- * different than 0 when used with %DRM_XE_SYNC_FLAG_TIMELINE_SYNCOBJ.
++ * different than 0 when used with %DRM_XE_SYNC_TYPE_TIMELINE_SYNCOBJ.
+ */
+ __u64 timeline_value;
+
+--
+2.39.5
+
--- /dev/null
+From 67608e3040ab4e7f5ee9635192346dedfb78afc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 14:34:37 +0200
+Subject: drm/xe/vf: Disable CSC support on VF
+
+From: Lukasz Laguna <lukasz.laguna@intel.com>
+
+[ Upstream commit f62408efc8669b82541295a4611494c8c8c52684 ]
+
+CSC is not accessible by VF drivers, so disable its support flag on VF
+to prevent further initialization attempts.
+
+Fixes: e02cea83d32d ("drm/xe/gsc: add Battlemage support")
+Signed-off-by: Lukasz Laguna <lukasz.laguna@intel.com>
+Cc: Alexander Usyskin <alexander.usyskin@intel.com>
+Cc: Michal Wajdeczko <michal.wajdeczko@intel.com>
+Reviewed-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
+Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
+Link: https://lore.kernel.org/r/20250729123437.5933-1-lukasz.laguna@intel.com
+(cherry picked from commit 552dbba1caaf0cb40ce961806d757615e26ec668)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c
+index e9f3c1a53db2..7f839c3b9a14 100644
+--- a/drivers/gpu/drm/xe/xe_device.c
++++ b/drivers/gpu/drm/xe/xe_device.c
+@@ -685,6 +685,7 @@ static void sriov_update_device_info(struct xe_device *xe)
+ /* disable features that are not available/applicable to VFs */
+ if (IS_SRIOV_VF(xe)) {
+ xe->info.probe_display = 0;
++ xe->info.has_heci_cscfi = 0;
+ xe->info.has_heci_gscfi = 0;
+ xe->info.skip_guc_pc = 1;
+ xe->info.skip_pcode = 1;
+--
+2.39.5
+
--- /dev/null
+From 4533981c0089f2621ac5ce876c6fb3ae93d4ab44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 23:30:39 -0400
+Subject: erofs: fix build error with CONFIG_EROFS_FS_ZIP_ACCEL=y
+
+From: Bo Liu (OpenAnolis) <liubo03@inspur.com>
+
+[ Upstream commit 5e0bf36fd156b8d9b09f8481ee6daa6cdba1b064 ]
+
+fix build err:
+ ld.lld: error: undefined symbol: crypto_req_done
+ referenced by decompressor_crypto.c
+ fs/erofs/decompressor_crypto.o:(z_erofs_crypto_decompress) in archive vmlinux.a
+ referenced by decompressor_crypto.c
+ fs/erofs/decompressor_crypto.o:(z_erofs_crypto_decompress) in archive vmlinux.a
+
+ ld.lld: error: undefined symbol: crypto_acomp_decompress
+ referenced by decompressor_crypto.c
+ fs/erofs/decompressor_crypto.o:(z_erofs_crypto_decompress) in archive vmlinux.a
+
+ ld.lld: error: undefined symbol: crypto_alloc_acomp
+ referenced by decompressor_crypto.c
+ fs/erofs/decompressor_crypto.o:(z_erofs_crypto_enable_engine) in archive vmlinux.a
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202507161032.QholMPtn-lkp@intel.com/
+Fixes: b4a29efc5146 ("erofs: support DEFLATE decompression by using Intel QAT")
+Signed-off-by: Bo Liu (OpenAnolis) <liubo03@inspur.com>
+Link: https://lore.kernel.org/r/20250718033039.3609-1-liubo03@inspur.com
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/erofs/Kconfig b/fs/erofs/Kconfig
+index 6beeb7063871..7b26efc271ee 100644
+--- a/fs/erofs/Kconfig
++++ b/fs/erofs/Kconfig
+@@ -147,6 +147,8 @@ config EROFS_FS_ZIP_ZSTD
+ config EROFS_FS_ZIP_ACCEL
+ bool "EROFS hardware decompression support"
+ depends on EROFS_FS_ZIP
++ select CRYPTO
++ select CRYPTO_DEFLATE
+ help
+ Saying Y here includes hardware accelerator support for reading
+ EROFS file systems containing compressed data. It gives better
+--
+2.39.5
+
--- /dev/null
+From d496a4402179263ba38880f2f17b5528c326773c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 18:33:36 +0200
+Subject: eventpoll: Fix semi-unbounded recursion
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit f2e467a48287c868818085aa35389a224d226732 ]
+
+Ensure that epoll instances can never form a graph deeper than
+EP_MAX_NESTS+1 links.
+
+Currently, ep_loop_check_proc() ensures that the graph is loop-free and
+does some recursion depth checks, but those recursion depth checks don't
+limit the depth of the resulting tree for two reasons:
+
+ - They don't look upwards in the tree.
+ - If there are multiple downwards paths of different lengths, only one of
+ the paths is actually considered for the depth check since commit
+ 28d82dc1c4ed ("epoll: limit paths").
+
+Essentially, the current recursion depth check in ep_loop_check_proc() just
+serves to prevent it from recursing too deeply while checking for loops.
+
+A more thorough check is done in reverse_path_check() after the new graph
+edge has already been created; this checks, among other things, that no
+paths going upwards from any non-epoll file with a length of more than 5
+edges exist. However, this check does not apply to non-epoll files.
+
+As a result, it is possible to recurse to a depth of at least roughly 500,
+tested on v6.15. (I am unsure if deeper recursion is possible; and this may
+have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion
+problem").)
+
+To fix it:
+
+1. In ep_loop_check_proc(), note the subtree depth of each visited node,
+and use subtree depths for the total depth calculation even when a subtree
+has already been visited.
+2. Add ep_get_upwards_depth_proc() for similarly determining the maximum
+depth of an upwards walk.
+3. In ep_loop_check(), use these values to limit the total path length
+between epoll nodes to EP_MAX_NESTS edges.
+
+Fixes: 22bacca48a17 ("epoll: prevent creating circular epoll structures")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://lore.kernel.org/20250711-epoll-recursion-fix-v1-1-fb2457c33292@google.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Stable-dep-of: ecb6cc0fd8cd ("eventpoll: fix sphinx documentation build warning")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 60 ++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 46 insertions(+), 14 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 0fbf5dfedb24..7a7b044daadc 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -218,6 +218,7 @@ struct eventpoll {
+ /* used to optimize loop detection check */
+ u64 gen;
+ struct hlist_head refs;
++ u8 loop_check_depth;
+
+ /*
+ * usage count, used together with epitem->dying to
+@@ -2140,23 +2141,24 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events,
+ }
+
+ /**
+- * ep_loop_check_proc - verify that adding an epoll file inside another
+- * epoll structure does not violate the constraints, in
+- * terms of closed loops, or too deep chains (which can
+- * result in excessive stack usage).
++ * ep_loop_check_proc - verify that adding an epoll file @ep inside another
++ * epoll file does not create closed loops, and
++ * determine the depth of the subtree starting at @ep
+ *
+ * @ep: the &struct eventpoll to be currently checked.
+ * @depth: Current depth of the path being checked.
+ *
+- * Return: %zero if adding the epoll @file inside current epoll
+- * structure @ep does not violate the constraints, or %-1 otherwise.
++ * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep.
+ */
+ static int ep_loop_check_proc(struct eventpoll *ep, int depth)
+ {
+- int error = 0;
++ int result = 0;
+ struct rb_node *rbp;
+ struct epitem *epi;
+
++ if (ep->gen == loop_check_gen)
++ return ep->loop_check_depth;
++
+ mutex_lock_nested(&ep->mtx, depth + 1);
+ ep->gen = loop_check_gen;
+ for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = rb_next(rbp)) {
+@@ -2164,13 +2166,11 @@ static int ep_loop_check_proc(struct eventpoll *ep, int depth)
+ if (unlikely(is_file_epoll(epi->ffd.file))) {
+ struct eventpoll *ep_tovisit;
+ ep_tovisit = epi->ffd.file->private_data;
+- if (ep_tovisit->gen == loop_check_gen)
+- continue;
+ if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS)
+- error = -1;
++ result = INT_MAX;
+ else
+- error = ep_loop_check_proc(ep_tovisit, depth + 1);
+- if (error != 0)
++ result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1);
++ if (result > EP_MAX_NESTS)
+ break;
+ } else {
+ /*
+@@ -2184,9 +2184,27 @@ static int ep_loop_check_proc(struct eventpoll *ep, int depth)
+ list_file(epi->ffd.file);
+ }
+ }
++ ep->loop_check_depth = result;
+ mutex_unlock(&ep->mtx);
+
+- return error;
++ return result;
++}
++
++/**
++ * ep_get_upwards_depth_proc - determine depth of @ep when traversed upwards
++ */
++static int ep_get_upwards_depth_proc(struct eventpoll *ep, int depth)
++{
++ int result = 0;
++ struct epitem *epi;
++
++ if (ep->gen == loop_check_gen)
++ return ep->loop_check_depth;
++ hlist_for_each_entry_rcu(epi, &ep->refs, fllink)
++ result = max(result, ep_get_upwards_depth_proc(epi->ep, depth + 1) + 1);
++ ep->gen = loop_check_gen;
++ ep->loop_check_depth = result;
++ return result;
+ }
+
+ /**
+@@ -2202,8 +2220,22 @@ static int ep_loop_check_proc(struct eventpoll *ep, int depth)
+ */
+ static int ep_loop_check(struct eventpoll *ep, struct eventpoll *to)
+ {
++ int depth, upwards_depth;
++
+ inserting_into = ep;
+- return ep_loop_check_proc(to, 0);
++ /*
++ * Check how deep down we can get from @to, and whether it is possible
++ * to loop up to @ep.
++ */
++ depth = ep_loop_check_proc(to, 0);
++ if (depth > EP_MAX_NESTS)
++ return -1;
++ /* Check how far up we can go from @ep. */
++ rcu_read_lock();
++ upwards_depth = ep_get_upwards_depth_proc(ep, 0);
++ rcu_read_unlock();
++
++ return (depth+1+upwards_depth > EP_MAX_NESTS) ? -1 : 0;
+ }
+
+ static void clear_tfile_check_list(void)
+--
+2.39.5
+
--- /dev/null
+From c8487d49ed8f1a3b03ca7b7bc302e3a80d920317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 19:09:55 +0200
+Subject: eventpoll: fix sphinx documentation build warning
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit ecb6cc0fd8cd2d34b983e118aa61dd8c9b052d0d ]
+
+Sphinx complains that ep_get_upwards_depth_proc() has a kerneldoc-style
+comment without documenting its parameters.
+This is an internal function that was not meant to show up in kernel
+documentation, so fix the warning by changing the comment to a
+non-kerneldoc one.
+
+Fixes: 22bacca48a17 ("epoll: prevent creating circular epoll structures")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Closes: https://lore.kernel.org/r/20250717173655.10ecdce6@canb.auug.org.au
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202507171958.aMcW08Cn-lkp@intel.com/
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://lore.kernel.org/20250721-epoll-sphinx-fix-v1-1-b695c92bf009@google.com
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 7a7b044daadc..b22d6f819f78 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -2190,9 +2190,7 @@ static int ep_loop_check_proc(struct eventpoll *ep, int depth)
+ return result;
+ }
+
+-/**
+- * ep_get_upwards_depth_proc - determine depth of @ep when traversed upwards
+- */
++/* ep_get_upwards_depth_proc - determine depth of @ep when traversed upwards */
+ static int ep_get_upwards_depth_proc(struct eventpoll *ep, int depth)
+ {
+ int result = 0;
+--
+2.39.5
+
--- /dev/null
+From 599f48caba2b3ab5f522a70d652c13f0ef09fe62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 09:33:31 +0800
+Subject: exfat: fdatasync flag should be same like generic_write_sync()
+
+From: Zhengxu Zhang <zhengxu.zhang@unisoc.com>
+
+[ Upstream commit 2f2d42a17b5a6711378d39df74f1f69a831c5d4e ]
+
+Test: androbench by default setting, use 64GB sdcard.
+ the random write speed:
+ without this patch 3.5MB/s
+ with this patch 7MB/s
+
+After patch "11a347fb6cef", the random write speed decreased significantly.
+the .write_iter() interface had been modified, and check the differences
+with generic_file_write_iter(), when calling generic_write_sync() and
+exfat_file_write_iter() to call vfs_fsync_range(), the fdatasync flag is
+wrong, and make not use the fdatasync mode, and make random write speed
+decreased. So use generic_write_sync() instead of vfs_fsync_range().
+
+Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength")
+Signed-off-by: Zhengxu Zhang <zhengxu.zhang@unisoc.com>
+Acked-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exfat/file.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/exfat/file.c b/fs/exfat/file.c
+index 841a5b18e3df..7ac5126aa4f1 100644
+--- a/fs/exfat/file.c
++++ b/fs/exfat/file.c
+@@ -623,9 +623,8 @@ static ssize_t exfat_file_write_iter(struct kiocb *iocb, struct iov_iter *iter)
+ if (pos > valid_size)
+ pos = valid_size;
+
+- if (iocb_is_dsync(iocb) && iocb->ki_pos > pos) {
+- ssize_t err = vfs_fsync_range(file, pos, iocb->ki_pos - 1,
+- iocb->ki_flags & IOCB_SYNC);
++ if (iocb->ki_pos > pos) {
++ ssize_t err = generic_write_sync(iocb, iocb->ki_pos - pos);
+ if (err < 0)
+ return err;
+ }
+--
+2.39.5
+
--- /dev/null
+From 66977ac3c7dedd8c2ef9cffc182e7b316e475bb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 22:08:10 +0800
+Subject: ext4: correct the reserved credits for extent conversion
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit 95ad8ee45cdbc321c135a2db895d48b374ef0f87 ]
+
+Now, we reserve journal credits for converting extents in only one page
+to written state when the I/O operation is complete. This is
+insufficient when large folio is enabled.
+
+Fix this by reserving credits for converting up to one extent per block in
+the largest 2MB folio, this calculation should only involve extents index
+and leaf blocks, so it should not estimate too many credits.
+
+Fixes: 7ac67301e82f ("ext4: enable large folio for regular file")
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Baokun Li <libaokun1@huawei.com>
+Link: https://patch.msgid.link/20250707140814.542883-8-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index be9a4cba35fd..91da3ae0bbc6 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2771,12 +2771,12 @@ static int ext4_do_writepages(struct mpage_da_data *mpd)
+ mpd->journalled_more_data = 0;
+
+ if (ext4_should_dioread_nolock(inode)) {
++ int bpf = ext4_journal_blocks_per_folio(inode);
+ /*
+ * We may need to convert up to one extent per block in
+- * the page and we may dirty the inode.
++ * the folio and we may dirty the inode.
+ */
+- rsv_blocks = 1 + ext4_chunk_trans_blocks(inode,
+- PAGE_SIZE >> inode->i_blkbits);
++ rsv_blocks = 1 + ext4_ext_index_trans_blocks(inode, bpf);
+ }
+
+ if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX)
+--
+2.39.5
+
--- /dev/null
+From fbef3a99f83215d9b21c368f2aab2398769cf574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 19:15:04 +0800
+Subject: ext4: fix inode use after free in ext4_end_io_rsv_work()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit c678bdc998754589cea2e6afab9401d7d8312ac4 ]
+
+In ext4_io_end_defer_completion(), check if io_end->list_vec is empty to
+avoid adding an io_end that requires no conversion to the
+i_rsv_conversion_list, which in turn prevents starting an unnecessary
+worker. An ext4_emergency_state() check is also added to avoid attempting
+to abort the journal in an emergency state.
+
+Additionally, ext4_put_io_end_defer() is refactored to call
+ext4_io_end_defer_completion() directly instead of being open-coded.
+This also prevents starting an unnecessary worker when EXT4_IO_END_FAILED
+is set but data_err=abort is not enabled.
+
+This ensures that the check in ext4_put_io_end_defer() is consistent with
+the check in ext4_end_bio(). Otherwise, we might add an io_end to the
+i_rsv_conversion_list and then call ext4_finish_bio(), after which the
+inode could be freed before ext4_end_io_rsv_work() is called, triggering
+a use-after-free issue.
+
+Fixes: ce51afb8cc5e ("ext4: abort journal on data writeback failure if in data_err=abort mode")
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250708111504.3208660-1-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/page-io.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
+index 179e54f3a3b6..3d8b0f6d2dea 100644
+--- a/fs/ext4/page-io.c
++++ b/fs/ext4/page-io.c
+@@ -236,10 +236,12 @@ static void dump_completed_IO(struct inode *inode, struct list_head *head)
+
+ static bool ext4_io_end_defer_completion(ext4_io_end_t *io_end)
+ {
+- if (io_end->flag & EXT4_IO_END_UNWRITTEN)
++ if (io_end->flag & EXT4_IO_END_UNWRITTEN &&
++ !list_empty(&io_end->list_vec))
+ return true;
+ if (test_opt(io_end->inode->i_sb, DATA_ERR_ABORT) &&
+- io_end->flag & EXT4_IO_END_FAILED)
++ io_end->flag & EXT4_IO_END_FAILED &&
++ !ext4_emergency_state(io_end->inode->i_sb))
+ return true;
+ return false;
+ }
+@@ -256,6 +258,7 @@ static void ext4_add_complete_io(ext4_io_end_t *io_end)
+ WARN_ON(!(io_end->flag & EXT4_IO_END_DEFER_COMPLETION));
+ WARN_ON(io_end->flag & EXT4_IO_END_UNWRITTEN &&
+ !io_end->handle && sbi->s_journal);
++ WARN_ON(!io_end->bio);
+
+ spin_lock_irqsave(&ei->i_completed_io_lock, flags);
+ wq = sbi->rsv_conversion_wq;
+@@ -318,12 +321,9 @@ ext4_io_end_t *ext4_init_io_end(struct inode *inode, gfp_t flags)
+ void ext4_put_io_end_defer(ext4_io_end_t *io_end)
+ {
+ if (refcount_dec_and_test(&io_end->count)) {
+- if (io_end->flag & EXT4_IO_END_FAILED ||
+- (io_end->flag & EXT4_IO_END_UNWRITTEN &&
+- !list_empty(&io_end->list_vec))) {
+- ext4_add_complete_io(io_end);
+- return;
+- }
++ if (ext4_io_end_defer_completion(io_end))
++ return ext4_add_complete_io(io_end);
++
+ ext4_release_io_end(io_end);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 42146ccb53b4efc0bb0878ad597fa4b2e399ac37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 22:08:13 +0800
+Subject: ext4: fix insufficient credits calculation in
+ ext4_meta_trans_blocks()
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit 5137d6c8906b55b3c7b5d1aa5a549753ec8520f5 ]
+
+The calculation of journal credits in ext4_meta_trans_blocks() should
+include pextents, as each extent separately may be allocated from a
+different group and thus need to update different bitmap and group
+descriptor block.
+
+Fixes: 0e32d8617012 ("ext4: correct the journal credits calculations of allocating blocks")
+Reported-by: Jan Kara <jack@suse.cz>
+Closes: https://lore.kernel.org/linux-ext4/nhxfuu53wyacsrq7xqgxvgzcggyscu2tbabginahcygvmc45hy@t4fvmyeky33e/
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Baokun Li <libaokun1@huawei.com>
+Link: https://patch.msgid.link/20250707140814.542883-11-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 91da3ae0bbc6..8997a5f096b4 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -6139,7 +6139,7 @@ int ext4_meta_trans_blocks(struct inode *inode, int lblocks, int pextents)
+ int ret;
+
+ /*
+- * How many index and lead blocks need to touch to map @lblocks
++ * How many index and leaf blocks need to touch to map @lblocks
+ * logical blocks to @pextents physical extents?
+ */
+ idxblocks = ext4_index_trans_blocks(inode, lblocks, pextents);
+@@ -6148,7 +6148,7 @@ int ext4_meta_trans_blocks(struct inode *inode, int lblocks, int pextents)
+ * Now let's see how many group bitmaps and group descriptors need
+ * to account
+ */
+- groups = idxblocks;
++ groups = idxblocks + pextents;
+ gdpblocks = groups;
+ if (groups > ngroups)
+ groups = ngroups;
+--
+2.39.5
+
--- /dev/null
+From 98271fe43a33b0bcab43c610a83960be8c6ddfbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 10:48:32 +0200
+Subject: ext4: Make sure BH_New bit is cleared in ->write_end handler
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 91b8ca8b26729b729dda8a4eddb9aceaea706f37 ]
+
+Currently we clear BH_New bit in case of error and also in the standard
+ext4_write_end() handler (in block_commit_write()). However
+ext4_journalled_write_end() misses this clearing and thus we are leaving
+stale BH_New bits behind. Generally ext4_block_write_begin() clears
+these bits before any harm can be done but in case blocksize < pagesize
+and we hit some error when processing a page with these stale bits,
+we'll try to zero buffers with these stale BH_New bits and jbd2 will
+complain (as buffers were not prepared for writing in this transaction).
+Fix the problem by clearing BH_New bits in ext4_journalled_write_end()
+and WARN if ext4_block_write_begin() sees stale BH_New bits.
+
+Reported-by: Baolin Liu <liubaolin12138@163.com>
+Reported-by: Zhi Long <longzhi@sangfor.com.cn>
+Fixes: 3910b513fcdf ("ext4: persist the new uptodate buffers in ext4_journalled_zero_new_buffers")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250709084831.23876-2-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 2 ++
+ fs/ext4/inode.c | 3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index a1bbcdf40824..1545846e0e3e 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -612,6 +612,7 @@ static int ext4_convert_inline_data_to_extent(struct address_space *mapping,
+ } else
+ ret = ext4_block_write_begin(handle, folio, from, to,
+ ext4_get_block);
++ clear_buffer_new(folio_buffers(folio));
+
+ if (!ret && ext4_should_journal_data(inode)) {
+ ret = ext4_walk_page_buffers(handle, inode,
+@@ -891,6 +892,7 @@ static int ext4_da_convert_inline_data_to_extent(struct address_space *mapping,
+ return ret;
+ }
+
++ clear_buffer_new(folio_buffers(folio));
+ folio_mark_dirty(folio);
+ folio_mark_uptodate(folio);
+ ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 8997a5f096b4..2509389badf3 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1171,7 +1171,7 @@ int ext4_block_write_begin(handle_t *handle, struct folio *folio,
+ }
+ continue;
+ }
+- if (buffer_new(bh))
++ if (WARN_ON_ONCE(buffer_new(bh)))
+ clear_buffer_new(bh);
+ if (!buffer_mapped(bh)) {
+ WARN_ON(bh->b_size != blocksize);
+@@ -1395,6 +1395,7 @@ static int write_end_fn(handle_t *handle, struct inode *inode,
+ ret = ext4_dirty_journalled_data(handle, bh);
+ clear_buffer_meta(bh);
+ clear_buffer_prio(bh);
++ clear_buffer_new(bh);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From edbde074d4c857d6799188e8d44dd4c8ad4089ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 09:50:44 +0800
+Subject: f2fs: compress: change the first parameter of page_array_{alloc,free}
+ to sbi
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 8e2a9b656474d67c55010f2c003ea2cf889a19ff ]
+
+No logic changes, just cleanup and prepare for fixing the UAF issue
+in f2fs_free_dic.
+
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Signed-off-by: Baocong Liu <baocong.liu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: 39868685c2a9 ("f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/compress.c | 40 ++++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
+index b3c1df93a163..832a484963b7 100644
+--- a/fs/f2fs/compress.c
++++ b/fs/f2fs/compress.c
+@@ -23,20 +23,18 @@
+ static struct kmem_cache *cic_entry_slab;
+ static struct kmem_cache *dic_entry_slab;
+
+-static void *page_array_alloc(struct inode *inode, int nr)
++static void *page_array_alloc(struct f2fs_sb_info *sbi, int nr)
+ {
+- struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ unsigned int size = sizeof(struct page *) * nr;
+
+ if (likely(size <= sbi->page_array_slab_size))
+ return f2fs_kmem_cache_alloc(sbi->page_array_slab,
+- GFP_F2FS_ZERO, false, F2FS_I_SB(inode));
++ GFP_F2FS_ZERO, false, sbi);
+ return f2fs_kzalloc(sbi, size, GFP_NOFS);
+ }
+
+-static void page_array_free(struct inode *inode, void *pages, int nr)
++static void page_array_free(struct f2fs_sb_info *sbi, void *pages, int nr)
+ {
+- struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ unsigned int size = sizeof(struct page *) * nr;
+
+ if (!pages)
+@@ -149,13 +147,13 @@ int f2fs_init_compress_ctx(struct compress_ctx *cc)
+ if (cc->rpages)
+ return 0;
+
+- cc->rpages = page_array_alloc(cc->inode, cc->cluster_size);
++ cc->rpages = page_array_alloc(F2FS_I_SB(cc->inode), cc->cluster_size);
+ return cc->rpages ? 0 : -ENOMEM;
+ }
+
+ void f2fs_destroy_compress_ctx(struct compress_ctx *cc, bool reuse)
+ {
+- page_array_free(cc->inode, cc->rpages, cc->cluster_size);
++ page_array_free(F2FS_I_SB(cc->inode), cc->rpages, cc->cluster_size);
+ cc->rpages = NULL;
+ cc->nr_rpages = 0;
+ cc->nr_cpages = 0;
+@@ -622,6 +620,7 @@ static void *f2fs_vmap(struct page **pages, unsigned int count)
+
+ static int f2fs_compress_pages(struct compress_ctx *cc)
+ {
++ struct f2fs_sb_info *sbi = F2FS_I_SB(cc->inode);
+ struct f2fs_inode_info *fi = F2FS_I(cc->inode);
+ const struct f2fs_compress_ops *cops =
+ f2fs_cops[fi->i_compress_algorithm];
+@@ -642,7 +641,7 @@ static int f2fs_compress_pages(struct compress_ctx *cc)
+ cc->nr_cpages = DIV_ROUND_UP(max_len, PAGE_SIZE);
+ cc->valid_nr_cpages = cc->nr_cpages;
+
+- cc->cpages = page_array_alloc(cc->inode, cc->nr_cpages);
++ cc->cpages = page_array_alloc(sbi, cc->nr_cpages);
+ if (!cc->cpages) {
+ ret = -ENOMEM;
+ goto destroy_compress_ctx;
+@@ -716,7 +715,7 @@ static int f2fs_compress_pages(struct compress_ctx *cc)
+ if (cc->cpages[i])
+ f2fs_compress_free_page(cc->cpages[i]);
+ }
+- page_array_free(cc->inode, cc->cpages, cc->nr_cpages);
++ page_array_free(sbi, cc->cpages, cc->nr_cpages);
+ cc->cpages = NULL;
+ destroy_compress_ctx:
+ if (cops->destroy_compress_ctx)
+@@ -1340,7 +1339,7 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc,
+ cic->magic = F2FS_COMPRESSED_PAGE_MAGIC;
+ cic->inode = inode;
+ atomic_set(&cic->pending_pages, cc->valid_nr_cpages);
+- cic->rpages = page_array_alloc(cc->inode, cc->cluster_size);
++ cic->rpages = page_array_alloc(sbi, cc->cluster_size);
+ if (!cic->rpages)
+ goto out_put_cic;
+
+@@ -1442,13 +1441,13 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc,
+ spin_unlock(&fi->i_size_lock);
+
+ f2fs_put_rpages(cc);
+- page_array_free(cc->inode, cc->cpages, cc->nr_cpages);
++ page_array_free(sbi, cc->cpages, cc->nr_cpages);
+ cc->cpages = NULL;
+ f2fs_destroy_compress_ctx(cc, false);
+ return 0;
+
+ out_destroy_crypt:
+- page_array_free(cc->inode, cic->rpages, cc->cluster_size);
++ page_array_free(sbi, cic->rpages, cc->cluster_size);
+
+ for (--i; i >= 0; i--) {
+ if (!cc->cpages[i])
+@@ -1469,7 +1468,7 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc,
+ f2fs_compress_free_page(cc->cpages[i]);
+ cc->cpages[i] = NULL;
+ }
+- page_array_free(cc->inode, cc->cpages, cc->nr_cpages);
++ page_array_free(sbi, cc->cpages, cc->nr_cpages);
+ cc->cpages = NULL;
+ return -EAGAIN;
+ }
+@@ -1499,7 +1498,7 @@ void f2fs_compress_write_end_io(struct bio *bio, struct page *page)
+ end_page_writeback(cic->rpages[i]);
+ }
+
+- page_array_free(cic->inode, cic->rpages, cic->nr_rpages);
++ page_array_free(sbi, cic->rpages, cic->nr_rpages);
+ kmem_cache_free(cic_entry_slab, cic);
+ }
+
+@@ -1640,7 +1639,7 @@ static int f2fs_prepare_decomp_mem(struct decompress_io_ctx *dic,
+ if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc))
+ return 0;
+
+- dic->tpages = page_array_alloc(dic->inode, dic->cluster_size);
++ dic->tpages = page_array_alloc(F2FS_I_SB(dic->inode), dic->cluster_size);
+ if (!dic->tpages)
+ return -ENOMEM;
+
+@@ -1700,7 +1699,7 @@ struct decompress_io_ctx *f2fs_alloc_dic(struct compress_ctx *cc)
+ if (!dic)
+ return ERR_PTR(-ENOMEM);
+
+- dic->rpages = page_array_alloc(cc->inode, cc->cluster_size);
++ dic->rpages = page_array_alloc(sbi, cc->cluster_size);
+ if (!dic->rpages) {
+ kmem_cache_free(dic_entry_slab, dic);
+ return ERR_PTR(-ENOMEM);
+@@ -1721,7 +1720,7 @@ struct decompress_io_ctx *f2fs_alloc_dic(struct compress_ctx *cc)
+ dic->rpages[i] = cc->rpages[i];
+ dic->nr_rpages = cc->cluster_size;
+
+- dic->cpages = page_array_alloc(dic->inode, dic->nr_cpages);
++ dic->cpages = page_array_alloc(sbi, dic->nr_cpages);
+ if (!dic->cpages) {
+ ret = -ENOMEM;
+ goto out_free;
+@@ -1751,6 +1750,7 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic,
+ bool bypass_destroy_callback)
+ {
+ int i;
++ struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
+
+ f2fs_release_decomp_mem(dic, bypass_destroy_callback, true);
+
+@@ -1762,7 +1762,7 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic,
+ continue;
+ f2fs_compress_free_page(dic->tpages[i]);
+ }
+- page_array_free(dic->inode, dic->tpages, dic->cluster_size);
++ page_array_free(sbi, dic->tpages, dic->cluster_size);
+ }
+
+ if (dic->cpages) {
+@@ -1771,10 +1771,10 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic,
+ continue;
+ f2fs_compress_free_page(dic->cpages[i]);
+ }
+- page_array_free(dic->inode, dic->cpages, dic->nr_cpages);
++ page_array_free(sbi, dic->cpages, dic->nr_cpages);
+ }
+
+- page_array_free(dic->inode, dic->rpages, dic->nr_rpages);
++ page_array_free(sbi, dic->rpages, dic->nr_rpages);
+ kmem_cache_free(dic_entry_slab, dic);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 918a9b96fcf9d1197b62406a4ac6e7b9654f4701 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 09:50:45 +0800
+Subject: f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 39868685c2a94a70762bc6d77dc81d781d05bff5 ]
+
+The decompress_io_ctx may be released asynchronously after
+I/O completion. If this file is deleted immediately after read,
+and the kworker of processing post_read_wq has not been executed yet
+due to high workloads, It is possible that the inode(f2fs_inode_info)
+is evicted and freed before it is used f2fs_free_dic.
+
+ The UAF case as below:
+ Thread A Thread B
+ - f2fs_decompress_end_io
+ - f2fs_put_dic
+ - queue_work
+ add free_dic work to post_read_wq
+ - do_unlink
+ - iput
+ - evict
+ - call_rcu
+ This file is deleted after read.
+
+ Thread C kworker to process post_read_wq
+ - rcu_do_batch
+ - f2fs_free_inode
+ - kmem_cache_free
+ inode is freed by rcu
+ - process_scheduled_works
+ - f2fs_late_free_dic
+ - f2fs_free_dic
+ - f2fs_release_decomp_mem
+ read (dic->inode)->i_compress_algorithm
+
+This patch store compress_algorithm and sbi in dic to avoid inode UAF.
+
+In addition, the previous solution is deprecated in [1] may cause system hang.
+[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org
+
+Cc: Daeho Jeong <daehojeong@google.com>
+Fixes: bff139b49d9f ("f2fs: handle decompress only post processing in softirq")
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Signed-off-by: Baocong Liu <baocong.liu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/compress.c | 40 ++++++++++++++++++++--------------------
+ fs/f2fs/f2fs.h | 2 ++
+ 2 files changed, 22 insertions(+), 20 deletions(-)
+
+diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
+index 832a484963b7..8cbb8038bc72 100644
+--- a/fs/f2fs/compress.c
++++ b/fs/f2fs/compress.c
+@@ -214,13 +214,13 @@ static int lzo_decompress_pages(struct decompress_io_ctx *dic)
+ ret = lzo1x_decompress_safe(dic->cbuf->cdata, dic->clen,
+ dic->rbuf, &dic->rlen);
+ if (ret != LZO_E_OK) {
+- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
++ f2fs_err_ratelimited(dic->sbi,
+ "lzo decompress failed, ret:%d", ret);
+ return -EIO;
+ }
+
+ if (dic->rlen != PAGE_SIZE << dic->log_cluster_size) {
+- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
++ f2fs_err_ratelimited(dic->sbi,
+ "lzo invalid rlen:%zu, expected:%lu",
+ dic->rlen, PAGE_SIZE << dic->log_cluster_size);
+ return -EIO;
+@@ -294,13 +294,13 @@ static int lz4_decompress_pages(struct decompress_io_ctx *dic)
+ ret = LZ4_decompress_safe(dic->cbuf->cdata, dic->rbuf,
+ dic->clen, dic->rlen);
+ if (ret < 0) {
+- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
++ f2fs_err_ratelimited(dic->sbi,
+ "lz4 decompress failed, ret:%d", ret);
+ return -EIO;
+ }
+
+ if (ret != PAGE_SIZE << dic->log_cluster_size) {
+- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
++ f2fs_err_ratelimited(dic->sbi,
+ "lz4 invalid ret:%d, expected:%lu",
+ ret, PAGE_SIZE << dic->log_cluster_size);
+ return -EIO;
+@@ -422,13 +422,13 @@ static int zstd_init_decompress_ctx(struct decompress_io_ctx *dic)
+
+ workspace_size = zstd_dstream_workspace_bound(max_window_size);
+
+- workspace = f2fs_vmalloc(F2FS_I_SB(dic->inode), workspace_size);
++ workspace = f2fs_vmalloc(dic->sbi, workspace_size);
+ if (!workspace)
+ return -ENOMEM;
+
+ stream = zstd_init_dstream(max_window_size, workspace, workspace_size);
+ if (!stream) {
+- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
++ f2fs_err_ratelimited(dic->sbi,
+ "%s zstd_init_dstream failed", __func__);
+ vfree(workspace);
+ return -EIO;
+@@ -464,14 +464,14 @@ static int zstd_decompress_pages(struct decompress_io_ctx *dic)
+
+ ret = zstd_decompress_stream(stream, &outbuf, &inbuf);
+ if (zstd_is_error(ret)) {
+- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
++ f2fs_err_ratelimited(dic->sbi,
+ "%s zstd_decompress_stream failed, ret: %d",
+ __func__, zstd_get_error_code(ret));
+ return -EIO;
+ }
+
+ if (dic->rlen != outbuf.pos) {
+- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
++ f2fs_err_ratelimited(dic->sbi,
+ "%s ZSTD invalid rlen:%zu, expected:%lu",
+ __func__, dic->rlen,
+ PAGE_SIZE << dic->log_cluster_size);
+@@ -733,7 +733,7 @@ static void f2fs_release_decomp_mem(struct decompress_io_ctx *dic,
+
+ void f2fs_decompress_cluster(struct decompress_io_ctx *dic, bool in_task)
+ {
+- struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
++ struct f2fs_sb_info *sbi = dic->sbi;
+ struct f2fs_inode_info *fi = F2FS_I(dic->inode);
+ const struct f2fs_compress_ops *cops =
+ f2fs_cops[fi->i_compress_algorithm];
+@@ -806,7 +806,7 @@ void f2fs_end_read_compressed_page(struct page *page, bool failed,
+ {
+ struct decompress_io_ctx *dic =
+ (struct decompress_io_ctx *)page_private(page);
+- struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
++ struct f2fs_sb_info *sbi = dic->sbi;
+
+ dec_page_count(sbi, F2FS_RD_DATA);
+
+@@ -1632,14 +1632,13 @@ static inline bool allow_memalloc_for_decomp(struct f2fs_sb_info *sbi,
+ static int f2fs_prepare_decomp_mem(struct decompress_io_ctx *dic,
+ bool pre_alloc)
+ {
+- const struct f2fs_compress_ops *cops =
+- f2fs_cops[F2FS_I(dic->inode)->i_compress_algorithm];
++ const struct f2fs_compress_ops *cops = f2fs_cops[dic->compress_algorithm];
+ int i;
+
+- if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc))
++ if (!allow_memalloc_for_decomp(dic->sbi, pre_alloc))
+ return 0;
+
+- dic->tpages = page_array_alloc(F2FS_I_SB(dic->inode), dic->cluster_size);
++ dic->tpages = page_array_alloc(dic->sbi, dic->cluster_size);
+ if (!dic->tpages)
+ return -ENOMEM;
+
+@@ -1669,10 +1668,9 @@ static int f2fs_prepare_decomp_mem(struct decompress_io_ctx *dic,
+ static void f2fs_release_decomp_mem(struct decompress_io_ctx *dic,
+ bool bypass_destroy_callback, bool pre_alloc)
+ {
+- const struct f2fs_compress_ops *cops =
+- f2fs_cops[F2FS_I(dic->inode)->i_compress_algorithm];
++ const struct f2fs_compress_ops *cops = f2fs_cops[dic->compress_algorithm];
+
+- if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc))
++ if (!allow_memalloc_for_decomp(dic->sbi, pre_alloc))
+ return;
+
+ if (!bypass_destroy_callback && cops->destroy_decompress_ctx)
+@@ -1707,6 +1705,8 @@ struct decompress_io_ctx *f2fs_alloc_dic(struct compress_ctx *cc)
+
+ dic->magic = F2FS_COMPRESSED_PAGE_MAGIC;
+ dic->inode = cc->inode;
++ dic->sbi = sbi;
++ dic->compress_algorithm = F2FS_I(cc->inode)->i_compress_algorithm;
+ atomic_set(&dic->remaining_pages, cc->nr_cpages);
+ dic->cluster_idx = cc->cluster_idx;
+ dic->cluster_size = cc->cluster_size;
+@@ -1750,7 +1750,8 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic,
+ bool bypass_destroy_callback)
+ {
+ int i;
+- struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
++ /* use sbi in dic to avoid UFA of dic->inode*/
++ struct f2fs_sb_info *sbi = dic->sbi;
+
+ f2fs_release_decomp_mem(dic, bypass_destroy_callback, true);
+
+@@ -1793,8 +1794,7 @@ static void f2fs_put_dic(struct decompress_io_ctx *dic, bool in_task)
+ f2fs_free_dic(dic, false);
+ } else {
+ INIT_WORK(&dic->free_work, f2fs_late_free_dic);
+- queue_work(F2FS_I_SB(dic->inode)->post_read_wq,
+- &dic->free_work);
++ queue_work(dic->sbi->post_read_wq, &dic->free_work);
+ }
+ }
+ }
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 9333a22b9a01..da2137e9d03f 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1536,6 +1536,7 @@ struct compress_io_ctx {
+ struct decompress_io_ctx {
+ u32 magic; /* magic number to indicate page is compressed */
+ struct inode *inode; /* inode the context belong to */
++ struct f2fs_sb_info *sbi; /* f2fs_sb_info pointer */
+ pgoff_t cluster_idx; /* cluster index number */
+ unsigned int cluster_size; /* page count in cluster */
+ unsigned int log_cluster_size; /* log of cluster size */
+@@ -1576,6 +1577,7 @@ struct decompress_io_ctx {
+
+ bool failed; /* IO error occurred before decompression? */
+ bool need_verity; /* need fs-verity verification after decompression? */
++ unsigned char compress_algorithm; /* backup algorithm type */
+ void *private; /* payload buffer for specified decompression algorithm */
+ void *private2; /* extra payload buffer */
+ struct work_struct verity_work; /* work to verify the decompressed pages */
+--
+2.39.5
+
--- /dev/null
+From d4dede91650960ceace062a966a92c249464ccde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 14:49:25 +0800
+Subject: f2fs: doc: fix wrong quota mount option description
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 81b6ecca2f15922e8d653dc037df5871e754be6e ]
+
+We should use "{usr,grp,prj}jquota=" to disable journaled quota,
+rather than using off{usr,grp,prj}jquota.
+
+Fixes: 4b2414d04e99 ("f2fs: support journalled quota")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/filesystems/f2fs.rst | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/filesystems/f2fs.rst b/Documentation/filesystems/f2fs.rst
+index 440e4ae74e44..03b1efa6d3b2 100644
+--- a/Documentation/filesystems/f2fs.rst
++++ b/Documentation/filesystems/f2fs.rst
+@@ -238,9 +238,9 @@ usrjquota=<file> Appoint specified file and type during mount, so that quota
+ grpjquota=<file> information can be properly updated during recovery flow,
+ prjjquota=<file> <quota file>: must be in root directory;
+ jqfmt=<quota type> <quota type>: [vfsold,vfsv0,vfsv1].
+-offusrjquota Turn off user journalled quota.
+-offgrpjquota Turn off group journalled quota.
+-offprjjquota Turn off project journalled quota.
++usrjquota= Turn off user journalled quota.
++grpjquota= Turn off group journalled quota.
++prjjquota= Turn off project journalled quota.
+ quota Enable plain user disk quota accounting.
+ noquota Disable all plain disk quota option.
+ alloc_mode=%s Adjust block allocation policy, which supports "reuse"
+--
+2.39.5
+
--- /dev/null
+From 82fe7e23d6c35511190dcbc403bbe849350ce5f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jun 2025 14:41:16 +0800
+Subject: f2fs: fix bio memleak when committing super block
+
+From: Sheng Yong <shengyong1@xiaomi.com>
+
+[ Upstream commit 554d9b7242a73d701ce121ac81bb578a3fca538e ]
+
+When committing new super block, bio is allocated but not freed, and
+kmemleak complains:
+
+ unreferenced object 0xffff88801d185600 (size 192):
+ comm "kworker/3:2", pid 128, jiffies 4298624992
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 80 67 c3 00 81 88 ff ff .........g......
+ 01 08 06 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
+ backtrace (crc 650ecdb1):
+ kmem_cache_alloc_noprof+0x3a9/0x460
+ mempool_alloc_noprof+0x12f/0x310
+ bio_alloc_bioset+0x1e2/0x7e0
+ __f2fs_commit_super+0xe0/0x370
+ f2fs_commit_super+0x4ed/0x8c0
+ f2fs_record_error_work+0xc7/0x190
+ process_one_work+0x7db/0x1970
+ worker_thread+0x518/0xea0
+ kthread+0x359/0x690
+ ret_from_fork+0x34/0x70
+ ret_from_fork_asm+0x1a/0x30
+
+The issue can be reproduced by:
+
+ mount /dev/vda /mnt
+ i=0
+ while :; do
+ echo '[h]abc' > /sys/fs/f2fs/vda/extension_list
+ echo '[h]!abc' > /sys/fs/f2fs/vda/extension_list
+ echo scan > /sys/kernel/debug/kmemleak
+ dmesg | grep "new suspected memory leaks"
+ [ $? -eq 0 ] && break
+ i=$((i + 1))
+ echo "$i"
+ done
+ umount /mnt
+
+Fixes: 5bcde4557862 ("f2fs: get rid of buffer_head use")
+Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index bbf1dad6843f..4cbf3a133474 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -3451,6 +3451,7 @@ static int __f2fs_commit_super(struct f2fs_sb_info *sbi, struct folio *folio,
+ f2fs_bug_on(sbi, 1);
+
+ ret = submit_bio_wait(bio);
++ bio_put(bio);
+ folio_end_writeback(folio);
+
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From ad4408f208425761aac533161473328f5f32a420 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 16:35:37 +0530
+Subject: f2fs: fix KMSAN uninit-value in extent_info usage
+
+From: Abinash Singh <abinashlalotra@gmail.com>
+
+[ Upstream commit 154467f4ad033473e5c903a03e7b9bca7df9a0fa ]
+
+KMSAN reported a use of uninitialized value in `__is_extent_mergeable()`
+ and `__is_back_mergeable()` via the read extent tree path.
+
+The root cause is that `get_read_extent_info()` only initializes three
+fields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the
+remaining fields uninitialized. This leads to undefined behavior
+when those fields are accessed later, especially during
+extent merging.
+
+Fix it by zero-initializing the `extent_info` struct before population.
+
+Reported-by: syzbot+b8c1d60e95df65e827d4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b8c1d60e95df65e827d4
+Fixes: 94afd6d6e525 ("f2fs: extent cache: support unaligned extent")
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Abinash Singh <abinashsinghlalotra@gmail.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/extent_cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
+index cfe925a3d555..4ce19a310f38 100644
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -414,7 +414,7 @@ void f2fs_init_read_extent_tree(struct inode *inode, struct folio *ifolio)
+ struct f2fs_extent *i_ext = &F2FS_INODE(&ifolio->page)->i_ext;
+ struct extent_tree *et;
+ struct extent_node *en;
+- struct extent_info ei;
++ struct extent_info ei = {0};
+
+ if (!__may_extent_tree(inode, EX_READ)) {
+ /* drop largest read extent */
+--
+2.39.5
+
--- /dev/null
+From 5b30c1bfd853db167d4e1536609c7395c43e5407 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 16:42:18 +0800
+Subject: f2fs: fix to avoid invalid wait context issue
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 90d5c9ba3ed91950f1546bf123a7a57cd958b452 ]
+
+=============================
+[ BUG: Invalid wait context ]
+6.13.0-rc1 #84 Tainted: G O
+-----------------------------
+cat/56160 is trying to lock:
+ffff888105c86648 (&cprc->stat_lock){+.+.}-{3:3}, at: update_general_status+0x32a/0x8c0 [f2fs]
+other info that might help us debug this:
+context-{5:5}
+2 locks held by cat/56160:
+ #0: ffff88810a002a98 (&p->lock){+.+.}-{4:4}, at: seq_read_iter+0x56/0x4c0
+ #1: ffffffffa0462638 (f2fs_stat_lock){....}-{2:2}, at: stat_show+0x29/0x1020 [f2fs]
+stack backtrace:
+CPU: 0 UID: 0 PID: 56160 Comm: cat Tainted: G O 6.13.0-rc1 #84
+Tainted: [O]=OOT_MODULE
+Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x88/0xd0
+ dump_stack+0x14/0x20
+ __lock_acquire+0x8d4/0xbb0
+ lock_acquire+0xd6/0x300
+ _raw_spin_lock+0x38/0x50
+ update_general_status+0x32a/0x8c0 [f2fs]
+ stat_show+0x50/0x1020 [f2fs]
+ seq_read_iter+0x116/0x4c0
+ seq_read+0xfa/0x130
+ full_proxy_read+0x66/0x90
+ vfs_read+0xc4/0x350
+ ksys_read+0x74/0xf0
+ __x64_sys_read+0x1d/0x20
+ x64_sys_call+0x17d9/0x1b80
+ do_syscall_64+0x68/0x130
+ entry_SYSCALL_64_after_hwframe+0x67/0x6f
+RIP: 0033:0x7f2ca53147e2
+
+- seq_read
+ - stat_show
+ - raw_spin_lock_irqsave(&f2fs_stat_lock, flags)
+ : f2fs_stat_lock is raw_spinlock_t type variable
+ - update_general_status
+ - spin_lock(&sbi->cprc_info.stat_lock);
+ : stat_lock is spinlock_t type variable
+
+The root cause is the lock order is incorrect [1], we should not acquire
+spinlock_t lock after raw_spinlock_t lock, as if CONFIG_PREEMPT_LOCK is
+on, spinlock_t is implemented based on rtmutex, which can sleep after
+holding the lock.
+
+To fix this issue, let's use change f2fs_stat_lock lock type from
+raw_spinlock_t to spinlock_t, it's safe due to:
+- we don't need to use raw version of spinlock as the path is not
+performance sensitive.
+- we don't need to use irqsave version of spinlock as it won't be
+used in irq context.
+
+Quoted from [1]:
+
+"Extend lockdep to validate lock wait-type context.
+
+The current wait-types are:
+
+ LD_WAIT_FREE, /* wait free, rcu etc.. */
+ LD_WAIT_SPIN, /* spin loops, raw_spinlock_t etc.. */
+ LD_WAIT_CONFIG, /* CONFIG_PREEMPT_LOCK, spinlock_t etc.. */
+ LD_WAIT_SLEEP, /* sleeping locks, mutex_t etc.. */
+
+Where lockdep validates that the current lock (the one being acquired)
+fits in the current wait-context (as generated by the held stack).
+
+This ensures that there is no attempt to acquire mutexes while holding
+spinlocks, to acquire spinlocks while holding raw_spinlocks and so on. In
+other words, its a more fancy might_sleep()."
+
+[1] https://lore.kernel.org/all/20200321113242.427089655@linutronix.de
+
+Fixes: 98237fcda4a2 ("f2fs: use spin_lock to avoid hang")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/debug.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c
+index 16c2dfb4f595..3417e7e550b2 100644
+--- a/fs/f2fs/debug.c
++++ b/fs/f2fs/debug.c
+@@ -21,7 +21,7 @@
+ #include "gc.h"
+
+ static LIST_HEAD(f2fs_stat_list);
+-static DEFINE_RAW_SPINLOCK(f2fs_stat_lock);
++static DEFINE_SPINLOCK(f2fs_stat_lock);
+ #ifdef CONFIG_DEBUG_FS
+ static struct dentry *f2fs_debugfs_root;
+ #endif
+@@ -439,9 +439,8 @@ static int stat_show(struct seq_file *s, void *v)
+ {
+ struct f2fs_stat_info *si;
+ int i = 0, j = 0;
+- unsigned long flags;
+
+- raw_spin_lock_irqsave(&f2fs_stat_lock, flags);
++ spin_lock(&f2fs_stat_lock);
+ list_for_each_entry(si, &f2fs_stat_list, stat_list) {
+ struct f2fs_sb_info *sbi = si->sbi;
+
+@@ -753,7 +752,7 @@ static int stat_show(struct seq_file *s, void *v)
+ seq_printf(s, " - paged : %llu KB\n",
+ si->page_mem >> 10);
+ }
+- raw_spin_unlock_irqrestore(&f2fs_stat_lock, flags);
++ spin_unlock(&f2fs_stat_lock);
+ return 0;
+ }
+
+@@ -765,7 +764,6 @@ int f2fs_build_stats(struct f2fs_sb_info *sbi)
+ struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi);
+ struct f2fs_stat_info *si;
+ struct f2fs_dev_stats *dev_stats;
+- unsigned long flags;
+ int i;
+
+ si = f2fs_kzalloc(sbi, sizeof(struct f2fs_stat_info), GFP_KERNEL);
+@@ -817,9 +815,9 @@ int f2fs_build_stats(struct f2fs_sb_info *sbi)
+
+ atomic_set(&sbi->max_aw_cnt, 0);
+
+- raw_spin_lock_irqsave(&f2fs_stat_lock, flags);
++ spin_lock(&f2fs_stat_lock);
+ list_add_tail(&si->stat_list, &f2fs_stat_list);
+- raw_spin_unlock_irqrestore(&f2fs_stat_lock, flags);
++ spin_unlock(&f2fs_stat_lock);
+
+ return 0;
+ }
+@@ -827,11 +825,10 @@ int f2fs_build_stats(struct f2fs_sb_info *sbi)
+ void f2fs_destroy_stats(struct f2fs_sb_info *sbi)
+ {
+ struct f2fs_stat_info *si = F2FS_STAT(sbi);
+- unsigned long flags;
+
+- raw_spin_lock_irqsave(&f2fs_stat_lock, flags);
++ spin_lock(&f2fs_stat_lock);
+ list_del(&si->stat_list);
+- raw_spin_unlock_irqrestore(&f2fs_stat_lock, flags);
++ spin_unlock(&f2fs_stat_lock);
+
+ kfree(si->dev_stats);
+ kfree(si);
+--
+2.39.5
+
--- /dev/null
+From 0531c43205cc30029056f9697a41107e548804dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 15:14:50 +0800
+Subject: f2fs: fix to avoid out-of-boundary access in devs.path
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 5661998536af52848cc4d52a377e90368196edea ]
+
+- touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123
+- truncate -s $((1024*1024*1024)) \
+ /mnt/f2fs/012345678901234567890123456789012345678901234567890123
+- touch /mnt/f2fs/file
+- truncate -s $((1024*1024*1024)) /mnt/f2fs/file
+- mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \
+ -c /mnt/f2fs/file
+- mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \
+ /mnt/f2fs/loop
+
+[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff
+[16937.192268] F2FS-fs (loop0): Failed to find devices
+
+If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may
+not end up w/ null character due to path array is fully filled, So
+accidently, fields locate after path[] may be treated as part of
+device path, result in parsing wrong device path.
+
+struct f2fs_dev_info {
+...
+ char path[MAX_PATH_LEN];
+...
+};
+
+Let's add one byte space for sbi->devs.path[] to store null
+character of device path string.
+
+Fixes: 3c62be17d4f5 ("f2fs: support multiple devices")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index da2137e9d03f..e084b96f1109 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1286,7 +1286,7 @@ struct f2fs_bio_info {
+ struct f2fs_dev_info {
+ struct file *bdev_file;
+ struct block_device *bdev;
+- char path[MAX_PATH_LEN];
++ char path[MAX_PATH_LEN + 1];
+ unsigned int total_segments;
+ block_t start_blk;
+ block_t end_blk;
+--
+2.39.5
+
--- /dev/null
+From 8f6c164da8ada487e3f51bdb07403321bb1c6d80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 17:56:57 +0800
+Subject: f2fs: fix to avoid panic in f2fs_evict_inode
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit a509a55f8eecc8970b3980c6f06886bbff0e2f68 ]
+
+As syzbot [1] reported as below:
+
+R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450
+R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520
+ </TASK>
+---[ end trace 0000000000000000 ]---
+==================================================================
+BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+Read of size 8 at addr ffff88812d962278 by task syz-executor/564
+
+CPU: 1 PID: 564 Comm: syz-executor Tainted: G W 6.1.129-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+Call Trace:
+ <TASK>
+ __dump_stack+0x21/0x24 lib/dump_stack.c:88
+ dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106
+ print_address_description+0x71/0x210 mm/kasan/report.c:316
+ print_report+0x4a/0x60 mm/kasan/report.c:427
+ kasan_report+0x122/0x150 mm/kasan/report.c:531
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
+ __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+ __list_del_entry include/linux/list.h:134 [inline]
+ list_del_init include/linux/list.h:206 [inline]
+ f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531
+ f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585
+ f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703
+ f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731
+ write_inode fs/fs-writeback.c:1460 [inline]
+ __writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677
+ writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733
+ sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789
+ f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159
+ block_operations fs/f2fs/checkpoint.c:1269 [inline]
+ f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658
+ kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668
+ deactivate_locked_super+0x98/0x100 fs/super.c:332
+ deactivate_super+0xaf/0xe0 fs/super.c:363
+ cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186
+ __cleanup_mnt+0x19/0x20 fs/namespace.c:1193
+ task_work_run+0x1c6/0x230 kernel/task_work.c:203
+ exit_task_work include/linux/task_work.h:39 [inline]
+ do_exit+0x9fb/0x2410 kernel/exit.c:871
+ do_group_exit+0x210/0x2d0 kernel/exit.c:1021
+ __do_sys_exit_group kernel/exit.c:1032 [inline]
+ __se_sys_exit_group kernel/exit.c:1030 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030
+ x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+RIP: 0033:0x7f28b1b8e169
+Code: Unable to access opcode bytes at 0x7f28b1b8e13f.
+RSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
+RBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360
+R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360
+R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520
+ </TASK>
+
+Allocated by task 569:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
+ __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737
+ slab_alloc_node mm/slub.c:3398 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429
+ alloc_inode_sb include/linux/fs.h:3245 [inline]
+ f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x186/0x880 fs/inode.c:1373
+ f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483
+ f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487
+ __lookup_slow+0x2a3/0x3d0 fs/namei.c:1690
+ lookup_slow+0x57/0x70 fs/namei.c:1707
+ walk_component+0x2e6/0x410 fs/namei.c:1998
+ lookup_last fs/namei.c:2455 [inline]
+ path_lookupat+0x180/0x490 fs/namei.c:2479
+ filename_lookup+0x1f0/0x500 fs/namei.c:2508
+ vfs_statx+0x10b/0x660 fs/stat.c:229
+ vfs_fstatat fs/stat.c:267 [inline]
+ vfs_lstat include/linux/fs.h:3424 [inline]
+ __do_sys_newlstat fs/stat.c:423 [inline]
+ __se_sys_newlstat+0xd5/0x350 fs/stat.c:417
+ __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
+ x64_sys_call+0x393/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+Freed by task 13:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
+ ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:236
+ __kasan_slab_free+0x11/0x20 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ slab_free_hook mm/slub.c:1724 [inline]
+ slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1750
+ slab_free mm/slub.c:3661 [inline]
+ kmem_cache_free+0x12d/0x2a0 mm/slub.c:3683
+ f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1562
+ i_callback+0x4c/0x70 fs/inode.c:250
+ rcu_do_batch+0x503/0xb80 kernel/rcu/tree.c:2297
+ rcu_core+0x5a2/0xe70 kernel/rcu/tree.c:2557
+ rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
+ handle_softirqs+0x178/0x500 kernel/softirq.c:578
+ run_ksoftirqd+0x28/0x30 kernel/softirq.c:945
+ smpboot_thread_fn+0x45a/0x8c0 kernel/smpboot.c:164
+ kthread+0x270/0x310 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+Last potentially related work creation:
+ kasan_save_stack+0x3a/0x60 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xb6/0xc0 mm/kasan/generic.c:486
+ kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
+ call_rcu+0xd4/0xf70 kernel/rcu/tree.c:2845
+ destroy_inode fs/inode.c:316 [inline]
+ evict+0x7da/0x870 fs/inode.c:720
+ iput_final fs/inode.c:1834 [inline]
+ iput+0x62b/0x830 fs/inode.c:1860
+ do_unlinkat+0x356/0x540 fs/namei.c:4397
+ __do_sys_unlink fs/namei.c:4438 [inline]
+ __se_sys_unlink fs/namei.c:4436 [inline]
+ __x64_sys_unlink+0x49/0x50 fs/namei.c:4436
+ x64_sys_call+0x958/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+The buggy address belongs to the object at ffff88812d961f20
+ which belongs to the cache f2fs_inode_cache of size 1200
+The buggy address is located 856 bytes inside of
+ 1200-byte region [ffff88812d961f20, ffff88812d9623d0)
+
+The buggy address belongs to the physical page:
+page:ffffea0004b65800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d960
+head:ffffea0004b65800 order:2 compound_mapcount:0 compound_pincount:0
+flags: 0x4000000000010200(slab|head|zone=1)
+raw: 4000000000010200 0000000000000000 dead000000000122 ffff88810a94c500
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 2, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 569, tgid 568 (syz.2.16), ts 55943246141, free_ts 0
+ set_page_owner include/linux/page_owner.h:31 [inline]
+ post_alloc_hook+0x1d0/0x1f0 mm/page_alloc.c:2532
+ prep_new_page mm/page_alloc.c:2539 [inline]
+ get_page_from_freelist+0x2e63/0x2ef0 mm/page_alloc.c:4328
+ __alloc_pages+0x235/0x4b0 mm/page_alloc.c:5605
+ alloc_slab_page include/linux/gfp.h:-1 [inline]
+ allocate_slab mm/slub.c:1939 [inline]
+ new_slab+0xec/0x4b0 mm/slub.c:1992
+ ___slab_alloc+0x6f6/0xb50 mm/slub.c:3180
+ __slab_alloc+0x5e/0xa0 mm/slub.c:3279
+ slab_alloc_node mm/slub.c:3364 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc_lru+0x13f/0x220 mm/slub.c:3429
+ alloc_inode_sb include/linux/fs.h:3245 [inline]
+ f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x186/0x880 fs/inode.c:1373
+ f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483
+ f2fs_fill_super+0x3ad7/0x6bb0 fs/f2fs/super.c:4293
+ mount_bdev+0x2ae/0x3e0 fs/super.c:1443
+ f2fs_mount+0x34/0x40 fs/f2fs/super.c:4642
+ legacy_get_tree+0xea/0x190 fs/fs_context.c:632
+ vfs_get_tree+0x89/0x260 fs/super.c:1573
+ do_new_mount+0x25a/0xa20 fs/namespace.c:3056
+page_owner free stack trace missing
+
+Memory state around the buggy address:
+ ffff88812d962100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88812d962180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88812d962200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88812d962280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88812d962300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+[1] https://syzkaller.appspot.com/x/report.txt?x=13448368580000
+
+This bug can be reproduced w/ the reproducer [2], once we enable
+CONFIG_F2FS_CHECK_FS config, the reproducer will trigger panic as below,
+so the direct reason of this bug is the same as the one below patch [3]
+fixed.
+
+kernel BUG at fs/f2fs/inode.c:857!
+RIP: 0010:f2fs_evict_inode+0x1204/0x1a20
+Call Trace:
+ <TASK>
+ evict+0x32a/0x7a0
+ do_unlinkat+0x37b/0x5b0
+ __x64_sys_unlink+0xad/0x100
+ do_syscall_64+0x5a/0xb0
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+RIP: 0010:f2fs_evict_inode+0x1204/0x1a20
+
+[2] https://syzkaller.appspot.com/x/repro.c?x=17495ccc580000
+[3] https://lore.kernel.org/linux-f2fs-devel/20250702120321.1080759-1-chao@kernel.org
+
+Tracepoints before panic:
+
+f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file1
+f2fs_unlink_exit: dev = (7,0), ino = 7, ret = 0
+f2fs_evict_inode: dev = (7,0), ino = 7, pino = 3, i_mode = 0x81ed, i_size = 10, i_nlink = 0, i_blocks = 0, i_advise = 0x0
+f2fs_truncate_node: dev = (7,0), ino = 7, nid = 8, block_address = 0x3c05
+
+f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file3
+f2fs_unlink_exit: dev = (7,0), ino = 8, ret = 0
+f2fs_evict_inode: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 9000, i_nlink = 0, i_blocks = 24, i_advise = 0x4
+f2fs_truncate: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 0, i_nlink = 0, i_blocks = 24, i_advise = 0x4
+f2fs_truncate_blocks_enter: dev = (7,0), ino = 8, i_size = 0, i_blocks = 24, start file offset = 0
+f2fs_truncate_blocks_exit: dev = (7,0), ino = 8, ret = -2
+
+The root cause is: in the fuzzed image, dnode #8 belongs to inode #7,
+after inode #7 eviction, dnode #8 was dropped.
+
+However there is dirent that has ino #8, so, once we unlink file3, in
+f2fs_evict_inode(), both f2fs_truncate() and f2fs_update_inode_page()
+will fail due to we can not load node #8, result in we missed to call
+f2fs_inode_synced() to clear inode dirty status.
+
+Let's fix this by calling f2fs_inode_synced() in error path of
+f2fs_evict_inode().
+
+PS: As I verified, the reproducer [2] can trigger this bug in v6.1.129,
+but it failed in v6.16-rc4, this is because the testcase will stop due to
+other corruption has been detected by f2fs:
+
+F2FS-fs (loop0): inconsistent node block, node_type:2, nid:8, node_footer[nid:8,ino:8,ofs:0,cpver:5013063228981249506,blkaddr:15366]
+F2FS-fs (loop0): f2fs_lookup: inode (ino=9) has zero i_nlink
+
+Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing")
+Closes: https://syzkaller.appspot.com/x/report.txt?x=13448368580000
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inode.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index d3c6f3202b69..fc774de1c752 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -933,6 +933,19 @@ void f2fs_evict_inode(struct inode *inode)
+ f2fs_update_inode_page(inode);
+ if (dquot_initialize_needed(inode))
+ set_sbi_flag(sbi, SBI_QUOTA_NEED_REPAIR);
++
++ /*
++ * If both f2fs_truncate() and f2fs_update_inode_page() failed
++ * due to fuzzed corrupted inode, call f2fs_inode_synced() to
++ * avoid triggering later f2fs_bug_on().
++ */
++ if (is_inode_flag_set(inode, FI_DIRTY_INODE)) {
++ f2fs_warn(sbi,
++ "f2fs_evict_inode: inode is dirty, ino:%lu",
++ inode->i_ino);
++ f2fs_inode_synced(inode);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ }
+ }
+ if (freeze_protected)
+ sb_end_intwrite(inode->i_sb);
+--
+2.39.5
+
--- /dev/null
+From 65a159288a8782f6372f316dd26071b48e761192 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 17:53:39 +0800
+Subject: f2fs: fix to avoid UAF in f2fs_sync_inode_meta()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 7c30d79930132466f5be7d0b57add14d1a016bda ]
+
+syzbot reported an UAF issue as below: [1] [2]
+
+[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000
+
+==================================================================
+BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8
+
+CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+Workqueue: writeback wb_workfn (flush-7:0)
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:316 [inline]
+ print_report+0x158/0x4e0 mm/kasan/report.c:427
+ kasan_report+0x13c/0x170 mm/kasan/report.c:531
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
+ __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+ __list_del_entry include/linux/list.h:134 [inline]
+ list_del_init include/linux/list.h:206 [inline]
+ f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553
+ f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588
+ f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706
+ f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734
+ write_inode fs/fs-writeback.c:1460 [inline]
+ __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677
+ writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903
+ __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974
+ wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081
+ wb_check_background_flush fs/fs-writeback.c:2151 [inline]
+ wb_do_writeback fs/fs-writeback.c:2239 [inline]
+ wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266
+ process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299
+ worker_thread+0xa60/0x1260 kernel/workqueue.c:2446
+ kthread+0x26d/0x300 kernel/kthread.c:386
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+ </TASK>
+
+Allocated by task 298:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
+ __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333
+ kasan_slab_alloc include/linux/kasan.h:202 [inline]
+ slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768
+ slab_alloc_node mm/slub.c:3421 [inline]
+ slab_alloc mm/slub.c:3431 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
+ kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454
+ alloc_inode_sb include/linux/fs.h:3255 [inline]
+ f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x18c/0x7e0 fs/inode.c:1373
+ f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
+ f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484
+ __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689
+ lookup_slow+0x5a/0x80 fs/namei.c:1706
+ walk_component+0x2e7/0x410 fs/namei.c:1997
+ lookup_last fs/namei.c:2454 [inline]
+ path_lookupat+0x16d/0x450 fs/namei.c:2478
+ filename_lookup+0x251/0x600 fs/namei.c:2507
+ vfs_statx+0x107/0x4b0 fs/stat.c:229
+ vfs_fstatat fs/stat.c:267 [inline]
+ vfs_lstat include/linux/fs.h:3434 [inline]
+ __do_sys_newlstat fs/stat.c:423 [inline]
+ __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417
+ __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
+ x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+Freed by task 0:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
+ ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
+ __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
+ kasan_slab_free include/linux/kasan.h:178 [inline]
+ slab_free_hook mm/slub.c:1745 [inline]
+ slab_free_freelist_hook mm/slub.c:1771 [inline]
+ slab_free mm/slub.c:3686 [inline]
+ kmem_cache_free+0x291/0x560 mm/slub.c:3711
+ f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1584
+ i_callback+0x4b/0x70 fs/inode.c:250
+ rcu_do_batch+0x552/0xbe0 kernel/rcu/tree.c:2297
+ rcu_core+0x502/0xf40 kernel/rcu/tree.c:2557
+ rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
+ handle_softirqs+0x1db/0x650 kernel/softirq.c:624
+ __do_softirq kernel/softirq.c:662 [inline]
+ invoke_softirq kernel/softirq.c:479 [inline]
+ __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711
+ irq_exit_rcu+0x9/0x10 kernel/softirq.c:723
+ instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
+ sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
+ asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
+
+Last potentially related work creation:
+ kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xb4/0xc0 mm/kasan/generic.c:486
+ kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
+ __call_rcu_common kernel/rcu/tree.c:2807 [inline]
+ call_rcu+0xdc/0x10f0 kernel/rcu/tree.c:2926
+ destroy_inode fs/inode.c:316 [inline]
+ evict+0x87d/0x930 fs/inode.c:720
+ iput_final fs/inode.c:1834 [inline]
+ iput+0x616/0x690 fs/inode.c:1860
+ do_unlinkat+0x4e1/0x920 fs/namei.c:4396
+ __do_sys_unlink fs/namei.c:4437 [inline]
+ __se_sys_unlink fs/namei.c:4435 [inline]
+ __x64_sys_unlink+0x49/0x50 fs/namei.c:4435
+ x64_sys_call+0x289/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+The buggy address belongs to the object at ffff888100567a10
+ which belongs to the cache f2fs_inode_cache of size 1360
+The buggy address is located 952 bytes inside of
+ 1360-byte region [ffff888100567a10, ffff888100567f60)
+
+The buggy address belongs to the physical page:
+page:ffffea0004015800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100560
+head:ffffea0004015800 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x4000000000010200(slab|head|zone=1)
+raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881002c4d80
+raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 298, tgid 298 (syz-executor330), ts 26489303743, free_ts 0
+ set_page_owner include/linux/page_owner.h:33 [inline]
+ post_alloc_hook+0x213/0x220 mm/page_alloc.c:2637
+ prep_new_page+0x1b/0x110 mm/page_alloc.c:2644
+ get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539
+ __alloc_pages+0x234/0x610 mm/page_alloc.c:5837
+ alloc_slab_page+0x6c/0xf0 include/linux/gfp.h:-1
+ allocate_slab mm/slub.c:1962 [inline]
+ new_slab+0x90/0x3e0 mm/slub.c:2015
+ ___slab_alloc+0x6f9/0xb80 mm/slub.c:3203
+ __slab_alloc+0x5d/0xa0 mm/slub.c:3302
+ slab_alloc_node mm/slub.c:3387 [inline]
+ slab_alloc mm/slub.c:3431 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
+ kmem_cache_alloc_lru+0x149/0x270 mm/slub.c:3454
+ alloc_inode_sb include/linux/fs.h:3255 [inline]
+ f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x18c/0x7e0 fs/inode.c:1373
+ f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
+ f2fs_fill_super+0x5360/0x6dc0 fs/f2fs/super.c:4488
+ mount_bdev+0x282/0x3b0 fs/super.c:1445
+ f2fs_mount+0x34/0x40 fs/f2fs/super.c:4743
+ legacy_get_tree+0xf1/0x190 fs/fs_context.c:632
+page_owner free stack trace missing
+
+Memory state around the buggy address:
+ ffff888100567c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888100567d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888100567d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888100567e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888100567e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+[2] https://syzkaller.appspot.com/text?tag=CrashLog&x=13654c60580000
+
+[ 24.675720][ T28] audit: type=1400 audit(1745327318.732:72): avc: denied { write } for pid=298 comm="syz-executor399" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[ 24.705426][ T296] ------------[ cut here ]------------
+[ 24.706608][ T28] audit: type=1400 audit(1745327318.732:73): avc: denied { remove_name } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[ 24.711550][ T296] WARNING: CPU: 0 PID: 296 at fs/f2fs/inode.c:847 f2fs_evict_inode+0x1262/0x1540
+[ 24.734141][ T28] audit: type=1400 audit(1745327318.732:74): avc: denied { rename } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[ 24.742969][ T296] Modules linked in:
+[ 24.765201][ T28] audit: type=1400 audit(1745327318.732:75): avc: denied { add_name } for pid=298 comm="syz-executor399" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[ 24.768847][ T296] CPU: 0 PID: 296 Comm: syz-executor399 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0
+[ 24.799506][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+[ 24.809401][ T296] RIP: 0010:f2fs_evict_inode+0x1262/0x1540
+[ 24.815018][ T296] Code: 34 70 4a ff eb 0d e8 2d 70 4a ff 4d 89 e5 4c 8b 64 24 18 48 8b 5c 24 28 4c 89 e7 e8 78 38 03 00 e9 84 fc ff ff e8 0e 70 4a ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 7f 21 92 ff f0 41 80 0e 04 e9 61
+[ 24.834584][ T296] RSP: 0018:ffffc90000db7a40 EFLAGS: 00010293
+[ 24.840465][ T296] RAX: ffffffff822aca42 RBX: 0000000000000002 RCX: ffff888110948000
+[ 24.848291][ T296] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
+[ 24.856064][ T296] RBP: ffffc90000db7bb0 R08: ffffffff822ac6a8 R09: ffffed10200b005d
+[ 24.864073][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100580000
+[ 24.871812][ T296] R13: dffffc0000000000 R14: ffff88810fef4078 R15: 1ffff920001b6f5c
+
+The root cause is w/ a fuzzed image, f2fs may missed to clear FI_DIRTY_INODE
+flag for target inode, after f2fs_evict_inode(), the inode is still linked in
+sbi->inode_list[DIRTY_META] global list, once it triggers checkpoint,
+f2fs_sync_inode_meta() may access the released inode.
+
+In f2fs_evict_inode(), let's always call f2fs_inode_synced() to clear
+FI_DIRTY_INODE flag and drop inode from global dirty list to avoid this
+UAF issue.
+
+Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing")
+Closes: https://syzkaller.appspot.com/bug?extid=849174b2efaf0d8be6ba
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index 083d52a42bfb..d3c6f3202b69 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -949,8 +949,12 @@ void f2fs_evict_inode(struct inode *inode)
+ if (likely(!f2fs_cp_error(sbi) &&
+ !is_sbi_flag_set(sbi, SBI_CP_DISABLED)))
+ f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));
+- else
+- f2fs_inode_synced(inode);
++
++ /*
++ * anyway, it needs to remove the inode from sbi->inode_list[DIRTY_META]
++ * list to avoid UAF in f2fs_sync_inode_meta() during checkpoint.
++ */
++ f2fs_inode_synced(inode);
+
+ /* for the case f2fs_new_inode() was failed, .i_ino is zero, skip it */
+ if (inode->i_ino)
+--
+2.39.5
+
--- /dev/null
+From 064de286e7d9601f809d2c2c292c164744b450a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 16:01:43 +0800
+Subject: f2fs: fix to calculate dirty data during has_not_enough_free_secs()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit e194e140ab7de2ce2782e64b9e086a43ca6ff4f2 ]
+
+In lfs mode, dirty data needs OPU, we'd better calculate lower_p and
+upper_p w/ them during has_not_enough_free_secs(), otherwise we may
+encounter out-of-space issue due to we missed to reclaim enough
+free section w/ foreground gc.
+
+Fixes: 36abef4e796d ("f2fs: introduce mode=lfs mount option")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
+index f11822ec3fec..a8ac5309bd90 100644
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -674,8 +674,7 @@ static inline void __get_secs_required(struct f2fs_sb_info *sbi,
+ unsigned int dent_blocks = total_dent_blocks % CAP_BLKS_PER_SEC(sbi);
+ unsigned int data_blocks = 0;
+
+- if (f2fs_lfs_mode(sbi) &&
+- unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) {
++ if (f2fs_lfs_mode(sbi)) {
+ total_data_blocks = get_pages(sbi, F2FS_DIRTY_DATA);
+ data_secs = total_data_blocks / CAP_BLKS_PER_SEC(sbi);
+ data_blocks = total_data_blocks % CAP_BLKS_PER_SEC(sbi);
+--
+2.39.5
+
--- /dev/null
+From d359c2085ebeac34654b4f005db3da85858d5dce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 10:38:18 +0800
+Subject: f2fs: fix to check upper boundary for gc_no_zoned_gc_percent
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit a919ae794ad2dc6d04b3eea2f9bc86332c1630cc ]
+
+This patch adds missing upper boundary check while setting
+gc_no_zoned_gc_percent via sysfs.
+
+Fixes: 9a481a1c16f4 ("f2fs: create gc_no_zoned_gc_percent and gc_boost_zoned_gc_percent")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/sysfs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index 173ad1a72746..5da0254e2057 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -628,6 +628,13 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
+ return count;
+ }
+
++ if (!strcmp(a->attr.name, "gc_no_zoned_gc_percent")) {
++ if (t > 100)
++ return -EINVAL;
++ *ui = (unsigned int)t;
++ return count;
++ }
++
+ if (!strcmp(a->attr.name, "gc_boost_zoned_gc_percent")) {
+ if (t > 100)
+ return -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From bbd909d2ec9836e3b0f28315e722812718560319 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 10:38:17 +0800
+Subject: f2fs: fix to check upper boundary for gc_valid_thresh_ratio
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 7a96d1d73ce9de5041e891a623b722f900651561 ]
+
+This patch adds missing upper boundary check while setting
+gc_valid_thresh_ratio via sysfs.
+
+Fixes: e791d00bd06c ("f2fs: add valid block ratio not to do excessive GC for one time GC")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/sysfs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index d0ec9963ff1b..173ad1a72746 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -635,6 +635,13 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
+ return count;
+ }
+
++ if (!strcmp(a->attr.name, "gc_valid_thresh_ratio")) {
++ if (t > 100)
++ return -EINVAL;
++ *ui = (unsigned int)t;
++ return count;
++ }
++
+ #ifdef CONFIG_F2FS_IOSTAT
+ if (!strcmp(a->attr.name, "iostat_enable")) {
+ sbi->iostat_enable = !!t;
+--
+2.39.5
+
--- /dev/null
+From 7960a5914ed9a1507441f348d6e722e15220f065 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 09:14:07 +0900
+Subject: f2fs: fix to check upper boundary for value of
+ gc_boost_zoned_gc_percent
+
+From: yohan.joung <yohan.joung@sk.com>
+
+[ Upstream commit 10dcaa56ef93f2a45e4c3fec27d8e1594edad110 ]
+
+to check the upper boundary when setting gc_boost_zoned_gc_percent
+
+Fixes: 9a481a1c16f4 ("f2fs: create gc_no_zoned_gc_percent and gc_boost_zoned_gc_percent")
+Signed-off-by: yohan.joung <yohan.joung@sk.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/sysfs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index 75134d69a0bd..d0ec9963ff1b 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -628,6 +628,13 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
+ return count;
+ }
+
++ if (!strcmp(a->attr.name, "gc_boost_zoned_gc_percent")) {
++ if (t > 100)
++ return -EINVAL;
++ *ui = (unsigned int)t;
++ return count;
++ }
++
+ #ifdef CONFIG_F2FS_IOSTAT
+ if (!strcmp(a->attr.name, "iostat_enable")) {
+ sbi->iostat_enable = !!t;
+--
+2.39.5
+
--- /dev/null
+From 475872e4074840501c98d6fdc54aab77af4d2380 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 16:01:44 +0800
+Subject: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs
+ mode
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 1005a3ca28e90c7a64fa43023f866b960a60f791 ]
+
+w/ "mode=lfs" mount option, generic/299 will cause system panic as below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/segment.c:2835!
+Call Trace:
+ <TASK>
+ f2fs_allocate_data_block+0x6f4/0xc50
+ f2fs_map_blocks+0x970/0x1550
+ f2fs_iomap_begin+0xb2/0x1e0
+ iomap_iter+0x1d6/0x430
+ __iomap_dio_rw+0x208/0x9a0
+ f2fs_file_write_iter+0x6b3/0xfa0
+ aio_write+0x15d/0x2e0
+ io_submit_one+0x55e/0xab0
+ __x64_sys_io_submit+0xa5/0x230
+ do_syscall_64+0x84/0x2f0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+RIP: 0010:new_curseg+0x70f/0x720
+
+The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may
+trigger foreground gc only if it allocates any physical block, it will be
+a little bit later when there is multiple threads writing data w/
+aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so
+f2fs_map_blocks() does block allocations aggressively.
+
+In order to fix this issue, let's give a chance to trigger foreground
+gc in prior to block allocation in f2fs_map_blocks().
+
+Fixes: 36abef4e796d ("f2fs: introduce mode=lfs mount option")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 718e0b81a02f..53b64f4ff2d7 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -1572,8 +1572,11 @@ int f2fs_map_blocks(struct inode *inode, struct f2fs_map_blocks *map, int flag)
+ end = pgofs + maxblocks;
+
+ next_dnode:
+- if (map->m_may_create)
++ if (map->m_may_create) {
++ if (f2fs_lfs_mode(sbi))
++ f2fs_balance_fs(sbi, true);
+ f2fs_map_lock(sbi, flag);
++ }
+
+ /* When reading holes, we need its node page */
+ set_new_dnode(&dn, inode, NULL, NULL, 0);
+--
+2.39.5
+
--- /dev/null
+From 17d0173cc5cca8b609b2a7081e7f1ad93f5de99d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 16:01:42 +0800
+Subject: f2fs: fix to update upper_p in __get_secs_required() correctly
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 6840faddb65683b4e7bd8196f177b038a1e19faf ]
+
+Commit 1acd73edbbfe ("f2fs: fix to account dirty data in __get_secs_required()")
+missed to calculate upper_p w/ data_secs, fix it.
+
+Fixes: 1acd73edbbfe ("f2fs: fix to account dirty data in __get_secs_required()")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
+index db619fd2f51a..f11822ec3fec 100644
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -684,7 +684,7 @@ static inline void __get_secs_required(struct f2fs_sb_info *sbi,
+ if (lower_p)
+ *lower_p = node_secs + dent_secs + data_secs;
+ if (upper_p)
+- *upper_p = node_secs + dent_secs +
++ *upper_p = node_secs + dent_secs + data_secs +
+ (node_blocks ? 1 : 0) + (dent_blocks ? 1 : 0) +
+ (data_blocks ? 1 : 0);
+ if (curseg_p)
+--
+2.39.5
+
--- /dev/null
+From 9fc06419b94f938b9d4c595be0e3568becaa2564 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 11:49:04 -0700
+Subject: f2fs: turn off one_time when forcibly set to foreground GC
+
+From: Daeho Jeong <daehojeong@google.com>
+
+[ Upstream commit 8142daf8a53806689186ee255cc02f89af7f8890 ]
+
+one_time mode is only for background GC. So, we need to set it back to
+false when foreground GC is enforced.
+
+Fixes: 9748c2ddea4a ("f2fs: do FG_GC when GC boosting is required for zoned devices")
+Signed-off-by: Daeho Jeong <daehojeong@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/gc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index 3cb5242f4ddf..d915b54392b8 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1891,6 +1891,7 @@ int f2fs_gc(struct f2fs_sb_info *sbi, struct f2fs_gc_control *gc_control)
+ /* Let's run FG_GC, if we don't have enough space. */
+ if (has_not_enough_free_secs(sbi, 0, 0)) {
+ gc_type = FG_GC;
++ gc_control->one_time = false;
+
+ /*
+ * For example, if there are many prefree_segments below given
+--
+2.39.5
+
--- /dev/null
+From 202f7f4bc6679cb86cbb1befabe3004198832d46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 17:31:15 +0200
+Subject: f2fs: vm_unmap_ram() may be called from an invalid context
+
+From: Jan Prusakowski <jprusakowski@google.com>
+
+[ Upstream commit 08a7efc5b02a0620ae16aa9584060e980a69cb55 ]
+
+When testing F2FS with xfstests using UFS backed virtual disks the
+kernel complains sometimes that f2fs_release_decomp_mem() calls
+vm_unmap_ram() from an invalid context. Example trace from
+f2fs/007 test:
+
+f2fs/007 5s ... [12:59:38][ 8.902525] run fstests f2fs/007
+[ 11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978
+[ 11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd
+[ 11.475357] preempt_count: 1, expected: 0
+[ 11.476970] RCU nest depth: 0, expected: 0
+[ 11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G W 6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none)
+[ 11.478535] Tainted: [W]=WARN
+[ 11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 11.478537] Call Trace:
+[ 11.478543] <TASK>
+[ 11.478545] dump_stack_lvl+0x4e/0x70
+[ 11.478554] __might_resched.cold+0xaf/0xbe
+[ 11.478557] vm_unmap_ram+0x21/0xb0
+[ 11.478560] f2fs_release_decomp_mem+0x59/0x80
+[ 11.478563] f2fs_free_dic+0x18/0x1a0
+[ 11.478565] f2fs_finish_read_bio+0xd7/0x290
+[ 11.478570] blk_update_request+0xec/0x3b0
+[ 11.478574] ? sbitmap_queue_clear+0x3b/0x60
+[ 11.478576] scsi_end_request+0x27/0x1a0
+[ 11.478582] scsi_io_completion+0x40/0x300
+[ 11.478583] ufshcd_mcq_poll_cqe_lock+0xa3/0xe0
+[ 11.478588] ufshcd_sl_intr+0x194/0x1f0
+[ 11.478592] ufshcd_threaded_intr+0x68/0xb0
+[ 11.478594] ? __pfx_irq_thread_fn+0x10/0x10
+[ 11.478599] irq_thread_fn+0x20/0x60
+[ 11.478602] ? __pfx_irq_thread_fn+0x10/0x10
+[ 11.478603] irq_thread+0xb9/0x180
+[ 11.478605] ? __pfx_irq_thread_dtor+0x10/0x10
+[ 11.478607] ? __pfx_irq_thread+0x10/0x10
+[ 11.478609] kthread+0x10a/0x230
+[ 11.478614] ? __pfx_kthread+0x10/0x10
+[ 11.478615] ret_from_fork+0x7e/0xd0
+[ 11.478619] ? __pfx_kthread+0x10/0x10
+[ 11.478621] ret_from_fork_asm+0x1a/0x30
+[ 11.478623] </TASK>
+
+This patch modifies in_task() check inside f2fs_read_end_io() to also
+check if interrupts are disabled. This ensures that pages are unmapped
+asynchronously in an interrupt handler.
+
+Fixes: bff139b49d9f ("f2fs: handle decompress only post processing in softirq")
+Signed-off-by: Jan Prusakowski <jprusakowski@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 31e892842625..718e0b81a02f 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -282,7 +282,7 @@ static void f2fs_read_end_io(struct bio *bio)
+ {
+ struct f2fs_sb_info *sbi = F2FS_P_SB(bio_first_page_all(bio));
+ struct bio_post_read_ctx *ctx;
+- bool intask = in_task();
++ bool intask = in_task() && !irqs_disabled();
+
+ iostat_update_and_unbind_ctx(bio);
+ ctx = bio->bi_private;
+--
+2.39.5
+
--- /dev/null
+From 11272cf366d0a793df08e327bf9d1adefdd179c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 12:48:35 +0200
+Subject: fanotify: sanitize handle_type values when reporting fid
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit 8631e01c2c5d1fe6705bcc0d733a0b7a17d3daac ]
+
+Unlike file_handle, type and len of struct fanotify_fh are u8.
+Traditionally, filesystem return handle_type < 0xff, but there
+is no enforecement for that in vfs.
+
+Add a sanity check in fanotify to avoid truncating handle_type
+if its value is > 0xff.
+
+Fixes: 7cdafe6cc4a6 ("exportfs: check for error return value from exportfs_encode_*()")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250627104835.184495-1-amir73il@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/notify/fanotify/fanotify.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
+index 3083643b864b..bfe884d624e7 100644
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -454,7 +454,13 @@ static int fanotify_encode_fh(struct fanotify_fh *fh, struct inode *inode,
+ dwords = fh_len >> 2;
+ type = exportfs_encode_fid(inode, buf, &dwords);
+ err = -EINVAL;
+- if (type <= 0 || type == FILEID_INVALID || fh_len != dwords << 2)
++ /*
++ * Unlike file_handle, type and len of struct fanotify_fh are u8.
++ * Traditionally, filesystem return handle_type < 0xff, but there
++ * is no enforecement for that in vfs.
++ */
++ BUILD_BUG_ON(MAX_HANDLE_SZ > 0xff || FILEID_INVALID > 0xff);
++ if (type <= 0 || type >= FILEID_INVALID || fh_len != dwords << 2)
+ goto out_err;
+
+ fh->type = type;
+--
+2.39.5
+
--- /dev/null
+From 94b725e628574d7bfe12a0ee0447498bbb78eeac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:34:38 +0800
+Subject: fbcon: Fix outdated registered_fb reference in comment
+
+From: Shixiong Ou <oushixiong@kylinos.cn>
+
+[ Upstream commit 0f168e7be696a17487e83d1d47e5a408a181080f ]
+
+The variable was renamed to fbcon_registered_fb, but this comment was
+not updated along with the change. Correct it to avoid confusion.
+
+Signed-off-by: Shixiong Ou <oushixiong@kylinos.cn>
+Fixes: efc3acbc105a ("fbcon: Maintain a private array of fb_info")
+[sima: Add Fixes: line.]
+Signed-off-by: Simona Vetter <simona.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250709103438.572309-1-oushixiong1025@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/fbcon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
+index 2df48037688d..2b2d36c021ba 100644
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -952,13 +952,13 @@ static const char *fbcon_startup(void)
+ int rows, cols;
+
+ /*
+- * If num_registered_fb is zero, this is a call for the dummy part.
++ * If fbcon_num_registered_fb is zero, this is a call for the dummy part.
+ * The frame buffer devices weren't initialized yet.
+ */
+ if (!fbcon_num_registered_fb || info_idx == -1)
+ return display_desc;
+ /*
+- * Instead of blindly using registered_fb[0], we use info_idx, set by
++ * Instead of blindly using fbcon_registered_fb[0], we use info_idx, set by
+ * fbcon_fb_registered();
+ */
+ info = fbcon_registered_fb[info_idx];
+--
+2.39.5
+
--- /dev/null
+From d9694c748e3cad33aeaa64b89c4c528f56a6ad6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 22:25:34 -0500
+Subject: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7 ]
+
+fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot
+allocate a struct fb_modelist. If that happens, the modelist stays empty but
+the driver continues to register. Add a check for its return value to prevent
+poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev:
+Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var").
+
+Fixes: 1b6c79361ba5 ("video: imxfb: Add DT support")
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/imxfb.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
+index f30da32cdaed..a077bf346bdf 100644
+--- a/drivers/video/fbdev/imxfb.c
++++ b/drivers/video/fbdev/imxfb.c
+@@ -996,8 +996,13 @@ static int imxfb_probe(struct platform_device *pdev)
+ info->fix.smem_start = fbi->map_dma;
+
+ INIT_LIST_HEAD(&info->modelist);
+- for (i = 0; i < fbi->num_modes; i++)
+- fb_add_videomode(&fbi->mode[i].mode, &info->modelist);
++ for (i = 0; i < fbi->num_modes; i++) {
++ ret = fb_add_videomode(&fbi->mode[i].mode, &info->modelist);
++ if (ret) {
++ dev_err(&pdev->dev, "Failed to add videomode\n");
++ goto failed_cmap;
++ }
++ }
+
+ /*
+ * This makes sure that our colour bitfield
+--
+2.39.5
+
--- /dev/null
+From aab5be434199a2370b14712628c6cf2c4b022544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 03:17:19 +0530
+Subject: firmware: arm_scmi: Fix up turbo frequencies selection
+
+From: Sibi Sankar <quic_sibis@quicinc.com>
+
+[ Upstream commit ad28fc31dd702871764e9294d4f2314ad78d24a9 ]
+
+Sustained frequency when greater than or equal to 4Ghz on 64-bit devices
+currently result in marking all frequencies as turbo. Address the turbo
+frequency selection bug by fixing the truncation.
+
+Fixes: a897575e79d7 ("firmware: arm_scmi: Add support for marking certain frequencies as turbo")
+Signed-off-by: Sibi Sankar <quic_sibis@quicinc.com>
+Message-Id: <20250514214719.203607-1-quic_sibis@quicinc.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/perf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/arm_scmi/perf.c b/drivers/firmware/arm_scmi/perf.c
+index c7e5a34b254b..683fd9b85c5c 100644
+--- a/drivers/firmware/arm_scmi/perf.c
++++ b/drivers/firmware/arm_scmi/perf.c
+@@ -892,7 +892,7 @@ static int scmi_dvfs_device_opps_add(const struct scmi_protocol_handle *ph,
+ freq = dom->opp[idx].indicative_freq * dom->mult_factor;
+
+ /* All OPPs above the sustained frequency are treated as turbo */
+- data.turbo = freq > dom->sustained_freq_khz * 1000;
++ data.turbo = freq > dom->sustained_freq_khz * 1000UL;
+
+ data.level = dom->opp[idx].perf;
+ data.freq = freq;
+--
+2.39.5
+
--- /dev/null
+From dec2b28e0452d891aacd7af74240a44fa8582f22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 11:23:46 +0200
+Subject: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 1db50f7b7a793670adcf062df9ff27798829d963 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: ed10435d3583 ("RDMA/erdma: Implement hierarchical MTT")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20250630092346.81017-2-fourier.thomas@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/erdma/erdma_verbs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c
+index af36a8d2df22..ec0ad4086066 100644
+--- a/drivers/infiniband/hw/erdma/erdma_verbs.c
++++ b/drivers/infiniband/hw/erdma/erdma_verbs.c
+@@ -629,7 +629,8 @@ static struct erdma_mtt *erdma_create_cont_mtt(struct erdma_dev *dev,
+ static void erdma_destroy_mtt_buf_sg(struct erdma_dev *dev,
+ struct erdma_mtt *mtt)
+ {
+- dma_unmap_sg(&dev->pdev->dev, mtt->sglist, mtt->nsg, DMA_TO_DEVICE);
++ dma_unmap_sg(&dev->pdev->dev, mtt->sglist,
++ DIV_ROUND_UP(mtt->size, PAGE_SIZE), DMA_TO_DEVICE);
+ vfree(mtt->sglist);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 03d914b50ceb61ff9302c6744d2186743ae8280c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 16:18:25 -0700
+Subject: fortify: Fix incorrect reporting of read buffer size
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 94fd44648dae2a5b6149a41faa0b07928c3e1963 ]
+
+When FORTIFY_SOURCE reports about a run-time buffer overread, the wrong
+buffer size was being shown in the error message. (The bounds checking
+was correct.)
+
+Fixes: 3d965b33e40d ("fortify: Improve buffer overflow reporting")
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20250729231817.work.023-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/fortify-string.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
+index e4ce1cae03bf..b3b53f8c1b28 100644
+--- a/include/linux/fortify-string.h
++++ b/include/linux/fortify-string.h
+@@ -596,7 +596,7 @@ __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size,
+ if (p_size != SIZE_MAX && p_size < size)
+ fortify_panic(func, FORTIFY_WRITE, p_size, size, true);
+ else if (q_size != SIZE_MAX && q_size < size)
+- fortify_panic(func, FORTIFY_READ, p_size, size, true);
++ fortify_panic(func, FORTIFY_READ, q_size, size, true);
+
+ /*
+ * Warn when writing beyond destination field size.
+--
+2.39.5
+
--- /dev/null
+From ef84808bf3118b3aa0f1076626ca2799d1eceeb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 15:31:57 +0800
+Subject: fs/ntfs3: cancle set bad inode after removing name fails
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit d99208b91933fd2a58ed9ed321af07dacd06ddc3 ]
+
+The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link.
+When renaming, the file0's inode is marked as a bad inode because the file
+name cannot be deleted.
+
+The underlying bug is that make_bad_inode() is called on a live inode.
+In some cases it's "icache lookup finds a normal inode, d_splice_alias()
+is called to attach it to dentry, while another thread decides to call
+make_bad_inode() on it - that would evict it from icache, but we'd already
+found it there earlier".
+In some it's outright "we have an inode attached to dentry - that's how we
+got it in the first place; let's call make_bad_inode() on it just for shits
+and giggles".
+
+Fixes: 78ab59fee07f ("fs/ntfs3: Rework file operations")
+Reported-by: syzbot+1aa90f0eb1fc3e77d969@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=1aa90f0eb1fc3e77d969
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/frecord.c | 7 +++----
+ fs/ntfs3/namei.c | 10 +++-------
+ fs/ntfs3/ntfs_fs.h | 3 +--
+ 3 files changed, 7 insertions(+), 13 deletions(-)
+
+diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
+index 756e1306fe6c..7afbb4418eb2 100644
+--- a/fs/ntfs3/frecord.c
++++ b/fs/ntfs3/frecord.c
+@@ -3003,8 +3003,7 @@ int ni_add_name(struct ntfs_inode *dir_ni, struct ntfs_inode *ni,
+ * ni_rename - Remove one name and insert new name.
+ */
+ int ni_rename(struct ntfs_inode *dir_ni, struct ntfs_inode *new_dir_ni,
+- struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de,
+- bool *is_bad)
++ struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de)
+ {
+ int err;
+ struct NTFS_DE *de2 = NULL;
+@@ -3027,8 +3026,8 @@ int ni_rename(struct ntfs_inode *dir_ni, struct ntfs_inode *new_dir_ni,
+ err = ni_add_name(new_dir_ni, ni, new_de);
+ if (!err) {
+ err = ni_remove_name(dir_ni, ni, de, &de2, &undo);
+- if (err && ni_remove_name(new_dir_ni, ni, new_de, &de2, &undo))
+- *is_bad = true;
++ WARN_ON(err && ni_remove_name(new_dir_ni, ni, new_de, &de2,
++ &undo));
+ }
+
+ /*
+diff --git a/fs/ntfs3/namei.c b/fs/ntfs3/namei.c
+index b807744fc6a9..0db7ca3b64ea 100644
+--- a/fs/ntfs3/namei.c
++++ b/fs/ntfs3/namei.c
+@@ -244,7 +244,7 @@ static int ntfs_rename(struct mnt_idmap *idmap, struct inode *dir,
+ struct ntfs_inode *ni = ntfs_i(inode);
+ struct inode *new_inode = d_inode(new_dentry);
+ struct NTFS_DE *de, *new_de;
+- bool is_same, is_bad;
++ bool is_same;
+ /*
+ * de - memory of PATH_MAX bytes:
+ * [0-1024) - original name (dentry->d_name)
+@@ -313,12 +313,8 @@ static int ntfs_rename(struct mnt_idmap *idmap, struct inode *dir,
+ if (dir_ni != new_dir_ni)
+ ni_lock_dir2(new_dir_ni);
+
+- is_bad = false;
+- err = ni_rename(dir_ni, new_dir_ni, ni, de, new_de, &is_bad);
+- if (is_bad) {
+- /* Restore after failed rename failed too. */
+- _ntfs_bad_inode(inode);
+- } else if (!err) {
++ err = ni_rename(dir_ni, new_dir_ni, ni, de, new_de);
++ if (!err) {
+ simple_rename_timestamp(dir, dentry, new_dir, new_dentry);
+ mark_inode_dirty(inode);
+ mark_inode_dirty(dir);
+diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h
+index 36b8052660d5..f54635df18fa 100644
+--- a/fs/ntfs3/ntfs_fs.h
++++ b/fs/ntfs3/ntfs_fs.h
+@@ -577,8 +577,7 @@ int ni_add_name(struct ntfs_inode *dir_ni, struct ntfs_inode *ni,
+ struct NTFS_DE *de);
+
+ int ni_rename(struct ntfs_inode *dir_ni, struct ntfs_inode *new_dir_ni,
+- struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de,
+- bool *is_bad);
++ struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de);
+
+ bool ni_is_dirty(struct inode *inode);
+
+--
+2.39.5
+
--- /dev/null
+From 6c24cd0bab394b492c129ce3becf99fbac11afb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jul 2025 09:19:10 -0500
+Subject: fs/orangefs: Allow 2 more characters in do_c_string()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2138e89cb066b40386b1d9ddd61253347d356474 ]
+
+The do_k_string() and do_c_string() functions do essentially the same
+thing which is they add a string and a comma onto the end of an existing
+string. At the end, the caller will overwrite the last comma with a
+newline. Later, in orangefs_kernel_debug_init(), we add a newline to
+the string.
+
+The change to do_k_string() is just cosmetic. I moved the "- 1" to
+the other side of the comparison and made it "+ 1". This has no
+effect on runtime, I just wanted the functions to match each other
+and the rest of the file.
+
+However in do_c_string(), I removed the "- 2" which allows us to print
+two extra characters. I noticed this issue while reviewing the code
+and I doubt affects anything in real life. My guess is that this was
+double counting the comma and the newline. The "+ 1" accounts for
+the newline, and the caller will delete the final comma which ensures
+there is enough space for the newline.
+
+Removing the "- 2" lets us print 2 more characters, but mainly it makes
+the code more consistent and understandable for reviewers.
+
+Fixes: 44f4641073f1 ("orangefs: clean up debugfs globals")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index f7095c91660c..e8e3badbc2ec 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -769,8 +769,8 @@ static void do_k_string(void *k_mask, int index)
+
+ if (*mask & s_kmod_keyword_mask_map[index].mask_val) {
+ if ((strlen(kernel_debug_string) +
+- strlen(s_kmod_keyword_mask_map[index].keyword))
+- < ORANGEFS_MAX_DEBUG_STRING_LEN - 1) {
++ strlen(s_kmod_keyword_mask_map[index].keyword) + 1)
++ < ORANGEFS_MAX_DEBUG_STRING_LEN) {
+ strcat(kernel_debug_string,
+ s_kmod_keyword_mask_map[index].keyword);
+ strcat(kernel_debug_string, ",");
+@@ -797,7 +797,7 @@ static void do_c_string(void *c_mask, int index)
+ (mask->mask2 & cdm_array[index].mask2)) {
+ if ((strlen(client_debug_string) +
+ strlen(cdm_array[index].keyword) + 1)
+- < ORANGEFS_MAX_DEBUG_STRING_LEN - 2) {
++ < ORANGEFS_MAX_DEBUG_STRING_LEN) {
+ strcat(client_debug_string,
+ cdm_array[index].keyword);
+ strcat(client_debug_string, ",");
+--
+2.39.5
+
--- /dev/null
+From 0e52670fb88c080f945f21170876f2bd679751fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 01:09:27 +0200
+Subject: fs_context: fix parameter name in infofc() macro
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: RubenKelevra <rubenkelevra@gmail.com>
+
+[ Upstream commit ffaf1bf3737f706e4e9be876de4bc3c8fc578091 ]
+
+The macro takes a parameter called "p" but references "fc" internally.
+This happens to compile as long as callers pass a variable named fc,
+but breaks otherwise. Rename the first parameter to “fc” to match the
+usage and to be consistent with warnfc() / errorfc().
+
+Fixes: a3ff937b33d9 ("prefix-handling analogues of errorf() and friends")
+Signed-off-by: RubenKelevra <rubenkelevra@gmail.com>
+Link: https://lore.kernel.org/20250617230927.1790401-1-rubenkelevra@gmail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/fs_context.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h
+index a19e4bd32e4d..7773eb870039 100644
+--- a/include/linux/fs_context.h
++++ b/include/linux/fs_context.h
+@@ -200,7 +200,7 @@ void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt,
+ */
+ #define infof(fc, fmt, ...) __logfc(fc, 'i', fmt, ## __VA_ARGS__)
+ #define info_plog(p, fmt, ...) __plog(p, 'i', fmt, ## __VA_ARGS__)
+-#define infofc(p, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__)
++#define infofc(fc, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__)
+
+ /**
+ * warnf - Store supplementary warning message
+--
+2.39.5
+
--- /dev/null
+From 6f583527543466bd7a25bb31b14003202f3174ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 21:21:27 +0200
+Subject: gfs2: Minor do_xmote cancelation fix
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 75bb2ddea9640b663e4b2eaa06e15196f6f11a95 ]
+
+Commit 6cb3b1c2df87 changed how finish_xmote() clears the GLF_LOCK flag,
+but it failed to adjust the equivalent code in do_xmote(). Fix that.
+
+Fixes: 6cb3b1c2df87 ("gfs2: Fix additional unlikely request cancelation race")
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/glock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index ba25b884169e..ea96113edbe3 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -802,7 +802,8 @@ __acquires(&gl->gl_lockref.lock)
+ * We skip telling dlm to do the locking, so we won't get a
+ * reply that would otherwise clear GLF_LOCK. So we clear it here.
+ */
+- clear_bit(GLF_LOCK, &gl->gl_flags);
++ if (!test_bit(GLF_CANCELING, &gl->gl_flags))
++ clear_bit(GLF_LOCK, &gl->gl_flags);
+ clear_bit(GLF_DEMOTE_IN_PROGRESS, &gl->gl_flags);
+ gfs2_glock_queue_work(gl, GL_GLOCK_DFT_HOLD);
+ return;
+--
+2.39.5
+
--- /dev/null
+From 69ddd3167522d403af3d7a13e33bd7f7917df9dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 23:30:32 +0200
+Subject: gfs2: No more self recovery
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit deb016c1669002e48c431d6fd32ea1c20ef41756 ]
+
+When a node withdraws and it turns out that it is the only node that has
+the filesystem mounted, gfs2 currently tries to replay the local journal
+to bring the filesystem back into a consistent state. Not only is that
+a very bad idea, it has also never worked because gfs2_recover_func()
+will refuse to do anything during a withdraw.
+
+However, before even getting to this point, gfs2_recover_func()
+dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before
+commit 04133b607a78 ("gfs2: Prevent double iput for journal on error")
+and is a NULL pointer dereference since then.
+
+Simply get rid of self recovery to fix that.
+
+Fixes: 601ef0d52e96 ("gfs2: Force withdraw to replay journals and wait for it to finish")
+Reported-by: Chunjie Zhu <chunjie.zhu@cloud.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/util.c | 31 +++++++++++--------------------
+ 1 file changed, 11 insertions(+), 20 deletions(-)
+
+diff --git a/fs/gfs2/util.c b/fs/gfs2/util.c
+index d5a1e63fa257..24864a66074b 100644
+--- a/fs/gfs2/util.c
++++ b/fs/gfs2/util.c
+@@ -232,32 +232,23 @@ static void signal_our_withdraw(struct gfs2_sbd *sdp)
+ */
+ ret = gfs2_glock_nq(&sdp->sd_live_gh);
+
++ gfs2_glock_put(live_gl); /* drop extra reference we acquired */
++ clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags);
++
+ /*
+ * If we actually got the "live" lock in EX mode, there are no other
+- * nodes available to replay our journal. So we try to replay it
+- * ourselves. We hold the "live" glock to prevent other mounters
+- * during recovery, then just dequeue it and reacquire it in our
+- * normal SH mode. Just in case the problem that caused us to
+- * withdraw prevents us from recovering our journal (e.g. io errors
+- * and such) we still check if the journal is clean before proceeding
+- * but we may wait forever until another mounter does the recovery.
++ * nodes available to replay our journal.
+ */
+ if (ret == 0) {
+- fs_warn(sdp, "No other mounters found. Trying to recover our "
+- "own journal jid %d.\n", sdp->sd_lockstruct.ls_jid);
+- if (gfs2_recover_journal(sdp->sd_jdesc, 1))
+- fs_warn(sdp, "Unable to recover our journal jid %d.\n",
+- sdp->sd_lockstruct.ls_jid);
+- gfs2_glock_dq_wait(&sdp->sd_live_gh);
+- gfs2_holder_reinit(LM_ST_SHARED,
+- LM_FLAG_NOEXP | GL_EXACT | GL_NOPID,
+- &sdp->sd_live_gh);
+- gfs2_glock_nq(&sdp->sd_live_gh);
++ fs_warn(sdp, "No other mounters found.\n");
++ /*
++ * We are about to release the lockspace. By keeping live_gl
++ * locked here, we ensure that the next mounter coming along
++ * will be a "first" mounter which will perform recovery.
++ */
++ goto skip_recovery;
+ }
+
+- gfs2_glock_put(live_gl); /* drop extra reference we acquired */
+- clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags);
+-
+ /*
+ * At this point our journal is evicted, so we need to get a new inode
+ * for it. Once done, we need to call gfs2_find_jhead which
+--
+2.39.5
+
--- /dev/null
+From 90403ed334e4a892e4c1fb8ac8eab65f817f3cb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 15:19:33 +0800
+Subject: gitignore: allow .pylintrc to be tracked
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 38d573a624a54ccde1384ead8af0780fe4005c2b ]
+
+The .pylintrc file was introduced by commit 02df8e3b333c ("docs: add a
+.pylintrc file with sys path for docs scripts") to provide Python path
+configuration for documentation scripts. However, the generic ".*" rule
+in .gitignore causes this tracked file to be ignored, leading to warnings
+during kernel builds.
+
+Add !.pylintrc to the exception list to explicitly allow this
+configuration file to be tracked by git, consistent with other
+development tool configuration files like .clang-format and .rustfmt.toml.
+
+This resolves the build warning:
+ .pylintrc: warning: ignored by one of the .gitignore files
+
+Fixes: 02df8e3b333c ("docs: add a .pylintrc file with sys path for docs scripts")
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Reviewed-by: Miguel Ojeda <ojeda@kernel.org>
+Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Link: https://lore.kernel.org/r/1A357750FF71847E+20250623071933.311947-1-wangyuli@uniontech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .gitignore | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/.gitignore b/.gitignore
+index bf5ee6e01cd4..929054df5212 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -114,6 +114,7 @@ modules.order
+ !.gitignore
+ !.kunitconfig
+ !.mailmap
++!.pylintrc
+ !.rustfmt.toml
+
+ #
+--
+2.39.5
+
--- /dev/null
+From 38c6ae254573f75b059f854cbb0820787d7a61f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 08:00:32 -0600
+Subject: hfs: make splice write available again
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 4c831f30475a222046ded25560c3810117a6cff6 ]
+
+Since 5.10, splice() or sendfile() return EINVAL. This was
+caused by commit 36e2c7421f02 ("fs: don't allow splice read/write
+without explicit ops").
+
+This patch initializes the splice_write field in file_operations, like
+most file systems do, to restore the functionality.
+
+Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops")
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250529140033.2296791-2-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
+index a81ce7a740b9..451115360f73 100644
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -692,6 +692,7 @@ static const struct file_operations hfs_file_operations = {
+ .write_iter = generic_file_write_iter,
+ .mmap = generic_file_mmap,
+ .splice_read = filemap_splice_read,
++ .splice_write = iter_file_splice_write,
+ .fsync = hfs_file_fsync,
+ .open = hfs_file_open,
+ .release = hfs_file_release,
+--
+2.39.5
+
--- /dev/null
+From 447f1381077b633a72be470e7d33262516551a29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 08:00:31 -0600
+Subject: hfsplus: make splice write available again
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 2eafb669da0bf71fac0838bff13594970674e2b4 ]
+
+Since 5.10, splice() or sendfile() return EINVAL. This was
+caused by commit 36e2c7421f02 ("fs: don't allow splice read/write
+without explicit ops").
+
+This patch initializes the splice_write field in file_operations, like
+most file systems do, to restore the functionality.
+
+Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops")
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250529140033.2296791-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
+index f331e9574217..c85b5802ec0f 100644
+--- a/fs/hfsplus/inode.c
++++ b/fs/hfsplus/inode.c
+@@ -368,6 +368,7 @@ static const struct file_operations hfsplus_file_operations = {
+ .write_iter = generic_file_write_iter,
+ .mmap = generic_file_mmap,
+ .splice_read = filemap_splice_read,
++ .splice_write = iter_file_splice_write,
+ .fsync = hfsplus_file_fsync,
+ .open = hfsplus_file_open,
+ .release = hfsplus_file_release,
+--
+2.39.5
+
--- /dev/null
+From 877d87bfb22d2156fd5e74ff3e2c993414254f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 00:18:06 -0600
+Subject: hfsplus: remove mutex_lock check in hfsplus_free_extents
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit fcb96956c921f1aae7e7b477f2435c56f77a31b4 ]
+
+Syzbot reported an issue in hfsplus filesystem:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346
+ hfsplus_free_extents+0x700/0xad0
+Call Trace:
+<TASK>
+hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606
+hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56
+cont_expand_zero fs/buffer.c:2383 [inline]
+cont_write_begin+0x2cf/0x860 fs/buffer.c:2446
+hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52
+generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347
+hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263
+notify_change+0xe38/0x10f0 fs/attr.c:420
+do_truncate+0x1fb/0x2e0 fs/open.c:65
+do_sys_ftruncate+0x2eb/0x380 fs/open.c:193
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock
+on file truncation") unlock extree before hfsplus_free_extents(),
+and add check wheather extree is locked in hfsplus_free_extents().
+
+However, when operations such as hfsplus_file_release,
+hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed
+concurrently in different files, it is very likely to trigger the
+WARN_ON, which will lead syzbot and xfstest to consider it as an
+abnormality.
+
+The comment above this warning also describes one of the easy
+triggering situations, which can easily trigger and cause
+xfstest&syzbot to report errors.
+
+[task A] [task B]
+->hfsplus_file_release
+ ->hfsplus_file_truncate
+ ->hfs_find_init
+ ->mutex_lock
+ ->mutex_unlock
+ ->hfsplus_write_begin
+ ->hfsplus_get_block
+ ->hfsplus_file_extend
+ ->hfsplus_ext_read_extent
+ ->hfs_find_init
+ ->mutex_lock
+ ->hfsplus_free_extents
+ WARN_ON(mutex_is_locked) !!!
+
+Several threads could try to lock the shared extents tree.
+And warning can be triggered in one thread when another thread
+has locked the tree. This is the wrong behavior of the code and
+we need to remove the warning.
+
+Fixes: 31651c607151f ("hfsplus: avoid deadlock on file truncation")
+Reported-by: syzbot+8c0bc9f818702ff75b76@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/00000000000057fa4605ef101c4c@google.com/
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250529061807.2213498-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/extents.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
+index a6d61685ae79..b1699b3c246a 100644
+--- a/fs/hfsplus/extents.c
++++ b/fs/hfsplus/extents.c
+@@ -342,9 +342,6 @@ static int hfsplus_free_extents(struct super_block *sb,
+ int i;
+ int err = 0;
+
+- /* Mapping the allocation file may lock the extent tree */
+- WARN_ON(mutex_is_locked(&HFSPLUS_SB(sb)->ext_tree->tree_lock));
+-
+ hfsplus_dump_extent(extent);
+ for (i = 0; i < 8; extent++, i++) {
+ count = be32_to_cpu(extent->block_count);
+--
+2.39.5
+
--- /dev/null
+From dc7ec2ebf40c4e1467e11e574dc5113283a3c7aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 20:31:41 +0300
+Subject: hwrng: mtk - handle devm_pm_runtime_enable errors
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit 522a242a18adc5c63a24836715dbeec4dc3faee1 ]
+
+Although unlikely, devm_pm_runtime_enable() call might fail, so handle
+the return value.
+
+Fixes: 78cb66caa6ab ("hwrng: mtk - Use devm_pm_runtime_enable")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/mtk-rng.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/hw_random/mtk-rng.c b/drivers/char/hw_random/mtk-rng.c
+index b7fa1bc1122b..d09a4d813766 100644
+--- a/drivers/char/hw_random/mtk-rng.c
++++ b/drivers/char/hw_random/mtk-rng.c
+@@ -143,7 +143,9 @@ static int mtk_rng_probe(struct platform_device *pdev)
+ dev_set_drvdata(&pdev->dev, priv);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, RNG_AUTOSUSPEND_TIMEOUT);
+ pm_runtime_use_autosuspend(&pdev->dev);
+- devm_pm_runtime_enable(&pdev->dev);
++ ret = devm_pm_runtime_enable(&pdev->dev);
++ if (ret)
++ return ret;
+
+ dev_info(&pdev->dev, "registered RNG driver\n");
+
+--
+2.39.5
+
--- /dev/null
+From 2c8926c0118b76635e99dade844d0f2a4617e055 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jul 2025 21:38:02 +0200
+Subject: i2c: muxes: mule: Fix an error handling path in mule_i2c_mux_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 33ac5155891cab165c93b51b0e22e153eacc2ee7 ]
+
+If an error occurs in the loop that creates the device adapters, then a
+reference to 'dev' still needs to be released.
+
+Use for_each_child_of_node_scoped() to both fix the issue and save one line
+of code.
+
+Fixes: d0f8e97866bf ("i2c: muxes: add support for tsd,mule-i2c multiplexer")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/muxes/i2c-mux-mule.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/muxes/i2c-mux-mule.c b/drivers/i2c/muxes/i2c-mux-mule.c
+index 284ff4afeeac..d3b32b794172 100644
+--- a/drivers/i2c/muxes/i2c-mux-mule.c
++++ b/drivers/i2c/muxes/i2c-mux-mule.c
+@@ -47,7 +47,6 @@ static int mule_i2c_mux_probe(struct platform_device *pdev)
+ struct mule_i2c_reg_mux *priv;
+ struct i2c_client *client;
+ struct i2c_mux_core *muxc;
+- struct device_node *dev;
+ unsigned int readback;
+ int ndev, ret;
+ bool old_fw;
+@@ -95,7 +94,7 @@ static int mule_i2c_mux_probe(struct platform_device *pdev)
+ "Failed to register mux remove\n");
+
+ /* Create device adapters */
+- for_each_child_of_node(mux_dev->of_node, dev) {
++ for_each_child_of_node_scoped(mux_dev->of_node, dev) {
+ u32 reg;
+
+ ret = of_property_read_u32(dev, "reg", ®);
+--
+2.39.5
+
--- /dev/null
+From e90bdbb2637b677b04566026d84ecca7c9b06399 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 11:06:03 +0200
+Subject: i3c: fix module_i3c_i2c_driver() with I3C=n
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 5523a466e905b6287b94654ddb364536f2f948cf ]
+
+When CONFIG_I3C is disabled and the i3c_i2c_driver_register() happens
+to not be inlined, any driver calling it still references the i3c_driver
+instance, which then causes a link failure:
+
+x86_64-linux-ld: drivers/hwmon/lm75.o: in function `lm75_i3c_reg_read':
+lm75.c:(.text+0xc61): undefined reference to `i3cdev_to_dev'
+x86_64-linux-ld: lm75.c:(.text+0xd25): undefined reference to `i3c_device_do_priv_xfers'
+x86_64-linux-ld: lm75.c:(.text+0xdd8): undefined reference to `i3c_device_do_priv_xfers'
+
+This issue was part of the original i3c code, but only now caused problems
+when i3c support got added to lm75.
+
+Change the 'inline' annotations in the header to '__always_inline' to
+ensure that the dead-code-elimination pass in the compiler can optimize
+it out as intended.
+
+Fixes: 6071d10413ff ("hwmon: (lm75) add I3C support for P3T1755")
+Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250725090609.2456262-1-arnd@kernel.org
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/i3c/device.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/i3c/device.h b/include/linux/i3c/device.h
+index b674f64d0822..7f136de4b73e 100644
+--- a/include/linux/i3c/device.h
++++ b/include/linux/i3c/device.h
+@@ -245,7 +245,7 @@ void i3c_driver_unregister(struct i3c_driver *drv);
+ *
+ * Return: 0 if both registrations succeeds, a negative error code otherwise.
+ */
+-static inline int i3c_i2c_driver_register(struct i3c_driver *i3cdrv,
++static __always_inline int i3c_i2c_driver_register(struct i3c_driver *i3cdrv,
+ struct i2c_driver *i2cdrv)
+ {
+ int ret;
+@@ -270,7 +270,7 @@ static inline int i3c_i2c_driver_register(struct i3c_driver *i3cdrv,
+ * Note that when CONFIG_I3C is not enabled, this function only unregisters the
+ * @i2cdrv.
+ */
+-static inline void i3c_i2c_driver_unregister(struct i3c_driver *i3cdrv,
++static __always_inline void i3c_i2c_driver_unregister(struct i3c_driver *i3cdrv,
+ struct i2c_driver *i2cdrv)
+ {
+ if (IS_ENABLED(CONFIG_I3C))
+--
+2.39.5
+
--- /dev/null
+From 8dcad628031103888cb65e850e7e36316c0afb09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jul 2025 08:37:19 +0800
+Subject: i3c: master: svc: Fix npcm845 FIFO_EMPTY quirk
+
+From: Stanley Chu <yschu@nuvoton.com>
+
+[ Upstream commit bc4a09d8e79cadccdd505f47b01903a80bc666e7 ]
+
+In a private write transfer, the driver pre-fills the FIFO to work around
+the FIFO_EMPTY quirk. However, if an IBIWON event occurs, the hardware
+emits a NACK and the driver initiates a retry. During the retry, driver
+attempts to pre-fill the FIFO again if there is remaining data, but since
+the FIFO is already full, this leads to data loss.
+
+Check available space in FIFO to prevent overflow.
+
+Fixes: 4008a74e0f9b ("i3c: master: svc: Fix npcm845 FIFO empty issue")
+Signed-off-by: Stanley Chu <yschu@nuvoton.com>
+Link: https://lore.kernel.org/r/20250730003719.1825593-1-yschu@nuvoton.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master/svc-i3c-master.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
+index 7e1a7cb94b43..ece563353895 100644
+--- a/drivers/i3c/master/svc-i3c-master.c
++++ b/drivers/i3c/master/svc-i3c-master.c
+@@ -104,6 +104,7 @@
+ #define SVC_I3C_MDATACTRL_TXTRIG_FIFO_NOT_FULL GENMASK(5, 4)
+ #define SVC_I3C_MDATACTRL_RXTRIG_FIFO_NOT_EMPTY 0
+ #define SVC_I3C_MDATACTRL_RXCOUNT(x) FIELD_GET(GENMASK(28, 24), (x))
++#define SVC_I3C_MDATACTRL_TXCOUNT(x) FIELD_GET(GENMASK(20, 16), (x))
+ #define SVC_I3C_MDATACTRL_TXFULL BIT(30)
+ #define SVC_I3C_MDATACTRL_RXEMPTY BIT(31)
+
+@@ -1304,14 +1305,19 @@ static int svc_i3c_master_xfer(struct svc_i3c_master *master,
+ * FIFO start filling as soon as possible after EmitStartAddr.
+ */
+ if (svc_has_quirk(master, SVC_I3C_QUIRK_FIFO_EMPTY) && !rnw && xfer_len) {
+- u32 end = xfer_len > SVC_I3C_FIFO_SIZE ? 0 : SVC_I3C_MWDATAB_END;
+- u32 len = min_t(u32, xfer_len, SVC_I3C_FIFO_SIZE);
+-
+- writesb(master->regs + SVC_I3C_MWDATAB1, out, len - 1);
+- /* Mark END bit if this is the last byte */
+- writel(out[len - 1] | end, master->regs + SVC_I3C_MWDATAB);
+- xfer_len -= len;
+- out += len;
++ u32 space, end, len;
++
++ reg = readl(master->regs + SVC_I3C_MDATACTRL);
++ space = SVC_I3C_FIFO_SIZE - SVC_I3C_MDATACTRL_TXCOUNT(reg);
++ if (space) {
++ end = xfer_len > space ? 0 : SVC_I3C_MWDATAB_END;
++ len = min_t(u32, xfer_len, space);
++ writesb(master->regs + SVC_I3C_MWDATAB1, out, len - 1);
++ /* Mark END bit if this is the last byte */
++ writel(out[len - 1] | end, master->regs + SVC_I3C_MWDATAB);
++ xfer_len -= len;
++ out += len;
++ }
+ }
+
+ ret = readl_poll_timeout(master->regs + SVC_I3C_MSTATUS, reg,
+--
+2.39.5
+
--- /dev/null
+From 1904e202773544a9159defc8b10a62b31facb735 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 22:23:27 +0800
+Subject: igb: xsk: solve negative overflow of nb_pkts in zerocopy mode
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 3b7c13dfdcc26a78756cc17a23cdf4310c5a24a9 ]
+
+There is no break time in the while() loop, so every time at the end of
+igb_xmit_zc(), negative overflow of nb_pkts will occur, which renders
+the return value always false. But theoretically, the result should be
+set after calling xsk_tx_peek_release_desc_batch(). We can take
+i40e_xmit_zc() as a good example.
+
+Returning false means we're not done with transmission and we need one
+more poll, which is exactly what igb_xmit_zc() always did before this
+patch. After this patch, the return value depends on the nb_pkts value.
+Two cases might happen then:
+1. if (nb_pkts < budget), it means we process all the possible data, so
+ return true and no more necessary poll will be triggered because of
+ this.
+2. if (nb_pkts == budget), it means we might have more data, so return
+ false to let another poll run again.
+
+Fixes: f8e284a02afc ("igb: Add AF_XDP zero-copy Tx support")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Link: https://patch.msgid.link/20250723142327.85187-3-kerneljasonxing@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_xsk.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_xsk.c b/drivers/net/ethernet/intel/igb/igb_xsk.c
+index 5cf67ba29269..30ce5fbb5b77 100644
+--- a/drivers/net/ethernet/intel/igb/igb_xsk.c
++++ b/drivers/net/ethernet/intel/igb/igb_xsk.c
+@@ -482,7 +482,7 @@ bool igb_xmit_zc(struct igb_ring *tx_ring, struct xsk_buff_pool *xsk_pool)
+ if (!nb_pkts)
+ return true;
+
+- while (nb_pkts-- > 0) {
++ for (; i < nb_pkts; i++) {
+ dma = xsk_buff_raw_get_dma(xsk_pool, descs[i].addr);
+ xsk_buff_raw_dma_sync_for_device(xsk_pool, dma, descs[i].len);
+
+@@ -512,7 +512,6 @@ bool igb_xmit_zc(struct igb_ring *tx_ring, struct xsk_buff_pool *xsk_pool)
+
+ total_bytes += descs[i].len;
+
+- i++;
+ tx_ring->next_to_use++;
+ tx_buffer_info->next_to_watch = tx_desc;
+ if (tx_ring->next_to_use == tx_ring->count)
+--
+2.39.5
+
--- /dev/null
+From 08002a0f074f6f612beca5ff685f4c5786dc98df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 21:37:56 +0200
+Subject: interconnect: qcom: qcs615: Drop IP0 interconnects
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit cbabc73e85be9e706a5051c9416de4a8d391cf57 ]
+
+In the same spirit as e.g. Commit b136d257ee0b ("interconnect: qcom:
+sc8280xp: Drop IP0 interconnects"), drop the resources that should be
+taken care of through the clk-rpmh driver.
+
+Fixes: 77d79677b04b ("interconnect: qcom: add QCS615 interconnect provider driver")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250627-topic-qcs615_icc_ipa-v1-2-dc47596cde69@oss.qualcomm.com
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/qcs615.c | 42 ------------------------------
+ 1 file changed, 42 deletions(-)
+
+diff --git a/drivers/interconnect/qcom/qcs615.c b/drivers/interconnect/qcom/qcs615.c
+index 7e59e91ce886..0549cfcbac64 100644
+--- a/drivers/interconnect/qcom/qcs615.c
++++ b/drivers/interconnect/qcom/qcs615.c
+@@ -342,15 +342,6 @@ static struct qcom_icc_node qnm_snoc_sf = {
+ .links = { QCS615_SLAVE_LLCC },
+ };
+
+-static struct qcom_icc_node ipa_core_master = {
+- .name = "ipa_core_master",
+- .id = QCS615_MASTER_IPA_CORE,
+- .channels = 1,
+- .buswidth = 8,
+- .num_links = 1,
+- .links = { QCS615_SLAVE_IPA_CORE },
+-};
+-
+ static struct qcom_icc_node llcc_mc = {
+ .name = "llcc_mc",
+ .id = QCS615_MASTER_LLCC,
+@@ -942,14 +933,6 @@ static struct qcom_icc_node srvc_gemnoc = {
+ .num_links = 0,
+ };
+
+-static struct qcom_icc_node ipa_core_slave = {
+- .name = "ipa_core_slave",
+- .id = QCS615_SLAVE_IPA_CORE,
+- .channels = 1,
+- .buswidth = 8,
+- .num_links = 0,
+-};
+-
+ static struct qcom_icc_node ebi = {
+ .name = "ebi",
+ .id = QCS615_SLAVE_EBI1,
+@@ -1113,12 +1096,6 @@ static struct qcom_icc_bcm bcm_cn1 = {
+ &qhs_sdc1, &qhs_sdc2 },
+ };
+
+-static struct qcom_icc_bcm bcm_ip0 = {
+- .name = "IP0",
+- .num_nodes = 1,
+- .nodes = { &ipa_core_slave },
+-};
+-
+ static struct qcom_icc_bcm bcm_mc0 = {
+ .name = "MC0",
+ .keepalive = true,
+@@ -1260,7 +1237,6 @@ static struct qcom_icc_bcm * const aggre1_noc_bcms[] = {
+ &bcm_qup0,
+ &bcm_sn3,
+ &bcm_sn14,
+- &bcm_ip0,
+ };
+
+ static struct qcom_icc_node * const aggre1_noc_nodes[] = {
+@@ -1411,22 +1387,6 @@ static const struct qcom_icc_desc qcs615_gem_noc = {
+ .num_bcms = ARRAY_SIZE(gem_noc_bcms),
+ };
+
+-static struct qcom_icc_bcm * const ipa_virt_bcms[] = {
+- &bcm_ip0,
+-};
+-
+-static struct qcom_icc_node * const ipa_virt_nodes[] = {
+- [MASTER_IPA_CORE] = &ipa_core_master,
+- [SLAVE_IPA_CORE] = &ipa_core_slave,
+-};
+-
+-static const struct qcom_icc_desc qcs615_ipa_virt = {
+- .nodes = ipa_virt_nodes,
+- .num_nodes = ARRAY_SIZE(ipa_virt_nodes),
+- .bcms = ipa_virt_bcms,
+- .num_bcms = ARRAY_SIZE(ipa_virt_bcms),
+-};
+-
+ static struct qcom_icc_bcm * const mc_virt_bcms[] = {
+ &bcm_acv,
+ &bcm_mc0,
+@@ -1525,8 +1485,6 @@ static const struct of_device_id qnoc_of_match[] = {
+ .data = &qcs615_dc_noc},
+ { .compatible = "qcom,qcs615-gem-noc",
+ .data = &qcs615_gem_noc},
+- { .compatible = "qcom,qcs615-ipa-virt",
+- .data = &qcs615_ipa_virt},
+ { .compatible = "qcom,qcs615-mc-virt",
+ .data = &qcs615_mc_virt},
+ { .compatible = "qcom,qcs615-mmss-noc",
+--
+2.39.5
+
--- /dev/null
+From fe55d1c06474fc1a1a7afcb2ed01492d84fc8252 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 19:35:14 +0300
+Subject: interconnect: qcom: sc8180x: specify num_nodes
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 7e0b59496a02d25828612721e846ea4b717a97b9 ]
+
+Specify .num_nodes for several BCMs which missed this declaration.
+
+Fixes: 04548d4e2798 ("interconnect: qcom: sc8180x: Reformat node and bcm definitions")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250704-rework-icc-v2-2-875fac996ef5@oss.qualcomm.com
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/sc8180x.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/interconnect/qcom/sc8180x.c b/drivers/interconnect/qcom/sc8180x.c
+index a741badaa966..4dd1d2f2e821 100644
+--- a/drivers/interconnect/qcom/sc8180x.c
++++ b/drivers/interconnect/qcom/sc8180x.c
+@@ -1492,34 +1492,40 @@ static struct qcom_icc_bcm bcm_sh3 = {
+
+ static struct qcom_icc_bcm bcm_sn0 = {
+ .name = "SN0",
++ .num_nodes = 1,
+ .nodes = { &slv_qns_gemnoc_sf }
+ };
+
+ static struct qcom_icc_bcm bcm_sn1 = {
+ .name = "SN1",
++ .num_nodes = 1,
+ .nodes = { &slv_qxs_imem }
+ };
+
+ static struct qcom_icc_bcm bcm_sn2 = {
+ .name = "SN2",
+ .keepalive = true,
++ .num_nodes = 1,
+ .nodes = { &slv_qns_gemnoc_gc }
+ };
+
+ static struct qcom_icc_bcm bcm_co2 = {
+ .name = "CO2",
++ .num_nodes = 1,
+ .nodes = { &mas_qnm_npu }
+ };
+
+ static struct qcom_icc_bcm bcm_sn3 = {
+ .name = "SN3",
+ .keepalive = true,
++ .num_nodes = 2,
+ .nodes = { &slv_srvc_aggre1_noc,
+ &slv_qns_cnoc }
+ };
+
+ static struct qcom_icc_bcm bcm_sn4 = {
+ .name = "SN4",
++ .num_nodes = 1,
+ .nodes = { &slv_qxs_pimem }
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 8dfac6c03ac51118cd3b82a7a47b6e34f3ce5bbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 19:35:13 +0300
+Subject: interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 02ee375506dceb7d32007821a2bff31504d64b99 ]
+
+The qnm_a1noc_cfg declaration didn't include .num_links definition, fix
+it.
+
+Fixes: f29dabda7917 ("interconnect: qcom: Add SC8280XP interconnect provider")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250704-rework-icc-v2-1-875fac996ef5@oss.qualcomm.com
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/sc8280xp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/interconnect/qcom/sc8280xp.c b/drivers/interconnect/qcom/sc8280xp.c
+index 0270f6c64481..c646cdf8a19b 100644
+--- a/drivers/interconnect/qcom/sc8280xp.c
++++ b/drivers/interconnect/qcom/sc8280xp.c
+@@ -48,6 +48,7 @@ static struct qcom_icc_node qnm_a1noc_cfg = {
+ .id = SC8280XP_MASTER_A1NOC_CFG,
+ .channels = 1,
+ .buswidth = 4,
++ .num_links = 1,
+ .links = { SC8280XP_SLAVE_SERVICE_A1NOC },
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 84443984a3f012717f56718935ecd8b555e0bde5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jul 2025 18:04:56 -0700
+Subject: io_uring: fix breakage in EXPERT menu
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit d1fbe1ebf4a12cabd7945335d5e47718cb2bef99 ]
+
+Add a dependency for IO_URING for the GCOV_PROFILE_URING symbol.
+
+Without this patch the EXPERT config menu ends with
+"Enable IO uring support" and the menu prompts for
+GCOV_PROFILE_URING and IO_URING_MOCK_FILE are not subordinate to it.
+This causes all of the EXPERT Kconfig options that follow
+GCOV_PROFILE_URING to be display in the "upper" menu (General setup),
+just following the EXPERT menu.
+
+Fixes: 1802656ef890 ("io_uring: add GCOV_PROFILE_URING Kconfig option")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: io-uring@vger.kernel.org
+Link: https://lore.kernel.org/r/20250720010456.2945344-1-rdunlap@infradead.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 666783eb50ab..2e15b4a8478e 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1794,7 +1794,7 @@ config IO_URING
+
+ config GCOV_PROFILE_URING
+ bool "Enable GCOV profiling on the io_uring subsystem"
+- depends on GCOV_KERNEL
++ depends on IO_URING && GCOV_KERNEL
+ help
+ Enable GCOV profiling on the io_uring subsystem, to facilitate
+ code coverage testing.
+--
+2.39.5
+
--- /dev/null
+From fcbd6c851c82333e749951099104b0fbc9083f37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 08:54:33 -0700
+Subject: iommu/amd: Enable PASID and ATS capabilities in the correct order
+
+From: Easwar Hariharan <eahariha@linux.microsoft.com>
+
+[ Upstream commit c694bc8b612ddd0dd70e122a00f39cb1e2e6927f ]
+
+Per the PCIe spec, behavior of the PASID capability is undefined if the
+value of the PASID Enable bit changes while the Enable bit of the
+function's ATS control register is Set. Unfortunately,
+pdev_enable_caps() does exactly that by ordering enabling ATS for the
+device before enabling PASID.
+
+Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Cc: Vasant Hegde <vasant.hegde@amd.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Jerry Snitselaar <jsnitsel@redhat.com>
+Fixes: eda8c2860ab679 ("iommu/amd: Enable device ATS/PASID/PRI capabilities independently")
+Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/20250703155433.6221-1-eahariha@linux.microsoft.com
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index 3117d99cf83d..8b8d3e843743 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -634,8 +634,8 @@ static inline void pdev_disable_cap_pasid(struct pci_dev *pdev)
+
+ static void pdev_enable_caps(struct pci_dev *pdev)
+ {
+- pdev_enable_cap_ats(pdev);
+ pdev_enable_cap_pasid(pdev);
++ pdev_enable_cap_ats(pdev);
+ pdev_enable_cap_pri(pdev);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From ba0c3a57f0858f15fd8723dcbe21a3a0a7330b48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 20:58:05 -0300
+Subject: iommu/amd: Fix geometry.aperture_end for V2 tables
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 8637afa79cfa6123f602408cfafe8c9a73620ff1 ]
+
+The AMD IOMMU documentation seems pretty clear that the V2 table follows
+the normal CPU expectation of sign extension. This is shown in
+
+ Figure 25: AMD64 Long Mode 4-Kbyte Page Address Translation
+
+Where bits Sign-Extend [63:57] == [56]. This is typical for x86 which
+would have three regions in the page table: lower, non-canonical, upper.
+
+The manual describes that the V1 table does not sign extend in section
+2.2.4 Sharing AMD64 Processor and IOMMU Page Tables GPA-to-SPA
+
+Further, Vasant has checked this and indicates the HW has an addtional
+behavior that the manual does not yet describe. The AMDv2 table does not
+have the sign extended behavior when attached to PASID 0, which may
+explain why this has gone unnoticed.
+
+The iommu domain geometry does not directly support sign extended page
+tables. The driver should report only one of the lower/upper spaces. Solve
+this by removing the top VA bit from the geometry to use only the lower
+space.
+
+This will also make the iommu_domain work consistently on all PASID 0 and
+PASID != 1.
+
+Adjust dma_max_address() to remove the top VA bit. It now returns:
+
+5 Level:
+ Before 0x1ffffffffffffff
+ After 0x0ffffffffffffff
+4 Level:
+ Before 0xffffffffffff
+ After 0x7fffffffffff
+
+Fixes: 11c439a19466 ("iommu/amd/pgtbl_v2: Fix domain max address")
+Link: https://lore.kernel.org/all/8858d4d6-d360-4ef0-935c-bfd13ea54f42@amd.com/
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/0-v2-0615cc99b88a+1ce-amdv2_geo_jgg@nvidia.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index 8b8d3e843743..aea061f26de3 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2526,8 +2526,21 @@ static inline u64 dma_max_address(enum protection_domain_mode pgtable)
+ if (pgtable == PD_MODE_V1)
+ return ~0ULL;
+
+- /* V2 with 4/5 level page table */
+- return ((1ULL << PM_LEVEL_SHIFT(amd_iommu_gpt_level)) - 1);
++ /*
++ * V2 with 4/5 level page table. Note that "2.2.6.5 AMD64 4-Kbyte Page
++ * Translation" shows that the V2 table sign extends the top of the
++ * address space creating a reserved region in the middle of the
++ * translation, just like the CPU does. Further Vasant says the docs are
++ * incomplete and this only applies to non-zero PASIDs. If the AMDv2
++ * page table is assigned to the 0 PASID then there is no sign extension
++ * check.
++ *
++ * Since the IOMMU must have a fixed geometry, and the core code does
++ * not understand sign extended addressing, we have to chop off the high
++ * bit to get consistent behavior with attachments of the domain to any
++ * PASID.
++ */
++ return ((1ULL << (PM_LEVEL_SHIFT(amd_iommu_gpt_level) - 1)) - 1);
+ }
+
+ static bool amd_iommu_hd_support(struct amd_iommu *iommu)
+--
+2.39.5
+
--- /dev/null
+From f9a9f52c92756915706824069582f2504de6ab64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jul 2025 19:08:33 +0300
+Subject: iommu/arm-smmu: disable PRR on SM8250
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit b9bb7e814cd0c3633791327a96749a1f9b7f3ef4 ]
+
+On SM8250 / QRB5165-RB5 using PRR bits resets the device, most likely
+because of the hyp limitations. Disable PRR support on that platform.
+
+Fixes: 7f2ef1bfc758 ("iommu/arm-smmu: Add support for PRR bit setup")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Reviewed-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250705-iommu-fix-prr-v2-1-406fecc37cf8@oss.qualcomm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+index 62874b18f645..53d88646476e 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -355,7 +355,8 @@ static int qcom_adreno_smmu_init_context(struct arm_smmu_domain *smmu_domain,
+ priv->set_prr_addr = NULL;
+
+ if (of_device_is_compatible(np, "qcom,smmu-500") &&
+- of_device_is_compatible(np, "qcom,adreno-smmu")) {
++ !of_device_is_compatible(np, "qcom,sm8250-smmu-500") &&
++ of_device_is_compatible(np, "qcom,adreno-smmu")) {
+ priv->set_prr_bit = qcom_adreno_smmu_set_prr_bit;
+ priv->set_prr_addr = qcom_adreno_smmu_set_prr_addr;
+ }
+--
+2.39.5
+
--- /dev/null
+From 4816e28df4d7794bb75806076f5473a4802e38d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 12:50:22 +0800
+Subject: iommu/vt-d: Do not wipe out the page table NID when devices detach
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 5c3687d5789cfff8d285a2c76bceb47f145bf01f ]
+
+The NID is used to control which NUMA node memory for the page table is
+allocated it from. It should be a permanent property of the page table
+when it was allocated and not change during attach/detach of devices.
+
+Reviewed-by: Wei Wang <wei.w.wang@intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/3-v3-dbbe6f7e7ae3+124ffe-vtd_prep_jgg@nvidia.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Fixes: 7c204426b818 ("iommu/vt-d: Add domain_alloc_paging support")
+Link: https://lore.kernel.org/r/20250714045028.958850-6-baolu.lu@linux.intel.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/iommu.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 148b944143b8..72b477911fdb 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -1391,7 +1391,6 @@ void domain_detach_iommu(struct dmar_domain *domain, struct intel_iommu *iommu)
+ if (--info->refcnt == 0) {
+ ida_free(&iommu->domain_ida, info->did);
+ xa_erase(&domain->iommu_array, iommu->seq_id);
+- domain->nid = NUMA_NO_NODE;
+ kfree(info);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 2ce8808f83bde6701249c8ba989c3d83d67fb616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 12:50:27 +0800
+Subject: iommu/vt-d: Fix missing PASID in dev TLB flush with
+ cache_tag_flush_all
+
+From: Ethan Milon <ethan.milon@eviden.com>
+
+[ Upstream commit 3141153816bf4f0257747bd4dda176d38f1a9a49 ]
+
+The function cache_tag_flush_all() was originally implemented with
+incorrect device TLB invalidation logic that does not handle PASID, in
+commit c4d27ffaa8eb ("iommu/vt-d: Add cache tag invalidation helpers")
+
+This causes regressions where full address space TLB invalidations occur
+with a PASID attached, such as during transparent hugepage unmapping in
+SVA configurations or when calling iommu_flush_iotlb_all(). In these
+cases, the device receives a TLB invalidation that lacks PASID.
+
+This incorrect logic was later extracted into
+cache_tag_flush_devtlb_all(), in commit 3297d047cd7f ("iommu/vt-d:
+Refactor IOTLB and Dev-IOTLB flush for batching")
+
+The fix replaces the call to cache_tag_flush_devtlb_all() with
+cache_tag_flush_devtlb_psi(), which properly handles PASID.
+
+Fixes: 4f609dbff51b ("iommu/vt-d: Use cache helpers in arch_invalidate_secondary_tlbs")
+Fixes: 4e589a53685c ("iommu/vt-d: Use cache_tag_flush_all() in flush_iotlb_all")
+Signed-off-by: Ethan Milon <ethan.milon@eviden.com>
+Link: https://lore.kernel.org/r/20250708214821.30967-1-ethan.milon@eviden.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/20250714045028.958850-11-baolu.lu@linux.intel.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/cache.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/drivers/iommu/intel/cache.c b/drivers/iommu/intel/cache.c
+index 47692cbfaabd..c8b79de84d3f 100644
+--- a/drivers/iommu/intel/cache.c
++++ b/drivers/iommu/intel/cache.c
+@@ -422,22 +422,6 @@ static void cache_tag_flush_devtlb_psi(struct dmar_domain *domain, struct cache_
+ domain->qi_batch);
+ }
+
+-static void cache_tag_flush_devtlb_all(struct dmar_domain *domain, struct cache_tag *tag)
+-{
+- struct intel_iommu *iommu = tag->iommu;
+- struct device_domain_info *info;
+- u16 sid;
+-
+- info = dev_iommu_priv_get(tag->dev);
+- sid = PCI_DEVID(info->bus, info->devfn);
+-
+- qi_batch_add_dev_iotlb(iommu, sid, info->pfsid, info->ats_qdep, 0,
+- MAX_AGAW_PFN_WIDTH, domain->qi_batch);
+- if (info->dtlb_extra_inval)
+- qi_batch_add_dev_iotlb(iommu, sid, info->pfsid, info->ats_qdep, 0,
+- MAX_AGAW_PFN_WIDTH, domain->qi_batch);
+-}
+-
+ /*
+ * Invalidates a range of IOVA from @start (inclusive) to @end (inclusive)
+ * when the memory mappings in the target domain have been modified.
+@@ -508,7 +492,7 @@ void cache_tag_flush_all(struct dmar_domain *domain)
+ break;
+ case CACHE_TAG_DEVTLB:
+ case CACHE_TAG_NESTING_DEVTLB:
+- cache_tag_flush_devtlb_all(domain, tag);
++ cache_tag_flush_devtlb_psi(domain, tag, 0, MAX_AGAW_PFN_WIDTH);
+ break;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5930b4fbaff79c9b60c9fe654f5f77a24630e194 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 15:20:45 +0800
+Subject: iommu/vt-d: Fix UAF on sva unbind with pending IOPFs
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+[ Upstream commit f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2 ]
+
+Commit 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach
+path") disables IOPF on device by removing the device from its IOMMU's
+IOPF queue when the last IOPF-capable domain is detached from the device.
+Unfortunately, it did this in a wrong place where there are still pending
+IOPFs. As a result, a use-after-free error is potentially triggered and
+eventually a kernel panic with a kernel trace similar to the following:
+
+ refcount_t: underflow; use-after-free.
+ WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0
+ Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf
+ Call Trace:
+ <TASK>
+ iopf_free_group+0xe/0x20
+ process_one_work+0x197/0x3d0
+ worker_thread+0x23a/0x350
+ ? rescuer_thread+0x4a0/0x4a0
+ kthread+0xf8/0x230
+ ? finish_task_switch.isra.0+0x81/0x260
+ ? kthreads_online_cpu+0x110/0x110
+ ? kthreads_online_cpu+0x110/0x110
+ ret_from_fork+0x13b/0x170
+ ? kthreads_online_cpu+0x110/0x110
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+
+The intel_pasid_tear_down_entry() function is responsible for blocking
+hardware from generating new page faults and flushing all in-flight
+ones. Therefore, moving iopf_for_domain_remove() after this function
+should resolve this.
+
+Fixes: 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach path")
+Reported-by: Ethan Milon <ethan.milon@eviden.com>
+Closes: https://lore.kernel.org/r/e8b37f3e-8539-40d4-8993-43a1f3ffe5aa@eviden.com
+Suggested-by: Ethan Milon <ethan.milon@eviden.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/20250723072045.1853328-1-baolu.lu@linux.intel.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 72b477911fdb..c0be0b64e4c7 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -3999,8 +3999,8 @@ static int blocking_domain_set_dev_pasid(struct iommu_domain *domain,
+ {
+ struct device_domain_info *info = dev_iommu_priv_get(dev);
+
+- iopf_for_domain_remove(old, dev);
+ intel_pasid_tear_down_entry(info->iommu, dev, pasid, false);
++ iopf_for_domain_remove(old, dev);
+ domain_remove_dev_pasid(old, dev, pasid);
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 9d870deffda40eff7b578880b77cac66f9056dfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:07:22 +0000
+Subject: ipv6: add a retry logic in net6_rt_notify()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ea2f921db7a483a526058c5b5b8162edd88dabe5 ]
+
+inet6_rt_notify() can be called under RCU protection only.
+This means the route could be changed concurrently
+and rt6_fill_node() could return -EMSGSIZE.
+
+Re-size the skb when this happens and retry, removing
+one WARN_ON() that syzbot was able to trigger:
+
+WARNING: CPU: 3 PID: 6291 at net/ipv6/route.c:6342 inet6_rt_notify+0x475/0x4b0 net/ipv6/route.c:6342
+Modules linked in:
+CPU: 3 UID: 0 PID: 6291 Comm: syz.0.77 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+ RIP: 0010:inet6_rt_notify+0x475/0x4b0 net/ipv6/route.c:6342
+Code: fc ff ff e8 6d 52 ea f7 e9 47 fc ff ff 48 8b 7c 24 08 4c 89 04 24 e8 5a 52 ea f7 4c 8b 04 24 e9 94 fd ff ff e8 9c fe 84 f7 90 <0f> 0b 90 e9 bd fd ff ff e8 6e 52 ea f7 e9 bb fb ff ff 48 89 df e8
+RSP: 0018:ffffc900035cf1d8 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffffc900035cf540 RCX: ffffffff8a36e790
+RDX: ffff88802f7e8000 RSI: ffffffff8a36e9d4 RDI: 0000000000000005
+RBP: ffff88803c230f00 R08: 0000000000000005 R09: 00000000ffffffa6
+R10: 00000000ffffffa6 R11: 0000000000000001 R12: 00000000ffffffa6
+R13: 0000000000000900 R14: ffff888032ea4100 R15: 0000000000000000
+FS: 00007fac7b89a6c0(0000) GS:ffff8880d6a20000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fac7b899f98 CR3: 0000000034b3f000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ ip6_route_mpath_notify+0xde/0x280 net/ipv6/route.c:5356
+ ip6_route_multipath_add+0x1181/0x1bd0 net/ipv6/route.c:5536
+ inet6_rtm_newroute+0xe4/0x1a0 net/ipv6/route.c:5647
+ rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6944
+ netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x58d/0x850 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:712 [inline]
+ __sock_sendmsg net/socket.c:727 [inline]
+ ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
+ ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
+
+Fixes: 169fd62799e8 ("ipv6: Get rid of RTNL for SIOCADDRT and RTM_NEWROUTE.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://patch.msgid.link/20250725140725.3626540-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 7b9e49be7164..38016f5b2291 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -6321,8 +6321,9 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
+ void inet6_rt_notify(int event, struct fib6_info *rt, struct nl_info *info,
+ unsigned int nlm_flags)
+ {
+- struct sk_buff *skb;
+ struct net *net = info->nl_net;
++ struct sk_buff *skb;
++ size_t sz;
+ u32 seq;
+ int err;
+
+@@ -6330,17 +6331,21 @@ void inet6_rt_notify(int event, struct fib6_info *rt, struct nl_info *info,
+ seq = info->nlh ? info->nlh->nlmsg_seq : 0;
+
+ rcu_read_lock();
+-
+- skb = nlmsg_new(rt6_nlmsg_size(rt), GFP_ATOMIC);
++ sz = rt6_nlmsg_size(rt);
++retry:
++ skb = nlmsg_new(sz, GFP_ATOMIC);
+ if (!skb)
+ goto errout;
+
+ err = rt6_fill_node(net, skb, rt, NULL, NULL, NULL, 0,
+ event, info->portid, seq, nlm_flags);
+ if (err < 0) {
+- /* -EMSGSIZE implies BUG in rt6_nlmsg_size() */
+- WARN_ON(err == -EMSGSIZE);
+ kfree_skb(skb);
++ /* -EMSGSIZE implies needed space grew under us. */
++ if (err == -EMSGSIZE) {
++ sz = max(rt6_nlmsg_size(rt), sz << 1);
++ goto retry;
++ }
+ goto errout;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 366c3f378ea68784e8d6c6fb89793d11da52acf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:07:25 +0000
+Subject: ipv6: annotate data-races around rt->fib6_nsiblings
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 31d7d67ba1274f42494256d52e86da80ed09f3cb ]
+
+rt->fib6_nsiblings can be read locklessly, add corresponding
+READ_ONCE() and WRITE_ONCE() annotations.
+
+Fixes: 66f5d6ce53e6 ("ipv6: replace rwlock with rcu and spinlock in fib6_table")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250725140725.3626540-5-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_fib.c | 20 +++++++++++++-------
+ net/ipv6/route.c | 5 +++--
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index af7db69d9eac..4d68bd853dba 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -445,15 +445,17 @@ struct fib6_dump_arg {
+ static int fib6_rt_dump(struct fib6_info *rt, struct fib6_dump_arg *arg)
+ {
+ enum fib_event_type fib_event = FIB_EVENT_ENTRY_REPLACE;
++ unsigned int nsiblings;
+ int err;
+
+ if (!rt || rt == arg->net->ipv6.fib6_null_entry)
+ return 0;
+
+- if (rt->fib6_nsiblings)
++ nsiblings = READ_ONCE(rt->fib6_nsiblings);
++ if (nsiblings)
+ err = call_fib6_multipath_entry_notifier(arg->nb, fib_event,
+ rt,
+- rt->fib6_nsiblings,
++ nsiblings,
+ arg->extack);
+ else
+ err = call_fib6_entry_notifier(arg->nb, fib_event, rt,
+@@ -1138,7 +1140,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+
+ if (rt6_duplicate_nexthop(iter, rt)) {
+ if (rt->fib6_nsiblings)
+- rt->fib6_nsiblings = 0;
++ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ if (!(iter->fib6_flags & RTF_EXPIRES))
+ return -EEXIST;
+ if (!(rt->fib6_flags & RTF_EXPIRES)) {
+@@ -1167,7 +1169,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+ */
+ if (rt_can_ecmp &&
+ rt6_qualify_for_ecmp(iter))
+- rt->fib6_nsiblings++;
++ WRITE_ONCE(rt->fib6_nsiblings,
++ rt->fib6_nsiblings + 1);
+ }
+
+ if (iter->fib6_metric > rt->fib6_metric)
+@@ -1217,7 +1220,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+ fib6_nsiblings = 0;
+ list_for_each_entry_safe(sibling, temp_sibling,
+ &rt->fib6_siblings, fib6_siblings) {
+- sibling->fib6_nsiblings++;
++ WRITE_ONCE(sibling->fib6_nsiblings,
++ sibling->fib6_nsiblings + 1);
+ BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings);
+ fib6_nsiblings++;
+ }
+@@ -1264,7 +1268,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+ list_for_each_entry_safe(sibling, next_sibling,
+ &rt->fib6_siblings,
+ fib6_siblings)
+- sibling->fib6_nsiblings--;
++ WRITE_ONCE(sibling->fib6_nsiblings,
++ sibling->fib6_nsiblings - 1);
+ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ list_del_rcu(&rt->fib6_siblings);
+ rcu_read_lock();
+@@ -2014,7 +2019,8 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn,
+ notify_del = true;
+ list_for_each_entry_safe(sibling, next_sibling,
+ &rt->fib6_siblings, fib6_siblings)
+- sibling->fib6_nsiblings--;
++ WRITE_ONCE(sibling->fib6_nsiblings,
++ sibling->fib6_nsiblings - 1);
+ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ list_del_rcu(&rt->fib6_siblings);
+ rt6_multipath_rebalance(next_sibling);
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index bf71c8ce002f..8adae86fbe72 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5346,7 +5346,8 @@ static void ip6_route_mpath_notify(struct fib6_info *rt,
+ */
+ rcu_read_lock();
+
+- if ((nlflags & NLM_F_APPEND) && rt_last && rt_last->fib6_nsiblings) {
++ if ((nlflags & NLM_F_APPEND) && rt_last &&
++ READ_ONCE(rt_last->fib6_nsiblings)) {
+ rt = list_first_or_null_rcu(&rt_last->fib6_siblings,
+ struct fib6_info,
+ fib6_siblings);
+@@ -5856,7 +5857,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
+ if (dst->lwtstate &&
+ lwtunnel_fill_encap(skb, dst->lwtstate, RTA_ENCAP, RTA_ENCAP_TYPE) < 0)
+ goto nla_put_failure;
+- } else if (rt->fib6_nsiblings) {
++ } else if (READ_ONCE(rt->fib6_nsiblings)) {
+ struct fib6_info *sibling;
+ struct nlattr *mp;
+
+--
+2.39.5
+
--- /dev/null
+From 4a760a45cf32ee50c3b301184f5b6ddaf25e6557 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:07:24 +0000
+Subject: ipv6: fix possible infinite loop in fib6_info_uses_dev()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f8d8ce1b515a0a6af72b30502670a406cfb75073 ]
+
+fib6_info_uses_dev() seems to rely on RCU without an explicit
+protection.
+
+Like the prior fix in rt6_nlmsg_size(),
+we need to make sure fib6_del_route() or fib6_add_rt2node()
+have not removed the anchor from the list, or we risk an infinite loop.
+
+Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250725140725.3626540-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 2aeca451aab3..bf71c8ce002f 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5958,16 +5958,21 @@ static bool fib6_info_uses_dev(const struct fib6_info *f6i,
+ if (f6i->fib6_nh->fib_nh_dev == dev)
+ return true;
+
+- if (f6i->fib6_nsiblings) {
+- struct fib6_info *sibling, *next_sibling;
++ if (READ_ONCE(f6i->fib6_nsiblings)) {
++ const struct fib6_info *sibling;
+
+- list_for_each_entry_safe(sibling, next_sibling,
+- &f6i->fib6_siblings, fib6_siblings) {
+- if (sibling->fib6_nh->fib_nh_dev == dev)
++ rcu_read_lock();
++ list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
++ fib6_siblings) {
++ if (sibling->fib6_nh->fib_nh_dev == dev) {
++ rcu_read_unlock();
+ return true;
++ }
++ if (!READ_ONCE(f6i->fib6_nsiblings))
++ break;
+ }
++ rcu_read_unlock();
+ }
+-
+ return false;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 34fddb9b10ebd6d3f21bb6f97659e7c7cfb0f34a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:07:23 +0000
+Subject: ipv6: prevent infinite loop in rt6_nlmsg_size()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 54e6fe9dd3b0e7c481c2228782c9494d653546da ]
+
+While testing prior patch, I was able to trigger
+an infinite loop in rt6_nlmsg_size() in the following place:
+
+list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
+ fib6_siblings) {
+ rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
+}
+
+This is because fib6_del_route() and fib6_add_rt2node()
+uses list_del_rcu(), which can confuse rcu readers,
+because they might no longer see the head of the list.
+
+Restart the loop if f6i->fib6_nsiblings is zero.
+
+Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250725140725.3626540-3-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_fib.c | 4 ++--
+ net/ipv6/route.c | 34 ++++++++++++++++++----------------
+ 2 files changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 93578b2ec35f..af7db69d9eac 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1265,7 +1265,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+ &rt->fib6_siblings,
+ fib6_siblings)
+ sibling->fib6_nsiblings--;
+- rt->fib6_nsiblings = 0;
++ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ list_del_rcu(&rt->fib6_siblings);
+ rcu_read_lock();
+ rt6_multipath_rebalance(next_sibling);
+@@ -2015,7 +2015,7 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn,
+ list_for_each_entry_safe(sibling, next_sibling,
+ &rt->fib6_siblings, fib6_siblings)
+ sibling->fib6_nsiblings--;
+- rt->fib6_nsiblings = 0;
++ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ list_del_rcu(&rt->fib6_siblings);
+ rt6_multipath_rebalance(next_sibling);
+ }
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 38016f5b2291..2aeca451aab3 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5670,32 +5670,34 @@ static int rt6_nh_nlmsg_size(struct fib6_nh *nh, void *arg)
+
+ static size_t rt6_nlmsg_size(struct fib6_info *f6i)
+ {
++ struct fib6_info *sibling;
++ struct fib6_nh *nh;
+ int nexthop_len;
+
+ if (f6i->nh) {
+ nexthop_len = nla_total_size(4); /* RTA_NH_ID */
+ nexthop_for_each_fib6_nh(f6i->nh, rt6_nh_nlmsg_size,
+ &nexthop_len);
+- } else {
+- struct fib6_nh *nh = f6i->fib6_nh;
+- struct fib6_info *sibling;
+-
+- nexthop_len = 0;
+- if (f6i->fib6_nsiblings) {
+- rt6_nh_nlmsg_size(nh, &nexthop_len);
+-
+- rcu_read_lock();
++ goto common;
++ }
+
+- list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
+- fib6_siblings) {
+- rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
+- }
++ rcu_read_lock();
++retry:
++ nh = f6i->fib6_nh;
++ nexthop_len = 0;
++ if (READ_ONCE(f6i->fib6_nsiblings)) {
++ rt6_nh_nlmsg_size(nh, &nexthop_len);
+
+- rcu_read_unlock();
++ list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
++ fib6_siblings) {
++ rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
++ if (!READ_ONCE(f6i->fib6_nsiblings))
++ goto retry;
+ }
+- nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws);
+ }
+-
++ rcu_read_unlock();
++ nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws);
++common:
+ return NLMSG_ALIGN(sizeof(struct rtmsg))
+ + nla_total_size(16) /* RTA_SRC */
+ + nla_total_size(16) /* RTA_DST */
+--
+2.39.5
+
--- /dev/null
+From 28b352e6b6d764dfd9fd228c160765236a0bdb0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 09:48:48 +0800
+Subject: iwlwifi: Add missing check for alloc_ordered_workqueue
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 90a0d9f339960448a3acc1437a46730f975efd6a ]
+
+Add check for the return value of alloc_ordered_workqueue since it may
+return NULL pointer.
+
+Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://patch.msgid.link/20230110014848.28226-1-jiasheng@iscas.ac.cn
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index 66211426aa3a..e015b83bb6e9 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1049,9 +1049,11 @@ static void iwl_bg_restart(struct work_struct *data)
+ *
+ *****************************************************************************/
+
+-static void iwl_setup_deferred_work(struct iwl_priv *priv)
++static int iwl_setup_deferred_work(struct iwl_priv *priv)
+ {
+ priv->workqueue = alloc_ordered_workqueue(DRV_NAME, 0);
++ if (!priv->workqueue)
++ return -ENOMEM;
+
+ INIT_WORK(&priv->restart, iwl_bg_restart);
+ INIT_WORK(&priv->beacon_update, iwl_bg_beacon_update);
+@@ -1068,6 +1070,8 @@ static void iwl_setup_deferred_work(struct iwl_priv *priv)
+ timer_setup(&priv->statistics_periodic, iwl_bg_statistics_periodic, 0);
+
+ timer_setup(&priv->ucode_trace, iwl_bg_ucode_trace, 0);
++
++ return 0;
+ }
+
+ void iwl_cancel_deferred_work(struct iwl_priv *priv)
+@@ -1463,7 +1467,9 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ /********************
+ * 6. Setup services
+ ********************/
+- iwl_setup_deferred_work(priv);
++ if (iwl_setup_deferred_work(priv))
++ goto out_uninit_drv;
++
+ iwl_setup_rx_handlers(priv);
+
+ iwl_power_initialize(priv);
+@@ -1502,6 +1508,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ iwl_cancel_deferred_work(priv);
+ destroy_workqueue(priv->workqueue);
+ priv->workqueue = NULL;
++out_uninit_drv:
+ iwl_uninit_drv(priv);
+ out_free_eeprom_blob:
+ kfree(priv->eeprom_blob);
+--
+2.39.5
+
--- /dev/null
+From fa39de9c139f5bd5e6d78c461db27e518116a55e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 01:22:14 +0000
+Subject: jfs: fix metapage reference count leak in dbAllocCtl
+
+From: Zheng Yu <zheng.yu@northwestern.edu>
+
+[ Upstream commit 856db37592021e9155384094e331e2d4589f28b1 ]
+
+In dbAllocCtl(), read_metapage() increases the reference count of the
+metapage. However, when dp->tree.budmin < 0, the function returns -EIO
+without calling release_metapage() to decrease the reference count,
+leading to a memory leak.
+
+Add release_metapage(mp) before the error return to properly manage
+the metapage reference count and prevent the leak.
+
+Fixes: a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ("jfs: fix shift-out-of-bounds in dbSplit")
+
+Signed-off-by: Zheng Yu <zheng.yu@northwestern.edu>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 35e063c9f3a4..5a877261c3fe 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -1809,8 +1809,10 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results)
+ return -EIO;
+ dp = (struct dmap *) mp->data;
+
+- if (dp->tree.budmin < 0)
++ if (dp->tree.budmin < 0) {
++ release_metapage(mp);
+ return -EIO;
++ }
+
+ /* try to allocate the blocks.
+ */
+--
+2.39.5
+
--- /dev/null
+From e3e3c68bdf1b0e8467e6a1b16d0c6c5dd9dbe5c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 03:48:56 +0900
+Subject: kconfig: qconf: fix ConfigList::updateListAllforAll()
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 721bfe583c52ba1ea74b3736a31a9dcfe6dd6d95 ]
+
+ConfigList::updateListForAll() and ConfigList::updateListAllforAll()
+are identical.
+
+Commit f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All)
+to ConfigList class") was a misconversion.
+
+Fixes: f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All) to ConfigList class")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/qconf.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
+index eaa465b0ccf9..49607555d343 100644
+--- a/scripts/kconfig/qconf.cc
++++ b/scripts/kconfig/qconf.cc
+@@ -478,7 +478,7 @@ void ConfigList::updateListAllForAll()
+ while (it.hasNext()) {
+ ConfigList *list = it.next();
+
+- list->updateList();
++ list->updateListAll();
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From baadbd17ce6d0234e18d639c22bdc8b18281159d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 20:19:17 +0200
+Subject: kcsan: test: Initialize dummy variable
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit 9872916ad1a1a5e7d089e05166c85dbd65e5b0e8 ]
+
+Newer compiler versions rightfully point out:
+
+ kernel/kcsan/kcsan_test.c:591:41: error: variable 'dummy' is
+ uninitialized when passed as a const pointer argument here
+ [-Werror,-Wuninitialized-const-pointer]
+ 591 | KCSAN_EXPECT_READ_BARRIER(atomic_read(&dummy), false);
+ | ^~~~~
+ 1 error generated.
+
+Although this particular test does not care about the value stored in
+the dummy atomic variable, let's silence the warning.
+
+Link: https://lkml.kernel.org/r/CA+G9fYu8JY=k-r0hnBRSkQQrFJ1Bz+ShdXNwC1TNeMt0eXaxeA@mail.gmail.com
+Fixes: 8bc32b348178 ("kcsan: test: Add test cases for memory barrier instrumentation")
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Reviewed-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kcsan/kcsan_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/kcsan/kcsan_test.c b/kernel/kcsan/kcsan_test.c
+index c2871180edcc..49ab81faaed9 100644
+--- a/kernel/kcsan/kcsan_test.c
++++ b/kernel/kcsan/kcsan_test.c
+@@ -533,7 +533,7 @@ static void test_barrier_nothreads(struct kunit *test)
+ struct kcsan_scoped_access *reorder_access = NULL;
+ #endif
+ arch_spinlock_t arch_spinlock = __ARCH_SPIN_LOCK_UNLOCKED;
+- atomic_t dummy;
++ atomic_t dummy = ATOMIC_INIT(0);
+
+ KCSAN_TEST_REQUIRES(test, reorder_access != NULL);
+ KCSAN_TEST_REQUIRES(test, IS_ENABLED(CONFIG_SMP));
+--
+2.39.5
+
--- /dev/null
+From 3013ea9a1700ef12b3fcaf7e7ceae9d267ffa436 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:12:12 +0200
+Subject: kernel: trace: preemptirq_delay_test: use offstack cpu mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit adc353c0bfb243ebfd29b6222fa3bf149169a6de ]
+
+A CPU mask on the stack is broken for large values of CONFIG_NR_CPUS:
+
+kernel/trace/preemptirq_delay_test.c: In function ‘preemptirq_delay_run’:
+kernel/trace/preemptirq_delay_test.c:143:1: error: the frame size of 8512 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
+
+Fall back to dynamic allocation here.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Song Chen <chensong_2000@189.cn>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://lore.kernel.org/20250620111215.3365305-1-arnd@kernel.org
+Fixes: 4b9091e1c194 ("kernel: trace: preemptirq_delay_test: add cpu affinity")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/preemptirq_delay_test.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/preemptirq_delay_test.c b/kernel/trace/preemptirq_delay_test.c
+index 314ffc143039..acb0c971a408 100644
+--- a/kernel/trace/preemptirq_delay_test.c
++++ b/kernel/trace/preemptirq_delay_test.c
+@@ -117,12 +117,15 @@ static int preemptirq_delay_run(void *data)
+ {
+ int i;
+ int s = MIN(burst_size, NR_TEST_FUNCS);
+- struct cpumask cpu_mask;
++ cpumask_var_t cpu_mask;
++
++ if (!alloc_cpumask_var(&cpu_mask, GFP_KERNEL))
++ return -ENOMEM;
+
+ if (cpu_affinity > -1) {
+- cpumask_clear(&cpu_mask);
+- cpumask_set_cpu(cpu_affinity, &cpu_mask);
+- if (set_cpus_allowed_ptr(current, &cpu_mask))
++ cpumask_clear(cpu_mask);
++ cpumask_set_cpu(cpu_affinity, cpu_mask);
++ if (set_cpus_allowed_ptr(current, cpu_mask))
+ pr_err("cpu_affinity:%d, failed\n", cpu_affinity);
+ }
+
+@@ -139,6 +142,8 @@ static int preemptirq_delay_run(void *data)
+
+ __set_current_state(TASK_RUNNING);
+
++ free_cpumask_var(cpu_mask);
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From f34994a4c27881f99354d6a2b96bdf1cd6aa7a1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 15:10:41 +0200
+Subject: kexec_core: Fix error code path in the KEXEC_JUMP flow
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 996afb6efd1a345736f9a888e4d6c7d4f3752aa5 ]
+
+If dpm_suspend_start() fails, dpm_resume_end() must be called to
+recover devices whose suspend callbacks have been called, but this
+does not happen in the KEXEC_JUMP flow's error path due to a confused
+goto target label.
+
+Address this by using the correct target label in the goto statement in
+question and drop the Resume_console label that is not used any more.
+
+Fixes: 2965faa5e03d ("kexec: split kexec_load syscall from kexec core code")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/2396879.ElGaqSPkdT@rjwysocki.net
+[ rjw: Drop unused label and amend the changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kexec_core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
+index 3a9a9f240dbc..554369595298 100644
+--- a/kernel/kexec_core.c
++++ b/kernel/kexec_core.c
+@@ -1080,7 +1080,7 @@ int kernel_kexec(void)
+ console_suspend_all();
+ error = dpm_suspend_start(PMSG_FREEZE);
+ if (error)
+- goto Resume_console;
++ goto Resume_devices;
+ /*
+ * dpm_suspend_end() must be called after dpm_suspend_start()
+ * to complete the transition, like in the hibernation flows
+@@ -1135,7 +1135,6 @@ int kernel_kexec(void)
+ dpm_resume_start(PMSG_RESTORE);
+ Resume_devices:
+ dpm_resume_end(PMSG_RESTORE);
+- Resume_console:
+ pm_restore_gfp_mask();
+ console_resume_all();
+ thaw_processes();
+--
+2.39.5
+
--- /dev/null
+From 7ce9091e2a3f90241b5b75520368278aa252a882 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 16:25:31 +0100
+Subject: kselftest/arm64: Fix check for setting new VLs in sve-ptrace
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 867446f090589626497638f70b10be5e61a0b925 ]
+
+The check that the new vector length we set was the expected one was typoed
+to an assignment statement which for some reason the compilers didn't spot,
+most likely due to the macros involved.
+
+Fixes: a1d7111257cd ("selftests: arm64: More comprehensively test the SVE ptrace interface")
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Dev Jain <dev.jain@arm.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20250609-kselftest-arm64-ssve-fixups-v2-1-998fcfa6f240@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/arm64/fp/sve-ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/arm64/fp/sve-ptrace.c b/tools/testing/selftests/arm64/fp/sve-ptrace.c
+index 577b6e05e860..c499d5789dd5 100644
+--- a/tools/testing/selftests/arm64/fp/sve-ptrace.c
++++ b/tools/testing/selftests/arm64/fp/sve-ptrace.c
+@@ -253,7 +253,7 @@ static void ptrace_set_get_vl(pid_t child, const struct vec_type *type,
+ return;
+ }
+
+- ksft_test_result(new_sve->vl = prctl_vl, "Set %s VL %u\n",
++ ksft_test_result(new_sve->vl == prctl_vl, "Set %s VL %u\n",
+ type->name, vl);
+
+ free(new_sve);
+--
+2.39.5
+
--- /dev/null
+From cdc6be93b794f817374926c173cce8f350d574ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 16:40:38 -0700
+Subject: kunit/fortify: Add back "volatile" for sizeof() constants
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 10299c07c94aa0997fa43523b53301e713a6415d ]
+
+It seems the Clang can see through OPTIMIZER_HIDE_VAR when the constant
+is coming from sizeof. Adding "volatile" back to these variables solves
+this false positive without reintroducing the issues that originally led
+to switching to OPTIMIZER_HIDE_VAR in the first place[1].
+
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2075 [1]
+Cc: Jannik Glückert <jannik.glueckert@gmail.com>
+Suggested-by: Nathan Chancellor <nathan@kernel.org>
+Fixes: 6ee149f61bcc ("kunit/fortify: Replace "volatile" with OPTIMIZER_HIDE_VAR()")
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20250628234034.work.800-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/tests/fortify_kunit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/tests/fortify_kunit.c b/lib/tests/fortify_kunit.c
+index 29ffc62a71e3..fc9c76f026d6 100644
+--- a/lib/tests/fortify_kunit.c
++++ b/lib/tests/fortify_kunit.c
+@@ -1003,8 +1003,8 @@ static void fortify_test_memcmp(struct kunit *test)
+ {
+ char one[] = "My mind is going ...";
+ char two[] = "My mind is going ... I can feel it.";
+- size_t one_len = sizeof(one) - 1;
+- size_t two_len = sizeof(two) - 1;
++ volatile size_t one_len = sizeof(one) - 1;
++ volatile size_t two_len = sizeof(two) - 1;
+
+ OPTIMIZER_HIDE_VAR(one_len);
+ OPTIMIZER_HIDE_VAR(two_len);
+--
+2.39.5
+
--- /dev/null
+From 5d349135352dd4cefacfa0739316ae0b53d31c1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jun 2025 17:09:36 +0100
+Subject: landlock: Fix warning from KUnit tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tingmao Wang <m@maowtm.org>
+
+[ Upstream commit e0a69cf2c03e61bd8069becb97f66c173d0d1fa1 ]
+
+get_id_range() expects a positive value as first argument but
+get_random_u8() can return 0. Fix this by clamping it.
+
+Validated by running the test in a for loop for 1000 times.
+
+Note that MAX() is wrong as it is only supposed to be used for
+constants, but max() is good here.
+
+ [..] ok 9 test_range2_rand1
+ [..] ok 10 test_range2_rand2
+ [..] ok 11 test_range2_rand15
+ [..] ------------[ cut here ]------------
+ [..] WARNING: CPU: 6 PID: 104 at security/landlock/id.c:99 test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1))
+ [..] Modules linked in:
+ [..] CPU: 6 UID: 0 PID: 104 Comm: kunit_try_catch Tainted: G N 6.16.0-rc1-dev-00001-g314a2f98b65f #1 PREEMPT(undef)
+ [..] Tainted: [N]=TEST
+ [..] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ [..] RIP: 0010:test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1))
+ [..] Code: 49 c7 c0 10 70 30 82 4c 89 ff 48 c7 c6 a0 63 1e 83 49 c7 45 a0 e0 63 1e 83 e8 3f 95 17 00 e9 1f ff ff ff 0f 0b e9 df fd ff ff <0f> 0b ba 01 00 00 00 e9 68 fe ff ff 49 89 45 a8 49 8d 4d a0 45 31
+
+ [..] RSP: 0000:ffff888104eb7c78 EFLAGS: 00010246
+ [..] RAX: 0000000000000000 RBX: 000000000870822c RCX: 0000000000000000
+ ^^^^^^^^^^^^^^^^
+ [..]
+ [..] Call Trace:
+ [..]
+ [..] ---[ end trace 0000000000000000 ]---
+ [..] ok 12 test_range2_rand16
+ [..] # landlock_id: pass:12 fail:0 skip:0 total:12
+ [..] # Totals: pass:12 fail:0 skip:0 total:12
+ [..] ok 1 landlock_id
+
+Fixes: d9d2a68ed44b ("landlock: Add unique ID generator")
+Signed-off-by: Tingmao Wang <m@maowtm.org>
+Link: https://lore.kernel.org/r/73e28efc5b8cc394608b99d5bc2596ca917d7c4a.1750003733.git.m@maowtm.org
+[mic: Minor cosmetic improvements]
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/landlock/id.c | 69 +++++++++++++++++++++++++-----------------
+ 1 file changed, 42 insertions(+), 27 deletions(-)
+
+diff --git a/security/landlock/id.c b/security/landlock/id.c
+index 56f7cc0fc744..838c3ed7bb82 100644
+--- a/security/landlock/id.c
++++ b/security/landlock/id.c
+@@ -119,6 +119,12 @@ static u64 get_id_range(size_t number_of_ids, atomic64_t *const counter,
+
+ #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
+
++static u8 get_random_u8_positive(void)
++{
++ /* max() evaluates its arguments once. */
++ return max(1, get_random_u8());
++}
++
+ static void test_range1_rand0(struct kunit *const test)
+ {
+ atomic64_t counter;
+@@ -127,9 +133,10 @@ static void test_range1_rand0(struct kunit *const test)
+ init = get_random_u32();
+ atomic64_set(&counter, init);
+ KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 0), init);
+- KUNIT_EXPECT_EQ(
+- test, get_id_range(get_random_u8(), &counter, get_random_u8()),
+- init + 1);
++ KUNIT_EXPECT_EQ(test,
++ get_id_range(get_random_u8_positive(), &counter,
++ get_random_u8()),
++ init + 1);
+ }
+
+ static void test_range1_rand1(struct kunit *const test)
+@@ -140,9 +147,10 @@ static void test_range1_rand1(struct kunit *const test)
+ init = get_random_u32();
+ atomic64_set(&counter, init);
+ KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 1), init);
+- KUNIT_EXPECT_EQ(
+- test, get_id_range(get_random_u8(), &counter, get_random_u8()),
+- init + 2);
++ KUNIT_EXPECT_EQ(test,
++ get_id_range(get_random_u8_positive(), &counter,
++ get_random_u8()),
++ init + 2);
+ }
+
+ static void test_range1_rand15(struct kunit *const test)
+@@ -153,9 +161,10 @@ static void test_range1_rand15(struct kunit *const test)
+ init = get_random_u32();
+ atomic64_set(&counter, init);
+ KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 15), init);
+- KUNIT_EXPECT_EQ(
+- test, get_id_range(get_random_u8(), &counter, get_random_u8()),
+- init + 16);
++ KUNIT_EXPECT_EQ(test,
++ get_id_range(get_random_u8_positive(), &counter,
++ get_random_u8()),
++ init + 16);
+ }
+
+ static void test_range1_rand16(struct kunit *const test)
+@@ -166,9 +175,10 @@ static void test_range1_rand16(struct kunit *const test)
+ init = get_random_u32();
+ atomic64_set(&counter, init);
+ KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 16), init);
+- KUNIT_EXPECT_EQ(
+- test, get_id_range(get_random_u8(), &counter, get_random_u8()),
+- init + 1);
++ KUNIT_EXPECT_EQ(test,
++ get_id_range(get_random_u8_positive(), &counter,
++ get_random_u8()),
++ init + 1);
+ }
+
+ static void test_range2_rand0(struct kunit *const test)
+@@ -179,9 +189,10 @@ static void test_range2_rand0(struct kunit *const test)
+ init = get_random_u32();
+ atomic64_set(&counter, init);
+ KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 0), init);
+- KUNIT_EXPECT_EQ(
+- test, get_id_range(get_random_u8(), &counter, get_random_u8()),
+- init + 2);
++ KUNIT_EXPECT_EQ(test,
++ get_id_range(get_random_u8_positive(), &counter,
++ get_random_u8()),
++ init + 2);
+ }
+
+ static void test_range2_rand1(struct kunit *const test)
+@@ -192,9 +203,10 @@ static void test_range2_rand1(struct kunit *const test)
+ init = get_random_u32();
+ atomic64_set(&counter, init);
+ KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 1), init);
+- KUNIT_EXPECT_EQ(
+- test, get_id_range(get_random_u8(), &counter, get_random_u8()),
+- init + 3);
++ KUNIT_EXPECT_EQ(test,
++ get_id_range(get_random_u8_positive(), &counter,
++ get_random_u8()),
++ init + 3);
+ }
+
+ static void test_range2_rand2(struct kunit *const test)
+@@ -205,9 +217,10 @@ static void test_range2_rand2(struct kunit *const test)
+ init = get_random_u32();
+ atomic64_set(&counter, init);
+ KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 2), init);
+- KUNIT_EXPECT_EQ(
+- test, get_id_range(get_random_u8(), &counter, get_random_u8()),
+- init + 4);
++ KUNIT_EXPECT_EQ(test,
++ get_id_range(get_random_u8_positive(), &counter,
++ get_random_u8()),
++ init + 4);
+ }
+
+ static void test_range2_rand15(struct kunit *const test)
+@@ -218,9 +231,10 @@ static void test_range2_rand15(struct kunit *const test)
+ init = get_random_u32();
+ atomic64_set(&counter, init);
+ KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 15), init);
+- KUNIT_EXPECT_EQ(
+- test, get_id_range(get_random_u8(), &counter, get_random_u8()),
+- init + 17);
++ KUNIT_EXPECT_EQ(test,
++ get_id_range(get_random_u8_positive(), &counter,
++ get_random_u8()),
++ init + 17);
+ }
+
+ static void test_range2_rand16(struct kunit *const test)
+@@ -231,9 +245,10 @@ static void test_range2_rand16(struct kunit *const test)
+ init = get_random_u32();
+ atomic64_set(&counter, init);
+ KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 16), init);
+- KUNIT_EXPECT_EQ(
+- test, get_id_range(get_random_u8(), &counter, get_random_u8()),
+- init + 2);
++ KUNIT_EXPECT_EQ(test,
++ get_id_range(get_random_u8_positive(), &counter,
++ get_random_u8()),
++ init + 2);
+ }
+
+ #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
+--
+2.39.5
+
--- /dev/null
+From a168fd8261393bbc97e48d23799103d5a5ca72ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 19:08:13 +0200
+Subject: leds: lp8860: Check return value of devm_mutex_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 3b07bb900af7f43f13f9ff398b4c6ca1dee217cd ]
+
+devm_mutex_init() can fail. With CONFIG_DEBUG_MUTEXES=y the mutex will be
+marked as unusable and trigger errors on usage.
+
+Add the missed check.
+
+Fixes: 87a59548af95 ("leds: lp8860: Use new mutex guards to cleanup function exits")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Acked-by: Andrew Davis <afd@ti.com>
+Acked-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Link: https://lore.kernel.org/r/20250617-must_check-devm_mutex_init-v7-2-d9e449f4d224@weissschuh.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lp8860.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/leds-lp8860.c b/drivers/leds/leds-lp8860.c
+index 52b97c9f2a03..0962c00c215a 100644
+--- a/drivers/leds/leds-lp8860.c
++++ b/drivers/leds/leds-lp8860.c
+@@ -307,7 +307,9 @@ static int lp8860_probe(struct i2c_client *client)
+ led->client = client;
+ led->led_dev.brightness_set_blocking = lp8860_brightness_set;
+
+- devm_mutex_init(&client->dev, &led->lock);
++ ret = devm_mutex_init(&client->dev, &led->lock);
++ if (ret)
++ return dev_err_probe(&client->dev, ret, "Failed to initialize lock\n");
+
+ led->regmap = devm_regmap_init_i2c(client, &lp8860_regmap_config);
+ if (IS_ERR(led->regmap)) {
+--
+2.39.5
+
--- /dev/null
+From 9404637c091fc22231b7dc4cd7beeb3937129079 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 12:39:06 +0300
+Subject: leds: pca955x: Avoid potential overflow when filling default_label
+ (take 2)
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 239afba8b9f3b0fcfd464d5ffeaed0ed4441c5a4 ]
+
+GCC compiler v8.5.0 is not happy about printing
+into a too short buffer (when build with `make W=1`):
+
+ drivers/leds/leds-pca955x.c:696:5: note: 'snprintf' output between 2 and 11 bytes into a destination of size 8
+
+Unfortunately this is a false positive from the old GCC versions,
+but we may still improve the code by using '%hhu' format specifier
+and reduce buffer size by 4 bytes.
+
+Fixes: bd3d14932923 ("leds: pca955x: Avoid potential overflow when filling default_label")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506282159.TXfvorYl-lkp@intel.com/
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20250630093906.1715800-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-pca955x.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/leds/leds-pca955x.c b/drivers/leds/leds-pca955x.c
+index 42fe056b1c74..70d109246088 100644
+--- a/drivers/leds/leds-pca955x.c
++++ b/drivers/leds/leds-pca955x.c
+@@ -587,7 +587,7 @@ static int pca955x_probe(struct i2c_client *client)
+ struct pca955x_platform_data *pdata;
+ bool keep_psc0 = false;
+ bool set_default_label = false;
+- char default_label[8];
++ char default_label[4];
+ int bit, err, reg;
+
+ chip = i2c_get_match_data(client);
+@@ -693,7 +693,7 @@ static int pca955x_probe(struct i2c_client *client)
+ }
+
+ if (set_default_label) {
+- snprintf(default_label, sizeof(default_label), "%u", i);
++ snprintf(default_label, sizeof(default_label), "%hhu", i);
+ init_data.default_label = default_label;
+ } else {
+ init_data.default_label = NULL;
+--
+2.39.5
+
--- /dev/null
+From be9fc755cf1a67e5f45286a664aafef31ba760a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:43:58 +0200
+Subject: leds: tps6131x: Add V4L2_FLASH_LED_CLASS dependency
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c3c38e80016548685e439b23999b4f0bd0ad7e05 ]
+
+This driver can optionally use the v4l2_flash infrastructure, but fails to
+link built=in if that is in a loadable module:
+
+ld.lld-21: error: undefined symbol: v4l2_flash_release
+>>> referenced by leds-tps6131x.c:792 (drivers/leds/flash/leds-tps6131x.c:792)
+
+Add the usual Kconfig dependency for it, still allowing it to be built when
+CONFIG_V4L2_FLASH_LED_CLASS is disabled.
+
+Fixes: b338a2ae9b31 ("leds: tps6131x: Add support for Texas Instruments TPS6131X flash LED driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20250620114440.4080938-1-arnd@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/flash/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/leds/flash/Kconfig b/drivers/leds/flash/Kconfig
+index 55ca663ca506..5e08102a6784 100644
+--- a/drivers/leds/flash/Kconfig
++++ b/drivers/leds/flash/Kconfig
+@@ -136,6 +136,7 @@ config LEDS_TPS6131X
+ tristate "LED support for TI TPS6131x flash LED driver"
+ depends on I2C && OF
+ depends on GPIOLIB
++ depends on V4L2_FLASH_LED_CLASS || !V4L2_FLASH_LED_CLASS
+ select REGMAP_I2C
+ help
+ This option enables support for Texas Instruments TPS61310/TPS61311
+--
+2.39.5
+
--- /dev/null
+From 908a512bf4fcf21ccd9d806810e58e25ee0d57c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 11:26:44 +1100
+Subject: m68k: Don't unregister boot console needlessly
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 83f672a7f69ec38b1bbb27221e342937f68c11c7 ]
+
+When MACH_IS_MVME147, the boot console calls mvme147_scc_write() to
+generate console output. That will continue to work even after
+debug_cons_nputs() becomes unavailable so there's no need to
+unregister the boot console.
+
+Take the opportunity to remove a repeated MACH_IS_* test. Use the
+actual .write method (instead of a wrapper) and test that pointer
+instead. This means adding an unused parameter to debug_cons_nputs() for
+consistency with the struct console API.
+
+early_printk.c is only built when CONFIG_EARLY_PRINTK=y. As of late,
+head.S is only built when CONFIG_MMU_MOTOROLA=y. So let the former symbol
+depend on the latter, to obviate some ifdef conditionals.
+
+Cc: Daniel Palmer <daniel@0x0f.com>
+Fixes: 077b33b9e283 ("m68k: mvme147: Reinstate early console")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/d1d4328e5aa9a87bd8352529ce62b767731c0530.1743467205.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/Kconfig.debug | 2 +-
+ arch/m68k/kernel/early_printk.c | 42 +++++++++++----------------------
+ arch/m68k/kernel/head.S | 8 +++----
+ 3 files changed, 19 insertions(+), 33 deletions(-)
+
+diff --git a/arch/m68k/Kconfig.debug b/arch/m68k/Kconfig.debug
+index 30638a6e8edc..d036f903864c 100644
+--- a/arch/m68k/Kconfig.debug
++++ b/arch/m68k/Kconfig.debug
+@@ -10,7 +10,7 @@ config BOOTPARAM_STRING
+
+ config EARLY_PRINTK
+ bool "Early printk"
+- depends on !(SUN3 || M68000 || COLDFIRE)
++ depends on MMU_MOTOROLA
+ help
+ Write kernel log output directly to a serial port.
+ Where implemented, output goes to the framebuffer as well.
+diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c
+index f11ef9f1f56f..521cbb8a150c 100644
+--- a/arch/m68k/kernel/early_printk.c
++++ b/arch/m68k/kernel/early_printk.c
+@@ -16,25 +16,10 @@
+ #include "../mvme147/mvme147.h"
+ #include "../mvme16x/mvme16x.h"
+
+-asmlinkage void __init debug_cons_nputs(const char *s, unsigned n);
+-
+-static void __ref debug_cons_write(struct console *c,
+- const char *s, unsigned n)
+-{
+-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
+- defined(CONFIG_COLDFIRE))
+- if (MACH_IS_MVME147)
+- mvme147_scc_write(c, s, n);
+- else if (MACH_IS_MVME16x)
+- mvme16x_cons_write(c, s, n);
+- else
+- debug_cons_nputs(s, n);
+-#endif
+-}
++asmlinkage void __init debug_cons_nputs(struct console *c, const char *s, unsigned int n);
+
+ static struct console early_console_instance = {
+ .name = "debug",
+- .write = debug_cons_write,
+ .flags = CON_PRINTBUFFER | CON_BOOT,
+ .index = -1
+ };
+@@ -44,6 +29,12 @@ static int __init setup_early_printk(char *buf)
+ if (early_console || buf)
+ return 0;
+
++ if (MACH_IS_MVME147)
++ early_console_instance.write = mvme147_scc_write;
++ else if (MACH_IS_MVME16x)
++ early_console_instance.write = mvme16x_cons_write;
++ else
++ early_console_instance.write = debug_cons_nputs;
+ early_console = &early_console_instance;
+ register_console(early_console);
+
+@@ -51,20 +42,15 @@ static int __init setup_early_printk(char *buf)
+ }
+ early_param("earlyprintk", setup_early_printk);
+
+-/*
+- * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be called
+- * after init sections are discarded (for platforms that use it).
+- */
+-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
+- defined(CONFIG_COLDFIRE))
+-
+ static int __init unregister_early_console(void)
+ {
+- if (!early_console || MACH_IS_MVME16x)
+- return 0;
++ /*
++ * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be
++ * called after init sections are discarded (for platforms that use it).
++ */
++ if (early_console && early_console->write == debug_cons_nputs)
++ return unregister_console(early_console);
+
+- return unregister_console(early_console);
++ return 0;
+ }
+ late_initcall(unregister_early_console);
+-
+-#endif
+diff --git a/arch/m68k/kernel/head.S b/arch/m68k/kernel/head.S
+index 852255cf60de..ba22bc2f3d6d 100644
+--- a/arch/m68k/kernel/head.S
++++ b/arch/m68k/kernel/head.S
+@@ -3263,8 +3263,8 @@ func_return putn
+ * turns around and calls the internal routines. This routine
+ * is used by the boot console.
+ *
+- * The calling parameters are:
+- * void debug_cons_nputs(const char *str, unsigned length)
++ * The function signature is -
++ * void debug_cons_nputs(struct console *c, const char *s, unsigned int n)
+ *
+ * This routine does NOT understand variable arguments only
+ * simple strings!
+@@ -3273,8 +3273,8 @@ ENTRY(debug_cons_nputs)
+ moveml %d0/%d1/%a0,%sp@-
+ movew %sr,%sp@-
+ ori #0x0700,%sr
+- movel %sp@(18),%a0 /* fetch parameter */
+- movel %sp@(22),%d1 /* fetch parameter */
++ movel %sp@(22),%a0 /* char *s */
++ movel %sp@(26),%d1 /* unsigned int n */
+ jra 2f
+ 1:
+ #ifdef CONSOLE_DEBUG
+--
+2.39.5
+
--- /dev/null
+From d2ea12b4bc039b75224d93e7758219bfe808f8ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 15:47:14 -0700
+Subject: macsec: set IFF_UNICAST_FLT priv flag
+
+From: Stanislav Fomichev <sdf@fomichev.me>
+
+[ Upstream commit 0349659fd72f662c054ff20d432559bfaa228ce4 ]
+
+Cosmin reports the following locking issue:
+
+ # BUG: sleeping function called from invalid context at
+ kernel/locking/mutex.c:275
+ # dump_stack_lvl+0x4f/0x60
+ # __might_resched+0xeb/0x140
+ # mutex_lock+0x1a/0x40
+ # dev_set_promiscuity+0x26/0x90
+ # __dev_set_promiscuity+0x85/0x170
+ # __dev_set_rx_mode+0x69/0xa0
+ # dev_uc_add+0x6d/0x80
+ # vlan_dev_open+0x5f/0x120 [8021q]
+ # __dev_open+0x10c/0x2a0
+ # __dev_change_flags+0x1a4/0x210
+ # netif_change_flags+0x22/0x60
+ # do_setlink.isra.0+0xdb0/0x10f0
+ # rtnl_newlink+0x797/0xb00
+ # rtnetlink_rcv_msg+0x1cb/0x3f0
+ # netlink_rcv_skb+0x53/0x100
+ # netlink_unicast+0x273/0x3b0
+ # netlink_sendmsg+0x1f2/0x430
+
+Which is similar to recent syzkaller reports in [0] and [1] and triggers
+because macsec does not advertise IFF_UNICAST_FLT although it has proper
+ndo_set_rx_mode callback that takes care of pushing uc/mc addresses
+down to the real device.
+
+In general, dev_uc_add call path is problematic for stacking
+non-IFF_UNICAST_FLT because we might grab netdev instance lock under
+addr_list_lock spinlock, so this is not a systemic fix.
+
+0: https://lore.kernel.org/netdev/686d55b4.050a0220.1ffab7.0014.GAE@google.com
+1: https://lore.kernel.org/netdev/68712acf.a00a0220.26a83e.0051.GAE@google.com/
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/netdev/2aff4342b0f5b1539c02ffd8df4c7e58dd9746e7.camel@nvidia.com
+Fixes: 7e4d784f5810 ("net: hold netdev instance lock during rtnetlink operations")
+Reported-by: Cosmin Ratiu <cratiu@nvidia.com>
+Tested-by: Cosmin Ratiu <cratiu@nvidia.com>
+Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://patch.msgid.link/20250723224715.1341121-1-sdf@fomichev.me
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 7edbe76b5455..4c75d1fea552 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3868,7 +3868,7 @@ static void macsec_setup(struct net_device *dev)
+ ether_setup(dev);
+ dev->min_mtu = 0;
+ dev->max_mtu = ETH_MAX_MTU;
+- dev->priv_flags |= IFF_NO_QUEUE;
++ dev->priv_flags |= IFF_NO_QUEUE | IFF_UNICAST_FLT;
+ dev->netdev_ops = &macsec_netdev_ops;
+ dev->needs_free_netdev = true;
+ dev->priv_destructor = macsec_free_netdev;
+--
+2.39.5
+
--- /dev/null
+From 68975eeeaf688f9561377da5eb3f7f83e9cc570c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 15:54:12 +0800
+Subject: md: allow removing faulty rdev during resync
+
+From: Zheng Qixing <zhengqixing@huawei.com>
+
+[ Upstream commit c0ffeb648000acdc932da7a9d33fd65e9263c54c ]
+
+During RAID resync, faulty rdev cannot be removed and will result in
+"Device or resource busy" error when attempting hot removal.
+
+Reproduction steps:
+ mdadm -Cv /dev/md0 -l1 -n3 -e1.2 /dev/sd{b..d}
+ mdadm /dev/md0 -f /dev/sdb
+ mdadm /dev/md0 -r /dev/sdb
+ -> mdadm: hot remove failed for /dev/sdb: Device or resource busy
+
+After commit 4b10a3bc67c1 ("md: ensure resync is prioritized over
+recovery"), when a device becomes faulty during resync, the
+md_choose_sync_action() function returns early without calling
+remove_and_add_spares(), preventing faulty device removal.
+
+This patch extracts a helper function remove_spares() to support
+removing faulty devices during RAID resync operations.
+
+Fixes: 4b10a3bc67c1 ("md: ensure resync is prioritized over recovery")
+Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
+Reviewed-by: Li Nan <linan122@huawei.com>
+Link: https://lore.kernel.org/linux-raid/20250707075412.150301-1-zhengqixing@huaweicloud.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 0f03b21e66e4..7f5e5a16243a 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -9456,17 +9456,11 @@ static bool md_spares_need_change(struct mddev *mddev)
+ return false;
+ }
+
+-static int remove_and_add_spares(struct mddev *mddev,
+- struct md_rdev *this)
++static int remove_spares(struct mddev *mddev, struct md_rdev *this)
+ {
+ struct md_rdev *rdev;
+- int spares = 0;
+ int removed = 0;
+
+- if (this && test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
+- /* Mustn't remove devices when resync thread is running */
+- return 0;
+-
+ rdev_for_each(rdev, mddev) {
+ if ((this == NULL || rdev == this) && rdev_removeable(rdev) &&
+ !mddev->pers->hot_remove_disk(mddev, rdev)) {
+@@ -9480,6 +9474,21 @@ static int remove_and_add_spares(struct mddev *mddev,
+ if (removed && mddev->kobj.sd)
+ sysfs_notify_dirent_safe(mddev->sysfs_degraded);
+
++ return removed;
++}
++
++static int remove_and_add_spares(struct mddev *mddev,
++ struct md_rdev *this)
++{
++ struct md_rdev *rdev;
++ int spares = 0;
++ int removed = 0;
++
++ if (this && test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
++ /* Mustn't remove devices when resync thread is running */
++ return 0;
++
++ removed = remove_spares(mddev, this);
+ if (this && removed)
+ goto no_add;
+
+@@ -9522,6 +9531,7 @@ static bool md_choose_sync_action(struct mddev *mddev, int *spares)
+
+ /* Check if resync is in progress. */
+ if (mddev->recovery_cp < MaxSector) {
++ remove_spares(mddev, NULL);
+ set_bit(MD_RECOVERY_SYNC, &mddev->recovery);
+ clear_bit(MD_RECOVERY_RECOVER, &mddev->recovery);
+ return true;
+--
+2.39.5
+
--- /dev/null
+From 9f1ffa3b120f026df1d6f4980db0e500cfd50cdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 10:48:14 +0000
+Subject: md/raid10: fix set but not used variable in sync_request_write()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit bc1c2f0ae355f7e30b5baecdfb89d2b148aa0515 ]
+
+Building with W=1 reports the following:
+
+drivers/md/raid10.c: In function ‘sync_request_write’:
+drivers/md/raid10.c:2441:21: error: variable ‘d’ set but not used [-Werror=unused-but-set-variable]
+ 2441 | int d;
+ | ^
+cc1: all warnings being treated as errors
+
+Remove the usage of that variable.
+
+Fixes: 752d0464b78a ("md: clean up accounting for issued sync IO")
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/linux-raid/20250709104814.2307276-1-john.g.garry@oracle.com
+Signed-off-by: Yu Kuai <yukuai@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid10.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index c9bd2005bfd0..d2b237652d7e 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2446,15 +2446,12 @@ static void sync_request_write(struct mddev *mddev, struct r10bio *r10_bio)
+ * that are active
+ */
+ for (i = 0; i < conf->copies; i++) {
+- int d;
+-
+ tbio = r10_bio->devs[i].repl_bio;
+ if (!tbio || !tbio->bi_end_io)
+ continue;
+ if (r10_bio->devs[i].bio->bi_end_io != end_sync_write
+ && r10_bio->devs[i].bio != fbio)
+ bio_copy_data(tbio, fbio);
+- d = r10_bio->devs[i].devnum;
+ atomic_inc(&r10_bio->remaining);
+ submit_bio_noacct(tbio);
+ }
+--
+2.39.5
+
--- /dev/null
+From 17ee5602fce8cf8fdd2740234342279ac930d6ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 09:54:07 +0800
+Subject: media: imx-jpeg: Account for data_offset when getting image address
+
+From: Ming Qian <ming.qian@oss.nxp.com>
+
+[ Upstream commit 51ad3b570ea7b1916ff4db993f1aa22bb48fdac6 ]
+
+Applications may set data_offset when it refers to an output queue. So
+driver need to account for it when getting the start address of input
+image in the plane.
+
+Meanwhile the mxc-jpeg codec requires the address (plane address +
+data_offset) to be 16-aligned.
+
+Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder")
+Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/platform/nxp/imx-jpeg/mxc-jpeg.c | 47 ++++++++++++++-----
+ .../media/platform/nxp/imx-jpeg/mxc-jpeg.h | 1 +
+ 2 files changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+index 5c17bc58181e..8681dd193033 100644
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+@@ -598,6 +598,27 @@ static void _bswap16(u16 *a)
+ *a = ((*a & 0x00FF) << 8) | ((*a & 0xFF00) >> 8);
+ }
+
++static dma_addr_t mxc_jpeg_get_plane_dma_addr(struct vb2_buffer *buf, unsigned int plane_no)
++{
++ if (plane_no >= buf->num_planes)
++ return 0;
++ return vb2_dma_contig_plane_dma_addr(buf, plane_no) + buf->planes[plane_no].data_offset;
++}
++
++static void *mxc_jpeg_get_plane_vaddr(struct vb2_buffer *buf, unsigned int plane_no)
++{
++ if (plane_no >= buf->num_planes)
++ return NULL;
++ return vb2_plane_vaddr(buf, plane_no) + buf->planes[plane_no].data_offset;
++}
++
++static unsigned long mxc_jpeg_get_plane_payload(struct vb2_buffer *buf, unsigned int plane_no)
++{
++ if (plane_no >= buf->num_planes)
++ return 0;
++ return vb2_get_plane_payload(buf, plane_no) - buf->planes[plane_no].data_offset;
++}
++
+ static void print_mxc_buf(struct mxc_jpeg_dev *jpeg, struct vb2_buffer *buf,
+ unsigned long len)
+ {
+@@ -610,11 +631,11 @@ static void print_mxc_buf(struct mxc_jpeg_dev *jpeg, struct vb2_buffer *buf,
+ return;
+
+ for (plane_no = 0; plane_no < buf->num_planes; plane_no++) {
+- payload = vb2_get_plane_payload(buf, plane_no);
++ payload = mxc_jpeg_get_plane_payload(buf, plane_no);
+ if (len == 0)
+ len = payload;
+- dma_addr = vb2_dma_contig_plane_dma_addr(buf, plane_no);
+- vaddr = vb2_plane_vaddr(buf, plane_no);
++ dma_addr = mxc_jpeg_get_plane_dma_addr(buf, plane_no);
++ vaddr = mxc_jpeg_get_plane_vaddr(buf, plane_no);
+ v4l2_dbg(3, debug, &jpeg->v4l2_dev,
+ "plane %d (vaddr=%p dma_addr=%x payload=%ld):",
+ plane_no, vaddr, dma_addr, payload);
+@@ -712,16 +733,15 @@ static void mxc_jpeg_addrs(struct mxc_jpeg_desc *desc,
+ struct mxc_jpeg_q_data *q_data;
+
+ q_data = mxc_jpeg_get_q_data(ctx, raw_buf->type);
+- desc->buf_base0 = vb2_dma_contig_plane_dma_addr(raw_buf, 0);
++ desc->buf_base0 = mxc_jpeg_get_plane_dma_addr(raw_buf, 0);
+ desc->buf_base1 = 0;
+ if (img_fmt == STM_CTRL_IMAGE_FORMAT(MXC_JPEG_YUV420)) {
+ if (raw_buf->num_planes == 2)
+- desc->buf_base1 = vb2_dma_contig_plane_dma_addr(raw_buf, 1);
++ desc->buf_base1 = mxc_jpeg_get_plane_dma_addr(raw_buf, 1);
+ else
+ desc->buf_base1 = desc->buf_base0 + q_data->sizeimage[0];
+ }
+- desc->stm_bufbase = vb2_dma_contig_plane_dma_addr(jpeg_buf, 0) +
+- offset;
++ desc->stm_bufbase = mxc_jpeg_get_plane_dma_addr(jpeg_buf, 0) + offset;
+ }
+
+ static bool mxc_jpeg_is_extended_sequential(const struct mxc_jpeg_fmt *fmt)
+@@ -1029,8 +1049,8 @@ static irqreturn_t mxc_jpeg_dec_irq(int irq, void *priv)
+ vb2_set_plane_payload(&dst_buf->vb2_buf, 1, payload);
+ }
+ dev_dbg(dev, "Decoding finished, payload size: %ld + %ld\n",
+- vb2_get_plane_payload(&dst_buf->vb2_buf, 0),
+- vb2_get_plane_payload(&dst_buf->vb2_buf, 1));
++ mxc_jpeg_get_plane_payload(&dst_buf->vb2_buf, 0),
++ mxc_jpeg_get_plane_payload(&dst_buf->vb2_buf, 1));
+ }
+
+ /* short preview of the results */
+@@ -1889,8 +1909,8 @@ static int mxc_jpeg_parse(struct mxc_jpeg_ctx *ctx, struct vb2_buffer *vb)
+ struct mxc_jpeg_sof *psof = NULL;
+ struct mxc_jpeg_sos *psos = NULL;
+ struct mxc_jpeg_src_buf *jpeg_src_buf = vb2_to_mxc_buf(vb);
+- u8 *src_addr = (u8 *)vb2_plane_vaddr(vb, 0);
+- u32 size = vb2_get_plane_payload(vb, 0);
++ u8 *src_addr = (u8 *)mxc_jpeg_get_plane_vaddr(vb, 0);
++ u32 size = mxc_jpeg_get_plane_payload(vb, 0);
+ int ret;
+
+ memset(&header, 0, sizeof(header));
+@@ -2027,6 +2047,11 @@ static int mxc_jpeg_buf_prepare(struct vb2_buffer *vb)
+ i, vb2_plane_size(vb, i), sizeimage);
+ return -EINVAL;
+ }
++ if (!IS_ALIGNED(mxc_jpeg_get_plane_dma_addr(vb, i), MXC_JPEG_ADDR_ALIGNMENT)) {
++ dev_err(dev, "planes[%d] address is not %d aligned\n",
++ i, MXC_JPEG_ADDR_ALIGNMENT);
++ return -EINVAL;
++ }
+ }
+ if (V4L2_TYPE_IS_CAPTURE(vb->vb2_queue->type)) {
+ vb2_set_plane_payload(vb, 0, 0);
+diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h
+index fdde45f7e163..44e46face6d1 100644
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h
+@@ -30,6 +30,7 @@
+ #define MXC_JPEG_MAX_PLANES 2
+ #define MXC_JPEG_PATTERN_WIDTH 128
+ #define MXC_JPEG_PATTERN_HEIGHT 64
++#define MXC_JPEG_ADDR_ALIGNMENT 16
+
+ enum mxc_jpeg_enc_state {
+ MXC_JPEG_ENCODING = 0, /* jpeg encode phase */
+--
+2.39.5
+
--- /dev/null
+From f93f794962e36b46709445a7d19caa1892c5a2c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 14:38:48 +0000
+Subject: media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check
+
+From: James Cowgill <james.cowgill@blaize.com>
+
+[ Upstream commit 803b9eabc649c778986449eb0596e5ffeb7a8aed ]
+
+The `separate_colour_plane_flag` element is only present in the SPS if
+`chroma_format_idc == 3`, so the corresponding flag should be disabled
+whenever that is not the case and not just on profiles where
+`chroma_format_idc` is not present.
+
+Fixes: b32e48503df0 ("media: controls: Validate H264 stateless controls")
+Signed-off-by: James Cowgill <james.cowgill@blaize.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls-core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+index 90d25329661e..b45809a82f9a 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+@@ -968,12 +968,12 @@ static int std_validate_compound(const struct v4l2_ctrl *ctrl, u32 idx,
+
+ p_h264_sps->flags &=
+ ~V4L2_H264_SPS_FLAG_QPPRIME_Y_ZERO_TRANSFORM_BYPASS;
+-
+- if (p_h264_sps->chroma_format_idc < 3)
+- p_h264_sps->flags &=
+- ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE;
+ }
+
++ if (p_h264_sps->chroma_format_idc < 3)
++ p_h264_sps->flags &=
++ ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE;
++
+ if (p_h264_sps->flags & V4L2_H264_SPS_FLAG_FRAME_MBS_ONLY)
+ p_h264_sps->flags &=
+ ~V4L2_H264_SPS_FLAG_MB_ADAPTIVE_FRAME_FIELD;
+--
+2.39.5
+
--- /dev/null
+From dd3893d5e0e67781fd71b17af523e2262d9f5132 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 10:50:47 +0200
+Subject: mei: vsc: Destroy mutex after freeing the IRQ
+
+From: Hans de Goede <hansg@kernel.org>
+
+[ Upstream commit 35b7f3525fe0a7283de7116e3c75ee3ccb3b14c9 ]
+
+The event_notify callback which runs from vsc_tp_thread_isr may call
+vsc_tp_xfer() which locks the mutex. So the ISR depends on the mutex.
+
+Move the mutex_destroy() call to after free_irq() to ensure that the ISR
+is not running while the mutex is destroyed.
+
+Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device")
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250623085052.12347-6-hansg@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/vsc-tp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c
+index 267d0de5fade..66b41b86ea7d 100644
+--- a/drivers/misc/mei/vsc-tp.c
++++ b/drivers/misc/mei/vsc-tp.c
+@@ -552,10 +552,10 @@ static int vsc_tp_probe(struct spi_device *spi)
+ return 0;
+
+ err_destroy_lock:
+- mutex_destroy(&tp->mutex);
+-
+ free_irq(spi->irq, tp);
+
++ mutex_destroy(&tp->mutex);
++
+ return ret;
+ }
+
+@@ -565,9 +565,9 @@ static void vsc_tp_remove(struct spi_device *spi)
+
+ platform_device_unregister(tp->pdev);
+
+- mutex_destroy(&tp->mutex);
+-
+ free_irq(spi->irq, tp);
++
++ mutex_destroy(&tp->mutex);
+ }
+
+ static void vsc_tp_shutdown(struct spi_device *spi)
+--
+2.39.5
+
--- /dev/null
+From 3834ae53701d736c5b34268ec98d7bb6bf39066b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 10:50:44 +0200
+Subject: mei: vsc: Don't re-init VSC from mei_vsc_hw_reset() on stop
+
+From: Hans de Goede <hansg@kernel.org>
+
+[ Upstream commit 880af854d6343b796f05b9a8b52b68a88535625b ]
+
+mei_vsc_hw_reset() gets called from mei_start() and mei_stop() in
+the latter case we do not need to re-init the VSC by calling vsc_tp_init().
+
+mei_stop() only happens on shutdown and driver unbind. On shutdown we
+don't need to load + boot the firmware and if the driver later is
+bound to the device again then mei_start() will do another reset.
+
+The intr_enable flag is true when called from mei_start() and false on
+mei_stop(). Skip vsc_tp_init() when intr_enable is false.
+
+This avoids unnecessarily uploading the firmware, which takes 11 seconds.
+This change reduces the poweroff/reboot time by 11 seconds.
+
+Fixes: 386a766c4169 ("mei: Add MEI hardware support for IVSC device")
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Reviewed-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://lore.kernel.org/r/20250623085052.12347-3-hansg@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/platform-vsc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/misc/mei/platform-vsc.c b/drivers/misc/mei/platform-vsc.c
+index 435760b1e86f..1ac85f0251c5 100644
+--- a/drivers/misc/mei/platform-vsc.c
++++ b/drivers/misc/mei/platform-vsc.c
+@@ -256,6 +256,9 @@ static int mei_vsc_hw_reset(struct mei_device *mei_dev, bool intr_enable)
+
+ vsc_tp_reset(hw->tp);
+
++ if (!intr_enable)
++ return 0;
++
+ return vsc_tp_init(hw->tp, mei_dev->dev);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b72876b96ec2db72cc3afc88db863a5fc5c5115e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 10:50:43 +0200
+Subject: mei: vsc: Drop unused vsc_tp_request_irq() and vsc_tp_free_irq()
+
+From: Hans de Goede <hansg@kernel.org>
+
+[ Upstream commit a49159aa80207d49569b7453b4838f2f9501a17c ]
+
+Drop the unused vsc_tp_request_irq() and vsc_tp_free_irq() functions.
+
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250623085052.12347-2-hansg@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: de88b02c94db ("mei: vsc: Run event callback from a workqueue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/vsc-tp.c | 31 -------------------------------
+ drivers/misc/mei/vsc-tp.h | 3 ---
+ 2 files changed, 34 deletions(-)
+
+diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c
+index 97df3077175d..d0450c80316c 100644
+--- a/drivers/misc/mei/vsc-tp.c
++++ b/drivers/misc/mei/vsc-tp.c
+@@ -409,37 +409,6 @@ int vsc_tp_register_event_cb(struct vsc_tp *tp, vsc_tp_event_cb_t event_cb,
+ }
+ EXPORT_SYMBOL_NS_GPL(vsc_tp_register_event_cb, "VSC_TP");
+
+-/**
+- * vsc_tp_request_irq - request irq for vsc_tp device
+- * @tp: vsc_tp device handle
+- */
+-int vsc_tp_request_irq(struct vsc_tp *tp)
+-{
+- struct spi_device *spi = tp->spi;
+- struct device *dev = &spi->dev;
+- int ret;
+-
+- irq_set_status_flags(spi->irq, IRQ_DISABLE_UNLAZY);
+- ret = request_threaded_irq(spi->irq, vsc_tp_isr, vsc_tp_thread_isr,
+- IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+- dev_name(dev), tp);
+- if (ret)
+- return ret;
+-
+- return 0;
+-}
+-EXPORT_SYMBOL_NS_GPL(vsc_tp_request_irq, "VSC_TP");
+-
+-/**
+- * vsc_tp_free_irq - free irq for vsc_tp device
+- * @tp: vsc_tp device handle
+- */
+-void vsc_tp_free_irq(struct vsc_tp *tp)
+-{
+- free_irq(tp->spi->irq, tp);
+-}
+-EXPORT_SYMBOL_NS_GPL(vsc_tp_free_irq, "VSC_TP");
+-
+ /**
+ * vsc_tp_intr_synchronize - synchronize vsc_tp interrupt
+ * @tp: vsc_tp device handle
+diff --git a/drivers/misc/mei/vsc-tp.h b/drivers/misc/mei/vsc-tp.h
+index 14ca195cbddc..f9513ddc3e40 100644
+--- a/drivers/misc/mei/vsc-tp.h
++++ b/drivers/misc/mei/vsc-tp.h
+@@ -37,9 +37,6 @@ int vsc_tp_xfer(struct vsc_tp *tp, u8 cmd, const void *obuf, size_t olen,
+ int vsc_tp_register_event_cb(struct vsc_tp *tp, vsc_tp_event_cb_t event_cb,
+ void *context);
+
+-int vsc_tp_request_irq(struct vsc_tp *tp);
+-void vsc_tp_free_irq(struct vsc_tp *tp);
+-
+ void vsc_tp_intr_enable(struct vsc_tp *tp);
+ void vsc_tp_intr_disable(struct vsc_tp *tp);
+ void vsc_tp_intr_synchronize(struct vsc_tp *tp);
+--
+2.39.5
+
--- /dev/null
+From 335284d19db764ae579f8df3d34fe2470a29eeda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 10:50:48 +0200
+Subject: mei: vsc: Event notifier fixes
+
+From: Hans de Goede <hansg@kernel.org>
+
+[ Upstream commit 18f14b2e7f73c7ec272d833d570b632286467c7d ]
+
+vsc_tp_register_event_cb() can race with vsc_tp_thread_isr(), add a mutex
+to protect against this.
+
+Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device")
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250623085052.12347-7-hansg@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/vsc-tp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c
+index 66b41b86ea7d..97df3077175d 100644
+--- a/drivers/misc/mei/vsc-tp.c
++++ b/drivers/misc/mei/vsc-tp.c
+@@ -79,9 +79,8 @@ struct vsc_tp {
+
+ vsc_tp_event_cb_t event_notify;
+ void *event_notify_context;
+-
+- /* used to protect command download */
+- struct mutex mutex;
++ struct mutex event_notify_mutex; /* protects event_notify + context */
++ struct mutex mutex; /* protects command download */
+ };
+
+ /* GPIO resources */
+@@ -113,6 +112,8 @@ static irqreturn_t vsc_tp_thread_isr(int irq, void *data)
+ {
+ struct vsc_tp *tp = data;
+
++ guard(mutex)(&tp->event_notify_mutex);
++
+ if (tp->event_notify)
+ tp->event_notify(tp->event_notify_context);
+
+@@ -399,6 +400,8 @@ EXPORT_SYMBOL_NS_GPL(vsc_tp_need_read, "VSC_TP");
+ int vsc_tp_register_event_cb(struct vsc_tp *tp, vsc_tp_event_cb_t event_cb,
+ void *context)
+ {
++ guard(mutex)(&tp->event_notify_mutex);
++
+ tp->event_notify = event_cb;
+ tp->event_notify_context = context;
+
+@@ -530,6 +533,7 @@ static int vsc_tp_probe(struct spi_device *spi)
+ return ret;
+
+ mutex_init(&tp->mutex);
++ mutex_init(&tp->event_notify_mutex);
+
+ /* only one child acpi device */
+ ret = acpi_dev_for_each_child(ACPI_COMPANION(dev),
+@@ -554,6 +558,7 @@ static int vsc_tp_probe(struct spi_device *spi)
+ err_destroy_lock:
+ free_irq(spi->irq, tp);
+
++ mutex_destroy(&tp->event_notify_mutex);
+ mutex_destroy(&tp->mutex);
+
+ return ret;
+@@ -567,6 +572,7 @@ static void vsc_tp_remove(struct spi_device *spi)
+
+ free_irq(spi->irq, tp);
+
++ mutex_destroy(&tp->event_notify_mutex);
+ mutex_destroy(&tp->mutex);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e921c95e39988e76ded1d4ad4d060577590f3f45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 10:50:51 +0200
+Subject: mei: vsc: Fix "BUG: Invalid wait context" lockdep error
+
+From: Hans de Goede <hansg@kernel.org>
+
+[ Upstream commit cee3dba7b7416c02ff3cd27489f82859cc852532 ]
+
+Kernels build with CONFIG_PROVE_RAW_LOCK_NESTING report the following
+tp-vsc lockdep error:
+
+=============================
+ [ BUG: Invalid wait context ]
+ ...
+ swapper/10/0 is trying to lock:
+ ffff88819c271888 (&tp->xfer_wait){....}-{3:3},
+ at: __wake_up (kernel/sched/wait.c:106 kernel/sched/wait.c:127)
+ ...
+ Call Trace:
+ <IRQ>
+ ...
+ __raw_spin_lock_irqsave (./include/linux/spinlock_api_smp.h:111)
+ __wake_up (kernel/sched/wait.c:106 kernel/sched/wait.c:127)
+ vsc_tp_isr (drivers/misc/mei/vsc-tp.c:110) mei_vsc_hw
+ __handle_irq_event_percpu (kernel/irq/handle.c:158)
+ handle_irq_event (kernel/irq/handle.c:195 kernel/irq/handle.c:210)
+ handle_edge_irq (kernel/irq/chip.c:833)
+ ...
+ </IRQ>
+
+The root-cause of this is the IRQF_NO_THREAD flag used by the intel-pinctrl
+code. Setting IRQF_NO_THREAD requires all interrupt handlers for GPIO ISRs
+to use raw-spinlocks only since normal spinlocks can sleep in PREEMPT-RT
+kernels and with IRQF_NO_THREAD the interrupt handlers will always run in
+an atomic context [1].
+
+vsc_tp_isr() calls wake_up(&tp->xfer_wait), which uses a regular spinlock,
+breaking the raw-spinlocks only rule for Intel GPIO ISRs.
+
+Make vsc_tp_isr() run as threaded ISR instead of as hard ISR to fix this.
+
+Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device")
+Link: https://lore.kernel.org/linux-gpio/18ab52bd-9171-4667-a600-0f52ab7017ac@kernel.org/ [1]
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250623085052.12347-10-hansg@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/vsc-tp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c
+index b654ea59f305..0de5acc33b74 100644
+--- a/drivers/misc/mei/vsc-tp.c
++++ b/drivers/misc/mei/vsc-tp.c
+@@ -497,7 +497,7 @@ static int vsc_tp_probe(struct spi_device *spi)
+ tp->spi = spi;
+
+ irq_set_status_flags(spi->irq, IRQ_DISABLE_UNLAZY);
+- ret = request_threaded_irq(spi->irq, vsc_tp_isr, NULL,
++ ret = request_threaded_irq(spi->irq, NULL, vsc_tp_isr,
+ IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ dev_name(dev), tp);
+ if (ret)
+--
+2.39.5
+
--- /dev/null
+From 74dcc001d7c51a0eff177bc14c451902638723a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 10:50:50 +0200
+Subject: mei: vsc: Run event callback from a workqueue
+
+From: Hans de Goede <hansg@kernel.org>
+
+[ Upstream commit de88b02c94db7f3c115eb5bfdc1ec444934f277a ]
+
+The event_notify callback in some cases calls vsc_tp_xfer(), which checks
+tp->assert_cnt and waits for it through the tp->xfer_wait wait-queue.
+
+And tp->assert_cnt is increased and the tp->xfer_wait queue is woken o
+from the interrupt handler.
+
+So the interrupt handler which is running the event callback is waiting for
+itself to signal that it can continue.
+
+This happens to work because the event callback runs from the threaded
+ISR handler and while that is running the hard ISR handler will still
+get called a second / third time for further interrupts and it is the hard
+ISR handler which does the atomic_inc() and wake_up() calls.
+
+But having the threaded ISR handler wait for its own interrupt to trigger
+again is not how a threaded ISR handler is supposed to be used.
+
+Move the running of the event callback from a threaded interrupt handler
+to a workqueue since a threaded ISR should not wait for events from its
+own interrupt.
+
+This is a preparation patch for moving the atomic_inc() and wake_up() calls
+to the threaded ISR handler, which is necessary to fix a locking issue.
+
+Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device")
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250623085052.12347-9-hansg@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/vsc-tp.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c
+index d0450c80316c..b654ea59f305 100644
+--- a/drivers/misc/mei/vsc-tp.c
++++ b/drivers/misc/mei/vsc-tp.c
+@@ -18,6 +18,7 @@
+ #include <linux/platform_device.h>
+ #include <linux/spi/spi.h>
+ #include <linux/types.h>
++#include <linux/workqueue.h>
+
+ #include "vsc-tp.h"
+
+@@ -76,6 +77,7 @@ struct vsc_tp {
+
+ atomic_t assert_cnt;
+ wait_queue_head_t xfer_wait;
++ struct work_struct event_work;
+
+ vsc_tp_event_cb_t event_notify;
+ void *event_notify_context;
+@@ -105,19 +107,19 @@ static irqreturn_t vsc_tp_isr(int irq, void *data)
+
+ wake_up(&tp->xfer_wait);
+
+- return IRQ_WAKE_THREAD;
++ schedule_work(&tp->event_work);
++
++ return IRQ_HANDLED;
+ }
+
+-static irqreturn_t vsc_tp_thread_isr(int irq, void *data)
++static void vsc_tp_event_work(struct work_struct *work)
+ {
+- struct vsc_tp *tp = data;
++ struct vsc_tp *tp = container_of(work, struct vsc_tp, event_work);
+
+ guard(mutex)(&tp->event_notify_mutex);
+
+ if (tp->event_notify)
+ tp->event_notify(tp->event_notify_context);
+-
+- return IRQ_HANDLED;
+ }
+
+ /* wakeup firmware and wait for response */
+@@ -495,7 +497,7 @@ static int vsc_tp_probe(struct spi_device *spi)
+ tp->spi = spi;
+
+ irq_set_status_flags(spi->irq, IRQ_DISABLE_UNLAZY);
+- ret = request_threaded_irq(spi->irq, vsc_tp_isr, vsc_tp_thread_isr,
++ ret = request_threaded_irq(spi->irq, vsc_tp_isr, NULL,
+ IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ dev_name(dev), tp);
+ if (ret)
+@@ -503,6 +505,7 @@ static int vsc_tp_probe(struct spi_device *spi)
+
+ mutex_init(&tp->mutex);
+ mutex_init(&tp->event_notify_mutex);
++ INIT_WORK(&tp->event_work, vsc_tp_event_work);
+
+ /* only one child acpi device */
+ ret = acpi_dev_for_each_child(ACPI_COMPANION(dev),
+@@ -527,6 +530,7 @@ static int vsc_tp_probe(struct spi_device *spi)
+ err_destroy_lock:
+ free_irq(spi->irq, tp);
+
++ cancel_work_sync(&tp->event_work);
+ mutex_destroy(&tp->event_notify_mutex);
+ mutex_destroy(&tp->mutex);
+
+@@ -541,6 +545,7 @@ static void vsc_tp_remove(struct spi_device *spi)
+
+ free_irq(spi->irq, tp);
+
++ cancel_work_sync(&tp->event_work);
+ mutex_destroy(&tp->event_notify_mutex);
+ mutex_destroy(&tp->mutex);
+ }
+--
+2.39.5
+
--- /dev/null
+From 5b621072a0febe3b86c573fc0bb155575005d5d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 10:50:49 +0200
+Subject: mei: vsc: Unset the event callback on remove and probe errors
+
+From: Hans de Goede <hansg@kernel.org>
+
+[ Upstream commit 6175c6974095f8ca7e5f8d593171512f3e5bd453 ]
+
+Make mei_vsc_remove() properly unset the callback to avoid a dead callback
+sticking around after probe errors or unbinding of the platform driver.
+
+Fixes: 386a766c4169 ("mei: Add MEI hardware support for IVSC device")
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250623085052.12347-8-hansg@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/platform-vsc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/misc/mei/platform-vsc.c b/drivers/misc/mei/platform-vsc.c
+index 1ac85f0251c5..b2b5a20ae3fa 100644
+--- a/drivers/misc/mei/platform-vsc.c
++++ b/drivers/misc/mei/platform-vsc.c
+@@ -380,6 +380,8 @@ static int mei_vsc_probe(struct platform_device *pdev)
+ err_cancel:
+ mei_cancel_work(mei_dev);
+
++ vsc_tp_register_event_cb(tp, NULL, NULL);
++
+ mei_disable_interrupts(mei_dev);
+
+ return ret;
+@@ -388,11 +390,14 @@ static int mei_vsc_probe(struct platform_device *pdev)
+ static void mei_vsc_remove(struct platform_device *pdev)
+ {
+ struct mei_device *mei_dev = platform_get_drvdata(pdev);
++ struct mei_vsc_hw *hw = mei_dev_to_vsc_hw(mei_dev);
+
+ pm_runtime_disable(mei_dev->dev);
+
+ mei_stop(mei_dev);
+
++ vsc_tp_register_event_cb(hw->tp, NULL, NULL);
++
+ mei_disable_interrupts(mei_dev);
+
+ mei_deregister(mei_dev);
+--
+2.39.5
+
--- /dev/null
+From ce561b840dae0c99840d6f849ac53fbf16e47518 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 16:59:13 +0100
+Subject: memcg_slabinfo: Fix use of PG_slab
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 7f770e94d7936e8e35d4b4d5fa4618301b03ea33 ]
+
+Check PGTY_slab instead of PG_slab.
+
+Fixes: 4ffca5a96678 (mm: support only one page_type per page)
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Tested-by: Roman Gushchin <roman.gushchin@linux.dev>
+Reviewed-by: Roman Gushchin <roman.gushchin@linux.dev>
+Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
+Link: https://patch.msgid.link/20250611155916.2579160-11-willy@infradead.org
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/cgroup/memcg_slabinfo.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/cgroup/memcg_slabinfo.py b/tools/cgroup/memcg_slabinfo.py
+index 270c28a0d098..6bf4bde77903 100644
+--- a/tools/cgroup/memcg_slabinfo.py
++++ b/tools/cgroup/memcg_slabinfo.py
+@@ -146,11 +146,11 @@ def detect_kernel_config():
+
+
+ def for_each_slab(prog):
+- PGSlab = ~prog.constant('PG_slab')
++ slabtype = prog.constant('PGTY_slab')
+
+ for page in for_each_page(prog):
+ try:
+- if page.page_type.value_() == PGSlab:
++ if (page.page_type.value_() >> 24) == slabtype:
+ yield cast('struct slab *', page)
+ except FaultError:
+ pass
+--
+2.39.5
+
--- /dev/null
+From 38cac4324a35e6815297d8f1f7bd6184ed01d0a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 14:04:54 -0500
+Subject: mfd: tps65219: Update TPS65214 MFD cell's GPIO compatible string
+
+From: Shree Ramamoorthy <s-ramamoorthy@ti.com>
+
+[ Upstream commit 6f27d26e363a41fc651be852094823ce47a43243 ]
+
+This patch reflects the change made to move TPS65215 from 1 GPO and 1 GPIO
+to 2 GPOs and 1 GPIO. TPS65215 and TPS65219 both have 2 GPOs and 1 GPIO.
+TPS65214 has 1 GPO and 1 GPIO. TPS65215 will reuse the TPS65219 GPIO
+compatible string.
+
+TPS65214 TRM: https://www.ti.com/lit/pdf/slvud30
+TPS65215 TRM: https://www.ti.com/lit/pdf/slvucw5/
+
+Fixes: 7947219ab1a2 ("mfd: tps65219: Add support for TI TPS65214 PMIC")
+Signed-off-by: Shree Ramamoorthy <s-ramamoorthy@ti.com>
+Link: https://lore.kernel.org/r/20250527190455.169772-2-s-ramamoorthy@ti.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/tps65219.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/tps65219.c b/drivers/mfd/tps65219.c
+index fd390600fbf0..297511025dd4 100644
+--- a/drivers/mfd/tps65219.c
++++ b/drivers/mfd/tps65219.c
+@@ -190,7 +190,7 @@ static const struct resource tps65219_regulator_resources[] = {
+
+ static const struct mfd_cell tps65214_cells[] = {
+ MFD_CELL_RES("tps65214-regulator", tps65214_regulator_resources),
+- MFD_CELL_NAME("tps65215-gpio"),
++ MFD_CELL_NAME("tps65214-gpio"),
+ };
+
+ static const struct mfd_cell tps65215_cells[] = {
+--
+2.39.5
+
--- /dev/null
+From da339eff487b53f42f9079bd270a37a2bc3f9227 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jul 2025 10:24:42 +0200
+Subject: MIPS: alchemy: gpio: use new GPIO line value setter callbacks for the
+ remaining chips
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit 6b94bf976f9f9e6d4a6bf3218968a506c049702e ]
+
+Previous commit missed two other places that need converting, it only
+came out in tests on autobuilders now. Convert the rest of the driver.
+
+Fixes: 68bdc4dc1130 ("MIPS: alchemy: gpio: use new line value setter callbacks")
+Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Link: https://lore.kernel.org/r/20250727082442.13182-1-brgl@bgdev.pl
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/alchemy/common/gpiolib.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/alchemy/common/gpiolib.c b/arch/mips/alchemy/common/gpiolib.c
+index 411f70ceb762..194034eba75f 100644
+--- a/arch/mips/alchemy/common/gpiolib.c
++++ b/arch/mips/alchemy/common/gpiolib.c
+@@ -40,9 +40,11 @@ static int gpio2_get(struct gpio_chip *chip, unsigned offset)
+ return !!alchemy_gpio2_get_value(offset + ALCHEMY_GPIO2_BASE);
+ }
+
+-static void gpio2_set(struct gpio_chip *chip, unsigned offset, int value)
++static int gpio2_set(struct gpio_chip *chip, unsigned offset, int value)
+ {
+ alchemy_gpio2_set_value(offset + ALCHEMY_GPIO2_BASE, value);
++
++ return 0;
+ }
+
+ static int gpio2_direction_input(struct gpio_chip *chip, unsigned offset)
+@@ -68,10 +70,12 @@ static int gpio1_get(struct gpio_chip *chip, unsigned offset)
+ return !!alchemy_gpio1_get_value(offset + ALCHEMY_GPIO1_BASE);
+ }
+
+-static void gpio1_set(struct gpio_chip *chip,
++static int gpio1_set(struct gpio_chip *chip,
+ unsigned offset, int value)
+ {
+ alchemy_gpio1_set_value(offset + ALCHEMY_GPIO1_BASE, value);
++
++ return 0;
+ }
+
+ static int gpio1_direction_input(struct gpio_chip *chip, unsigned offset)
+@@ -97,7 +101,7 @@ struct gpio_chip alchemy_gpio_chip[] = {
+ .direction_input = gpio1_direction_input,
+ .direction_output = gpio1_direction_output,
+ .get = gpio1_get,
+- .set = gpio1_set,
++ .set_rv = gpio1_set,
+ .to_irq = gpio1_to_irq,
+ .base = ALCHEMY_GPIO1_BASE,
+ .ngpio = ALCHEMY_GPIO1_NUM,
+@@ -107,7 +111,7 @@ struct gpio_chip alchemy_gpio_chip[] = {
+ .direction_input = gpio2_direction_input,
+ .direction_output = gpio2_direction_output,
+ .get = gpio2_get,
+- .set = gpio2_set,
++ .set_rv = gpio2_set,
+ .to_irq = gpio2_to_irq,
+ .base = ALCHEMY_GPIO2_BASE,
+ .ngpio = ALCHEMY_GPIO2_NUM,
+--
+2.39.5
+
--- /dev/null
+From 2904d05f1c702ec7089f155af8e20db8f859d616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 16:32:34 +0200
+Subject: module: Restore the moduleparam prefix length check
+
+From: Petr Pavlu <petr.pavlu@suse.com>
+
+[ Upstream commit bdc877ba6b7ff1b6d2ebeff11e63da4a50a54854 ]
+
+The moduleparam code allows modules to provide their own definition of
+MODULE_PARAM_PREFIX, instead of using the default KBUILD_MODNAME ".".
+
+Commit 730b69d22525 ("module: check kernel param length at compile time,
+not runtime") added a check to ensure the prefix doesn't exceed
+MODULE_NAME_LEN, as this is what param_sysfs_builtin() expects.
+
+Later, commit 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking
+for sysfs perms.") removed this check, but there is no indication this was
+intentional.
+
+Since the check is still useful for param_sysfs_builtin() to function
+properly, reintroduce it in __module_param_call(), but in a modernized form
+using static_assert().
+
+While here, clean up the __module_param_call() comments. In particular,
+remove the comment "Default value instead of permissions?", which comes
+from commit 9774a1f54f17 ("[PATCH] Compile-time check re world-writeable
+module params"). This comment was related to the test variable
+__param_perm_check_##name, which was removed in the previously mentioned
+commit 58f86cc89c33.
+
+Fixes: 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking for sysfs perms.")
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
+Link: https://lore.kernel.org/r/20250630143535.267745-4-petr.pavlu@suse.com
+Signed-off-by: Daniel Gomez <da.gomez@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/moduleparam.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
+index bfb85fd13e1f..110e9d09de24 100644
+--- a/include/linux/moduleparam.h
++++ b/include/linux/moduleparam.h
+@@ -282,10 +282,9 @@ struct kparam_array
+ #define __moduleparam_const const
+ #endif
+
+-/* This is the fundamental function for registering boot/module
+- parameters. */
++/* This is the fundamental function for registering boot/module parameters. */
+ #define __module_param_call(prefix, name, ops, arg, perm, level, flags) \
+- /* Default value instead of permissions? */ \
++ static_assert(sizeof(""prefix) - 1 <= MAX_PARAM_PREFIX_LEN); \
+ static const char __param_str_##name[] = prefix #name; \
+ static struct kernel_param __moduleparam_const __param_##name \
+ __used __section("__param") \
+--
+2.39.5
+
--- /dev/null
+From cc70bc1ac102914bfc82791e0ee9ed51e4e36633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 17:53:13 +0300
+Subject: mtd: fix possible integer overflow in erase_xfer()
+
+From: Ivan Stepchenko <sid@itb.spb.ru>
+
+[ Upstream commit 9358bdb9f9f54d94ceafc650deffefd737d19fdd ]
+
+The expression '1 << EraseUnitSize' is evaluated in int, which causes
+a negative result when shifting by 31 - the upper bound of the valid
+range [10, 31], enforced by scan_header(). This leads to incorrect
+extension when storing the result in 'erase->len' (uint64_t), producing
+a large unexpected value.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ftl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/ftl.c b/drivers/mtd/ftl.c
+index 8c22064ead38..f2bd1984609c 100644
+--- a/drivers/mtd/ftl.c
++++ b/drivers/mtd/ftl.c
+@@ -344,7 +344,7 @@ static int erase_xfer(partition_t *part,
+ return -ENOMEM;
+
+ erase->addr = xfer->Offset;
+- erase->len = 1 << part->header.EraseUnitSize;
++ erase->len = 1ULL << part->header.EraseUnitSize;
+
+ ret = mtd_erase(part->mbd.mtd, erase);
+ if (!ret) {
+--
+2.39.5
+
--- /dev/null
+From 6026704d92afeef6286ef353926ed9798501757d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 08:45:11 +0200
+Subject: mtd: rawnand: atmel: Fix dma_mapping_error() address
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit e1e6b933c56b1e9fda93caa0b8bae39f3f421e5c ]
+
+It seems like what was intended is to test if the dma_map of the
+previous line failed but the wrong dma address was passed.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Rule: add
+Link: https://lore.kernel.org/stable/20250702064515.18145-2-fourier.thomas%40gmail.com
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c
+index dedcca87defc..84ab4a83cbd6 100644
+--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
+@@ -373,7 +373,7 @@ static int atmel_nand_dma_transfer(struct atmel_nand_controller *nc,
+ dma_cookie_t cookie;
+
+ buf_dma = dma_map_single(nc->dev, buf, len, dir);
+- if (dma_mapping_error(nc->dev, dev_dma)) {
++ if (dma_mapping_error(nc->dev, buf_dma)) {
+ dev_err(nc->dev,
+ "Failed to prepare a buffer for DMA access\n");
+ goto err;
+--
+2.39.5
+
--- /dev/null
+From 592b92c252f3e2005be95f22f595bcb292c64a6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 16:13:40 +0530
+Subject: mtd: rawnand: atmel: set pmecc data setup time
+
+From: Balamanikandan Gunasundar <balamanikandan.gunasundar@microchip.com>
+
+[ Upstream commit f552a7c7e0a14215cb8a6fd89e60fa3932a74786 ]
+
+Setup the pmecc data setup time as 3 clock cycles for 133MHz as recommended
+by the datasheet.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Reported-by: Zixun LI <admin@hifiphile.com>
+Closes: https://lore.kernel.org/all/c015bb20-6a57-4f63-8102-34b3d83e0f5b@microchip.com
+Suggested-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+Signed-off-by: Balamanikandan Gunasundar <balamanikandan.gunasundar@microchip.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/atmel/pmecc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/mtd/nand/raw/atmel/pmecc.c b/drivers/mtd/nand/raw/atmel/pmecc.c
+index 3c7dee1be21d..0b402823b619 100644
+--- a/drivers/mtd/nand/raw/atmel/pmecc.c
++++ b/drivers/mtd/nand/raw/atmel/pmecc.c
+@@ -143,6 +143,7 @@ struct atmel_pmecc_caps {
+ int nstrengths;
+ int el_offset;
+ bool correct_erased_chunks;
++ bool clk_ctrl;
+ };
+
+ struct atmel_pmecc {
+@@ -843,6 +844,10 @@ static struct atmel_pmecc *atmel_pmecc_create(struct platform_device *pdev,
+ if (IS_ERR(pmecc->regs.errloc))
+ return ERR_CAST(pmecc->regs.errloc);
+
++ /* pmecc data setup time */
++ if (caps->clk_ctrl)
++ writel(PMECC_CLK_133MHZ, pmecc->regs.base + ATMEL_PMECC_CLK);
++
+ /* Disable all interrupts before registering the PMECC handler. */
+ writel(0xffffffff, pmecc->regs.base + ATMEL_PMECC_IDR);
+ atmel_pmecc_reset(pmecc);
+@@ -896,6 +901,7 @@ static struct atmel_pmecc_caps at91sam9g45_caps = {
+ .strengths = atmel_pmecc_strengths,
+ .nstrengths = 5,
+ .el_offset = 0x8c,
++ .clk_ctrl = true,
+ };
+
+ static struct atmel_pmecc_caps sama5d4_caps = {
+--
+2.39.5
+
--- /dev/null
+From 90c82ef630517e75c233f0c30ccca7bd66bc81eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:15:50 +0200
+Subject: mtd: rawnand: rockchip: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 3b36f86dc47261828f96f826077131a35dd825fd ]
+
+The DMA map functions can fail and should be tested for errors.
+
+Fixes: 058e0e847d54 ("mtd: rawnand: rockchip: NFC driver for RK3308, RK2928 and others")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/mtd/nand/raw/rockchip-nand-controller.c b/drivers/mtd/nand/raw/rockchip-nand-controller.c
+index 63e7b9e39a5a..c5d7cd8a6cab 100644
+--- a/drivers/mtd/nand/raw/rockchip-nand-controller.c
++++ b/drivers/mtd/nand/raw/rockchip-nand-controller.c
+@@ -656,9 +656,16 @@ static int rk_nfc_write_page_hwecc(struct nand_chip *chip, const u8 *buf,
+
+ dma_data = dma_map_single(nfc->dev, (void *)nfc->page_buf,
+ mtd->writesize, DMA_TO_DEVICE);
++ if (dma_mapping_error(nfc->dev, dma_data))
++ return -ENOMEM;
++
+ dma_oob = dma_map_single(nfc->dev, nfc->oob_buf,
+ ecc->steps * oob_step,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(nfc->dev, dma_oob)) {
++ dma_unmap_single(nfc->dev, dma_data, mtd->writesize, DMA_TO_DEVICE);
++ return -ENOMEM;
++ }
+
+ reinit_completion(&nfc->done);
+ writel(INT_DMA, nfc->regs + nfc->cfg->int_en_off);
+@@ -772,9 +779,17 @@ static int rk_nfc_read_page_hwecc(struct nand_chip *chip, u8 *buf, int oob_on,
+ dma_data = dma_map_single(nfc->dev, nfc->page_buf,
+ mtd->writesize,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(nfc->dev, dma_data))
++ return -ENOMEM;
++
+ dma_oob = dma_map_single(nfc->dev, nfc->oob_buf,
+ ecc->steps * oob_step,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(nfc->dev, dma_oob)) {
++ dma_unmap_single(nfc->dev, dma_data, mtd->writesize,
++ DMA_FROM_DEVICE);
++ return -ENOMEM;
++ }
+
+ /*
+ * The first blocks (4, 8 or 16 depending on the device)
+--
+2.39.5
+
--- /dev/null
+From e53ba4b258750b8b8598f3266d04d56cec11d12d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 16:44:27 +0900
+Subject: mtd: spi-nor: spansion: Fixup params->set_4byte_addr_mode for SEMPER
+
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+
+[ Upstream commit a45ab839f52f3f00ac3dae18a50e902efd216de2 ]
+
+Infineon SEMPER flash family does not support E9h opcode as Exit 4-byte
+mode (EX4B). Therefore, params->set_4byte_addr_mode is not determined by
+BFPT parse. Fixup it up by introducing vendor specific EX4B opcode (B8h)
+and function.
+
+Fixes: c87c9b11c53ce ("mtd: spi-nor: spansion: Determine current address mode")
+Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+Acked-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Acked-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Link: https://lore.kernel.org/r/20250612074427.22263-1-Takahiro.Kuwano@infineon.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/spi-nor/spansion.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/drivers/mtd/spi-nor/spansion.c b/drivers/mtd/spi-nor/spansion.c
+index bf08dbf5e742..b9f156c0f8bc 100644
+--- a/drivers/mtd/spi-nor/spansion.c
++++ b/drivers/mtd/spi-nor/spansion.c
+@@ -17,6 +17,7 @@
+
+ #define SPINOR_OP_CLSR 0x30 /* Clear status register 1 */
+ #define SPINOR_OP_CLPEF 0x82 /* Clear program/erase failure flags */
++#define SPINOR_OP_CYPRESS_EX4B 0xB8 /* Exit 4-byte address mode */
+ #define SPINOR_OP_CYPRESS_DIE_ERASE 0x61 /* Chip (die) erase */
+ #define SPINOR_OP_RD_ANY_REG 0x65 /* Read any register */
+ #define SPINOR_OP_WR_ANY_REG 0x71 /* Write any register */
+@@ -58,6 +59,13 @@
+ SPI_MEM_OP_DUMMY(ndummy, 0), \
+ SPI_MEM_OP_DATA_IN(1, buf, 0))
+
++#define CYPRESS_NOR_EN4B_EX4B_OP(enable) \
++ SPI_MEM_OP(SPI_MEM_OP_CMD(enable ? SPINOR_OP_EN4B : \
++ SPINOR_OP_CYPRESS_EX4B, 0), \
++ SPI_MEM_OP_NO_ADDR, \
++ SPI_MEM_OP_NO_DUMMY, \
++ SPI_MEM_OP_NO_DATA)
++
+ #define SPANSION_OP(opcode) \
+ SPI_MEM_OP(SPI_MEM_OP_CMD(opcode, 0), \
+ SPI_MEM_OP_NO_ADDR, \
+@@ -356,6 +364,20 @@ static int cypress_nor_quad_enable_volatile(struct spi_nor *nor)
+ return 0;
+ }
+
++static int cypress_nor_set_4byte_addr_mode(struct spi_nor *nor, bool enable)
++{
++ int ret;
++ struct spi_mem_op op = CYPRESS_NOR_EN4B_EX4B_OP(enable);
++
++ spi_nor_spimem_setup_op(nor, &op, nor->reg_proto);
++
++ ret = spi_mem_exec_op(nor->spimem, &op);
++ if (ret)
++ dev_dbg(nor->dev, "error %d setting 4-byte mode\n", ret);
++
++ return ret;
++}
++
+ /**
+ * cypress_nor_determine_addr_mode_by_sr1() - Determine current address mode
+ * (3 or 4-byte) by querying status
+@@ -526,6 +548,9 @@ s25fs256t_post_bfpt_fixup(struct spi_nor *nor,
+ struct spi_mem_op op;
+ int ret;
+
++ /* Assign 4-byte address mode method that is not determined in BFPT */
++ nor->params->set_4byte_addr_mode = cypress_nor_set_4byte_addr_mode;
++
+ ret = cypress_nor_set_addr_mode_nbytes(nor);
+ if (ret)
+ return ret;
+@@ -591,6 +616,9 @@ s25hx_t_post_bfpt_fixup(struct spi_nor *nor,
+ {
+ int ret;
+
++ /* Assign 4-byte address mode method that is not determined in BFPT */
++ nor->params->set_4byte_addr_mode = cypress_nor_set_4byte_addr_mode;
++
+ ret = cypress_nor_set_addr_mode_nbytes(nor);
+ if (ret)
+ return ret;
+@@ -718,6 +746,9 @@ static int s28hx_t_post_bfpt_fixup(struct spi_nor *nor,
+ const struct sfdp_parameter_header *bfpt_header,
+ const struct sfdp_bfpt *bfpt)
+ {
++ /* Assign 4-byte address mode method that is not determined in BFPT */
++ nor->params->set_4byte_addr_mode = cypress_nor_set_4byte_addr_mode;
++
+ return cypress_nor_set_addr_mode_nbytes(nor);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From acc74ce200facd3e1710598f76278a4c5ad979d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 13:13:34 +0200
+Subject: mwl8k: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 50459501b9a212dbe7a673727589ee105a8a9954 ]
+
+The DMA map functions can fail and should be tested for errors.
+If the mapping fails, unmap and return an error.
+
+Fixes: 788838ebe8a4 ("mwl8k: use pci_unmap_addr{,set}() to keep track of unmap addresses on rx")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20250709111339.25360-2-fourier.thomas@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwl8k.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
+index bab9ef37a1ab..8bcb1d0dd618 100644
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -1227,6 +1227,10 @@ static int rxq_refill(struct ieee80211_hw *hw, int index, int limit)
+
+ addr = dma_map_single(&priv->pdev->dev, skb->data,
+ MWL8K_RX_MAXSZ, DMA_FROM_DEVICE);
++ if (dma_mapping_error(&priv->pdev->dev, addr)) {
++ kfree_skb(skb);
++ break;
++ }
+
+ rxq->rxd_count++;
+ rx = rxq->tail++;
+--
+2.39.5
+
--- /dev/null
+From f3c905e1593b7b88117026f02cf5b0c51a34b1e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 19:17:44 +0800
+Subject: nbd: fix lockdep deadlock warning
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 8b428f42f3edfd62422aa7ad87049ab232a2eaa9 ]
+
+nbd grabs device lock nbd->config_lock for updating nr_hw_queues, this
+ways cause the following lock dependency:
+
+-> #2 (&disk->open_mutex){+.+.}-{4:4}:
+ lock_acquire kernel/locking/lockdep.c:5871 [inline]
+ lock_acquire+0x1ac/0x448 kernel/locking/lockdep.c:5828
+ __mutex_lock_common kernel/locking/mutex.c:602 [inline]
+ __mutex_lock+0x166/0x1292 kernel/locking/mutex.c:747
+ mutex_lock_nested+0x14/0x1c kernel/locking/mutex.c:799
+ __del_gendisk+0x132/0xac6 block/genhd.c:706
+ del_gendisk+0xf6/0x19a block/genhd.c:819
+ nbd_dev_remove+0x3c/0xf2 drivers/block/nbd.c:268
+ nbd_dev_remove_work+0x1c/0x26 drivers/block/nbd.c:284
+ process_one_work+0x96a/0x1f32 kernel/workqueue.c:3238
+ process_scheduled_works kernel/workqueue.c:3321 [inline]
+ worker_thread+0x5ce/0xde8 kernel/workqueue.c:3402
+ kthread+0x39c/0x7d4 kernel/kthread.c:464
+ ret_from_fork_kernel+0x2a/0xbb2 arch/riscv/kernel/process.c:214
+ ret_from_fork_kernel_asm+0x16/0x18 arch/riscv/kernel/entry.S:327
+
+-> #1 (&set->update_nr_hwq_lock){++++}-{4:4}:
+ lock_acquire kernel/locking/lockdep.c:5871 [inline]
+ lock_acquire+0x1ac/0x448 kernel/locking/lockdep.c:5828
+ down_write+0x9c/0x19a kernel/locking/rwsem.c:1577
+ blk_mq_update_nr_hw_queues+0x3e/0xb86 block/blk-mq.c:5041
+ nbd_start_device+0x140/0xb2c drivers/block/nbd.c:1476
+ nbd_genl_connect+0xae0/0x1b24 drivers/block/nbd.c:2201
+ genl_family_rcv_msg_doit+0x206/0x2e6 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x514/0x78e net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x206/0x3be net/netlink/af_netlink.c:2534
+ genl_rcv+0x36/0x4c net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
+ netlink_unicast+0x4f0/0x82c net/netlink/af_netlink.c:1339
+ netlink_sendmsg+0x85e/0xdd6 net/netlink/af_netlink.c:1883
+ sock_sendmsg_nosec net/socket.c:712 [inline]
+ __sock_sendmsg+0xcc/0x160 net/socket.c:727
+ ____sys_sendmsg+0x63e/0x79c net/socket.c:2566
+ ___sys_sendmsg+0x144/0x1e6 net/socket.c:2620
+ __sys_sendmsg+0x188/0x246 net/socket.c:2652
+ __do_sys_sendmsg net/socket.c:2657 [inline]
+ __se_sys_sendmsg net/socket.c:2655 [inline]
+ __riscv_sys_sendmsg+0x70/0xa2 net/socket.c:2655
+ syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:112
+ do_trap_ecall_u+0x396/0x530 arch/riscv/kernel/traps.c:341
+ handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
+
+-> #0 (&nbd->config_lock){+.+.}-{4:4}:
+ check_noncircular+0x132/0x146 kernel/locking/lockdep.c:2178
+ check_prev_add kernel/locking/lockdep.c:3168 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3287 [inline]
+ validate_chain kernel/locking/lockdep.c:3911 [inline]
+ __lock_acquire+0x12b2/0x24ea kernel/locking/lockdep.c:5240
+ lock_acquire kernel/locking/lockdep.c:5871 [inline]
+ lock_acquire+0x1ac/0x448 kernel/locking/lockdep.c:5828
+ __mutex_lock_common kernel/locking/mutex.c:602 [inline]
+ __mutex_lock+0x166/0x1292 kernel/locking/mutex.c:747
+ mutex_lock_nested+0x14/0x1c kernel/locking/mutex.c:799
+ refcount_dec_and_mutex_lock+0x60/0xd8 lib/refcount.c:118
+ nbd_config_put+0x3a/0x610 drivers/block/nbd.c:1423
+ nbd_release+0x94/0x15c drivers/block/nbd.c:1735
+ blkdev_put_whole+0xac/0xee block/bdev.c:721
+ bdev_release+0x3fe/0x600 block/bdev.c:1144
+ blkdev_release+0x1a/0x26 block/fops.c:684
+ __fput+0x382/0xa8c fs/file_table.c:465
+ ____fput+0x1c/0x26 fs/file_table.c:493
+ task_work_run+0x16a/0x25e kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0x118/0x134 kernel/entry/common.c:114
+ exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
+ do_trap_ecall_u+0x3f0/0x530 arch/riscv/kernel/traps.c:355
+ handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
+
+Also it isn't necessary to require nbd->config_lock, because
+blk_mq_update_nr_hw_queues() does grab tagset lock for sync everything.
+
+Fixes the issue by releasing ->config_lock & retry in case of concurrent
+updating nr_hw_queues.
+
+Fixes: 98e68f67020c ("block: prevent adding/deleting disk during updating nr_hw_queues")
+Reported-by: syzbot+2bcecf3c38cb3e8fdc8d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6855034f.a00a0220.137b3.0031.GAE@google.com
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Cc: Nilay Shroff <nilay@linux.ibm.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Nilay Shroff <nilay@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250709111744.2353050-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 2592bd19ebc1..6463d0e8d0ce 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1473,7 +1473,17 @@ static int nbd_start_device(struct nbd_device *nbd)
+ return -EINVAL;
+ }
+
+- blk_mq_update_nr_hw_queues(&nbd->tag_set, config->num_connections);
++retry:
++ mutex_unlock(&nbd->config_lock);
++ blk_mq_update_nr_hw_queues(&nbd->tag_set, num_connections);
++ mutex_lock(&nbd->config_lock);
++
++ /* if another code path updated nr_hw_queues, retry until succeed */
++ if (num_connections != config->num_connections) {
++ num_connections = config->num_connections;
++ goto retry;
++ }
++
+ nbd->pid = task_pid_nr(current);
+
+ nbd_parse_flags(nbd);
+--
+2.39.5
+
--- /dev/null
+From de56748b1693f9514be126332eefb2e1734f7d9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 19:53:59 +0000
+Subject: neighbour: Fix null-ptr-deref in neigh_flush_dev().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 1bbb76a899486827394530916f01214d049931b3 ]
+
+kernel test robot reported null-ptr-deref in neigh_flush_dev(). [0]
+
+The cited commit introduced per-netdev neighbour list and converted
+neigh_flush_dev() to use it instead of the global hash table.
+
+One thing we missed is that neigh_table_clear() calls neigh_ifdown()
+with NULL dev.
+
+Let's restore the hash table iteration.
+
+Note that IPv6 module is no longer unloadable, so neigh_table_clear()
+is called only when IPv6 fails to initialise, which is unlikely to
+happen.
+
+[0]:
+IPv6: Attempt to unregister permanent protocol 136
+IPv6: Attempt to unregister permanent protocol 17
+Oops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07]
+CPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.12.0-rc6-01246-gf7f52738637f #1
+Tainted: [T]=RANDSTRUCT
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+RIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570
+Code: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f
+RSP: 0000:ffff88810026f408 EFLAGS: 00010206
+RAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640
+RBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000
+FS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ __neigh_ifdown.llvm.6395807810224103582+0x44/0x390
+ neigh_table_clear+0xb1/0x268
+ ndisc_cleanup+0x21/0x38 [ipv6]
+ init_module+0x2f5/0x468 [ipv6]
+ do_one_initcall+0x1ba/0x628
+ do_init_module+0x21a/0x530
+ load_module+0x2550/0x2ea0
+ __se_sys_finit_module+0x3d2/0x620
+ __x64_sys_finit_module+0x76/0x88
+ x64_sys_call+0x7ff/0xde8
+ do_syscall_64+0xfb/0x1e8
+ entry_SYSCALL_64_after_hwframe+0x67/0x6f
+RIP: 0033:0x7f575d6f2719
+Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48
+RSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719
+RDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004
+RBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00
+R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000
+R13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270
+ </TASK>
+Modules linked in: ipv6(+)
+
+Fixes: f7f52738637f4 ("neighbour: Create netdev->neighbour association")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202507200931.7a89ecd8-lkp@intel.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250723195443.448163-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/neighbour.c | 88 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 61 insertions(+), 27 deletions(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 49dce9a82295..a8dc72eda202 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -368,6 +368,43 @@ static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net,
+ }
+ }
+
++static void neigh_flush_one(struct neighbour *n)
++{
++ hlist_del_rcu(&n->hash);
++ hlist_del_rcu(&n->dev_list);
++
++ write_lock(&n->lock);
++
++ neigh_del_timer(n);
++ neigh_mark_dead(n);
++
++ if (refcount_read(&n->refcnt) != 1) {
++ /* The most unpleasant situation.
++ * We must destroy neighbour entry,
++ * but someone still uses it.
++ *
++ * The destroy will be delayed until
++ * the last user releases us, but
++ * we must kill timers etc. and move
++ * it to safe state.
++ */
++ __skb_queue_purge(&n->arp_queue);
++ n->arp_queue_len_bytes = 0;
++ WRITE_ONCE(n->output, neigh_blackhole);
++
++ if (n->nud_state & NUD_VALID)
++ n->nud_state = NUD_NOARP;
++ else
++ n->nud_state = NUD_NONE;
++
++ neigh_dbg(2, "neigh %p is stray\n", n);
++ }
++
++ write_unlock(&n->lock);
++
++ neigh_cleanup_and_release(n);
++}
++
+ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev,
+ bool skip_perm)
+ {
+@@ -381,32 +418,24 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev,
+ if (skip_perm && n->nud_state & NUD_PERMANENT)
+ continue;
+
+- hlist_del_rcu(&n->hash);
+- hlist_del_rcu(&n->dev_list);
+- write_lock(&n->lock);
+- neigh_del_timer(n);
+- neigh_mark_dead(n);
+- if (refcount_read(&n->refcnt) != 1) {
+- /* The most unpleasant situation.
+- * We must destroy neighbour entry,
+- * but someone still uses it.
+- *
+- * The destroy will be delayed until
+- * the last user releases us, but
+- * we must kill timers etc. and move
+- * it to safe state.
+- */
+- __skb_queue_purge(&n->arp_queue);
+- n->arp_queue_len_bytes = 0;
+- WRITE_ONCE(n->output, neigh_blackhole);
+- if (n->nud_state & NUD_VALID)
+- n->nud_state = NUD_NOARP;
+- else
+- n->nud_state = NUD_NONE;
+- neigh_dbg(2, "neigh %p is stray\n", n);
+- }
+- write_unlock(&n->lock);
+- neigh_cleanup_and_release(n);
++ neigh_flush_one(n);
++ }
++}
++
++static void neigh_flush_table(struct neigh_table *tbl)
++{
++ struct neigh_hash_table *nht;
++ int i;
++
++ nht = rcu_dereference_protected(tbl->nht,
++ lockdep_is_held(&tbl->lock));
++
++ for (i = 0; i < (1 << nht->hash_shift); i++) {
++ struct hlist_node *tmp;
++ struct neighbour *n;
++
++ neigh_for_each_in_bucket_safe(n, tmp, &nht->hash_heads[i])
++ neigh_flush_one(n);
+ }
+ }
+
+@@ -422,7 +451,12 @@ static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
+ bool skip_perm)
+ {
+ write_lock_bh(&tbl->lock);
+- neigh_flush_dev(tbl, dev, skip_perm);
++ if (likely(dev)) {
++ neigh_flush_dev(tbl, dev, skip_perm);
++ } else {
++ DEBUG_NET_WARN_ON_ONCE(skip_perm);
++ neigh_flush_table(tbl);
++ }
+ pneigh_ifdown_and_unlock(tbl, dev);
+ pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL,
+ tbl->family);
+--
+2.39.5
+
--- /dev/null
+From 662b3908ded2f7d0fd207500ba05549386a192e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:30:00 +0000
+Subject: net: annotate races around sk->sk_uid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e84a4927a404f369c842c19de93b216627fcc690 ]
+
+sk->sk_uid can be read while another thread changes its
+value in sockfs_setattr().
+
+Add sk_uid(const struct sock *sk) helper to factorize the needed
+READ_ONCE() annotations, and add corresponding WRITE_ONCE()
+where needed.
+
+Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+Link: https://patch.msgid.link/20250620133001.4090592-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/route.h | 4 ++--
+ include/net/sock.h | 12 ++++++++++--
+ net/ipv4/inet_connection_sock.c | 4 ++--
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 2 +-
+ net/ipv4/route.c | 3 ++-
+ net/ipv4/syncookies.c | 3 ++-
+ net/ipv4/udp.c | 3 ++-
+ net/ipv6/af_inet6.c | 2 +-
+ net/ipv6/datagram.c | 2 +-
+ net/ipv6/inet6_connection_sock.c | 4 ++--
+ net/ipv6/ping.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ net/ipv6/route.c | 4 ++--
+ net/ipv6/syncookies.c | 2 +-
+ net/ipv6/tcp_ipv6.c | 2 +-
+ net/ipv6/udp.c | 5 +++--
+ net/l2tp/l2tp_ip6.c | 2 +-
+ net/mptcp/protocol.c | 2 +-
+ net/socket.c | 8 +++++---
+ 20 files changed, 42 insertions(+), 28 deletions(-)
+
+diff --git a/include/net/route.h b/include/net/route.h
+index 8e39aa822cf9..3d3d6048ffca 100644
+--- a/include/net/route.h
++++ b/include/net/route.h
+@@ -153,7 +153,7 @@ static inline void inet_sk_init_flowi4(const struct inet_sock *inet,
+ ip_sock_rt_tos(sk), ip_sock_rt_scope(sk),
+ sk->sk_protocol, inet_sk_flowi_flags(sk), daddr,
+ inet->inet_saddr, inet->inet_dport,
+- inet->inet_sport, sk->sk_uid);
++ inet->inet_sport, sk_uid(sk));
+ security_sk_classify_flow(sk, flowi4_to_flowi_common(fl4));
+ }
+
+@@ -331,7 +331,7 @@ static inline void ip_route_connect_init(struct flowi4 *fl4, __be32 dst,
+
+ flowi4_init_output(fl4, oif, READ_ONCE(sk->sk_mark), ip_sock_rt_tos(sk),
+ ip_sock_rt_scope(sk), protocol, flow_flags, dst,
+- src, dport, sport, sk->sk_uid);
++ src, dport, sport, sk_uid(sk));
+ }
+
+ static inline struct rtable *ip_route_connect(struct flowi4 *fl4, __be32 dst,
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 4c37015b7cf7..e3ab20345685 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2076,6 +2076,7 @@ static inline void sock_orphan(struct sock *sk)
+ sock_set_flag(sk, SOCK_DEAD);
+ sk_set_socket(sk, NULL);
+ sk->sk_wq = NULL;
++ /* Note: sk_uid is unchanged. */
+ write_unlock_bh(&sk->sk_callback_lock);
+ }
+
+@@ -2086,18 +2087,25 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
+ rcu_assign_pointer(sk->sk_wq, &parent->wq);
+ parent->sk = sk;
+ sk_set_socket(sk, parent);
+- sk->sk_uid = SOCK_INODE(parent)->i_uid;
++ WRITE_ONCE(sk->sk_uid, SOCK_INODE(parent)->i_uid);
+ security_sock_graft(sk, parent);
+ write_unlock_bh(&sk->sk_callback_lock);
+ }
+
+ kuid_t sock_i_uid(struct sock *sk);
++
++static inline kuid_t sk_uid(const struct sock *sk)
++{
++ /* Paired with WRITE_ONCE() in sockfs_setattr() */
++ return READ_ONCE(sk->sk_uid);
++}
++
+ unsigned long __sock_i_ino(struct sock *sk);
+ unsigned long sock_i_ino(struct sock *sk);
+
+ static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk)
+ {
+- return sk ? sk->sk_uid : make_kuid(net->user_ns, 0);
++ return sk ? sk_uid(sk) : make_kuid(net->user_ns, 0);
+ }
+
+ static inline u32 net_tx_rndhash(void)
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 6906bedad19a..46750c96d08e 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -812,7 +812,7 @@ struct dst_entry *inet_csk_route_req(const struct sock *sk,
+ sk->sk_protocol, inet_sk_flowi_flags(sk),
+ (opt && opt->opt.srr) ? opt->opt.faddr : ireq->ir_rmt_addr,
+ ireq->ir_loc_addr, ireq->ir_rmt_port,
+- htons(ireq->ir_num), sk->sk_uid);
++ htons(ireq->ir_num), sk_uid(sk));
+ security_req_classify_flow(req, flowi4_to_flowi_common(fl4));
+ rt = ip_route_output_flow(net, fl4, sk);
+ if (IS_ERR(rt))
+@@ -849,7 +849,7 @@ struct dst_entry *inet_csk_route_child_sock(const struct sock *sk,
+ sk->sk_protocol, inet_sk_flowi_flags(sk),
+ (opt && opt->opt.srr) ? opt->opt.faddr : ireq->ir_rmt_addr,
+ ireq->ir_loc_addr, ireq->ir_rmt_port,
+- htons(ireq->ir_num), sk->sk_uid);
++ htons(ireq->ir_num), sk_uid(sk));
+ security_req_classify_flow(req, flowi4_to_flowi_common(fl4));
+ rt = ip_route_output_flow(net, fl4, sk);
+ if (IS_ERR(rt))
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index c14baa6589c7..4eacaf00e2e9 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -781,7 +781,7 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ flowi4_init_output(&fl4, ipc.oif, ipc.sockc.mark,
+ ipc.tos & INET_DSCP_MASK, scope,
+ sk->sk_protocol, inet_sk_flowi_flags(sk), faddr,
+- saddr, 0, 0, sk->sk_uid);
++ saddr, 0, 0, sk_uid(sk));
+
+ fl4.fl4_icmp_type = user_icmph.type;
+ fl4.fl4_icmp_code = user_icmph.code;
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 6aace4d55733..32f942d0f944 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -610,7 +610,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ hdrincl ? ipc.protocol : sk->sk_protocol,
+ inet_sk_flowi_flags(sk) |
+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+- daddr, saddr, 0, 0, sk->sk_uid);
++ daddr, saddr, 0, 0, sk_uid(sk));
+
+ fl4.fl4_icmp_type = 0;
+ fl4.fl4_icmp_code = 0;
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index fccb05fb3a79..64ac20c27f1b 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -556,7 +556,8 @@ static void build_sk_flow_key(struct flowi4 *fl4, const struct sock *sk)
+ inet_test_bit(HDRINCL, sk) ?
+ IPPROTO_RAW : sk->sk_protocol,
+ inet_sk_flowi_flags(sk),
+- daddr, inet->inet_saddr, 0, 0, sk->sk_uid);
++ daddr, inet->inet_saddr, 0, 0,
++ sk_uid(sk));
+ rcu_read_unlock();
+ }
+
+diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
+index 5459a78b9809..eb0819463fae 100644
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -454,7 +454,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
+ ip_sock_rt_tos(sk), ip_sock_rt_scope(sk),
+ IPPROTO_TCP, inet_sk_flowi_flags(sk),
+ opt->srr ? opt->faddr : ireq->ir_rmt_addr,
+- ireq->ir_loc_addr, th->source, th->dest, sk->sk_uid);
++ ireq->ir_loc_addr, th->source, th->dest,
++ sk_uid(sk));
+ security_req_classify_flow(req, flowi4_to_flowi_common(&fl4));
+ rt = ip_route_output_key(net, &fl4);
+ if (IS_ERR(rt)) {
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index dde52b8050b8..f94bb222aa2d 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1445,7 +1445,8 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ flowi4_init_output(fl4, ipc.oif, ipc.sockc.mark,
+ ipc.tos & INET_DSCP_MASK, scope,
+ sk->sk_protocol, flow_flags, faddr, saddr,
+- dport, inet->inet_sport, sk->sk_uid);
++ dport, inet->inet_sport,
++ sk_uid(sk));
+
+ security_sk_classify_flow(sk, flowi4_to_flowi_common(fl4));
+ rt = ip_route_output_flow(net, fl4, sk);
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index acaff1296783..1992621e3f3f 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -842,7 +842,7 @@ int inet6_sk_rebuild_header(struct sock *sk)
+ fl6.flowi6_mark = sk->sk_mark;
+ fl6.fl6_dport = inet->inet_dport;
+ fl6.fl6_sport = inet->inet_sport;
+- fl6.flowi6_uid = sk->sk_uid;
++ fl6.flowi6_uid = sk_uid(sk);
+ security_sk_classify_flow(sk, flowi6_to_flowi_common(&fl6));
+
+ rcu_read_lock();
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index fff78496803d..83f5aa5e133a 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -53,7 +53,7 @@ static void ip6_datagram_flow_key_init(struct flowi6 *fl6,
+ fl6->fl6_dport = inet->inet_dport;
+ fl6->fl6_sport = inet->inet_sport;
+ fl6->flowlabel = ip6_make_flowinfo(np->tclass, np->flow_label);
+- fl6->flowi6_uid = sk->sk_uid;
++ fl6->flowi6_uid = sk_uid(sk);
+
+ if (!oif)
+ oif = np->sticky_pktinfo.ipi6_ifindex;
+diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
+index 8f500eaf33cf..333e43434dd7 100644
+--- a/net/ipv6/inet6_connection_sock.c
++++ b/net/ipv6/inet6_connection_sock.c
+@@ -45,7 +45,7 @@ struct dst_entry *inet6_csk_route_req(const struct sock *sk,
+ fl6->flowi6_mark = ireq->ir_mark;
+ fl6->fl6_dport = ireq->ir_rmt_port;
+ fl6->fl6_sport = htons(ireq->ir_num);
+- fl6->flowi6_uid = sk->sk_uid;
++ fl6->flowi6_uid = sk_uid(sk);
+ security_req_classify_flow(req, flowi6_to_flowi_common(fl6));
+
+ dst = ip6_dst_lookup_flow(sock_net(sk), sk, fl6, final_p);
+@@ -79,7 +79,7 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk,
+ fl6->flowi6_mark = sk->sk_mark;
+ fl6->fl6_sport = inet->inet_sport;
+ fl6->fl6_dport = inet->inet_dport;
+- fl6->flowi6_uid = sk->sk_uid;
++ fl6->flowi6_uid = sk_uid(sk);
+ security_sk_classify_flow(sk, flowi6_to_flowi_common(fl6));
+
+ rcu_read_lock();
+diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
+index 84d90dd8b3f0..82b0492923d4 100644
+--- a/net/ipv6/ping.c
++++ b/net/ipv6/ping.c
+@@ -142,7 +142,7 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ fl6.saddr = np->saddr;
+ fl6.daddr = *daddr;
+ fl6.flowi6_mark = ipc6.sockc.mark;
+- fl6.flowi6_uid = sk->sk_uid;
++ fl6.flowi6_uid = sk_uid(sk);
+ fl6.fl6_icmp_type = user_icmph.icmp6_type;
+ fl6.fl6_icmp_code = user_icmph.icmp6_code;
+ security_sk_classify_flow(sk, flowi6_to_flowi_common(&fl6));
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+index fda640ebd53f..4c3f8245c40f 100644
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -777,7 +777,7 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ memset(&fl6, 0, sizeof(fl6));
+
+ fl6.flowi6_mark = ipc6.sockc.mark;
+- fl6.flowi6_uid = sk->sk_uid;
++ fl6.flowi6_uid = sk_uid(sk);
+
+ if (sin6) {
+ if (addr_len < SIN6_LEN_RFC2133)
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 79c8f1acf8a3..7b9e49be7164 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3010,7 +3010,7 @@ void ip6_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, __be32 mtu)
+ oif = l3mdev_master_ifindex(skb->dev);
+
+ ip6_update_pmtu(skb, sock_net(sk), mtu, oif, READ_ONCE(sk->sk_mark),
+- sk->sk_uid);
++ sk_uid(sk));
+
+ dst = __sk_dst_get(sk);
+ if (!dst || !dst->obsolete ||
+@@ -3232,7 +3232,7 @@ void ip6_redirect_no_header(struct sk_buff *skb, struct net *net, int oif)
+ void ip6_sk_redirect(struct sk_buff *skb, struct sock *sk)
+ {
+ ip6_redirect(skb, sock_net(sk), sk->sk_bound_dev_if,
+- READ_ONCE(sk->sk_mark), sk->sk_uid);
++ READ_ONCE(sk->sk_mark), sk_uid(sk));
+ }
+ EXPORT_SYMBOL_GPL(ip6_sk_redirect);
+
+diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
+index 9d83eadd308b..f0ee1a909771 100644
+--- a/net/ipv6/syncookies.c
++++ b/net/ipv6/syncookies.c
+@@ -236,7 +236,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
+ fl6.flowi6_mark = ireq->ir_mark;
+ fl6.fl6_dport = ireq->ir_rmt_port;
+ fl6.fl6_sport = inet_sk(sk)->inet_sport;
+- fl6.flowi6_uid = sk->sk_uid;
++ fl6.flowi6_uid = sk_uid(sk);
+ security_req_classify_flow(req, flowi6_to_flowi_common(&fl6));
+
+ dst = ip6_dst_lookup_flow(net, sk, &fl6, final_p);
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index e8e68a142649..f61b0396ef6b 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -269,7 +269,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
+ fl6.fl6_sport = inet->inet_sport;
+ if (IS_ENABLED(CONFIG_IP_ROUTE_MULTIPATH) && !fl6.fl6_sport)
+ fl6.flowi6_flags = FLOWI_FLAG_ANY_SPORT;
+- fl6.flowi6_uid = sk->sk_uid;
++ fl6.flowi6_uid = sk_uid(sk);
+
+ opt = rcu_dereference_protected(np->opt, lockdep_sock_is_held(sk));
+ final_p = fl6_update_dst(&fl6, opt, &final);
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 7317f8e053f1..ebb95d8bc681 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -750,7 +750,8 @@ int __udp6_lib_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+ if (type == NDISC_REDIRECT) {
+ if (tunnel) {
+ ip6_redirect(skb, sock_net(sk), inet6_iif(skb),
+- READ_ONCE(sk->sk_mark), sk->sk_uid);
++ READ_ONCE(sk->sk_mark),
++ sk_uid(sk));
+ } else {
+ ip6_sk_redirect(skb, sk);
+ }
+@@ -1620,7 +1621,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ if (!fl6->flowi6_oif)
+ fl6->flowi6_oif = np->sticky_pktinfo.ipi6_ifindex;
+
+- fl6->flowi6_uid = sk->sk_uid;
++ fl6->flowi6_uid = sk_uid(sk);
+
+ if (msg->msg_controllen) {
+ opt = &opt_space;
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index b98d13584c81..ea232f338dcb 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -545,7 +545,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ memset(&fl6, 0, sizeof(fl6));
+
+ fl6.flowi6_mark = READ_ONCE(sk->sk_mark);
+- fl6.flowi6_uid = sk->sk_uid;
++ fl6.flowi6_uid = sk_uid(sk);
+
+ ipcm6_init_sk(&ipc6, sk);
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 6a817a13b154..76cb699885b3 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -3537,7 +3537,7 @@ void mptcp_sock_graft(struct sock *sk, struct socket *parent)
+ write_lock_bh(&sk->sk_callback_lock);
+ rcu_assign_pointer(sk->sk_wq, &parent->wq);
+ sk_set_socket(sk, parent);
+- sk->sk_uid = SOCK_INODE(parent)->i_uid;
++ WRITE_ONCE(sk->sk_uid, SOCK_INODE(parent)->i_uid);
+ write_unlock_bh(&sk->sk_callback_lock);
+ }
+
+diff --git a/net/socket.c b/net/socket.c
+index 9a0e720f0859..c706601a4c16 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -592,10 +592,12 @@ static int sockfs_setattr(struct mnt_idmap *idmap,
+ if (!err && (iattr->ia_valid & ATTR_UID)) {
+ struct socket *sock = SOCKET_I(d_inode(dentry));
+
+- if (sock->sk)
+- sock->sk->sk_uid = iattr->ia_uid;
+- else
++ if (sock->sk) {
++ /* Paired with READ_ONCE() in sk_uid() */
++ WRITE_ONCE(sock->sk->sk_uid, iattr->ia_uid);
++ } else {
+ err = -ENOENT;
++ }
+ }
+
+ return err;
+--
+2.39.5
+
--- /dev/null
+From 87b4d703d912609bce2cda462982de83cc35770c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 17:20:43 +0000
+Subject: net, bpf: Fix RCU usage in task_cls_state() for BPF programs
+
+From: Charalampos Mitrodimas <charmitro@posteo.net>
+
+[ Upstream commit 7f12c33850482521c961c5c15a50ebe9b9a88d1e ]
+
+The commit ee971630f20f ("bpf: Allow some trace helpers for all prog
+types") made bpf_get_cgroup_classid_curr helper available to all BPF
+program types, not just networking programs.
+
+This helper calls __task_get_classid() which internally calls
+task_cls_state() requiring rcu_read_lock_bh_held(). This works
+in networking/tc context where RCU BH is held, but triggers an RCU
+warning when called from other contexts like BPF syscall programs
+that run under rcu_read_lock_trace():
+
+ WARNING: suspicious RCU usage
+ 6.15.0-rc4-syzkaller-g079e5c56a5c4 #0 Not tainted
+ -----------------------------
+ net/core/netclassid_cgroup.c:24 suspicious rcu_dereference_check() usage!
+
+Fix this by also accepting rcu_read_lock_held() and
+rcu_read_lock_trace_held() as valid RCU contexts in the
+task_cls_state() function. This ensures the helper works correctly
+in all needed RCU contexts where it might be called, regular RCU,
+RCU BH (for networking), and RCU trace (for BPF syscall programs).
+
+Fixes: ee971630f20f ("bpf: Allow some trace helpers for all prog types")
+Reported-by: syzbot+b4169a1cfb945d2ed0ec@syzkaller.appspotmail.com
+Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20250611-rcu-fix-task_cls_state-v3-1-3d30e1de753f@posteo.net
+Closes: https://syzkaller.appspot.com/bug?extid=b4169a1cfb945d2ed0ec
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/netclassid_cgroup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/netclassid_cgroup.c b/net/core/netclassid_cgroup.c
+index d22f0919821e..dff66d8fb325 100644
+--- a/net/core/netclassid_cgroup.c
++++ b/net/core/netclassid_cgroup.c
+@@ -21,7 +21,9 @@ static inline struct cgroup_cls_state *css_cls_state(struct cgroup_subsys_state
+ struct cgroup_cls_state *task_cls_state(struct task_struct *p)
+ {
+ return css_cls_state(task_css_check(p, net_cls_cgrp_id,
+- rcu_read_lock_bh_held()));
++ rcu_read_lock_held() ||
++ rcu_read_lock_bh_held() ||
++ rcu_read_lock_trace_held()));
+ }
+ EXPORT_SYMBOL_GPL(task_cls_state);
+
+--
+2.39.5
+
--- /dev/null
+From 6b965109f1ecc92e61337b5987b14bc72f18f968 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 20:04:03 -0700
+Subject: net: dsa: microchip: Fix wrong rx drop MIB counter for KSZ8863
+
+From: Tristram Ha <tristram.ha@microchip.com>
+
+[ Upstream commit 165a7f5db919ab68a45ae755cceb751e067273ef ]
+
+When KSZ8863 support was first added to KSZ driver the RX drop MIB
+counter was somehow defined as 0x105. The TX drop MIB counter
+starts at 0x100 for port 1, 0x101 for port 2, and 0x102 for port 3, so
+the RX drop MIB counter should start at 0x103 for port 1, 0x104 for
+port 2, and 0x105 for port 3.
+
+There are 5 ports for KSZ8895, so its RX drop MIB counter starts at
+0x105.
+
+Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips")
+Signed-off-by: Tristram Ha <tristram.ha@microchip.com>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20250723030403.56878-1-Tristram.Ha@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8.c | 3 +++
+ drivers/net/dsa/microchip/ksz8_reg.h | 4 +++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz8.c b/drivers/net/dsa/microchip/ksz8.c
+index be433b4e2b1c..8f55be89f8bf 100644
+--- a/drivers/net/dsa/microchip/ksz8.c
++++ b/drivers/net/dsa/microchip/ksz8.c
+@@ -371,6 +371,9 @@ static void ksz8863_r_mib_pkt(struct ksz_device *dev, int port, u16 addr,
+ addr -= dev->info->reg_mib_cnt;
+ ctrl_addr = addr ? KSZ8863_MIB_PACKET_DROPPED_TX_0 :
+ KSZ8863_MIB_PACKET_DROPPED_RX_0;
++ if (ksz_is_8895_family(dev) &&
++ ctrl_addr == KSZ8863_MIB_PACKET_DROPPED_RX_0)
++ ctrl_addr = KSZ8895_MIB_PACKET_DROPPED_RX_0;
+ ctrl_addr += port;
+ ctrl_addr |= IND_ACC_TABLE(TABLE_MIB | TABLE_READ);
+
+diff --git a/drivers/net/dsa/microchip/ksz8_reg.h b/drivers/net/dsa/microchip/ksz8_reg.h
+index 329688603a58..da80e659c648 100644
+--- a/drivers/net/dsa/microchip/ksz8_reg.h
++++ b/drivers/net/dsa/microchip/ksz8_reg.h
+@@ -784,7 +784,9 @@
+ #define KSZ8795_MIB_TOTAL_TX_1 0x105
+
+ #define KSZ8863_MIB_PACKET_DROPPED_TX_0 0x100
+-#define KSZ8863_MIB_PACKET_DROPPED_RX_0 0x105
++#define KSZ8863_MIB_PACKET_DROPPED_RX_0 0x103
++
++#define KSZ8895_MIB_PACKET_DROPPED_RX_0 0x105
+
+ #define MIB_PACKET_DROPPED 0x0000FFFF
+
+--
+2.39.5
+
--- /dev/null
+From 082b9bdcb1367fccfbcbec2b5921477cc6f884af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 12:19:30 +0000
+Subject: net: dst: add four helpers to annotate data-races around dst->dev
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 88fe14253e181878c2ddb51a298ae8c468a63010 ]
+
+dst->dev is read locklessly in many contexts,
+and written in dst_dev_put().
+
+Fixing all the races is going to need many changes.
+
+We probably will have to add full RCU protection.
+
+Add three helpers to ease this painful process.
+
+static inline struct net_device *dst_dev(const struct dst_entry *dst)
+{
+ return READ_ONCE(dst->dev);
+}
+
+static inline struct net_device *skb_dst_dev(const struct sk_buff *skb)
+{
+ return dst_dev(skb_dst(skb));
+}
+
+static inline struct net *skb_dst_dev_net(const struct sk_buff *skb)
+{
+ return dev_net(skb_dst_dev(skb));
+}
+
+static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb)
+{
+ return dev_net_rcu(skb_dst_dev(skb));
+}
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250630121934.3399505-7-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/dst.h | 20 ++++++++++++++++++++
+ net/core/dst.c | 4 ++--
+ net/core/sock.c | 8 ++++----
+ 3 files changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/dst.h b/include/net/dst.h
+index 2caf85e2ce86..32dafbab4cd0 100644
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -561,6 +561,26 @@ static inline void skb_dst_update_pmtu_no_confirm(struct sk_buff *skb, u32 mtu)
+ dst->ops->update_pmtu(dst, NULL, skb, mtu, false);
+ }
+
++static inline struct net_device *dst_dev(const struct dst_entry *dst)
++{
++ return READ_ONCE(dst->dev);
++}
++
++static inline struct net_device *skb_dst_dev(const struct sk_buff *skb)
++{
++ return dst_dev(skb_dst(skb));
++}
++
++static inline struct net *skb_dst_dev_net(const struct sk_buff *skb)
++{
++ return dev_net(skb_dst_dev(skb));
++}
++
++static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb)
++{
++ return dev_net_rcu(skb_dst_dev(skb));
++}
++
+ struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie);
+ void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk,
+ struct sk_buff *skb, u32 mtu, bool confirm_neigh);
+diff --git a/net/core/dst.c b/net/core/dst.c
+index e483daf17666..b3a12c7c08af 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -150,7 +150,7 @@ void dst_dev_put(struct dst_entry *dst)
+ dst->ops->ifdown(dst, dev);
+ WRITE_ONCE(dst->input, dst_discard);
+ WRITE_ONCE(dst->output, dst_discard_out);
+- dst->dev = blackhole_netdev;
++ WRITE_ONCE(dst->dev, blackhole_netdev);
+ netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker,
+ GFP_ATOMIC);
+ }
+@@ -263,7 +263,7 @@ unsigned int dst_blackhole_mtu(const struct dst_entry *dst)
+ {
+ unsigned int mtu = dst_metric_raw(dst, RTAX_MTU);
+
+- return mtu ? : dst->dev->mtu;
++ return mtu ? : dst_dev(dst)->mtu;
+ }
+ EXPORT_SYMBOL_GPL(dst_blackhole_mtu);
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 3b409bc8ef6d..9fae9239f939 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2602,8 +2602,8 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst)
+ !ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr));
+ #endif
+ /* pairs with the WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */
+- max_size = is_ipv6 ? READ_ONCE(dst->dev->gso_max_size) :
+- READ_ONCE(dst->dev->gso_ipv4_max_size);
++ max_size = is_ipv6 ? READ_ONCE(dst_dev(dst)->gso_max_size) :
++ READ_ONCE(dst_dev(dst)->gso_ipv4_max_size);
+ if (max_size > GSO_LEGACY_MAX_SIZE && !sk_is_tcp(sk))
+ max_size = GSO_LEGACY_MAX_SIZE;
+
+@@ -2614,7 +2614,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
+ {
+ u32 max_segs = 1;
+
+- sk->sk_route_caps = dst->dev->features;
++ sk->sk_route_caps = dst_dev(dst)->features;
+ if (sk_is_tcp(sk)) {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+
+@@ -2632,7 +2632,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
+ sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM;
+ sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst);
+ /* pairs with the WRITE_ONCE() in netif_set_gso_max_segs() */
+- max_segs = max_t(u32, READ_ONCE(dst->dev->gso_max_segs), 1);
++ max_segs = max_t(u32, READ_ONCE(dst_dev(dst)->gso_max_segs), 1);
+ }
+ }
+ sk->sk_gso_max_segs = max_segs;
+--
+2.39.5
+
--- /dev/null
+From a5885e8ee81a5a4dab2f03cc94b6628b0e83adb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 12:19:28 +0000
+Subject: net: dst: annotate data-races around dst->input
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f1c5fd34891a1c242885f48c2e4dc52df180f311 ]
+
+dst_dev_put() can overwrite dst->input while other
+cpus might read this field (for instance from dst_input())
+
+Add READ_ONCE()/WRITE_ONCE() annotations to suppress
+potential issues.
+
+We will likely need full RCU protection later.
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250630121934.3399505-5-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/dst.h | 2 +-
+ include/net/lwtunnel.h | 4 ++--
+ net/core/dst.c | 2 +-
+ net/ipv4/route.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/dst.h b/include/net/dst.h
+index 78c78cdce0e9..65d81116d6bf 100644
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -466,7 +466,7 @@ INDIRECT_CALLABLE_DECLARE(int ip_local_deliver(struct sk_buff *));
+ /* Input packet from network to transport. */
+ static inline int dst_input(struct sk_buff *skb)
+ {
+- return INDIRECT_CALL_INET(skb_dst(skb)->input,
++ return INDIRECT_CALL_INET(READ_ONCE(skb_dst(skb)->input),
+ ip6_input, ip_local_deliver, skb);
+ }
+
+diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h
+index c306ebe379a0..eaac07d50595 100644
+--- a/include/net/lwtunnel.h
++++ b/include/net/lwtunnel.h
+@@ -142,8 +142,8 @@ static inline void lwtunnel_set_redirect(struct dst_entry *dst)
+ dst->output = lwtunnel_output;
+ }
+ if (lwtunnel_input_redirect(dst->lwtstate)) {
+- dst->lwtstate->orig_input = dst->input;
+- dst->input = lwtunnel_input;
++ dst->lwtstate->orig_input = READ_ONCE(dst->input);
++ WRITE_ONCE(dst->input, lwtunnel_input);
+ }
+ }
+ #else
+diff --git a/net/core/dst.c b/net/core/dst.c
+index 795ca07e28a4..b46f7722a1b6 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -148,7 +148,7 @@ void dst_dev_put(struct dst_entry *dst)
+ dst->obsolete = DST_OBSOLETE_DEAD;
+ if (dst->ops->ifdown)
+ dst->ops->ifdown(dst, dev);
+- dst->input = dst_discard;
++ WRITE_ONCE(dst->input, dst_discard);
+ dst->output = dst_discard_out;
+ dst->dev = blackhole_netdev;
+ netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker,
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 64ac20c27f1b..2cc88f8c3bc6 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1685,7 +1685,7 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt)
+ else if (rt->rt_gw_family == AF_INET6)
+ new_rt->rt_gw6 = rt->rt_gw6;
+
+- new_rt->dst.input = rt->dst.input;
++ new_rt->dst.input = READ_ONCE(rt->dst.input);
+ new_rt->dst.output = rt->dst.output;
+ new_rt->dst.error = rt->dst.error;
+ new_rt->dst.lastuse = jiffies;
+--
+2.39.5
+
--- /dev/null
+From 1dd9ff647ff3ddde4ee46c05edaf1ddebfaad243 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 12:19:29 +0000
+Subject: net: dst: annotate data-races around dst->output
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2dce8c52a98995c4719def6f88629ab1581c0b82 ]
+
+dst_dev_put() can overwrite dst->output while other
+cpus might read this field (for instance from dst_output())
+
+Add READ_ONCE()/WRITE_ONCE() annotations to suppress
+potential issues.
+
+We will likely need RCU protection in the future.
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250630121934.3399505-6-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/dst.h | 2 +-
+ include/net/lwtunnel.h | 4 ++--
+ net/core/dst.c | 2 +-
+ net/ipv4/route.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/dst.h b/include/net/dst.h
+index 65d81116d6bf..2caf85e2ce86 100644
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -456,7 +456,7 @@ INDIRECT_CALLABLE_DECLARE(int ip_output(struct net *, struct sock *,
+ /* Output packet to network from transport. */
+ static inline int dst_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+- return INDIRECT_CALL_INET(skb_dst(skb)->output,
++ return INDIRECT_CALL_INET(READ_ONCE(skb_dst(skb)->output),
+ ip6_output, ip_output,
+ net, sk, skb);
+ }
+diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h
+index eaac07d50595..26232f603e33 100644
+--- a/include/net/lwtunnel.h
++++ b/include/net/lwtunnel.h
+@@ -138,8 +138,8 @@ int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len,
+ static inline void lwtunnel_set_redirect(struct dst_entry *dst)
+ {
+ if (lwtunnel_output_redirect(dst->lwtstate)) {
+- dst->lwtstate->orig_output = dst->output;
+- dst->output = lwtunnel_output;
++ dst->lwtstate->orig_output = READ_ONCE(dst->output);
++ WRITE_ONCE(dst->output, lwtunnel_output);
+ }
+ if (lwtunnel_input_redirect(dst->lwtstate)) {
+ dst->lwtstate->orig_input = READ_ONCE(dst->input);
+diff --git a/net/core/dst.c b/net/core/dst.c
+index b46f7722a1b6..e483daf17666 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -149,7 +149,7 @@ void dst_dev_put(struct dst_entry *dst)
+ if (dst->ops->ifdown)
+ dst->ops->ifdown(dst, dev);
+ WRITE_ONCE(dst->input, dst_discard);
+- dst->output = dst_discard_out;
++ WRITE_ONCE(dst->output, dst_discard_out);
+ dst->dev = blackhole_netdev;
+ netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker,
+ GFP_ATOMIC);
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 2cc88f8c3bc6..bd5d48fdd62a 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1686,7 +1686,7 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt)
+ new_rt->rt_gw6 = rt->rt_gw6;
+
+ new_rt->dst.input = READ_ONCE(rt->dst.input);
+- new_rt->dst.output = rt->dst.output;
++ new_rt->dst.output = READ_ONCE(rt->dst.output);
+ new_rt->dst.error = rt->dst.error;
+ new_rt->dst.lastuse = jiffies;
+ new_rt->dst.lwtstate = lwtstate_get(rt->dst.lwtstate);
+--
+2.39.5
+
--- /dev/null
+From 35eb89881c3ace44e352de577db1dd89fb2dfaeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 00:44:15 +0200
+Subject: net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain
+
+From: Petr Machata <petrm@nvidia.com>
+
+[ Upstream commit 3365afd3abda5f6a54f4a822dad5c9314e94c3fc ]
+
+The netfilter hook is invoked with skb->dev for input netdevice, and
+vif_dev for output netdevice. However at the point of invocation, skb->dev
+is already set to vif_dev, and MR-forwarded packets are reported with
+in=out:
+
+ # ip6tables -A FORWARD -j LOG --log-prefix '[forw]'
+ # cd tools/testing/selftests/net/forwarding
+ # ./router_multicast.sh
+ # dmesg | fgrep '[forw]'
+ [ 1670.248245] [forw]IN=v5 OUT=v5 [...]
+
+For reference, IPv4 MR code shows in and out as appropriate.
+Fix by caching skb->dev and using the updated value for output netdev.
+
+Fixes: 7bc570c8b4f7 ("[IPV6] MROUTE: Support multicast forwarding.")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/3141ae8386fbe13fef4b793faa75e6bae58d798a.1750113335.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6mr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
+index 9db31e5b998c..426859cd3409 100644
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -2039,6 +2039,7 @@ static int ip6mr_forward2(struct net *net, struct mr_table *mrt,
+ struct sk_buff *skb, int vifi)
+ {
+ struct vif_device *vif = &mrt->vif_table[vifi];
++ struct net_device *indev = skb->dev;
+ struct net_device *vif_dev;
+ struct ipv6hdr *ipv6h;
+ struct dst_entry *dst;
+@@ -2101,7 +2102,7 @@ static int ip6mr_forward2(struct net *net, struct mr_table *mrt,
+ IP6CB(skb)->flags |= IP6SKB_FORWARDED;
+
+ return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD,
+- net, NULL, skb, skb->dev, vif_dev,
++ net, NULL, skb, indev, skb->dev,
+ ip6mr_forward2_finish);
+
+ out_free:
+--
+2.39.5
+
--- /dev/null
+From 6a281784a94a9f5110492d5242c06520506038f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 00:17:33 -0700
+Subject: net: mana: Fix potential deadlocks in mana napi ops
+
+From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
+
+[ Upstream commit d5c8f0e4e0cb0ac2a4a4e015f2f5b1ba39e5e583 ]
+
+When net_shaper_ops are enabled for MANA, netdev_ops_lock
+becomes active.
+
+MANA VF setup/teardown by netvsc follows this call chain:
+
+netvsc_vf_setup()
+ dev_change_flags()
+ ...
+ __dev_open() OR __dev_close()
+
+dev_change_flags() holds the netdev mutex via netdev_lock_ops.
+
+Meanwhile, mana_create_txq() and mana_create_rxq() in mana_open()
+path call NAPI APIs (netif_napi_add_tx(), netif_napi_add_weight(),
+napi_enable()), which also try to acquire the same lock, risking
+deadlock.
+
+Similarly in the teardown path (mana_close()), netif_napi_disable()
+and netif_napi_del(), contend for the same lock.
+
+Switch to the _locked variants of these APIs to avoid deadlocks
+when the netdev_ops_lock is held.
+
+Fixes: d4c22ec680c8 ("net: hold netdev instance lock during ndo_open/ndo_stop")
+Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Reviewed-by: Saurabh Singh Sengar <ssengar@linux.microsoft.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Link: https://patch.msgid.link/1750144656-2021-2-git-send-email-ernis@linux.microsoft.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 28 +++++++++++++------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
+index faad1cb880f8..2dd14d97cc98 100644
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -1912,8 +1912,10 @@ static void mana_destroy_txq(struct mana_port_context *apc)
+ napi = &apc->tx_qp[i].tx_cq.napi;
+ if (apc->tx_qp[i].txq.napi_initialized) {
+ napi_synchronize(napi);
+- napi_disable(napi);
+- netif_napi_del(napi);
++ netdev_lock_ops_to_full(napi->dev);
++ napi_disable_locked(napi);
++ netif_napi_del_locked(napi);
++ netdev_unlock_full_to_ops(napi->dev);
+ apc->tx_qp[i].txq.napi_initialized = false;
+ }
+ mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object);
+@@ -2065,8 +2067,11 @@ static int mana_create_txq(struct mana_port_context *apc,
+
+ mana_create_txq_debugfs(apc, i);
+
+- netif_napi_add_tx(net, &cq->napi, mana_poll);
+- napi_enable(&cq->napi);
++ set_bit(NAPI_STATE_NO_BUSY_POLL, &cq->napi.state);
++ netdev_lock_ops_to_full(net);
++ netif_napi_add_locked(net, &cq->napi, mana_poll);
++ napi_enable_locked(&cq->napi);
++ netdev_unlock_full_to_ops(net);
+ txq->napi_initialized = true;
+
+ mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT);
+@@ -2102,9 +2107,10 @@ static void mana_destroy_rxq(struct mana_port_context *apc,
+ if (napi_initialized) {
+ napi_synchronize(napi);
+
+- napi_disable(napi);
+-
+- netif_napi_del(napi);
++ netdev_lock_ops_to_full(napi->dev);
++ napi_disable_locked(napi);
++ netif_napi_del_locked(napi);
++ netdev_unlock_full_to_ops(napi->dev);
+ }
+ xdp_rxq_info_unreg(&rxq->xdp_rxq);
+
+@@ -2355,14 +2361,18 @@ static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc,
+
+ gc->cq_table[cq->gdma_id] = cq->gdma_cq;
+
+- netif_napi_add_weight(ndev, &cq->napi, mana_poll, 1);
++ netdev_lock_ops_to_full(ndev);
++ netif_napi_add_weight_locked(ndev, &cq->napi, mana_poll, 1);
++ netdev_unlock_full_to_ops(ndev);
+
+ WARN_ON(xdp_rxq_info_reg(&rxq->xdp_rxq, ndev, rxq_idx,
+ cq->napi.napi_id));
+ WARN_ON(xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq, MEM_TYPE_PAGE_POOL,
+ rxq->page_pool));
+
+- napi_enable(&cq->napi);
++ netdev_lock_ops_to_full(ndev);
++ napi_enable_locked(&cq->napi);
++ netdev_unlock_full_to_ops(ndev);
+
+ mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT);
+ out:
+--
+2.39.5
+
--- /dev/null
+From 560debfd91a6012ac978fcd920fd08eb88583dfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 15:08:12 +0300
+Subject: net/mlx5: Check device memory pointer before usage
+
+From: Stav Aviram <saviram@nvidia.com>
+
+[ Upstream commit 70f238c902b8c0461ae6fbb8d1a0bbddc4350eea ]
+
+Add a NULL check before accessing device memory to prevent a crash if
+dev->dm allocation in mlx5_init_once() fails.
+
+Fixes: c9b9dcb430b3 ("net/mlx5: Move device memory management to mlx5_core")
+Signed-off-by: Stav Aviram <saviram@nvidia.com>
+Link: https://patch.msgid.link/c88711327f4d74d5cebc730dc629607e989ca187.1751370035.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/dm.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 ---
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/dm.c b/drivers/infiniband/hw/mlx5/dm.c
+index b4c97fb62abf..9ded2b7c1e31 100644
+--- a/drivers/infiniband/hw/mlx5/dm.c
++++ b/drivers/infiniband/hw/mlx5/dm.c
+@@ -282,7 +282,7 @@ static struct ib_dm *handle_alloc_dm_memic(struct ib_ucontext *ctx,
+ int err;
+ u64 address;
+
+- if (!MLX5_CAP_DEV_MEM(dm_db->dev, memic))
++ if (!dm_db || !MLX5_CAP_DEV_MEM(dm_db->dev, memic))
+ return ERR_PTR(-EOPNOTSUPP);
+
+ dm = kzalloc(sizeof(*dm), GFP_KERNEL);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c
+index 7c5516b0a844..8115071c34a4 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c
+@@ -30,7 +30,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev)
+
+ dm = kzalloc(sizeof(*dm), GFP_KERNEL);
+ if (!dm)
+- return ERR_PTR(-ENOMEM);
++ return NULL;
+
+ spin_lock_init(&dm->lock);
+
+@@ -96,7 +96,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev)
+ err_steering:
+ kfree(dm);
+
+- return ERR_PTR(-ENOMEM);
++ return NULL;
+ }
+
+ void mlx5_dm_cleanup(struct mlx5_core_dev *dev)
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 9c1504d29d34..e7bcd0f0a709 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1102,9 +1102,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev)
+ }
+
+ dev->dm = mlx5_dm_create(dev);
+- if (IS_ERR(dev->dm))
+- mlx5_core_warn(dev, "Failed to init device memory %ld\n", PTR_ERR(dev->dm));
+-
+ dev->tracer = mlx5_fw_tracer_create(dev);
+ dev->hv_vhca = mlx5_hv_vhca_create(dev);
+ dev->rsc_dump = mlx5_rsc_dump_create(dev);
+--
+2.39.5
+
--- /dev/null
+From d21d8299df1532683741a48687c9c66a44d15649 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 10:44:30 +0300
+Subject: net/mlx5e: Clear Read-Only port buffer size in PBMC before update
+
+From: Alexei Lazar <alazar@nvidia.com>
+
+[ Upstream commit fd4b97246a23c1149479b88490946bcfbd28de63 ]
+
+When updating the PBMC register, we read its current value,
+modify desired fields, then write it back.
+
+The port_buffer_size field within PBMC is Read-Only (RO).
+If this RO field contains a non-zero value when read,
+attempting to write it back will cause the entire PBMC
+register update to fail.
+
+This commit ensures port_buffer_size is explicitly cleared
+to zero after reading the PBMC register but before writing
+back the modified value.
+This allows updates to other fields in the PBMC register to succeed.
+
+Fixes: 0696d60853d5 ("net/mlx5e: Receive buffer configuration")
+Signed-off-by: Alexei Lazar <alazar@nvidia.com>
+Reviewed-by: Yael Chemla <ychemla@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1753256672-337784-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c
+index 8e25f4ef5ccc..5ae787656a7c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c
+@@ -331,6 +331,9 @@ static int port_set_buffer(struct mlx5e_priv *priv,
+ if (err)
+ goto out;
+
++ /* RO bits should be set to 0 on write */
++ MLX5_SET(pbmc_reg, in, port_buffer_size, 0);
++
+ err = mlx5e_port_set_pbmc(mdev, in);
+ out:
+ kfree(in);
+--
+2.39.5
+
--- /dev/null
+From 4c199ca1d5e5713f2d48b8bded0fa61a4726d3cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 10:44:32 +0300
+Subject: net/mlx5e: Fix potential deadlock by deferring RX timeout recovery
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit e80d65561571db5024fbdd5ec3f5472cfc485d21 ]
+
+mlx5e_reporter_rx_timeout() is currently invoked synchronously
+in the driver's open error flow. This causes the thread holding
+priv->state_lock to attempt acquiring the devlink lock, which
+can result in a circular dependency with other devlink operations.
+
+For example:
+
+- Devlink health diagnose flow:
+ - __devlink_nl_pre_doit() acquires the devlink lock.
+ - devlink_nl_health_reporter_diagnose_doit() invokes the
+ driver's diagnose callback.
+ - mlx5e_rx_reporter_diagnose() then attempts to acquire
+ priv->state_lock.
+
+- Driver open flow:
+ - mlx5e_open() acquires priv->state_lock.
+ - If an error occurs, devlink_health_reporter may be called,
+ attempting to acquire the devlink lock.
+
+To prevent this circular locking scenario, defer the RX timeout
+recovery by scheduling it via a workqueue. This ensures that the
+recovery work acquires locks in a consistent order: first the
+devlink lock, then priv->state_lock.
+
+Additionally, make the recovery work acquire the netdev instance
+lock to safely synchronize with the open/close channel flows,
+similar to mlx5e_tx_timeout_work. Repeatedly attempt to acquire
+the netdev instance lock until it is taken or the target RQ is no
+longer active, as indicated by the MLX5E_STATE_CHANNELS_ACTIVE bit.
+
+Fixes: 32c57fb26863 ("net/mlx5e: Report and recover from rx timeout")
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1753256672-337784-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h | 1 +
+ .../mellanox/mlx5/core/en/reporter_rx.c | 7 +++++
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 26 ++++++++++++++++++-
+ 3 files changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+index 5b0d03b3efe8..48bcd6813aff 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -728,6 +728,7 @@ struct mlx5e_rq {
+ struct xsk_buff_pool *xsk_pool;
+
+ struct work_struct recover_work;
++ struct work_struct rx_timeout_work;
+
+ /* control */
+ struct mlx5_wq_ctrl wq_ctrl;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c
+index e75759533ae0..16c44d628eda 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c
+@@ -170,16 +170,23 @@ static int mlx5e_rx_reporter_err_rq_cqe_recover(void *ctx)
+ static int mlx5e_rx_reporter_timeout_recover(void *ctx)
+ {
+ struct mlx5_eq_comp *eq;
++ struct mlx5e_priv *priv;
+ struct mlx5e_rq *rq;
+ int err;
+
+ rq = ctx;
++ priv = rq->priv;
++
++ mutex_lock(&priv->state_lock);
++
+ eq = rq->cq.mcq.eq;
+
+ err = mlx5e_health_channel_eq_recover(rq->netdev, eq, rq->cq.ch_stats);
+ if (err && rq->icosq)
+ clear_bit(MLX5E_SQ_STATE_ENABLED, &rq->icosq->state);
+
++ mutex_unlock(&priv->state_lock);
++
+ return err;
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index ea822c69d137..16d818943487 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -707,6 +707,27 @@ static void mlx5e_rq_err_cqe_work(struct work_struct *recover_work)
+ mlx5e_reporter_rq_cqe_err(rq);
+ }
+
++static void mlx5e_rq_timeout_work(struct work_struct *timeout_work)
++{
++ struct mlx5e_rq *rq = container_of(timeout_work,
++ struct mlx5e_rq,
++ rx_timeout_work);
++
++ /* Acquire netdev instance lock to synchronize with channel close and
++ * reopen flows. Either successfully obtain the lock, or detect that
++ * channels are closing for another reason, making this work no longer
++ * necessary.
++ */
++ while (!netdev_trylock(rq->netdev)) {
++ if (!test_bit(MLX5E_STATE_CHANNELS_ACTIVE, &rq->priv->state))
++ return;
++ msleep(20);
++ }
++
++ mlx5e_reporter_rx_timeout(rq);
++ netdev_unlock(rq->netdev);
++}
++
+ static int mlx5e_alloc_mpwqe_rq_drop_page(struct mlx5e_rq *rq)
+ {
+ rq->wqe_overflow.page = alloc_page(GFP_KERNEL);
+@@ -830,6 +851,7 @@ static int mlx5e_alloc_rq(struct mlx5e_params *params,
+
+ rqp->wq.db_numa_node = node;
+ INIT_WORK(&rq->recover_work, mlx5e_rq_err_cqe_work);
++ INIT_WORK(&rq->rx_timeout_work, mlx5e_rq_timeout_work);
+
+ if (params->xdp_prog)
+ bpf_prog_inc(params->xdp_prog);
+@@ -1204,7 +1226,8 @@ int mlx5e_wait_for_min_rx_wqes(struct mlx5e_rq *rq, int wait_time)
+ netdev_warn(rq->netdev, "Failed to get min RX wqes on Channel[%d] RQN[0x%x] wq cur_sz(%d) min_rx_wqes(%d)\n",
+ rq->ix, rq->rqn, mlx5e_rqwq_get_cur_sz(rq), min_wqes);
+
+- mlx5e_reporter_rx_timeout(rq);
++ queue_work(rq->priv->wq, &rq->rx_timeout_work);
++
+ return -ETIMEDOUT;
+ }
+
+@@ -1375,6 +1398,7 @@ void mlx5e_close_rq(struct mlx5e_rq *rq)
+ if (rq->dim)
+ cancel_work_sync(&rq->dim->work);
+ cancel_work_sync(&rq->recover_work);
++ cancel_work_sync(&rq->rx_timeout_work);
+ mlx5e_destroy_rq(rq);
+ mlx5e_free_rx_descs(rq);
+ mlx5e_free_rq(rq);
+--
+2.39.5
+
--- /dev/null
+From e5b4b2e8de2cba3241dbdec398c5bac090270d9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 10:44:31 +0300
+Subject: net/mlx5e: Remove skb secpath if xfrm state is not found
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 6d19c44b5c6dd72f9a357d0399604ec16a77de3c ]
+
+Hardware returns a unique identifier for a decrypted packet's xfrm
+state, this state is looked up in an xarray. However, the state might
+have been freed by the time of this lookup.
+
+Currently, if the state is not found, only a counter is incremented.
+The secpath (sp) extension on the skb is not removed, resulting in
+sp->len becoming 0.
+
+Subsequently, functions like __xfrm_policy_check() attempt to access
+fields such as xfrm_input_state(skb)->xso.type (which dereferences
+sp->xvec[sp->len - 1]) without first validating sp->len. This leads to
+a crash when dereferencing an invalid state pointer.
+
+This patch prevents the crash by explicitly removing the secpath
+extension from the skb if the xfrm state is not found after hardware
+decryption. This ensures downstream functions do not operate on a
+zero-length secpath.
+
+ BUG: unable to handle page fault for address: ffffffff000002c8
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 282e067 P4D 282e067 PUD 0
+ Oops: Oops: 0000 [#1] SMP
+ CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:__xfrm_policy_check+0x61a/0xa30
+ Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 <0f> b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa
+ RSP: 0018:ffff88885fb04918 EFLAGS: 00010297
+ RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000
+ RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353
+ R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8
+ R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00
+ FS: 0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <IRQ>
+ ? try_to_wake_up+0x108/0x4c0
+ ? udp4_lib_lookup2+0xbe/0x150
+ ? udp_lib_lport_inuse+0x100/0x100
+ ? __udp4_lib_lookup+0x2b0/0x410
+ __xfrm_policy_check2.constprop.0+0x11e/0x130
+ udp_queue_rcv_one_skb+0x1d/0x530
+ udp_unicast_rcv_skb+0x76/0x90
+ __udp4_lib_rcv+0xa64/0xe90
+ ip_protocol_deliver_rcu+0x20/0x130
+ ip_local_deliver_finish+0x75/0xa0
+ ip_local_deliver+0xc1/0xd0
+ ? ip_protocol_deliver_rcu+0x130/0x130
+ ip_sublist_rcv+0x1f9/0x240
+ ? ip_rcv_finish_core+0x430/0x430
+ ip_list_rcv+0xfc/0x130
+ __netif_receive_skb_list_core+0x181/0x1e0
+ netif_receive_skb_list_internal+0x200/0x360
+ ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core]
+ gro_receive_skb+0xfd/0x210
+ mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core]
+ mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core]
+ ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core]
+ mlx5e_napi_poll+0x114/0xab0 [mlx5_core]
+ __napi_poll+0x25/0x170
+ net_rx_action+0x32d/0x3a0
+ ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core]
+ ? notifier_call_chain+0x33/0xa0
+ handle_softirqs+0xda/0x250
+ irq_exit_rcu+0x6d/0xc0
+ common_interrupt+0x81/0xa0
+ </IRQ>
+
+Fixes: b2ac7541e377 ("net/mlx5e: IPsec: Add Connect-X IPsec Rx data path offload")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Yael Chemla <ychemla@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1753256672-337784-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c
+index 727fa7c18523..6056106edcc6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c
+@@ -327,6 +327,10 @@ void mlx5e_ipsec_offload_handle_rx_skb(struct net_device *netdev,
+ if (unlikely(!sa_entry)) {
+ rcu_read_unlock();
+ atomic64_inc(&ipsec->sw_stats.ipsec_rx_drop_sadb_miss);
++ /* Clear secpath to prevent invalid dereference
++ * in downstream XFRM policy checks.
++ */
++ secpath_reset(skb);
+ return;
+ }
+ xfrm_state_hold(sa_entry->x);
+--
+2.39.5
+
--- /dev/null
+From fbdbaccab3396627cdddc63b2a5748acb47afe50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 16:43:26 +0000
+Subject: net/sched: Restrict conditions for adding duplicating netems to qdisc
+ tree
+
+From: William Liu <will@willsroot.io>
+
+[ Upstream commit ec8e0e3d7adef940cdf9475e2352c0680189d14e ]
+
+netem_enqueue's duplication prevention logic breaks when a netem
+resides in a qdisc tree with other netems - this can lead to a
+soft lockup and OOM loop in netem_dequeue, as seen in [1].
+Ensure that a duplicating netem cannot exist in a tree with other
+netems.
+
+Previous approaches suggested in discussions in chronological order:
+
+1) Track duplication status or ttl in the sk_buff struct. Considered
+too specific a use case to extend such a struct, though this would
+be a resilient fix and address other previous and potential future
+DOS bugs like the one described in loopy fun [2].
+
+2) Restrict netem_enqueue recursion depth like in act_mirred with a
+per cpu variable. However, netem_dequeue can call enqueue on its
+child, and the depth restriction could be bypassed if the child is a
+netem.
+
+3) Use the same approach as in 2, but add metadata in netem_skb_cb
+to handle the netem_dequeue case and track a packet's involvement
+in duplication. This is an overly complex approach, and Jamal
+notes that the skb cb can be overwritten to circumvent this
+safeguard.
+
+4) Prevent the addition of a netem to a qdisc tree if its ancestral
+path contains a netem. However, filters and actions can cause a
+packet to change paths when re-enqueued to the root from netem
+duplication, leading us to the current solution: prevent a
+duplicating netem from inhabiting the same tree as other netems.
+
+[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/
+[2] https://lwn.net/Articles/719297/
+
+Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication")
+Reported-by: William Liu <will@willsroot.io>
+Reported-by: Savino Dicanosa <savy@syst3mfailure.io>
+Signed-off-by: William Liu <will@willsroot.io>
+Signed-off-by: Savino Dicanosa <savy@syst3mfailure.io>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20250708164141.875402-1-will@willsroot.io
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_netem.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index fdd79d3ccd8c..eafc316ae319 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -973,6 +973,41 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
+ return 0;
+ }
+
++static const struct Qdisc_class_ops netem_class_ops;
++
++static int check_netem_in_tree(struct Qdisc *sch, bool duplicates,
++ struct netlink_ext_ack *extack)
++{
++ struct Qdisc *root, *q;
++ unsigned int i;
++
++ root = qdisc_root_sleeping(sch);
++
++ if (sch != root && root->ops->cl_ops == &netem_class_ops) {
++ if (duplicates ||
++ ((struct netem_sched_data *)qdisc_priv(root))->duplicate)
++ goto err;
++ }
++
++ if (!qdisc_dev(root))
++ return 0;
++
++ hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) {
++ if (sch != q && q->ops->cl_ops == &netem_class_ops) {
++ if (duplicates ||
++ ((struct netem_sched_data *)qdisc_priv(q))->duplicate)
++ goto err;
++ }
++ }
++
++ return 0;
++
++err:
++ NL_SET_ERR_MSG(extack,
++ "netem: cannot mix duplicating netems with other netems in tree");
++ return -EINVAL;
++}
++
+ /* Parse netlink message to set options */
+ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ struct netlink_ext_ack *extack)
+@@ -1031,6 +1066,11 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ q->gap = qopt->gap;
+ q->counter = 0;
+ q->loss = qopt->loss;
++
++ ret = check_netem_in_tree(sch, qopt->duplicate, extack);
++ if (ret)
++ goto unlock;
++
+ q->duplicate = qopt->duplicate;
+
+ /* for compatibility with earlier versions.
+--
+2.39.5
+
--- /dev/null
+From 4a19cce2d0d6ae45c429922d109dbc3e16163979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 09:01:57 +0000
+Subject: net_sched: act_ctinfo: use atomic64_t for three counters
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d300335b4e18672913dd792ff9f49e6cccf41d26 ]
+
+Commit 21c167aa0ba9 ("net/sched: act_ctinfo: use percpu stats")
+missed that stats_dscp_set, stats_dscp_error and stats_cpmark_set
+might be written (and read) locklessly.
+
+Use atomic64_t for these three fields, I doubt act_ctinfo is used
+heavily on big SMP hosts anyway.
+
+Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Pedro Tammela <pctammela@mojatatu.com>
+Link: https://patch.msgid.link/20250709090204.797558-6-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tc_act/tc_ctinfo.h | 6 +++---
+ net/sched/act_ctinfo.c | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/include/net/tc_act/tc_ctinfo.h b/include/net/tc_act/tc_ctinfo.h
+index f071c1d70a25..a04bcac7adf4 100644
+--- a/include/net/tc_act/tc_ctinfo.h
++++ b/include/net/tc_act/tc_ctinfo.h
+@@ -18,9 +18,9 @@ struct tcf_ctinfo_params {
+ struct tcf_ctinfo {
+ struct tc_action common;
+ struct tcf_ctinfo_params __rcu *params;
+- u64 stats_dscp_set;
+- u64 stats_dscp_error;
+- u64 stats_cpmark_set;
++ atomic64_t stats_dscp_set;
++ atomic64_t stats_dscp_error;
++ atomic64_t stats_cpmark_set;
+ };
+
+ enum {
+diff --git a/net/sched/act_ctinfo.c b/net/sched/act_ctinfo.c
+index 5b1241ddc758..93ab3bcd6d31 100644
+--- a/net/sched/act_ctinfo.c
++++ b/net/sched/act_ctinfo.c
+@@ -44,9 +44,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
+ ipv4_change_dsfield(ip_hdr(skb),
+ INET_ECN_MASK,
+ newdscp);
+- ca->stats_dscp_set++;
++ atomic64_inc(&ca->stats_dscp_set);
+ } else {
+- ca->stats_dscp_error++;
++ atomic64_inc(&ca->stats_dscp_error);
+ }
+ }
+ break;
+@@ -57,9 +57,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
+ ipv6_change_dsfield(ipv6_hdr(skb),
+ INET_ECN_MASK,
+ newdscp);
+- ca->stats_dscp_set++;
++ atomic64_inc(&ca->stats_dscp_set);
+ } else {
+- ca->stats_dscp_error++;
++ atomic64_inc(&ca->stats_dscp_error);
+ }
+ }
+ break;
+@@ -72,7 +72,7 @@ static void tcf_ctinfo_cpmark_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
+ struct tcf_ctinfo_params *cp,
+ struct sk_buff *skb)
+ {
+- ca->stats_cpmark_set++;
++ atomic64_inc(&ca->stats_cpmark_set);
+ skb->mark = READ_ONCE(ct->mark) & cp->cpmarkmask;
+ }
+
+@@ -323,15 +323,18 @@ static int tcf_ctinfo_dump(struct sk_buff *skb, struct tc_action *a,
+ }
+
+ if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_SET,
+- ci->stats_dscp_set, TCA_CTINFO_PAD))
++ atomic64_read(&ci->stats_dscp_set),
++ TCA_CTINFO_PAD))
+ goto nla_put_failure;
+
+ if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_ERROR,
+- ci->stats_dscp_error, TCA_CTINFO_PAD))
++ atomic64_read(&ci->stats_dscp_error),
++ TCA_CTINFO_PAD))
+ goto nla_put_failure;
+
+ if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_CPMARK_SET,
+- ci->stats_cpmark_set, TCA_CTINFO_PAD))
++ atomic64_read(&ci->stats_cpmark_set),
++ TCA_CTINFO_PAD))
+ goto nla_put_failure;
+
+ spin_unlock_bh(&ci->tcf_lock);
+--
+2.39.5
+
--- /dev/null
+From 88e50977664d5caa54a35b7f50d5652daec8f4ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 02:46:26 -0700
+Subject: netconsole: Only register console drivers when targets are configured
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit bc0cb64db1c765a81f69997d5a28f539e1731bc0 ]
+
+The netconsole driver currently registers the basic console driver
+unconditionally during initialization, even when only extended targets
+are configured. This results in unnecessary console registration and
+performance overhead, as the write_msg() callback is invoked for every
+log message only to return early when no matching targets are found.
+
+Optimize the driver by conditionally registering console drivers based
+on the actual target configuration. The basic console driver is now
+registered only when non-extended targets exist, same as the extended
+console. The implementation also handles dynamic target creation through
+the configfs interface.
+
+This change eliminates unnecessary console driver registrations,
+redundant write_msg() callbacks for unused console types, and associated
+lock contention and target list iterations. The optimization is
+particularly beneficial for systems using only the most common extended
+console type.
+
+Fixes: e2f15f9a79201 ("netconsole: implement extended console support")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Link: https://patch.msgid.link/20250609-netcons_ext-v3-1-5336fa670326@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netconsole.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
+index 176935a8645f..a35b1fd4337b 100644
+--- a/drivers/net/netconsole.c
++++ b/drivers/net/netconsole.c
+@@ -86,10 +86,10 @@ static DEFINE_SPINLOCK(target_list_lock);
+ static DEFINE_MUTEX(target_cleanup_list_lock);
+
+ /*
+- * Console driver for extended netconsoles. Registered on the first use to
+- * avoid unnecessarily enabling ext message formatting.
++ * Console driver for netconsoles. Register only consoles that have
++ * an associated target of the same type.
+ */
+-static struct console netconsole_ext;
++static struct console netconsole_ext, netconsole;
+
+ struct netconsole_target_stats {
+ u64_stats_t xmit_drop_count;
+@@ -97,6 +97,11 @@ struct netconsole_target_stats {
+ struct u64_stats_sync syncp;
+ };
+
++enum console_type {
++ CONS_BASIC = BIT(0),
++ CONS_EXTENDED = BIT(1),
++};
++
+ /* Features enabled in sysdata. Contrary to userdata, this data is populated by
+ * the kernel. The fields are designed as bitwise flags, allowing multiple
+ * features to be set in sysdata_fields.
+@@ -491,6 +496,12 @@ static ssize_t enabled_store(struct config_item *item,
+ if (nt->extended && !console_is_registered(&netconsole_ext))
+ register_console(&netconsole_ext);
+
++ /* User might be enabling the basic format target for the very
++ * first time, make sure the console is registered.
++ */
++ if (!nt->extended && !console_is_registered(&netconsole))
++ register_console(&netconsole);
++
+ /*
+ * Skip netpoll_parse_options() -- all the attributes are
+ * already configured via configfs. Just print them out.
+@@ -1690,8 +1701,8 @@ static int __init init_netconsole(void)
+ {
+ int err;
+ struct netconsole_target *nt, *tmp;
++ u32 console_type_needed = 0;
+ unsigned int count = 0;
+- bool extended = false;
+ unsigned long flags;
+ char *target_config;
+ char *input = config;
+@@ -1707,9 +1718,10 @@ static int __init init_netconsole(void)
+ }
+ /* Dump existing printks when we register */
+ if (nt->extended) {
+- extended = true;
++ console_type_needed |= CONS_EXTENDED;
+ netconsole_ext.flags |= CON_PRINTBUFFER;
+ } else {
++ console_type_needed |= CONS_BASIC;
+ netconsole.flags |= CON_PRINTBUFFER;
+ }
+
+@@ -1728,9 +1740,10 @@ static int __init init_netconsole(void)
+ if (err)
+ goto undonotifier;
+
+- if (extended)
++ if (console_type_needed & CONS_EXTENDED)
+ register_console(&netconsole_ext);
+- register_console(&netconsole);
++ if (console_type_needed & CONS_BASIC)
++ register_console(&netconsole);
+ pr_info("network logging started\n");
+
+ return err;
+@@ -1760,7 +1773,8 @@ static void __exit cleanup_netconsole(void)
+
+ if (console_is_registered(&netconsole_ext))
+ unregister_console(&netconsole_ext);
+- unregister_console(&netconsole);
++ if (console_is_registered(&netconsole))
++ unregister_console(&netconsole);
+ dynamic_netconsole_exit();
+ unregister_netdevice_notifier(&netconsole_netdev_notifier);
+
+--
+2.39.5
+
--- /dev/null
+From 4555292c7825892092079c691d094caaf1a0247c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:12:15 +0300
+Subject: netfilter: nf_tables: adjust lockdep assertions handling
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 8df1b40de76979bb8e975201d07b71103d5de820 ]
+
+It's needed to check the return value of lockdep_commit_lock_is_held(),
+otherwise there's no point in this assertion as it doesn't print any
+debug information on itself.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace static
+analysis tool.
+
+Fixes: b04df3da1b5c ("netfilter: nf_tables: do not defer rule destruction via call_rcu")
+Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 9ebda0248d20..064f18792d98 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4029,7 +4029,7 @@ void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
+ /* can only be used if rule is no longer visible to dumps */
+ static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
+ {
+- lockdep_commit_lock_is_held(ctx->net);
++ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
+
+ nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
+ nf_tables_rule_destroy(ctx, rule);
+@@ -5844,7 +5844,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_binding *binding,
+ enum nft_trans_phase phase)
+ {
+- lockdep_commit_lock_is_held(ctx->net);
++ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
+
+ switch (phase) {
+ case NFT_TRANS_PREPARE_ERROR:
+--
+2.39.5
+
--- /dev/null
+From 90e0f9bb8fc55ffdc923e8221790dd38d99397c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 15:37:02 +0200
+Subject: netfilter: nf_tables: Drop dead code from fill_*_info routines
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 8080357a8c6cf4905bbd8969412c19d34be3395e ]
+
+This practically reverts commit 28339b21a365 ("netfilter: nf_tables: do
+not send complete notification of deletions"): The feature was never
+effective, due to prior modification of 'event' variable the conditional
+early return never happened.
+
+User space also relies upon the current behaviour, so better reintroduce
+the shortened deletion notifications once it is fixed.
+
+Fixes: 28339b21a365 ("netfilter: nf_tables: do not send complete notification of deletions")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 25 -------------------------
+ 1 file changed, 25 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index a7240736f98e..9ebda0248d20 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1165,11 +1165,6 @@ static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
+ NFTA_TABLE_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELTABLE) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
+ htonl(table->flags & NFT_TABLE_F_MASK)))
+ goto nla_put_failure;
+@@ -2028,11 +2023,6 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
+ NFTA_CHAIN_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELCHAIN && !hook_list) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nft_is_base_chain(chain)) {
+ const struct nft_base_chain *basechain = nft_base_chain(chain);
+ struct nft_stats __percpu *stats;
+@@ -4859,11 +4849,6 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
+ NFTA_SET_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELSET) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (set->flags != 0)
+ if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
+ goto nla_put_failure;
+@@ -8350,11 +8335,6 @@ static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
+ NFTA_OBJ_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELOBJ) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
+ nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
+ nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
+@@ -9394,11 +9374,6 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
+ NFTA_FLOWTABLE_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
+ nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
+ goto nla_put_failure;
+--
+2.39.5
+
--- /dev/null
+From 6f8c0304d7be044947f13c2b1c43ab77fb1044da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 13:27:13 +0200
+Subject: netfilter: xt_nfacct: don't assume acct name is null-terminated
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit bf58e667af7d96c8eb9411f926a0a0955f41ce21 ]
+
+BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721
+Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851
+[..]
+ string+0x231/0x2b0 lib/vsprintf.c:721
+ vsnprintf+0x739/0xf00 lib/vsprintf.c:2874
+ [..]
+ nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41
+ xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523
+
+nfnl_acct_find_get() handles non-null input, but the error
+printk relied on its presence.
+
+Reported-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4ff165b9251e4d295690
+Tested-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com
+Fixes: ceb98d03eac5 ("netfilter: xtables: add nfacct match to support extended accounting")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_nfacct.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
+index 7c6bf1c16813..0ca1cdfc4095 100644
+--- a/net/netfilter/xt_nfacct.c
++++ b/net/netfilter/xt_nfacct.c
+@@ -38,8 +38,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par)
+
+ nfacct = nfnl_acct_find_get(par->net, info->name);
+ if (nfacct == NULL) {
+- pr_info_ratelimited("accounting object `%s' does not exists\n",
+- info->name);
++ pr_info_ratelimited("accounting object `%.*s' does not exist\n",
++ NFACCT_NAME_MAX, info->name);
+ return -ENOENT;
+ }
+ info->nfacct = nfacct;
+--
+2.39.5
+
--- /dev/null
+From 89d046e40173fd8a263c4deb2d0853296d411dfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 13:15:03 +0200
+Subject: nvmet: pci-epf: Do not complete commands twice if nvmet_req_init()
+ fails
+
+From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
+
+[ Upstream commit 746d0ac5a07d5da952ef258dd4d75f0b26c96476 ]
+
+Have nvmet_req_init() and req->execute() complete failed commands.
+
+Description of the problem:
+nvmet_req_init() calls __nvmet_req_complete() internally upon failure,
+e.g., unsupported opcode, which calls the "queue_response" callback,
+this results in nvmet_pci_epf_queue_response() being called, which will
+call nvmet_pci_epf_complete_iod() if data_len is 0 or if dma_dir is
+different from DMA_TO_DEVICE. This results in a double completion as
+nvmet_pci_epf_exec_iod_work() also calls nvmet_pci_epf_complete_iod()
+when nvmet_req_init() fails.
+
+Steps to reproduce:
+On the host send a command with an unsupported opcode with nvme-cli,
+For example the admin command "security receive"
+$ sudo nvme security-recv /dev/nvme0n1 -n1 -x4096
+
+This triggers a double completion as nvmet_req_init() fails and
+nvmet_pci_epf_queue_response() is called, here iod->dma_dir is still
+in the default state of "DMA_NONE" as set by default in
+nvmet_pci_epf_alloc_iod(), so nvmet_pci_epf_complete_iod() is called.
+Because nvmet_req_init() failed nvmet_pci_epf_complete_iod() is also
+called in nvmet_pci_epf_exec_iod_work() leading to a double completion.
+This not only sends two completions to the host but also corrupts the
+state of the PCI NVMe target leading to kernel oops.
+
+This patch lets nvmet_req_init() and req->execute() complete all failed
+commands, and removes the double completion case in
+nvmet_pci_epf_exec_iod_work() therefore fixing the edge cases where
+double completions occurred.
+
+Fixes: 0faa0fe6f90e ("nvmet: New NVMe PCI endpoint function target driver")
+Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/pci-epf.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/nvme/target/pci-epf.c b/drivers/nvme/target/pci-epf.c
+index a4295a5b8d28..6f1651183e32 100644
+--- a/drivers/nvme/target/pci-epf.c
++++ b/drivers/nvme/target/pci-epf.c
+@@ -1242,8 +1242,11 @@ static void nvmet_pci_epf_queue_response(struct nvmet_req *req)
+
+ iod->status = le16_to_cpu(req->cqe->status) >> 1;
+
+- /* If we have no data to transfer, directly complete the command. */
+- if (!iod->data_len || iod->dma_dir != DMA_TO_DEVICE) {
++ /*
++ * If the command failed or we have no data to transfer, complete the
++ * command immediately.
++ */
++ if (iod->status || !iod->data_len || iod->dma_dir != DMA_TO_DEVICE) {
+ nvmet_pci_epf_complete_iod(iod);
+ return;
+ }
+@@ -1604,8 +1607,13 @@ static void nvmet_pci_epf_exec_iod_work(struct work_struct *work)
+ goto complete;
+ }
+
++ /*
++ * If nvmet_req_init() fails (e.g., unsupported opcode) it will call
++ * __nvmet_req_complete() internally which will call
++ * nvmet_pci_epf_queue_response() and will complete the command directly.
++ */
+ if (!nvmet_req_init(req, &iod->sq->nvme_sq, &nvmet_pci_epf_fabrics_ops))
+- goto complete;
++ return;
+
+ iod->data_len = nvmet_req_transfer_len(req);
+ if (iod->data_len) {
+@@ -1643,10 +1651,11 @@ static void nvmet_pci_epf_exec_iod_work(struct work_struct *work)
+
+ wait_for_completion(&iod->done);
+
+- if (iod->status == NVME_SC_SUCCESS) {
+- WARN_ON_ONCE(!iod->data_len || iod->dma_dir != DMA_TO_DEVICE);
+- nvmet_pci_epf_transfer_iod_data(iod);
+- }
++ if (iod->status != NVME_SC_SUCCESS)
++ return;
++
++ WARN_ON_ONCE(!iod->data_len || iod->dma_dir != DMA_TO_DEVICE);
++ nvmet_pci_epf_transfer_iod_data(iod);
+
+ complete:
+ nvmet_pci_epf_complete_iod(iod);
+--
+2.39.5
+
--- /dev/null
+From dcfff4d44cad3eb5450318de53dbff864f30eaab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 May 2025 20:32:20 +0800
+Subject: padata: Fix pd UAF once and for all
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 71203f68c7749609d7fc8ae6ad054bdedeb24f91 ]
+
+There is a race condition/UAF in padata_reorder that goes back
+to the initial commit. A reference count is taken at the start
+of the process in padata_do_parallel, and released at the end in
+padata_serial_worker.
+
+This reference count is (and only is) required for padata_replace
+to function correctly. If padata_replace is never called then
+there is no issue.
+
+In the function padata_reorder which serves as the core of padata,
+as soon as padata is added to queue->serial.list, and the associated
+spin lock released, that padata may be processed and the reference
+count on pd would go away.
+
+Fix this by getting the next padata before the squeue->serial lock
+is released.
+
+In order to make this possible, simplify padata_reorder by only
+calling it once the next padata arrives.
+
+Fixes: 16295bec6398 ("padata: Generic parallelization/serialization interface")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/padata.h | 3 -
+ kernel/padata.c | 132 ++++++++++++-----------------------------
+ 2 files changed, 37 insertions(+), 98 deletions(-)
+
+diff --git a/include/linux/padata.h b/include/linux/padata.h
+index 0146daf34430..b486c7359de2 100644
+--- a/include/linux/padata.h
++++ b/include/linux/padata.h
+@@ -91,7 +91,6 @@ struct padata_cpumask {
+ * @cpu: Next CPU to be processed.
+ * @cpumask: The cpumasks in use for parallel and serial workers.
+ * @reorder_work: work struct for reordering.
+- * @lock: Reorder lock.
+ */
+ struct parallel_data {
+ struct padata_shell *ps;
+@@ -102,8 +101,6 @@ struct parallel_data {
+ unsigned int processed;
+ int cpu;
+ struct padata_cpumask cpumask;
+- struct work_struct reorder_work;
+- spinlock_t ____cacheline_aligned lock;
+ };
+
+ /**
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 7eee94166357..25cd3406477a 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -261,20 +261,17 @@ EXPORT_SYMBOL(padata_do_parallel);
+ * be parallel processed by another cpu and is not yet present in
+ * the cpu's reorder queue.
+ */
+-static struct padata_priv *padata_find_next(struct parallel_data *pd,
+- bool remove_object)
++static struct padata_priv *padata_find_next(struct parallel_data *pd, int cpu,
++ unsigned int processed)
+ {
+ struct padata_priv *padata;
+ struct padata_list *reorder;
+- int cpu = pd->cpu;
+
+ reorder = per_cpu_ptr(pd->reorder_list, cpu);
+
+ spin_lock(&reorder->lock);
+- if (list_empty(&reorder->list)) {
+- spin_unlock(&reorder->lock);
+- return NULL;
+- }
++ if (list_empty(&reorder->list))
++ goto notfound;
+
+ padata = list_entry(reorder->list.next, struct padata_priv, list);
+
+@@ -282,97 +279,52 @@ static struct padata_priv *padata_find_next(struct parallel_data *pd,
+ * Checks the rare case where two or more parallel jobs have hashed to
+ * the same CPU and one of the later ones finishes first.
+ */
+- if (padata->seq_nr != pd->processed) {
+- spin_unlock(&reorder->lock);
+- return NULL;
+- }
+-
+- if (remove_object) {
+- list_del_init(&padata->list);
+- ++pd->processed;
+- pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu);
+- }
++ if (padata->seq_nr != processed)
++ goto notfound;
+
++ list_del_init(&padata->list);
+ spin_unlock(&reorder->lock);
+ return padata;
++
++notfound:
++ pd->processed = processed;
++ pd->cpu = cpu;
++ spin_unlock(&reorder->lock);
++ return NULL;
+ }
+
+-static void padata_reorder(struct parallel_data *pd)
++static void padata_reorder(struct padata_priv *padata)
+ {
++ struct parallel_data *pd = padata->pd;
+ struct padata_instance *pinst = pd->ps->pinst;
+- int cb_cpu;
+- struct padata_priv *padata;
+- struct padata_serial_queue *squeue;
+- struct padata_list *reorder;
++ unsigned int processed;
++ int cpu;
+
+- /*
+- * We need to ensure that only one cpu can work on dequeueing of
+- * the reorder queue the time. Calculating in which percpu reorder
+- * queue the next object will arrive takes some time. A spinlock
+- * would be highly contended. Also it is not clear in which order
+- * the objects arrive to the reorder queues. So a cpu could wait to
+- * get the lock just to notice that there is nothing to do at the
+- * moment. Therefore we use a trylock and let the holder of the lock
+- * care for all the objects enqueued during the holdtime of the lock.
+- */
+- if (!spin_trylock_bh(&pd->lock))
+- return;
++ processed = pd->processed;
++ cpu = pd->cpu;
+
+- while (1) {
+- padata = padata_find_next(pd, true);
++ do {
++ struct padata_serial_queue *squeue;
++ int cb_cpu;
+
+- /*
+- * If the next object that needs serialization is parallel
+- * processed by another cpu and is still on it's way to the
+- * cpu's reorder queue, nothing to do for now.
+- */
+- if (!padata)
+- break;
++ cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu);
++ processed++;
+
+ cb_cpu = padata->cb_cpu;
+ squeue = per_cpu_ptr(pd->squeue, cb_cpu);
+
+ spin_lock(&squeue->serial.lock);
+ list_add_tail(&padata->list, &squeue->serial.list);
+- spin_unlock(&squeue->serial.lock);
+-
+ queue_work_on(cb_cpu, pinst->serial_wq, &squeue->work);
+- }
+
+- spin_unlock_bh(&pd->lock);
+-
+- /*
+- * The next object that needs serialization might have arrived to
+- * the reorder queues in the meantime.
+- *
+- * Ensure reorder queue is read after pd->lock is dropped so we see
+- * new objects from another task in padata_do_serial. Pairs with
+- * smp_mb in padata_do_serial.
+- */
+- smp_mb();
+-
+- reorder = per_cpu_ptr(pd->reorder_list, pd->cpu);
+- if (!list_empty(&reorder->list) && padata_find_next(pd, false)) {
+ /*
+- * Other context(eg. the padata_serial_worker) can finish the request.
+- * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish.
++ * If the next object that needs serialization is parallel
++ * processed by another cpu and is still on it's way to the
++ * cpu's reorder queue, end the loop.
+ */
+- padata_get_pd(pd);
+- if (!queue_work(pinst->serial_wq, &pd->reorder_work))
+- padata_put_pd(pd);
+- }
+-}
+-
+-static void invoke_padata_reorder(struct work_struct *work)
+-{
+- struct parallel_data *pd;
+-
+- local_bh_disable();
+- pd = container_of(work, struct parallel_data, reorder_work);
+- padata_reorder(pd);
+- local_bh_enable();
+- /* Pairs with putting the reorder_work in the serial_wq */
+- padata_put_pd(pd);
++ padata = padata_find_next(pd, cpu, processed);
++ spin_unlock(&squeue->serial.lock);
++ } while (padata);
+ }
+
+ static void padata_serial_worker(struct work_struct *serial_work)
+@@ -423,6 +375,7 @@ void padata_do_serial(struct padata_priv *padata)
+ struct padata_list *reorder = per_cpu_ptr(pd->reorder_list, hashed_cpu);
+ struct padata_priv *cur;
+ struct list_head *pos;
++ bool gotit = true;
+
+ spin_lock(&reorder->lock);
+ /* Sort in ascending order of sequence number. */
+@@ -432,17 +385,14 @@ void padata_do_serial(struct padata_priv *padata)
+ if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
+ break;
+ }
+- list_add(&padata->list, pos);
++ if (padata->seq_nr != pd->processed) {
++ gotit = false;
++ list_add(&padata->list, pos);
++ }
+ spin_unlock(&reorder->lock);
+
+- /*
+- * Ensure the addition to the reorder list is ordered correctly
+- * with the trylock of pd->lock in padata_reorder. Pairs with smp_mb
+- * in padata_reorder.
+- */
+- smp_mb();
+-
+- padata_reorder(pd);
++ if (gotit)
++ padata_reorder(padata);
+ }
+ EXPORT_SYMBOL(padata_do_serial);
+
+@@ -632,9 +582,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
+ padata_init_squeues(pd);
+ pd->seq_nr = -1;
+ refcount_set(&pd->refcnt, 1);
+- spin_lock_init(&pd->lock);
+ pd->cpu = cpumask_first(pd->cpumask.pcpu);
+- INIT_WORK(&pd->reorder_work, invoke_padata_reorder);
+
+ return pd;
+
+@@ -1144,12 +1092,6 @@ void padata_free_shell(struct padata_shell *ps)
+ if (!ps)
+ return;
+
+- /*
+- * Wait for all _do_serial calls to finish to avoid touching
+- * freed pd's and ps's.
+- */
+- synchronize_rcu();
+-
+ mutex_lock(&ps->pinst->lock);
+ list_del(&ps->list);
+ pd = rcu_dereference_protected(ps->pd, 1);
+--
+2.39.5
+
--- /dev/null
+From 50a24e8ff42308cf8aec57d1811ec90fb4f2b100 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 16:38:49 +0800
+Subject: padata: Remove comment for reorder_work
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 82a0302e7167d0b7c6cde56613db3748f8dd806d ]
+
+Remove comment for reorder_work which no longer exists.
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Fixes: 71203f68c774 ("padata: Fix pd UAF once and for all")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/padata.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/linux/padata.h b/include/linux/padata.h
+index b486c7359de2..765f2778e264 100644
+--- a/include/linux/padata.h
++++ b/include/linux/padata.h
+@@ -90,7 +90,6 @@ struct padata_cpumask {
+ * @processed: Number of already processed objects.
+ * @cpu: Next CPU to be processed.
+ * @cpumask: The cpumasks in use for parallel and serial workers.
+- * @reorder_work: work struct for reordering.
+ */
+ struct parallel_data {
+ struct padata_shell *ps;
+--
+2.39.5
+
--- /dev/null
+From f1d59070d6fce4c2a416c328fccf4bfbf1be79ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jan 2025 13:51:55 +0800
+Subject: PCI: Adjust the position of reading the Link Control 2 register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiwei Sun <sunjw10@lenovo.com>
+
+[ Upstream commit b85af48de3ece4e5bbdb2248a5360a409991cf67 ]
+
+In a89c82249c37 ("PCI: Work around PCIe link training failures"), if the
+speed limit is set to 2.5 GT/s and the retraining is successful, an attempt
+will be made to lift the speed limit. One condition for lifting the speed
+limit is to check whether the link speed field of the Link Control 2
+register is PCI_EXP_LNKCTL2_TLS_2_5GT.
+
+However, since de9a6c8d5dbf ("PCI/bwctrl: Add pcie_set_target_speed() to
+set PCIe Link Speed"), the `lnkctl2` local variable does not undergo any
+changes during the speed limit setting and retraining process. As a result,
+the code intended to lift the speed limit is not executed.
+
+To address this issue, adjust the position of the Link Control 2 register
+read operation in the code and place it before its use.
+
+Fixes: de9a6c8d5dbf ("PCI/bwctrl: Add pcie_set_target_speed() to set PCIe Link Speed")
+Suggested-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Jiwei Sun <sunjw10@lenovo.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://patch.msgid.link/20250123055155.22648-3-sjiwei@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index d7f4ee634263..db6e142b082d 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -105,13 +105,13 @@ int pcie_failed_link_retrain(struct pci_dev *dev)
+ !pcie_cap_has_lnkctl2(dev) || !dev->link_active_reporting)
+ return ret;
+
+- pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &lnkctl2);
+ pcie_capability_read_word(dev, PCI_EXP_LNKSTA, &lnksta);
+ if (!(lnksta & PCI_EXP_LNKSTA_DLLLA) && pcie_lbms_seen(dev, lnksta)) {
+- u16 oldlnkctl2 = lnkctl2;
++ u16 oldlnkctl2;
+
+ pci_info(dev, "broken device, retraining non-functional downstream link at 2.5GT/s\n");
+
++ pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &oldlnkctl2);
+ ret = pcie_set_target_speed(dev, PCIE_SPEED_2_5GT, false);
+ if (ret) {
+ pci_info(dev, "retraining failed\n");
+@@ -123,6 +123,8 @@ int pcie_failed_link_retrain(struct pci_dev *dev)
+ pcie_capability_read_word(dev, PCI_EXP_LNKSTA, &lnksta);
+ }
+
++ pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &lnkctl2);
++
+ if ((lnksta & PCI_EXP_LNKSTA_DLLLA) &&
+ (lnkctl2 & PCI_EXP_LNKCTL2_TLS) == PCI_EXP_LNKCTL2_TLS_2_5GT &&
+ pci_match_id(ids, dev)) {
+--
+2.39.5
+
--- /dev/null
+From d22030c485485a396c236af021c191be02d19545 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 12:23:49 +0200
+Subject: PCI: dw-rockchip: Wait PCIE_RESET_CONFIG_WAIT_MS after link-up IRQ
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit c7eb9c5e1498882951b7583c56add0b77bfc162e ]
+
+Per PCIe r6.0, sec 6.6.1, software must generally wait a minimum of
+100ms (PCIE_RESET_CONFIG_WAIT_MS) after Link training completes before
+sending a Configuration Request.
+
+Prior to ec9fd499b9c6 ("PCI: dw-rockchip: Don't wait for link since
+we can detect Link Up"), dw-rockchip used dw_pcie_wait_for_link(),
+which waited between 0 and 90ms after the link came up before we
+enumerate the bus, and this was apparently enough for most devices.
+
+After ec9fd499b9c6, rockchip_pcie_rc_sys_irq_thread() started
+enumeration immediately when handling the link-up IRQ, and devices
+(e.g., Laszlo Fiat's PLEXTOR PX-256M8PeGN NVMe SSD) may not be ready
+to handle config requests yet.
+
+Delay PCIE_RESET_CONFIG_WAIT_MS after the link-up IRQ before starting
+enumeration.
+
+Fixes: 0e898eb8df4e ("PCI: rockchip-dwc: Add Rockchip RK356X host controller driver")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+Cc: Laszlo Fiat <laszlo.fiat@proton.me>
+Link: https://patch.msgid.link/20250625102347.1205584-12-cassel@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-dw-rockchip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/controller/dwc/pcie-dw-rockchip.c b/drivers/pci/controller/dwc/pcie-dw-rockchip.c
+index 93171a392879..108d30637920 100644
+--- a/drivers/pci/controller/dwc/pcie-dw-rockchip.c
++++ b/drivers/pci/controller/dwc/pcie-dw-rockchip.c
+@@ -458,6 +458,7 @@ static irqreturn_t rockchip_pcie_rc_sys_irq_thread(int irq, void *arg)
+
+ if (reg & PCIE_RDLH_LINK_UP_CHGED) {
+ if (rockchip_pcie_link_up(pci)) {
++ msleep(PCIE_RESET_CONFIG_WAIT_MS);
+ dev_dbg(dev, "Received Link up event. Starting enumeration!\n");
+ /* Rescan the bus to enumerate endpoint devices */
+ pci_lock_rescan_remove();
+--
+2.39.5
+
--- /dev/null
+From 2f4c9ebbe9c6b00bcd0639a3dc709a09d1d6d7b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:20:22 +0530
+Subject: PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem
+ attribute
+
+From: Manivannan Sadhasivam <mani@kernel.org>
+
+[ Upstream commit 61ae7f8694fb4b57a8c02a1a8d2b601806afc999 ]
+
+__iomem attribute is supposed to be used only with variables holding the
+MMIO pointer. But here, 'mw_addr' variable is just holding a 'void *'
+returned by pci_epf_alloc_space(). So annotating it with __iomem is clearly
+wrong. Hence, drop the attribute.
+
+This also fixes the below sparse warning:
+
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: warning: incorrect type in assignment (different address spaces)
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: expected void [noderef] __iomem *mw_addr
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: got void *
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: warning: incorrect type in assignment (different address spaces)
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: expected unsigned int [usertype] *epf_db
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: got void [noderef] __iomem *mw_addr
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: warning: incorrect type in argument 2 (different address spaces)
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: expected void *addr
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: got void [noderef] __iomem *mw_addr
+
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250709125022.22524-1-mani@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+index 30c6c563335a..577055be3033 100644
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -510,7 +510,7 @@ static int epf_ntb_db_bar_init(struct epf_ntb *ntb)
+ struct device *dev = &ntb->epf->dev;
+ int ret;
+ struct pci_epf_bar *epf_bar;
+- void __iomem *mw_addr;
++ void *mw_addr;
+ enum pci_barno barno;
+ size_t size = sizeof(u32) * ntb->db_count;
+
+--
+2.39.5
+
--- /dev/null
+From 5ff848de678c6c07c07d9eb9c921c42f57af6149 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 19:03:38 +0200
+Subject: PCI: endpoint: pci-epf-vntb: Return -ENOENT if
+ pci_epc_get_next_free_bar() fails
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 7ea488cce73263231662e426639dd3e836537068 ]
+
+According the function documentation of epf_ntb_init_epc_bar(), the
+function should return an error code on error. However, it returns -1 when
+no BAR is available i.e., when pci_epc_get_next_free_bar() fails.
+
+Return -ENOENT instead.
+
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+[mani: changed err code to -ENOENT]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250603-pci-vntb-bar-mapping-v2-1-fc685a22ad28@baylibre.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+index e4da3fdb0007..30c6c563335a 100644
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -680,7 +680,7 @@ static int epf_ntb_init_epc_bar(struct epf_ntb *ntb)
+ barno = pci_epc_get_next_free_bar(epc_features, barno);
+ if (barno < 0) {
+ dev_err(dev, "Fail to get NTB function BAR\n");
+- return barno;
++ return -ENOENT;
+ }
+ ntb->epf_ntb_bar[bar] = barno;
+ }
+--
+2.39.5
+
--- /dev/null
+From 9a45ccdd771a0cee1119f13ceeb77c5be4a98393 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:39:29 +0100
+Subject: PCI: Fix driver_managed_dma check
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 78447d4545b2ea76ee04f4e46d473639483158b2 ]
+
+Since it's not currently safe to take device_lock() in the IOMMU probe
+path, that can race against really_probe() setting dev->driver before
+attempting to bind. The race itself isn't so bad, since we're only
+concerned with dereferencing dev->driver itself anyway, but sadly my
+attempt to implement the check with minimal churn leads to a kind of
+Time-of-Check to Time-of-Use (TOCTOU) issue, where dev->driver becomes
+valid after to_pci_driver(NULL) is already computed, and thus the check
+fails to work as intended.
+
+Will and I both hit this with the platform bus, but the pattern here is
+the same, so fix it for correctness too.
+
+Fixes: bcb81ac6ae3c ("iommu: Get DT/ACPI parsing into the proper probe path")
+Reported-by: Will McVicker <willmcvicker@google.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Will McVicker <willmcvicker@google.com>
+Link: https://patch.msgid.link/20250425133929.646493-4-robin.murphy@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci-driver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
+index 67db34fd10ee..01e6aea1b0c7 100644
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -1628,7 +1628,7 @@ static int pci_bus_num_vf(struct device *dev)
+ */
+ static int pci_dma_configure(struct device *dev)
+ {
+- struct pci_driver *driver = to_pci_driver(dev->driver);
++ const struct device_driver *drv = READ_ONCE(dev->driver);
+ struct device *bridge;
+ int ret = 0;
+
+@@ -1645,8 +1645,8 @@ static int pci_dma_configure(struct device *dev)
+
+ pci_put_host_bridge_device(bridge);
+
+- /* @driver may not be valid when we're called from the IOMMU layer */
+- if (!ret && dev->driver && !driver->driver_managed_dma) {
++ /* @drv may not be valid when we're called from the IOMMU layer */
++ if (!ret && drv && !to_pci_driver(drv)->driver_managed_dma) {
+ ret = iommu_device_use_default_domain(dev);
+ if (ret)
+ arch_teardown_dma_ops(dev);
+--
+2.39.5
+
--- /dev/null
+From c6d0b55043e4c86d821fcc7c00a28b2f1f013a2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:36:07 -0500
+Subject: PCI: pnv_php: Clean up allocated IRQs on unplug
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit 4668619092554e1b95c9a5ac2941ca47ba6d548a ]
+
+When the root of a nested PCIe bridge configuration is unplugged, the
+pnv_php driver leaked the allocated IRQ resources for the child bridges'
+hotplug event notifications, resulting in a panic.
+
+Fix this by walking all child buses and deallocating all its IRQ resources
+before calling pci_hp_remove_devices().
+
+Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so
+that it is only destroyed in pnv_php_free_slot(), instead of
+pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will
+now be called by workers triggered by hot unplug interrupts, so the
+workqueue needs to stay allocated.
+
+The abridged kernel panic that occurs without this patch is as follows:
+
+ WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c
+ CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2
+ Call Trace:
+ msi_device_data_release+0x34/0x9c (unreliable)
+ release_nodes+0x64/0x13c
+ devres_release_all+0xc0/0x140
+ device_del+0x2d4/0x46c
+ pci_destroy_dev+0x5c/0x194
+ pci_hp_remove_devices+0x90/0x128
+ pci_hp_remove_devices+0x44/0x128
+ pnv_php_disable_slot+0x54/0xd4
+ power_write_file+0xf8/0x18c
+ pci_slot_attr_store+0x40/0x5c
+ sysfs_kf_write+0x64/0x78
+ kernfs_fop_write_iter+0x1b0/0x290
+ vfs_write+0x3bc/0x50c
+ ksys_write+0x84/0x140
+ system_call_exception+0x124/0x230
+ system_call_vectored_common+0x15c/0x2ec
+
+Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+[bhelgaas: tidy comments]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/2013845045.1359852.1752615367790.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pnv_php.c | 96 ++++++++++++++++++++++++++++-------
+ 1 file changed, 77 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index 573a41869c15..1304329ca6f7 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -3,6 +3,7 @@
+ * PCI Hotplug Driver for PowerPC PowerNV platform.
+ *
+ * Copyright Gavin Shan, IBM Corporation 2016.
++ * Copyright (C) 2025 Raptor Engineering, LLC
+ */
+
+ #include <linux/bitfield.h>
+@@ -36,8 +37,10 @@ static void pnv_php_register(struct device_node *dn);
+ static void pnv_php_unregister_one(struct device_node *dn);
+ static void pnv_php_unregister(struct device_node *dn);
+
++static void pnv_php_enable_irq(struct pnv_php_slot *php_slot);
++
+ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+- bool disable_device)
++ bool disable_device, bool disable_msi)
+ {
+ struct pci_dev *pdev = php_slot->pdev;
+ u16 ctrl;
+@@ -53,19 +56,15 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+ php_slot->irq = 0;
+ }
+
+- if (php_slot->wq) {
+- destroy_workqueue(php_slot->wq);
+- php_slot->wq = NULL;
+- }
+-
+- if (disable_device) {
++ if (disable_device || disable_msi) {
+ if (pdev->msix_enabled)
+ pci_disable_msix(pdev);
+ else if (pdev->msi_enabled)
+ pci_disable_msi(pdev);
++ }
+
++ if (disable_device)
+ pci_disable_device(pdev);
+- }
+ }
+
+ static void pnv_php_free_slot(struct kref *kref)
+@@ -74,7 +73,8 @@ static void pnv_php_free_slot(struct kref *kref)
+ struct pnv_php_slot, kref);
+
+ WARN_ON(!list_empty(&php_slot->children));
+- pnv_php_disable_irq(php_slot, false);
++ pnv_php_disable_irq(php_slot, false, false);
++ destroy_workqueue(php_slot->wq);
+ kfree(php_slot->name);
+ kfree(php_slot);
+ }
+@@ -561,8 +561,58 @@ static int pnv_php_reset_slot(struct hotplug_slot *slot, bool probe)
+ static int pnv_php_enable_slot(struct hotplug_slot *slot)
+ {
+ struct pnv_php_slot *php_slot = to_pnv_php_slot(slot);
++ u32 prop32;
++ int ret;
++
++ ret = pnv_php_enable(php_slot, true);
++ if (ret)
++ return ret;
++
++ /* (Re-)enable interrupt if the slot supports surprise hotplug */
++ ret = of_property_read_u32(php_slot->dn, "ibm,slot-surprise-pluggable",
++ &prop32);
++ if (!ret && prop32)
++ pnv_php_enable_irq(php_slot);
+
+- return pnv_php_enable(php_slot, true);
++ return 0;
++}
++
++/*
++ * Disable any hotplug interrupts for all slots on the provided bus, as well as
++ * all downstream slots in preparation for a hot unplug.
++ */
++static int pnv_php_disable_all_irqs(struct pci_bus *bus)
++{
++ struct pci_bus *child_bus;
++ struct pci_slot *slot;
++
++ /* First go down child buses */
++ list_for_each_entry(child_bus, &bus->children, node)
++ pnv_php_disable_all_irqs(child_bus);
++
++ /* Disable IRQs for all pnv_php slots on this bus */
++ list_for_each_entry(slot, &bus->slots, list) {
++ struct pnv_php_slot *php_slot = to_pnv_php_slot(slot->hotplug);
++
++ pnv_php_disable_irq(php_slot, false, true);
++ }
++
++ return 0;
++}
++
++/*
++ * Disable any hotplug interrupts for all downstream slots on the provided
++ * bus in preparation for a hot unplug.
++ */
++static int pnv_php_disable_all_downstream_irqs(struct pci_bus *bus)
++{
++ struct pci_bus *child_bus;
++
++ /* Go down child buses, recursively deactivating their IRQs */
++ list_for_each_entry(child_bus, &bus->children, node)
++ pnv_php_disable_all_irqs(child_bus);
++
++ return 0;
+ }
+
+ static int pnv_php_disable_slot(struct hotplug_slot *slot)
+@@ -579,6 +629,13 @@ static int pnv_php_disable_slot(struct hotplug_slot *slot)
+ php_slot->state != PNV_PHP_STATE_REGISTERED)
+ return 0;
+
++ /*
++ * Free all IRQ resources from all child slots before remove.
++ * Note that we do not disable the root slot IRQ here as that
++ * would also deactivate the slot hot (re)plug interrupt!
++ */
++ pnv_php_disable_all_downstream_irqs(php_slot->bus);
++
+ /* Remove all devices behind the slot */
+ pci_lock_rescan_remove();
+ pci_hp_remove_devices(php_slot->bus);
+@@ -647,6 +704,15 @@ static struct pnv_php_slot *pnv_php_alloc_slot(struct device_node *dn)
+ return NULL;
+ }
+
++ /* Allocate workqueue for this slot's interrupt handling */
++ php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name);
++ if (!php_slot->wq) {
++ SLOT_WARN(php_slot, "Cannot alloc workqueue\n");
++ kfree(php_slot->name);
++ kfree(php_slot);
++ return NULL;
++ }
++
+ if (dn->child && PCI_DN(dn->child))
+ php_slot->slot_no = PCI_SLOT(PCI_DN(dn->child)->devfn);
+ else
+@@ -843,14 +909,6 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq)
+ u16 sts, ctrl;
+ int ret;
+
+- /* Allocate workqueue */
+- php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name);
+- if (!php_slot->wq) {
+- SLOT_WARN(php_slot, "Cannot alloc workqueue\n");
+- pnv_php_disable_irq(php_slot, true);
+- return;
+- }
+-
+ /* Check PDC (Presence Detection Change) is broken or not */
+ ret = of_property_read_u32(php_slot->dn, "ibm,slot-broken-pdc",
+ &broken_pdc);
+@@ -869,7 +927,7 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq)
+ ret = request_irq(irq, pnv_php_interrupt, IRQF_SHARED,
+ php_slot->name, php_slot);
+ if (ret) {
+- pnv_php_disable_irq(php_slot, true);
++ pnv_php_disable_irq(php_slot, true, true);
+ SLOT_WARN(php_slot, "Error %d enabling IRQ %d\n", ret, irq);
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From 84d678ef3c8d6a0b49ab5dfad2cf90b7a6428f31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:39:06 -0500
+Subject: PCI: pnv_php: Fix surprise plug detection and recovery
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit a2a2a6fc2469524caa713036297c542746d148dc ]
+
+The existing PowerNV hotplug code did not handle surprise plug events
+correctly, leading to a complete failure of the hotplug system after device
+removal and a required reboot to detect new devices.
+
+This comes down to two issues:
+
+ 1) When a device is surprise removed, often the bridge upstream
+ port will cause a PE freeze on the PHB. If this freeze is not
+ cleared, the MSI interrupts from the bridge hotplug notification
+ logic will not be received by the kernel, stalling all plug events
+ on all slots associated with the PE.
+
+ 2) When a device is removed from a slot, regardless of surprise or
+ programmatic removal, the associated PHB/PE ls left frozen.
+ If this freeze is not cleared via a fundamental reset, skiboot
+ is unable to clear the freeze and cannot retrain / rescan the
+ slot. This also requires a reboot to clear the freeze and redetect
+ the device in the slot.
+
+Issue the appropriate unfreeze and rescan commands on hotplug events,
+and don't oops on hotplug if pci_bus_to_OF_node() returns NULL.
+
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+[bhelgaas: tidy comments]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/171044224.1359864.1752615546988.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/pci-hotplug.c | 3 +
+ drivers/pci/hotplug/pnv_php.c | 110 +++++++++++++++++++++++++++++-
+ 2 files changed, 110 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/pci-hotplug.c b/arch/powerpc/kernel/pci-hotplug.c
+index 9ea74973d78d..6f444d0822d8 100644
+--- a/arch/powerpc/kernel/pci-hotplug.c
++++ b/arch/powerpc/kernel/pci-hotplug.c
+@@ -141,6 +141,9 @@ void pci_hp_add_devices(struct pci_bus *bus)
+ struct pci_controller *phb;
+ struct device_node *dn = pci_bus_to_OF_node(bus);
+
++ if (!dn)
++ return;
++
+ phb = pci_bus_to_host(bus);
+
+ mode = PCI_PROBE_NORMAL;
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index 5476c9e7760d..4f85e7fe29ec 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -4,12 +4,14 @@
+ *
+ * Copyright Gavin Shan, IBM Corporation 2016.
+ * Copyright (C) 2025 Raptor Engineering, LLC
++ * Copyright (C) 2025 Raptor Computing Systems, LLC
+ */
+
+ #include <linux/bitfield.h>
+ #include <linux/libfdt.h>
+ #include <linux/module.h>
+ #include <linux/pci.h>
++#include <linux/delay.h>
+ #include <linux/pci_hotplug.h>
+ #include <linux/of_fdt.h>
+
+@@ -469,6 +471,61 @@ static int pnv_php_set_attention_state(struct hotplug_slot *slot, u8 state)
+ return 0;
+ }
+
++static int pnv_php_activate_slot(struct pnv_php_slot *php_slot,
++ struct hotplug_slot *slot)
++{
++ int ret, i;
++
++ /*
++ * Issue initial slot activation command to firmware
++ *
++ * Firmware will power slot on, attempt to train the link, and
++ * discover any downstream devices. If this process fails, firmware
++ * will return an error code and an invalid device tree. Failure
++ * can be caused for multiple reasons, including a faulty
++ * downstream device, poor connection to the downstream device, or
++ * a previously latched PHB fence. On failure, issue fundamental
++ * reset up to three times before aborting.
++ */
++ ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON);
++ if (ret) {
++ SLOT_WARN(
++ php_slot,
++ "PCI slot activation failed with error code %d, possible frozen PHB",
++ ret);
++ SLOT_WARN(
++ php_slot,
++ "Attempting complete PHB reset before retrying slot activation\n");
++ for (i = 0; i < 3; i++) {
++ /*
++ * Slot activation failed, PHB may be fenced from a
++ * prior device failure.
++ *
++ * Use the OPAL fundamental reset call to both try a
++ * device reset and clear any potentially active PHB
++ * fence / freeze.
++ */
++ SLOT_WARN(php_slot, "Try %d...\n", i + 1);
++ pci_set_pcie_reset_state(php_slot->pdev,
++ pcie_warm_reset);
++ msleep(250);
++ pci_set_pcie_reset_state(php_slot->pdev,
++ pcie_deassert_reset);
++
++ ret = pnv_php_set_slot_power_state(
++ slot, OPAL_PCI_SLOT_POWER_ON);
++ if (!ret)
++ break;
++ }
++
++ if (i >= 3)
++ SLOT_WARN(php_slot,
++ "Failed to bring slot online, aborting!\n");
++ }
++
++ return ret;
++}
++
+ static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan)
+ {
+ struct hotplug_slot *slot = &php_slot->slot;
+@@ -531,7 +588,7 @@ static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan)
+ goto scan;
+
+ /* Power is off, turn it on and then scan the slot */
+- ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON);
++ ret = pnv_php_activate_slot(php_slot, slot);
+ if (ret)
+ return ret;
+
+@@ -838,16 +895,63 @@ static int pnv_php_enable_msix(struct pnv_php_slot *php_slot)
+ return entry.vector;
+ }
+
++static void
++pnv_php_detect_clear_suprise_removal_freeze(struct pnv_php_slot *php_slot)
++{
++ struct pci_dev *pdev = php_slot->pdev;
++ struct eeh_dev *edev;
++ struct eeh_pe *pe;
++ int i, rc;
++
++ /*
++ * When a device is surprise removed from a downstream bridge slot,
++ * the upstream bridge port can still end up frozen due to related EEH
++ * events, which will in turn block the MSI interrupts for slot hotplug
++ * detection.
++ *
++ * Detect and thaw any frozen upstream PE after slot deactivation.
++ */
++ edev = pci_dev_to_eeh_dev(pdev);
++ pe = edev ? edev->pe : NULL;
++ rc = eeh_pe_get_state(pe);
++ if ((rc == -ENODEV) || (rc == -ENOENT)) {
++ SLOT_WARN(
++ php_slot,
++ "Upstream bridge PE state unknown, hotplug detect may fail\n");
++ } else {
++ if (pe->state & EEH_PE_ISOLATED) {
++ SLOT_WARN(
++ php_slot,
++ "Upstream bridge PE %02x frozen, thawing...\n",
++ pe->addr);
++ for (i = 0; i < 3; i++)
++ if (!eeh_unfreeze_pe(pe))
++ break;
++ if (i >= 3)
++ SLOT_WARN(
++ php_slot,
++ "Unable to thaw PE %02x, hotplug detect will fail!\n",
++ pe->addr);
++ else
++ SLOT_WARN(php_slot,
++ "PE %02x thawed successfully\n",
++ pe->addr);
++ }
++ }
++}
++
+ static void pnv_php_event_handler(struct work_struct *work)
+ {
+ struct pnv_php_event *event =
+ container_of(work, struct pnv_php_event, work);
+ struct pnv_php_slot *php_slot = event->php_slot;
+
+- if (event->added)
++ if (event->added) {
+ pnv_php_enable_slot(&php_slot->slot);
+- else
++ } else {
+ pnv_php_disable_slot(&php_slot->slot);
++ pnv_php_detect_clear_suprise_removal_freeze(php_slot);
++ }
+
+ kfree(event);
+ }
+--
+2.39.5
+
--- /dev/null
+From 0539340f75b75b24340ab7cfff5e854bc3c76c1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:36:55 -0500
+Subject: PCI: pnv_php: Work around switches with broken presence detection
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit 80f9fc2362797538ebd4fd70a1dfa838cc2c2cdb ]
+
+The Microsemi Switchtec PM8533 PFX 48xG3 [11f8:8533] PCIe switch system
+was observed to incorrectly assert the Presence Detect Set bit in its
+capabilities when tested on a Raptor Computing Systems Blackbird system,
+resulting in the hot insert path never attempting a rescan of the bus
+and any downstream devices not being re-detected.
+
+Work around this by additionally checking whether the PCIe data link is
+active or not when performing presence detection on downstream switches'
+ports, similar to the pciehp_hpc.c driver.
+
+Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/505981576.1359853.1752615415117.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pnv_php.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index 1304329ca6f7..5476c9e7760d 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -391,6 +391,20 @@ static int pnv_php_get_power_state(struct hotplug_slot *slot, u8 *state)
+ return 0;
+ }
+
++static int pcie_check_link_active(struct pci_dev *pdev)
++{
++ u16 lnk_status;
++ int ret;
++
++ ret = pcie_capability_read_word(pdev, PCI_EXP_LNKSTA, &lnk_status);
++ if (ret == PCIBIOS_DEVICE_NOT_FOUND || PCI_POSSIBLE_ERROR(lnk_status))
++ return -ENODEV;
++
++ ret = !!(lnk_status & PCI_EXP_LNKSTA_DLLLA);
++
++ return ret;
++}
++
+ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state)
+ {
+ struct pnv_php_slot *php_slot = to_pnv_php_slot(slot);
+@@ -403,6 +417,19 @@ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state)
+ */
+ ret = pnv_pci_get_presence_state(php_slot->id, &presence);
+ if (ret >= 0) {
++ if (pci_pcie_type(php_slot->pdev) == PCI_EXP_TYPE_DOWNSTREAM &&
++ presence == OPAL_PCI_SLOT_EMPTY) {
++ /*
++ * Similar to pciehp_hpc, check whether the Link Active
++ * bit is set to account for broken downstream bridges
++ * that don't properly assert Presence Detect State, as
++ * was observed on the Microsemi Switchtec PM8533 PFX
++ * [11f8:8533].
++ */
++ if (pcie_check_link_active(php_slot->pdev) > 0)
++ presence = OPAL_PCI_SLOT_PRESENT;
++ }
++
+ *state = presence;
+ ret = 0;
+ } else {
+--
+2.39.5
+
--- /dev/null
+From 8d449462e52ab88431cfb1e7a3c4967d3eacb484 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 12:23:50 +0200
+Subject: PCI: qcom: Wait PCIE_RESET_CONFIG_WAIT_MS after link-up IRQ
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit 15b6b243cc2b1017cf89e2477aa0b4e1a306a82a ]
+
+Per PCIe r6.0, sec 6.6.1, software must generally wait a minimum of
+100ms (PCIE_RESET_CONFIG_WAIT_MS) after Link training completes before
+sending a Configuration Request.
+
+Prior to 36971d6c5a9a ("PCI: qcom: Don't wait for link if we can detect
+Link Up"), qcom used dw_pcie_wait_for_link(), which waited between 0
+and 90ms after the link came up before we enumerate the bus, and this
+was apparently enough for most devices.
+
+After 36971d6c5a9a, qcom_pcie_global_irq_thread() started enumeration
+immediately when handling the link-up IRQ, and devices (e.g., Laszlo
+Fiat's PLEXTOR PX-256M8PeGN NVMe SSD) may not be ready to handle config
+requests yet.
+
+Delay PCIE_RESET_CONFIG_WAIT_MS after the link-up IRQ before starting
+enumeration.
+
+Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+Link: https://patch.msgid.link/20250625102347.1205584-13-cassel@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-qcom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c
+index c789e3f85655..9b12f2f02042 100644
+--- a/drivers/pci/controller/dwc/pcie-qcom.c
++++ b/drivers/pci/controller/dwc/pcie-qcom.c
+@@ -1564,6 +1564,7 @@ static irqreturn_t qcom_pcie_global_irq_thread(int irq, void *data)
+ writel_relaxed(status, pcie->parf + PARF_INT_ALL_CLEAR);
+
+ if (FIELD_GET(PARF_INT_ALL_LINK_UP, status)) {
++ msleep(PCIE_RESET_CONFIG_WAIT_MS);
+ dev_dbg(dev, "Received Link up event. Starting enumeration!\n");
+ /* Rescan the bus to enumerate endpoint devices */
+ pci_lock_rescan_remove();
+--
+2.39.5
+
--- /dev/null
+From 910d56cc142dd3f344d45fa1e88fe349b48d4fda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 12:23:47 +0200
+Subject: PCI: Rename PCIE_RESET_CONFIG_DEVICE_WAIT_MS to
+ PCIE_RESET_CONFIG_WAIT_MS
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit 817f989700fddefa56e5e443e7d138018ca6709d ]
+
+Rename PCIE_RESET_CONFIG_DEVICE_WAIT_MS to PCIE_RESET_CONFIG_WAIT_MS.
+
+Suggested-by: Bjorn Helgaas <helgaas@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Link: https://patch.msgid.link/20250625102347.1205584-10-cassel@kernel.org
+Stable-dep-of: c7eb9c5e1498 ("PCI: dw-rockchip: Wait PCIE_RESET_CONFIG_WAIT_MS after link-up IRQ")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/plda/pcie-starfive.c | 2 +-
+ drivers/pci/pci.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/controller/plda/pcie-starfive.c b/drivers/pci/controller/plda/pcie-starfive.c
+index e73c1b7bc8ef..3caf53c6c082 100644
+--- a/drivers/pci/controller/plda/pcie-starfive.c
++++ b/drivers/pci/controller/plda/pcie-starfive.c
+@@ -368,7 +368,7 @@ static int starfive_pcie_host_init(struct plda_pcie_rp *plda)
+ * of 100ms following exit from a conventional reset before
+ * sending a configuration request to the device.
+ */
+- msleep(PCIE_RESET_CONFIG_DEVICE_WAIT_MS);
++ msleep(PCIE_RESET_CONFIG_WAIT_MS);
+
+ if (starfive_pcie_host_wait_for_link(pcie))
+ dev_info(dev, "port link down\n");
+diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
+index 12215ee72afb..98d6fccb383e 100644
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -61,7 +61,7 @@ struct pcie_tlp_log;
+ * completes before sending a Configuration Request to the device
+ * immediately below that Port."
+ */
+-#define PCIE_RESET_CONFIG_DEVICE_WAIT_MS 100
++#define PCIE_RESET_CONFIG_WAIT_MS 100
+
+ /* Message Routing (r[2:0]); PCIe r6.0, sec 2.2.8 */
+ #define PCIE_MSG_TYPE_R_RC 0
+--
+2.39.5
+
--- /dev/null
+From 06988101792cd4d995f9fec42e02567f4bde7b87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 00:01:59 +0800
+Subject: PCI: rockchip-host: Fix "Unexpected Completion" log message
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit fcc5f586c4edbcc10de23fb9b8c0972a84e945cd ]
+
+Fix the debug message for the PCIE_CORE_INT_UCR interrupt to clearly
+indicate "Unexpected Completion" instead of a duplicate "malformed TLP"
+message.
+
+Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+[mani: added fixes tag]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
+Link: https://patch.msgid.link/20250607160201.807043-2-18255117159@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-rockchip-host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-rockchip-host.c b/drivers/pci/controller/pcie-rockchip-host.c
+index b9e7a8710cf0..648b6fcb93b0 100644
+--- a/drivers/pci/controller/pcie-rockchip-host.c
++++ b/drivers/pci/controller/pcie-rockchip-host.c
+@@ -439,7 +439,7 @@ static irqreturn_t rockchip_pcie_subsys_irq_handler(int irq, void *arg)
+ dev_dbg(dev, "malformed TLP received from the link\n");
+
+ if (sub_reg & PCIE_CORE_INT_UCR)
+- dev_dbg(dev, "malformed TLP received from the link\n");
++ dev_dbg(dev, "Unexpected Completion received from the link\n");
+
+ if (sub_reg & PCIE_CORE_INT_FCE)
+ dev_dbg(dev, "an error was observed in the flow control advertisements from the other side\n");
+--
+2.39.5
+
--- /dev/null
+From c4f4010bdca479eb93d5e90b1ac741c3a6e4ebd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 12:03:21 -0700
+Subject: perf dso: Add missed dso__put to dso__load_kcore
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 63a088e999de3f431f87d9a367933da894ddb613 ]
+
+The kcore loading creates a set of list nodes that have reference
+counted references to maps of the kcore. The list node freeing in the
+success path wasn't releasing the maps, add the missing puts. It is
+unclear why this leak was being missed by leak sanitizer.
+
+Fixes: 83720209961f ("perf map: Move map list node into symbol")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250624190326.2038704-2-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/symbol.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c
+index 8b30c6f16a9e..fd4583718eab 100644
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -1422,6 +1422,7 @@ static int dso__load_kcore(struct dso *dso, struct map *map,
+ goto out_err;
+ }
+ }
++ map__zput(new_node->map);
+ free(new_node);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 8b5a617b380574b1b60660e90514ce650ecc2a4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 16:51:14 -0700
+Subject: perf hwmon_pmu: Avoid shortening hwmon PMU name
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 28f5aa8184c9c9b8eab35fa3884c416fe75e88e4 ]
+
+Long names like ucsi_source_psy_USBC000:001 when prefixed with hwmon_
+exceed the buffer size and the last digit is lost. This causes
+confusion with similar names like ucsi_source_psy_USBC000:002. Extend
+the buffer size to avoid this.
+
+Fixes: 53cc0b351ec9 ("perf hwmon_pmu: Add a tool PMU exposing events from hwmon in sysfs")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250710235126.1086011-2-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/hwmon_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/hwmon_pmu.c b/tools/perf/util/hwmon_pmu.c
+index c25e7296f1c1..75683c543994 100644
+--- a/tools/perf/util/hwmon_pmu.c
++++ b/tools/perf/util/hwmon_pmu.c
+@@ -344,7 +344,7 @@ static int hwmon_pmu__read_events(struct hwmon_pmu *pmu)
+
+ struct perf_pmu *hwmon_pmu__new(struct list_head *pmus, int hwmon_dir, const char *sysfs_name, const char *name)
+ {
+- char buf[32];
++ char buf[64];
+ struct hwmon_pmu *hwm;
+ __u32 type = PERF_PMU_TYPE_HWMON_START + strtoul(sysfs_name + 5, NULL, 10);
+
+--
+2.39.5
+
--- /dev/null
+From e649c27e5c98c6d3dcbb3c04488449a274ffaf75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 15:54:31 -0700
+Subject: perf parse-events: Set default GH modifier properly
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit dcbe6e51a0bb80a40f9a8c87750c291c2364573d ]
+
+Commit 7b100989b4f6bce7 ("perf evlist: Remove __evlist__add_default")
+changed to use "cycles:P" as a default event. But the problem is it
+cannot set other default modifiers correctly.
+
+perf kvm needs to set attr.exclude_host by default but it didn't work
+because of the logic in the parse_events__modifier_list(). Also the
+exclude_GH_default was applied only if ":u" modifier was specified -
+which is strange. Move it out after handling the ":GH" and check
+perf_host and perf_guest properly.
+
+Before:
+ $ ./perf kvm record -vv true |& grep exclude
+ (nothing)
+
+But specifying an event (without a modifier) works:
+
+ $ ./perf kvm record -vv -e cycles true |& grep exclude
+ exclude_host 1
+
+After:
+It now works for the both cases:
+
+ $ ./perf kvm record -vv true |& grep exclude
+ exclude_host 1
+
+ $ ./perf kvm record -vv -e cycles true |& grep exclude
+ exclude_host 1
+
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250606225431.2109754-1-namhyung@kernel.org
+Fixes: 35c8d21371e9b342 ("perf tools: Don't set attr.exclude_guest by default")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/parse-events.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
+index 2380de56a207..d07c83ba6f1a 100644
+--- a/tools/perf/util/parse-events.c
++++ b/tools/perf/util/parse-events.c
+@@ -1829,13 +1829,11 @@ static int parse_events__modifier_list(struct parse_events_state *parse_state,
+ int eH = group ? evsel->core.attr.exclude_host : 0;
+ int eG = group ? evsel->core.attr.exclude_guest : 0;
+ int exclude = eu | ek | eh;
+- int exclude_GH = group ? evsel->exclude_GH : 0;
++ int exclude_GH = eG | eH;
+
+ if (mod.user) {
+ if (!exclude)
+ exclude = eu = ek = eh = 1;
+- if (!exclude_GH && !perf_guest && exclude_GH_default)
+- eG = 1;
+ eu = 0;
+ }
+ if (mod.kernel) {
+@@ -1858,6 +1856,13 @@ static int parse_events__modifier_list(struct parse_events_state *parse_state,
+ exclude_GH = eG = eH = 1;
+ eH = 0;
+ }
++ if (!exclude_GH && exclude_GH_default) {
++ if (perf_host)
++ eG = 1;
++ else if (perf_guest)
++ eH = 1;
++ }
++
+ evsel->core.attr.exclude_user = eu;
+ evsel->core.attr.exclude_kernel = ek;
+ evsel->core.attr.exclude_hv = eh;
+--
+2.39.5
+
--- /dev/null
+From 39e897771d228f0c9eb7f26dcc0ceaae838a2ed3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 08:08:54 -0700
+Subject: perf pmu: Switch FILENAME_MAX to NAME_MAX
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 82aac553372cd201b91a8b064be0cd5a501932b2 ]
+
+FILENAME_MAX is the same as PATH_MAX (4kb) in glibc rather than
+NAME_MAX's 255. Switch to using NAME_MAX and ensure the '\0' is
+accounted for in the path's buffer size.
+
+Fixes: 754baf426e09 ("perf pmu: Change aliases from list to hashmap")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250717150855.1032526-2-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/pmu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
+index 609828513f6c..55ee17082c7f 100644
+--- a/tools/perf/util/pmu.c
++++ b/tools/perf/util/pmu.c
+@@ -452,7 +452,7 @@ static struct perf_pmu_alias *perf_pmu__find_alias(struct perf_pmu *pmu,
+ {
+ struct perf_pmu_alias *alias;
+ bool has_sysfs_event;
+- char event_file_name[FILENAME_MAX + 8];
++ char event_file_name[NAME_MAX + 8];
+
+ if (hashmap__find(pmu->aliases, name, &alias))
+ return alias;
+@@ -752,7 +752,7 @@ static int pmu_aliases_parse(struct perf_pmu *pmu)
+
+ static int pmu_aliases_parse_eager(struct perf_pmu *pmu, int sysfs_fd)
+ {
+- char path[FILENAME_MAX + 7];
++ char path[NAME_MAX + 8];
+ int ret, events_dir_fd;
+
+ scnprintf(path, sizeof(path), "%s/events", pmu->name);
+--
+2.39.5
+
--- /dev/null
+From f3273c90814b886372e87cd9bda06791b851fa63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 16:51:24 -0700
+Subject: perf python: Correct pyrf_evsel__read for tool PMUs
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 6183afcba9c1c810656ddb36170106aaf3cf778c ]
+
+Tool PMUs assume that stat's process_counter_values is being used to
+read the counters. Specifically they hold onto old values in
+evsel->prev_raw_counts and give the cumulative count based off of this
+value. Update pyrf_evsel__read to allocate counts and prev_raw_counts,
+use evsel__read_counter rather than perf_evsel__read so tool PMUs are
+read from not just perf_event_open events, make the returned
+pyrf_counts_values contain the delta value rather than the cumulative
+value.
+
+Fixes: 739621f65702 ("perf python: Add evsel read method")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250710235126.1086011-12-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 47 +++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 44 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index eb560e3f9e35..b9fe7f2c14af 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -10,6 +10,7 @@
+ #endif
+ #include <perf/mmap.h>
+ #include "callchain.h"
++#include "counts.h"
+ #include "evlist.h"
+ #include "evsel.h"
+ #include "event.h"
+@@ -888,12 +889,38 @@ static PyObject *pyrf_evsel__threads(struct pyrf_evsel *pevsel)
+ return (PyObject *)pthread_map;
+ }
+
++/*
++ * Ensure evsel's counts and prev_raw_counts are allocated, the latter
++ * used by tool PMUs to compute the cumulative count as expected by
++ * stat's process_counter_values.
++ */
++static int evsel__ensure_counts(struct evsel *evsel)
++{
++ int nthreads, ncpus;
++
++ if (evsel->counts != NULL)
++ return 0;
++
++ nthreads = perf_thread_map__nr(evsel->core.threads);
++ ncpus = perf_cpu_map__nr(evsel->core.cpus);
++
++ evsel->counts = perf_counts__new(ncpus, nthreads);
++ if (evsel->counts == NULL)
++ return -ENOMEM;
++
++ evsel->prev_raw_counts = perf_counts__new(ncpus, nthreads);
++ if (evsel->prev_raw_counts == NULL)
++ return -ENOMEM;
++
++ return 0;
++}
++
+ static PyObject *pyrf_evsel__read(struct pyrf_evsel *pevsel,
+ PyObject *args, PyObject *kwargs)
+ {
+ struct evsel *evsel = &pevsel->evsel;
+ int cpu = 0, cpu_idx, thread = 0, thread_idx;
+- struct perf_counts_values counts;
++ struct perf_counts_values *old_count, *new_count;
+ struct pyrf_counts_values *count_values = PyObject_New(struct pyrf_counts_values,
+ &pyrf_counts_values__type);
+
+@@ -914,8 +941,22 @@ static PyObject *pyrf_evsel__read(struct pyrf_evsel *pevsel,
+ thread);
+ return NULL;
+ }
+- perf_evsel__read(&(evsel->core), cpu_idx, thread_idx, &counts);
+- count_values->values = counts;
++
++ if (evsel__ensure_counts(evsel))
++ return PyErr_NoMemory();
++
++ /* Set up pointers to the old and newly read counter values. */
++ old_count = perf_counts(evsel->prev_raw_counts, cpu_idx, thread_idx);
++ new_count = perf_counts(evsel->counts, cpu_idx, thread_idx);
++ /* Update the value in evsel->counts. */
++ evsel__read_counter(evsel, cpu_idx, thread_idx);
++ /* Copy the value and turn it into the delta from old_count. */
++ count_values->values = *new_count;
++ count_values->values.val -= old_count->val;
++ count_values->values.ena -= old_count->ena;
++ count_values->values.run -= old_count->run;
++ /* Save the new count over the old_count for the next read. */
++ *old_count = *new_count;
+ return (PyObject *)count_values;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 8f2a9d2428d4c2df79e3464e5f02464e52af040a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 16:51:23 -0700
+Subject: perf python: Fix thread check in pyrf_evsel__read
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 64ec9b997f3a9462901a404ad60f452f76dd2d6e ]
+
+The CPU index is incorrectly checked rather than the thread index.
+
+Fixes: 739621f65702 ("perf python: Add evsel read method")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250710235126.1086011-11-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index 321c333877fa..eb560e3f9e35 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -909,7 +909,7 @@ static PyObject *pyrf_evsel__read(struct pyrf_evsel *pevsel,
+ return NULL;
+ }
+ thread_idx = perf_thread_map__idx(evsel->core.threads, thread);
+- if (cpu_idx < 0) {
++ if (thread_idx < 0) {
+ PyErr_Format(PyExc_TypeError, "Thread %d is not part of evsel's threads",
+ thread);
+ return NULL;
+--
+2.39.5
+
--- /dev/null
+From 6f1e72b9771943053a97d585482cc8b2f260d360 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Jul 2025 00:03:30 -0700
+Subject: perf record: Cache build-ID of hit DSOs only
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 6235ce77749f45cac27f630337e2fdf04e8a6c73 ]
+
+It post-processes samples to find which DSO has samples. Based on that
+info, it can save used DSOs in the build-ID cache directory. But for
+some reason, it saves all DSOs without checking the hit mark. Skipping
+unused DSOs can give some speedup especially with --buildid-mmap being
+default.
+
+On my idle machine, `time perf record -a sleep 1` goes down from 3 sec
+to 1.5 sec with this change.
+
+Fixes: e29386c8f7d71fa5 ("perf record: Add --buildid-mmap option to enable PERF_RECORD_MMAP2's build id")
+Reviewed-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Link: https://lore.kernel.org/r/20250731070330.57116-1-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/build-id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c
+index e763e8d99a43..ee00313d5d7e 100644
+--- a/tools/perf/util/build-id.c
++++ b/tools/perf/util/build-id.c
+@@ -864,7 +864,7 @@ static int dso__cache_build_id(struct dso *dso, struct machine *machine,
+ char *allocated_name = NULL;
+ int ret = 0;
+
+- if (!dso__has_build_id(dso))
++ if (!dso__has_build_id(dso) || !dso__hit(dso))
+ return 0;
+
+ if (dso__is_kcore(dso)) {
+--
+2.39.5
+
--- /dev/null
+From e547b585c8f0a9f1a16f5043cc87cdddc93b1ff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:39 -0700
+Subject: perf sched: Fix memory leaks for evsel->priv in timehist
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 117e5c33b1c44037af016d77ce6c0b086d55535f ]
+
+It uses evsel->priv to save per-cpu timing information. It should be
+freed when the evsel is released.
+
+Add the priv destructor for evsel same as thread to handle that.
+
+Fixes: 49394a2a24c78ce0 ("perf sched timehist: Introduce timehist command")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-6-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 12 ++++++++++++
+ tools/perf/util/evsel.c | 11 +++++++++++
+ tools/perf/util/evsel.h | 2 ++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 83b5a85a91b7..a6eb0462dd5b 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -2020,6 +2020,16 @@ static u64 evsel__get_time(struct evsel *evsel, u32 cpu)
+ return r->last_time[cpu];
+ }
+
++static void timehist__evsel_priv_destructor(void *priv)
++{
++ struct evsel_runtime *r = priv;
++
++ if (r) {
++ free(r->last_time);
++ free(r);
++ }
++}
++
+ static int comm_width = 30;
+
+ static char *timehist_get_commstr(struct thread *thread)
+@@ -3314,6 +3324,8 @@ static int perf_sched__timehist(struct perf_sched *sched)
+
+ setup_pager();
+
++ evsel__set_priv_destructor(timehist__evsel_priv_destructor);
++
+ /* prefer sched_waking if it is captured */
+ if (evlist__find_tracepoint_by_name(session->evlist, "sched:sched_waking"))
+ handlers[1].handler = timehist_sched_wakeup_ignore;
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index d55482f094bf..1dc1f7b3bfb8 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -1656,6 +1656,15 @@ static void evsel__free_config_terms(struct evsel *evsel)
+ free_config_terms(&evsel->config_terms);
+ }
+
++static void (*evsel__priv_destructor)(void *priv);
++
++void evsel__set_priv_destructor(void (*destructor)(void *priv))
++{
++ assert(evsel__priv_destructor == NULL);
++
++ evsel__priv_destructor = destructor;
++}
++
+ void evsel__exit(struct evsel *evsel)
+ {
+ assert(list_empty(&evsel->core.node));
+@@ -1686,6 +1695,8 @@ void evsel__exit(struct evsel *evsel)
+ hashmap__free(evsel->per_pkg_mask);
+ evsel->per_pkg_mask = NULL;
+ zfree(&evsel->metric_events);
++ if (evsel__priv_destructor)
++ evsel__priv_destructor(evsel->priv);
+ perf_evsel__object.fini(evsel);
+ if (evsel__tool_event(evsel) == TOOL_PMU__EVENT_SYSTEM_TIME ||
+ evsel__tool_event(evsel) == TOOL_PMU__EVENT_USER_TIME)
+diff --git a/tools/perf/util/evsel.h b/tools/perf/util/evsel.h
+index 6dbc9690e0c9..b84ee274602d 100644
+--- a/tools/perf/util/evsel.h
++++ b/tools/perf/util/evsel.h
+@@ -280,6 +280,8 @@ void evsel__init(struct evsel *evsel, struct perf_event_attr *attr, int idx);
+ void evsel__exit(struct evsel *evsel);
+ void evsel__delete(struct evsel *evsel);
+
++void evsel__set_priv_destructor(void (*destructor)(void *priv));
++
+ struct callchain_param;
+
+ void evsel__config(struct evsel *evsel, struct record_opts *opts,
+--
+2.39.5
+
--- /dev/null
+From 1574b96478208c0dcf566ce27e818ee1367c4057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:41 -0700
+Subject: perf sched: Fix memory leaks in 'perf sched latency'
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit e68b1c0098b959cb88afce5c93dd6a9324e6da78 ]
+
+The work_atoms should be freed after use. Add free_work_atoms() to
+make sure to release all. It should use list_splice_init() when merging
+atoms to prevent accessing invalid pointers.
+
+Fixes: b1ffe8f3e0c96f552 ("perf sched: Finish latency => atom rename and misc cleanups")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-8-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 087d4eaba5f7..4bbebd6ef2e4 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -1111,6 +1111,21 @@ add_sched_in_event(struct work_atoms *atoms, u64 timestamp)
+ atoms->nb_atoms++;
+ }
+
++static void free_work_atoms(struct work_atoms *atoms)
++{
++ struct work_atom *atom, *tmp;
++
++ if (atoms == NULL)
++ return;
++
++ list_for_each_entry_safe(atom, tmp, &atoms->work_list, list) {
++ list_del(&atom->list);
++ free(atom);
++ }
++ thread__zput(atoms->thread);
++ free(atoms);
++}
++
+ static int latency_switch_event(struct perf_sched *sched,
+ struct evsel *evsel,
+ struct perf_sample *sample,
+@@ -3426,13 +3441,13 @@ static void __merge_work_atoms(struct rb_root_cached *root, struct work_atoms *d
+ this->total_runtime += data->total_runtime;
+ this->nb_atoms += data->nb_atoms;
+ this->total_lat += data->total_lat;
+- list_splice(&data->work_list, &this->work_list);
++ list_splice_init(&data->work_list, &this->work_list);
+ if (this->max_lat < data->max_lat) {
+ this->max_lat = data->max_lat;
+ this->max_lat_start = data->max_lat_start;
+ this->max_lat_end = data->max_lat_end;
+ }
+- zfree(&data);
++ free_work_atoms(data);
+ return;
+ }
+ }
+@@ -3511,7 +3526,6 @@ static int perf_sched__lat(struct perf_sched *sched)
+ work_list = rb_entry(next, struct work_atoms, node);
+ output_lat_thread(sched, work_list);
+ next = rb_next(next);
+- thread__zput(work_list->thread);
+ }
+
+ printf(" -----------------------------------------------------------------------------------------------------------------\n");
+@@ -3525,6 +3539,13 @@ static int perf_sched__lat(struct perf_sched *sched)
+
+ rc = 0;
+
++ while ((next = rb_first_cached(&sched->sorted_atom_root))) {
++ struct work_atoms *data;
++
++ data = rb_entry(next, struct work_atoms, node);
++ rb_erase_cached(next, &sched->sorted_atom_root);
++ free_work_atoms(data);
++ }
+ out_free_cpus_switch_event:
+ free_cpus_switch_event(sched);
+ return rc;
+--
+2.39.5
+
--- /dev/null
+From 43203bc6bf847f6dab270f4c427a2a63c56c8d53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:37 -0700
+Subject: perf sched: Fix memory leaks in 'perf sched map'
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit dc3a80c98884d86389b3b572c50ccc7f502cd41b ]
+
+It maintains per-cpu pointers for the current thread but it doesn't
+release the refcounts.
+
+Fixes: 5e895278697c014e ("perf sched: Move curr_thread initialization to perf_sched__map()")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-4-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index fa4052e04020..b73989fb6ace 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -1634,6 +1634,7 @@ static int map_switch_event(struct perf_sched *sched, struct evsel *evsel,
+ const char *color = PERF_COLOR_NORMAL;
+ char stimestamp[32];
+ const char *str;
++ int ret = -1;
+
+ BUG_ON(this_cpu.cpu >= MAX_CPUS || this_cpu.cpu < 0);
+
+@@ -1664,17 +1665,20 @@ static int map_switch_event(struct perf_sched *sched, struct evsel *evsel,
+ sched_in = map__findnew_thread(sched, machine, -1, next_pid);
+ sched_out = map__findnew_thread(sched, machine, -1, prev_pid);
+ if (sched_in == NULL || sched_out == NULL)
+- return -1;
++ goto out;
+
+ tr = thread__get_runtime(sched_in);
+- if (tr == NULL) {
+- thread__put(sched_in);
+- return -1;
+- }
++ if (tr == NULL)
++ goto out;
++
++ thread__put(sched->curr_thread[this_cpu.cpu]);
++ thread__put(sched->curr_out_thread[this_cpu.cpu]);
+
+ sched->curr_thread[this_cpu.cpu] = thread__get(sched_in);
+ sched->curr_out_thread[this_cpu.cpu] = thread__get(sched_out);
+
++ ret = 0;
++
+ str = thread__comm_str(sched_in);
+ new_shortname = 0;
+ if (!tr->shortname[0]) {
+@@ -1769,12 +1773,10 @@ static int map_switch_event(struct perf_sched *sched, struct evsel *evsel,
+ color_fprintf(stdout, color, "\n");
+
+ out:
+- if (sched->map.task_name)
+- thread__put(sched_out);
+-
++ thread__put(sched_out);
+ thread__put(sched_in);
+
+- return 0;
++ return ret;
+ }
+
+ static int process_sched_switch_event(const struct perf_tool *tool,
+@@ -3556,10 +3558,10 @@ static int perf_sched__map(struct perf_sched *sched)
+
+ sched->curr_out_thread = calloc(MAX_CPUS, sizeof(*(sched->curr_out_thread)));
+ if (!sched->curr_out_thread)
+- return rc;
++ goto out_free_curr_thread;
+
+ if (setup_cpus_switch_event(sched))
+- goto out_free_curr_thread;
++ goto out_free_curr_out_thread;
+
+ if (setup_map_cpus(sched))
+ goto out_free_cpus_switch_event;
+@@ -3590,7 +3592,14 @@ static int perf_sched__map(struct perf_sched *sched)
+ out_free_cpus_switch_event:
+ free_cpus_switch_event(sched);
+
++out_free_curr_out_thread:
++ for (int i = 0; i < MAX_CPUS; i++)
++ thread__put(sched->curr_out_thread[i]);
++ zfree(&sched->curr_out_thread);
++
+ out_free_curr_thread:
++ for (int i = 0; i < MAX_CPUS; i++)
++ thread__put(sched->curr_thread[i]);
+ zfree(&sched->curr_thread);
+ return rc;
+ }
+--
+2.39.5
+
--- /dev/null
+From 4326226b6011bed8ed29fb5c08251a0be446eb78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:38 -0700
+Subject: perf sched: Fix thread leaks in 'perf sched timehist'
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit e2eb59260c4f6bac403491d0112891766b8650d1 ]
+
+Add missing thread__put() after machine__findnew_thread() or
+timehist_get_thread(). Also idle threads' last_thread should be
+refcounted properly.
+
+Fixes: 699b5b920db04a6f ("perf sched timehist: Save callchain when entering idle")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-5-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 48 +++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index b73989fb6ace..83b5a85a91b7 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -2313,8 +2313,10 @@ static void save_task_callchain(struct perf_sched *sched,
+ return;
+ }
+
+- if (!sched->show_callchain || sample->callchain == NULL)
++ if (!sched->show_callchain || sample->callchain == NULL) {
++ thread__put(thread);
+ return;
++ }
+
+ cursor = get_tls_callchain_cursor();
+
+@@ -2323,10 +2325,12 @@ static void save_task_callchain(struct perf_sched *sched,
+ if (verbose > 0)
+ pr_err("Failed to resolve callchain. Skipping\n");
+
++ thread__put(thread);
+ return;
+ }
+
+ callchain_cursor_commit(cursor);
++ thread__put(thread);
+
+ while (true) {
+ struct callchain_cursor_node *node;
+@@ -2403,8 +2407,17 @@ static void free_idle_threads(void)
+ return;
+
+ for (i = 0; i < idle_max_cpu; ++i) {
+- if ((idle_threads[i]))
+- thread__delete(idle_threads[i]);
++ struct thread *idle = idle_threads[i];
++
++ if (idle) {
++ struct idle_thread_runtime *itr;
++
++ itr = thread__priv(idle);
++ if (itr)
++ thread__put(itr->last_thread);
++
++ thread__delete(idle);
++ }
+ }
+
+ free(idle_threads);
+@@ -2441,7 +2454,7 @@ static struct thread *get_idle_thread(int cpu)
+ }
+ }
+
+- return idle_threads[cpu];
++ return thread__get(idle_threads[cpu]);
+ }
+
+ static void save_idle_callchain(struct perf_sched *sched,
+@@ -2496,7 +2509,8 @@ static struct thread *timehist_get_thread(struct perf_sched *sched,
+ if (itr == NULL)
+ return NULL;
+
+- itr->last_thread = thread;
++ thread__put(itr->last_thread);
++ itr->last_thread = thread__get(thread);
+
+ /* copy task callchain when entering to idle */
+ if (evsel__intval(evsel, sample, "next_pid") == 0)
+@@ -2567,6 +2581,7 @@ static void timehist_print_wakeup_event(struct perf_sched *sched,
+ /* show wakeup unless both awakee and awaker are filtered */
+ if (timehist_skip_sample(sched, thread, evsel, sample) &&
+ timehist_skip_sample(sched, awakened, evsel, sample)) {
++ thread__put(thread);
+ return;
+ }
+
+@@ -2583,6 +2598,8 @@ static void timehist_print_wakeup_event(struct perf_sched *sched,
+ printf("awakened: %s", timehist_get_commstr(awakened));
+
+ printf("\n");
++
++ thread__put(thread);
+ }
+
+ static int timehist_sched_wakeup_ignore(const struct perf_tool *tool __maybe_unused,
+@@ -2611,8 +2628,10 @@ static int timehist_sched_wakeup_event(const struct perf_tool *tool,
+ return -1;
+
+ tr = thread__get_runtime(thread);
+- if (tr == NULL)
++ if (tr == NULL) {
++ thread__put(thread);
+ return -1;
++ }
+
+ if (tr->ready_to_run == 0)
+ tr->ready_to_run = sample->time;
+@@ -2622,6 +2641,7 @@ static int timehist_sched_wakeup_event(const struct perf_tool *tool,
+ !perf_time__skip_sample(&sched->ptime, sample->time))
+ timehist_print_wakeup_event(sched, evsel, sample, machine, thread);
+
++ thread__put(thread);
+ return 0;
+ }
+
+@@ -2649,6 +2669,7 @@ static void timehist_print_migration_event(struct perf_sched *sched,
+
+ if (timehist_skip_sample(sched, thread, evsel, sample) &&
+ timehist_skip_sample(sched, migrated, evsel, sample)) {
++ thread__put(thread);
+ return;
+ }
+
+@@ -2676,6 +2697,7 @@ static void timehist_print_migration_event(struct perf_sched *sched,
+ printf(" cpu %d => %d", ocpu, dcpu);
+
+ printf("\n");
++ thread__put(thread);
+ }
+
+ static int timehist_migrate_task_event(const struct perf_tool *tool,
+@@ -2695,8 +2717,10 @@ static int timehist_migrate_task_event(const struct perf_tool *tool,
+ return -1;
+
+ tr = thread__get_runtime(thread);
+- if (tr == NULL)
++ if (tr == NULL) {
++ thread__put(thread);
+ return -1;
++ }
+
+ tr->migrations++;
+ tr->migrated = sample->time;
+@@ -2706,6 +2730,7 @@ static int timehist_migrate_task_event(const struct perf_tool *tool,
+ timehist_print_migration_event(sched, evsel, sample,
+ machine, thread);
+ }
++ thread__put(thread);
+
+ return 0;
+ }
+@@ -2728,10 +2753,10 @@ static void timehist_update_task_prio(struct evsel *evsel,
+ return;
+
+ tr = thread__get_runtime(thread);
+- if (tr == NULL)
+- return;
++ if (tr != NULL)
++ tr->prio = next_prio;
+
+- tr->prio = next_prio;
++ thread__put(thread);
+ }
+
+ static int timehist_sched_change_event(const struct perf_tool *tool,
+@@ -2743,7 +2768,7 @@ static int timehist_sched_change_event(const struct perf_tool *tool,
+ struct perf_sched *sched = container_of(tool, struct perf_sched, tool);
+ struct perf_time_interval *ptime = &sched->ptime;
+ struct addr_location al;
+- struct thread *thread;
++ struct thread *thread = NULL;
+ struct thread_runtime *tr = NULL;
+ u64 tprev, t = sample->time;
+ int rc = 0;
+@@ -2867,6 +2892,7 @@ static int timehist_sched_change_event(const struct perf_tool *tool,
+
+ evsel__save_time(evsel, sample->time, sample->cpu);
+
++ thread__put(thread);
+ addr_location__exit(&al);
+ return rc;
+ }
+--
+2.39.5
+
--- /dev/null
+From fdb97c93df7d7a400999c177934087203d6c0ffc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:36 -0700
+Subject: perf sched: Free thread->priv using priv_destructor
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit aa9fdd106bab8c478d37eba5703c0950ad5c0d4f ]
+
+In many perf sched subcommand saves priv data structure in the thread
+but it forgot to free them. As it's an opaque type with 'void *', it
+needs to register that knows how to free the data. In this case, just
+regular 'free()' is fine.
+
+Fixes: 04cb4fc4d40a5bf1 ("perf thread: Allow tools to register a thread->priv destructor")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-3-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index b7bbfad0ed60..fa4052e04020 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -3898,6 +3898,8 @@ int cmd_sched(int argc, const char **argv)
+ if (!argc)
+ usage_with_options(sched_usage, sched_options);
+
++ thread__set_priv_destructor(free);
++
+ /*
+ * Aliased to 'perf script' for now:
+ */
+--
+2.39.5
+
--- /dev/null
+From 064e43bea8e36ae17d2460452bb0845f82a88a91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:35 -0700
+Subject: perf sched: Make sure it frees the usage string
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 10d9b89203765fb776512742c13af8dd92821842 ]
+
+The parse_options_subcommand() allocates the usage string based on the
+given subcommands. So it should reach the end of the function to free
+the string to prevent memory leaks.
+
+Fixes: 1a5efc9e13f357ab ("libsubcmd: Don't free the usage string")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-2-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 26ece6e9bfd1..b7bbfad0ed60 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -3902,9 +3902,9 @@ int cmd_sched(int argc, const char **argv)
+ * Aliased to 'perf script' for now:
+ */
+ if (!strcmp(argv[0], "script")) {
+- return cmd_script(argc, argv);
++ ret = cmd_script(argc, argv);
+ } else if (strlen(argv[0]) > 2 && strstarts("record", argv[0])) {
+- return __cmd_record(argc, argv);
++ ret = __cmd_record(argc, argv);
+ } else if (strlen(argv[0]) > 2 && strstarts("latency", argv[0])) {
+ sched.tp_handler = &lat_ops;
+ if (argc > 1) {
+@@ -3913,7 +3913,7 @@ int cmd_sched(int argc, const char **argv)
+ usage_with_options(latency_usage, latency_options);
+ }
+ setup_sorting(&sched, latency_options, latency_usage);
+- return perf_sched__lat(&sched);
++ ret = perf_sched__lat(&sched);
+ } else if (!strcmp(argv[0], "map")) {
+ if (argc) {
+ argc = parse_options(argc, argv, map_options, map_usage, 0);
+@@ -3924,13 +3924,14 @@ int cmd_sched(int argc, const char **argv)
+ sched.map.task_names = strlist__new(sched.map.task_name, NULL);
+ if (sched.map.task_names == NULL) {
+ fprintf(stderr, "Failed to parse task names\n");
+- return -1;
++ ret = -1;
++ goto out;
+ }
+ }
+ }
+ sched.tp_handler = &map_ops;
+ setup_sorting(&sched, latency_options, latency_usage);
+- return perf_sched__map(&sched);
++ ret = perf_sched__map(&sched);
+ } else if (strlen(argv[0]) > 2 && strstarts("replay", argv[0])) {
+ sched.tp_handler = &replay_ops;
+ if (argc) {
+@@ -3938,7 +3939,7 @@ int cmd_sched(int argc, const char **argv)
+ if (argc)
+ usage_with_options(replay_usage, replay_options);
+ }
+- return perf_sched__replay(&sched);
++ ret = perf_sched__replay(&sched);
+ } else if (!strcmp(argv[0], "timehist")) {
+ if (argc) {
+ argc = parse_options(argc, argv, timehist_options,
+@@ -3954,19 +3955,19 @@ int cmd_sched(int argc, const char **argv)
+ parse_options_usage(NULL, timehist_options, "w", true);
+ if (sched.show_next)
+ parse_options_usage(NULL, timehist_options, "n", true);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto out;
+ }
+ ret = symbol__validate_sym_arguments();
+- if (ret)
+- return ret;
+-
+- return perf_sched__timehist(&sched);
++ if (!ret)
++ ret = perf_sched__timehist(&sched);
+ } else {
+ usage_with_options(sched_usage, sched_options);
+ }
+
++out:
+ /* free usage string allocated by parse_options_subcommand */
+ free((void *)sched_usage[0]);
+
+- return 0;
++ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From aa12f28ec05d2676649317ce5a9456df980b96e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:40 -0700
+Subject: perf sched: Use RC_CHK_EQUAL() to compare pointers
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 7a4002ec9e0fced907179da94f67c3082d7b4162 ]
+
+So that it can check two pointers to the same object properly when
+REFCNT_CHECKING is on.
+
+Fixes: 78c32f4cb12f9430 ("libperf rc_check: Add RC_CHK_EQUAL")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-7-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index a6eb0462dd5b..087d4eaba5f7 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -994,7 +994,7 @@ thread_atoms_search(struct rb_root_cached *root, struct thread *thread,
+ else if (cmp < 0)
+ node = node->rb_right;
+ else {
+- BUG_ON(thread != atoms->thread);
++ BUG_ON(!RC_CHK_EQUAL(thread, atoms->thread));
+ return atoms;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 5e7d77e84296d1df2864b91ab0c6bdcf7b339706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 12:10:15 +0100
+Subject: perf tests bp_account: Fix leaked file descriptor
+
+From: Leo Yan <leo.yan@arm.com>
+
+[ Upstream commit 4a6cdecaa1497f1fbbd1d5307a225b6ca5a62a90 ]
+
+Since the commit e9846f5ead26 ("perf test: In forked mode add check that
+fds aren't leaked"), the test "Breakpoint accounting" reports the error:
+
+ # perf test -vvv "Breakpoint accounting"
+ 20: Breakpoint accounting:
+ --- start ---
+ test child forked, pid 373
+ failed opening event 0
+ failed opening event 0
+ watchpoints count 4, breakpoints count 6, has_ioctl 1, share 0
+ wp 0 created
+ wp 1 created
+ wp 2 created
+ wp 3 created
+ wp 0 modified to bp
+ wp max created
+ ---- end(0) ----
+ Leak of file descriptor 7 that opened: 'anon_inode:[perf_event]'
+
+A watchpoint's file descriptor was not properly released. This patch
+fixes the leak.
+
+Fixes: 032db28e5fa3 ("perf tests: Add breakpoint accounting/modify test")
+Reported-by: Aishwarya TCV <aishwarya.tcv@arm.com>
+Signed-off-by: Leo Yan <leo.yan@arm.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250711-perf_fix_breakpoint_accounting-v1-1-b314393023f9@arm.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/bp_account.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/bp_account.c b/tools/perf/tests/bp_account.c
+index 4cb7d486b5c1..047433c977bc 100644
+--- a/tools/perf/tests/bp_account.c
++++ b/tools/perf/tests/bp_account.c
+@@ -104,6 +104,7 @@ static int bp_accounting(int wp_cnt, int share)
+ fd_wp = wp_event((void *)&the_var, &attr_new);
+ TEST_ASSERT_VAL("failed to create max wp\n", fd_wp != -1);
+ pr_debug("wp max created\n");
++ close(fd_wp);
+ }
+
+ for (i = 0; i < wp_cnt; i++)
+--
+2.39.5
+
--- /dev/null
+From 609cfb305a83777e1e7576b348dd295c47cf7890 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 13:10:27 -0700
+Subject: perf tools: Fix use-after-free in help_unknown_cmd()
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 1fdf938168c4d26fa279d4f204768690d1f9c4ae ]
+
+Currently perf aborts when it finds an invalid command. I guess it
+depends on the environment as I have some custom commands in the path.
+
+ $ perf bad-command
+ perf: 'bad-command' is not a perf-command. See 'perf --help'.
+ Aborted (core dumped)
+
+It's because the exclude_cmds() in libsubcmd has a use-after-free when
+it removes some entries. After copying one to another entry, it keeps
+the pointer in the both position. And the next copy operation will free
+the later one but it's the same entry in the previous one.
+
+For example, let's say cmds = { A, B, C, D, E } and excludes = { B, E }.
+
+ ci cj ei cmds-name excludes
+ -----------+--------------------
+ 0 0 0 | A B : cmp < 0, ci == cj
+ 1 1 0 | B B : cmp == 0
+ 2 1 1 | C E : cmp < 0, ci != cj
+
+At this point, it frees cmds->names[1] and cmds->names[1] is assigned to
+cmds->names[2].
+
+ 3 2 1 | D E : cmp < 0, ci != cj
+
+Now it frees cmds->names[2] but it's the same as cmds->names[1]. So
+accessing cmds->names[1] will be invalid.
+
+This makes the subcmd tests succeed.
+
+ $ perf test subcmd
+ 69: libsubcmd help tests :
+ 69.1: Load subcmd names : Ok
+ 69.2: Uniquify subcmd names : Ok
+ 69.3: Exclude duplicate subcmd names : Ok
+
+Fixes: 4b96679170c6 ("libsubcmd: Avoid SEGV/use-after-free when commands aren't excluded")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250701201027.1171561-3-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/subcmd/help.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/tools/lib/subcmd/help.c b/tools/lib/subcmd/help.c
+index 8561b0f01a24..9ef569492560 100644
+--- a/tools/lib/subcmd/help.c
++++ b/tools/lib/subcmd/help.c
+@@ -9,6 +9,7 @@
+ #include <sys/stat.h>
+ #include <unistd.h>
+ #include <dirent.h>
++#include <assert.h>
+ #include "subcmd-util.h"
+ #include "help.h"
+ #include "exec-cmd.h"
+@@ -82,10 +83,11 @@ void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes)
+ ci++;
+ cj++;
+ } else {
+- zfree(&cmds->names[cj]);
+- cmds->names[cj++] = cmds->names[ci++];
++ cmds->names[cj++] = cmds->names[ci];
++ cmds->names[ci++] = NULL;
+ }
+ } else if (cmp == 0) {
++ zfree(&cmds->names[ci]);
+ ci++;
+ ei++;
+ } else if (cmp > 0) {
+@@ -94,12 +96,12 @@ void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes)
+ }
+ if (ci != cj) {
+ while (ci < cmds->cnt) {
+- zfree(&cmds->names[cj]);
+- cmds->names[cj++] = cmds->names[ci++];
++ cmds->names[cj++] = cmds->names[ci];
++ cmds->names[ci++] = NULL;
+ }
+ }
+ for (ci = cj; ci < cmds->cnt; ci++)
+- zfree(&cmds->names[ci]);
++ assert(cmds->names[ci] == NULL);
+ cmds->cnt = cj;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 594258a7442266456b9c4bf00ca439d16c3998b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jul 2025 19:15:32 +0800
+Subject: perf tools: Remove libtraceevent in .gitignore
+
+From: Chen Pei <cp0613@linux.alibaba.com>
+
+[ Upstream commit af470fb532fc803c4c582d15b4bd394682a77a15 ]
+
+The libtraceevent has been removed from the source tree, and .gitignore
+needs to be updated as well.
+
+Fixes: 4171925aa9f3f7bf ("tools lib traceevent: Remove libtraceevent")
+Signed-off-by: Chen Pei <cp0613@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250726111532.8031-1-cp0613@linux.alibaba.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/.gitignore | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/perf/.gitignore b/tools/perf/.gitignore
+index 5aaf73df6700..b64302a76144 100644
+--- a/tools/perf/.gitignore
++++ b/tools/perf/.gitignore
+@@ -48,8 +48,6 @@ libbpf/
+ libperf/
+ libsubcmd/
+ libsymbol/
+-libtraceevent/
+-libtraceevent_plugins/
+ fixdep
+ Documentation/doc.dep
+ python_ext_build/
+--
+2.39.5
+
--- /dev/null
+From 95bf86d910ad0efad5222afe865defa9eda8d496 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 20:05:15 -0700
+Subject: perf topdown: Use attribute to see an event is a topdown metic or
+ slots
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 5b546de9cc177936a3ed07d7d46ef072db4fdbab ]
+
+The string comparisons were overly broad and could fire for the
+incorrect PMU and events. Switch to using the config in the attribute
+then add a perf test to confirm the attribute config values match
+those of parsed events of that name and don't match others. This
+exposed matches for slots events that shouldn't have matched as the
+slots fixed counter event, such as topdown.slots_p.
+
+Fixes: fbc798316bef ("perf x86/topdown: Refine helper arch_is_topdown_metrics()")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250719030517.1990983-14-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/x86/include/arch-tests.h | 4 ++
+ tools/perf/arch/x86/tests/Build | 1 +
+ tools/perf/arch/x86/tests/arch-tests.c | 1 +
+ tools/perf/arch/x86/tests/topdown.c | 76 ++++++++++++++++++++++++
+ tools/perf/arch/x86/util/evsel.c | 46 ++++----------
+ tools/perf/arch/x86/util/topdown.c | 31 ++++------
+ tools/perf/arch/x86/util/topdown.h | 4 ++
+ 7 files changed, 108 insertions(+), 55 deletions(-)
+ create mode 100644 tools/perf/arch/x86/tests/topdown.c
+
+diff --git a/tools/perf/arch/x86/include/arch-tests.h b/tools/perf/arch/x86/include/arch-tests.h
+index 4fd425157d7d..8713e9122d4c 100644
+--- a/tools/perf/arch/x86/include/arch-tests.h
++++ b/tools/perf/arch/x86/include/arch-tests.h
+@@ -2,6 +2,8 @@
+ #ifndef ARCH_TESTS_H
+ #define ARCH_TESTS_H
+
++#include "tests/tests.h"
++
+ struct test_suite;
+
+ /* Tests */
+@@ -17,6 +19,8 @@ int test__amd_ibs_via_core_pmu(struct test_suite *test, int subtest);
+ int test__amd_ibs_period(struct test_suite *test, int subtest);
+ int test__hybrid(struct test_suite *test, int subtest);
+
++DECLARE_SUITE(x86_topdown);
++
+ extern struct test_suite *arch_tests[];
+
+ #endif
+diff --git a/tools/perf/arch/x86/tests/Build b/tools/perf/arch/x86/tests/Build
+index 5e00cbfd2d56..9252a29d31a7 100644
+--- a/tools/perf/arch/x86/tests/Build
++++ b/tools/perf/arch/x86/tests/Build
+@@ -11,6 +11,7 @@ endif
+ perf-test-$(CONFIG_X86_64) += bp-modify.o
+ perf-test-y += amd-ibs-via-core-pmu.o
+ perf-test-y += amd-ibs-period.o
++perf-test-y += topdown.o
+
+ ifdef SHELLCHECK
+ SHELL_TESTS := gen-insn-x86-dat.sh
+diff --git a/tools/perf/arch/x86/tests/arch-tests.c b/tools/perf/arch/x86/tests/arch-tests.c
+index bfee2432515b..29ec1861ccef 100644
+--- a/tools/perf/arch/x86/tests/arch-tests.c
++++ b/tools/perf/arch/x86/tests/arch-tests.c
+@@ -53,5 +53,6 @@ struct test_suite *arch_tests[] = {
+ &suite__amd_ibs_via_core_pmu,
+ &suite__amd_ibs_period,
+ &suite__hybrid,
++ &suite__x86_topdown,
+ NULL,
+ };
+diff --git a/tools/perf/arch/x86/tests/topdown.c b/tools/perf/arch/x86/tests/topdown.c
+new file mode 100644
+index 000000000000..8d0ea7a4bbc1
+--- /dev/null
++++ b/tools/perf/arch/x86/tests/topdown.c
+@@ -0,0 +1,76 @@
++// SPDX-License-Identifier: GPL-2.0
++#include "arch-tests.h"
++#include "../util/topdown.h"
++#include "evlist.h"
++#include "parse-events.h"
++#include "pmu.h"
++#include "pmus.h"
++
++static int event_cb(void *state, struct pmu_event_info *info)
++{
++ char buf[256];
++ struct parse_events_error parse_err;
++ int *ret = state, err;
++ struct evlist *evlist = evlist__new();
++ struct evsel *evsel;
++
++ if (!evlist)
++ return -ENOMEM;
++
++ parse_events_error__init(&parse_err);
++ snprintf(buf, sizeof(buf), "%s/%s/", info->pmu->name, info->name);
++ err = parse_events(evlist, buf, &parse_err);
++ if (err) {
++ parse_events_error__print(&parse_err, buf);
++ *ret = TEST_FAIL;
++ }
++ parse_events_error__exit(&parse_err);
++ evlist__for_each_entry(evlist, evsel) {
++ bool fail = false;
++ bool p_core_pmu = evsel->pmu->type == PERF_TYPE_RAW;
++ const char *name = evsel__name(evsel);
++
++ if (strcasestr(name, "uops_retired.slots") ||
++ strcasestr(name, "topdown.backend_bound_slots") ||
++ strcasestr(name, "topdown.br_mispredict_slots") ||
++ strcasestr(name, "topdown.memory_bound_slots") ||
++ strcasestr(name, "topdown.bad_spec_slots") ||
++ strcasestr(name, "topdown.slots_p")) {
++ if (arch_is_topdown_slots(evsel) || arch_is_topdown_metrics(evsel))
++ fail = true;
++ } else if (strcasestr(name, "slots")) {
++ if (arch_is_topdown_slots(evsel) != p_core_pmu ||
++ arch_is_topdown_metrics(evsel))
++ fail = true;
++ } else if (strcasestr(name, "topdown")) {
++ if (arch_is_topdown_slots(evsel) ||
++ arch_is_topdown_metrics(evsel) != p_core_pmu)
++ fail = true;
++ } else if (arch_is_topdown_slots(evsel) || arch_is_topdown_metrics(evsel)) {
++ fail = true;
++ }
++ if (fail) {
++ pr_debug("Broken topdown information for '%s'\n", evsel__name(evsel));
++ *ret = TEST_FAIL;
++ }
++ }
++ evlist__delete(evlist);
++ return 0;
++}
++
++static int test__x86_topdown(struct test_suite *test __maybe_unused, int subtest __maybe_unused)
++{
++ int ret = TEST_OK;
++ struct perf_pmu *pmu = NULL;
++
++ if (!topdown_sys_has_perf_metrics())
++ return TEST_OK;
++
++ while ((pmu = perf_pmus__scan_core(pmu)) != NULL) {
++ if (perf_pmu__for_each_event(pmu, /*skip_duplicate_pmus=*/false, &ret, event_cb))
++ break;
++ }
++ return ret;
++}
++
++DEFINE_SUITE("x86 topdown", x86_topdown);
+diff --git a/tools/perf/arch/x86/util/evsel.c b/tools/perf/arch/x86/util/evsel.c
+index 3dd29ba2c23b..9bc80fff3aa0 100644
+--- a/tools/perf/arch/x86/util/evsel.c
++++ b/tools/perf/arch/x86/util/evsel.c
+@@ -23,47 +23,25 @@ void arch_evsel__set_sample_weight(struct evsel *evsel)
+ bool evsel__sys_has_perf_metrics(const struct evsel *evsel)
+ {
+ struct perf_pmu *pmu;
+- u32 type = evsel->core.attr.type;
+
+- /*
+- * The PERF_TYPE_RAW type is the core PMU type, e.g., "cpu" PMU
+- * on a non-hybrid machine, "cpu_core" PMU on a hybrid machine.
+- * The slots event is only available for the core PMU, which
+- * supports the perf metrics feature.
+- * Checking both the PERF_TYPE_RAW type and the slots event
+- * should be good enough to detect the perf metrics feature.
+- */
+-again:
+- switch (type) {
+- case PERF_TYPE_HARDWARE:
+- case PERF_TYPE_HW_CACHE:
+- type = evsel->core.attr.config >> PERF_PMU_TYPE_SHIFT;
+- if (type)
+- goto again;
+- break;
+- case PERF_TYPE_RAW:
+- break;
+- default:
++ if (!topdown_sys_has_perf_metrics())
+ return false;
+- }
+-
+- pmu = evsel->pmu;
+- if (pmu && perf_pmu__is_fake(pmu))
+- pmu = NULL;
+
+- if (!pmu) {
+- while ((pmu = perf_pmus__scan_core(pmu)) != NULL) {
+- if (pmu->type == PERF_TYPE_RAW)
+- break;
+- }
+- }
+- return pmu && perf_pmu__have_event(pmu, "slots");
++ /*
++ * The PERF_TYPE_RAW type is the core PMU type, e.g., "cpu" PMU on a
++ * non-hybrid machine, "cpu_core" PMU on a hybrid machine. The
++ * topdown_sys_has_perf_metrics checks the slots event is only available
++ * for the core PMU, which supports the perf metrics feature. Checking
++ * both the PERF_TYPE_RAW type and the slots event should be good enough
++ * to detect the perf metrics feature.
++ */
++ pmu = evsel__find_pmu(evsel);
++ return pmu && pmu->type == PERF_TYPE_RAW;
+ }
+
+ bool arch_evsel__must_be_in_group(const struct evsel *evsel)
+ {
+- if (!evsel__sys_has_perf_metrics(evsel) || !evsel->name ||
+- strcasestr(evsel->name, "uops_retired.slots"))
++ if (!evsel__sys_has_perf_metrics(evsel))
+ return false;
+
+ return arch_is_topdown_metrics(evsel) || arch_is_topdown_slots(evsel);
+diff --git a/tools/perf/arch/x86/util/topdown.c b/tools/perf/arch/x86/util/topdown.c
+index d1c654839049..66b231fbf52e 100644
+--- a/tools/perf/arch/x86/util/topdown.c
++++ b/tools/perf/arch/x86/util/topdown.c
+@@ -1,6 +1,4 @@
+ // SPDX-License-Identifier: GPL-2.0
+-#include "api/fs/fs.h"
+-#include "util/evsel.h"
+ #include "util/evlist.h"
+ #include "util/pmu.h"
+ #include "util/pmus.h"
+@@ -8,6 +6,9 @@
+ #include "topdown.h"
+ #include "evsel.h"
+
++// cmask=0, inv=0, pc=0, edge=0, umask=4, event=0
++#define TOPDOWN_SLOTS 0x0400
++
+ /* Check whether there is a PMU which supports the perf metrics. */
+ bool topdown_sys_has_perf_metrics(void)
+ {
+@@ -32,31 +33,19 @@ bool topdown_sys_has_perf_metrics(void)
+ return has_perf_metrics;
+ }
+
+-#define TOPDOWN_SLOTS 0x0400
+ bool arch_is_topdown_slots(const struct evsel *evsel)
+ {
+- if (evsel->core.attr.config == TOPDOWN_SLOTS)
+- return true;
+-
+- return false;
++ return evsel->core.attr.type == PERF_TYPE_RAW &&
++ evsel->core.attr.config == TOPDOWN_SLOTS &&
++ evsel->core.attr.config1 == 0;
+ }
+
+ bool arch_is_topdown_metrics(const struct evsel *evsel)
+ {
+- int config = evsel->core.attr.config;
+- const char *name_from_config;
+- struct perf_pmu *pmu;
+-
+- /* All topdown events have an event code of 0. */
+- if ((config & 0xFF) != 0)
+- return false;
+-
+- pmu = evsel__find_pmu(evsel);
+- if (!pmu || !pmu->is_core)
+- return false;
+-
+- name_from_config = perf_pmu__name_from_config(pmu, config);
+- return name_from_config && strcasestr(name_from_config, "topdown");
++ // cmask=0, inv=0, pc=0, edge=0, umask=0x80-0x87, event=0
++ return evsel->core.attr.type == PERF_TYPE_RAW &&
++ (evsel->core.attr.config & 0xFFFFF8FF) == 0x8000 &&
++ evsel->core.attr.config1 == 0;
+ }
+
+ /*
+diff --git a/tools/perf/arch/x86/util/topdown.h b/tools/perf/arch/x86/util/topdown.h
+index 1bae9b1822d7..2349536cf882 100644
+--- a/tools/perf/arch/x86/util/topdown.h
++++ b/tools/perf/arch/x86/util/topdown.h
+@@ -2,6 +2,10 @@
+ #ifndef _TOPDOWN_H
+ #define _TOPDOWN_H 1
+
++#include <stdbool.h>
++
++struct evsel;
++
+ bool topdown_sys_has_perf_metrics(void);
+ bool arch_is_topdown_slots(const struct evsel *evsel);
+ bool arch_is_topdown_metrics(const struct evsel *evsel);
+--
+2.39.5
+
--- /dev/null
+From b349b2f441d002fbc1e2952875132880c07907e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 09:29:36 +0200
+Subject: phy: qcom: phy-qcom-snps-eusb2: Add missing write from init sequence
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit 7f5f703210109366c1e1b685086c9b0a4897ea54 ]
+
+As per a commit from Qualcomm's downstream 6.1 kernel[0], the init
+sequence is missing setting the CMN_CTRL_OVERRIDE_EN bit back to 0 at
+the end, as per the 'latest' HPG revision (as of November 2023).
+
+[0] https://git.codelinaro.org/clo/la/kernel/qcom/-/commit/b77774a89e3fda3246e09dd39e16e2ab43cd1329
+
+Fixes: 80090810f5d3 ("phy: qcom: Add QCOM SNPS eUSB2 driver")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Link: https://lore.kernel.org/r/20250715-sm7635-eusb-phy-v3-3-6c3224085eb6@fairphone.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/phy-snps-eusb2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/phy/phy-snps-eusb2.c b/drivers/phy/phy-snps-eusb2.c
+index 751b6d8ba2be..e78d222eec5f 100644
+--- a/drivers/phy/phy-snps-eusb2.c
++++ b/drivers/phy/phy-snps-eusb2.c
+@@ -437,6 +437,9 @@ static int qcom_snps_eusb2_hsphy_init(struct phy *p)
+ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2,
+ USB2_SUSPEND_N_SEL, 0);
+
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG0,
++ CMN_CTRL_OVERRIDE_EN, 0);
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 6b16231b8f52a3742810b6cc63ad3fc699b37e1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 10:26:36 +0200
+Subject: phy: qualcomm: phy-qcom-eusb2-repeater: Don't zero-out registers
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit 31bc94de76026c527f82c238f414539a14f0f3e6 ]
+
+Zeroing out registers does not happen in the downstream kernel, and will
+"tune" the repeater in surely unexpected ways since most registers don't
+have a reset value of 0x0.
+
+Stop doing that and instead just set the registers that are in the init
+sequence (though long term I don't think there's actually PMIC-specific
+init sequences, there's board specific tuning, but that's a story for
+another day).
+
+Fixes: 99a517a582fc ("phy: qualcomm: phy-qcom-eusb2-repeater: Zero out untouched tuning regs")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20250617-eusb2-repeater-tuning-v2-2-ed6c484f18ee@fairphone.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../phy/qualcomm/phy-qcom-eusb2-repeater.c | 87 +++++++------------
+ 1 file changed, 32 insertions(+), 55 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c
+index 6bd1b3c75c77..d7493c2294ef 100644
+--- a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c
++++ b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c
+@@ -37,32 +37,13 @@
+ #define EUSB2_TUNE_EUSB_EQU 0x5A
+ #define EUSB2_TUNE_EUSB_HS_COMP_CUR 0x5B
+
+-enum eusb2_reg_layout {
+- TUNE_EUSB_HS_COMP_CUR,
+- TUNE_EUSB_EQU,
+- TUNE_EUSB_SLEW,
+- TUNE_USB2_HS_COMP_CUR,
+- TUNE_USB2_PREEM,
+- TUNE_USB2_EQU,
+- TUNE_USB2_SLEW,
+- TUNE_SQUELCH_U,
+- TUNE_HSDISC,
+- TUNE_RES_FSDIF,
+- TUNE_IUSB2,
+- TUNE_USB2_CROSSOVER,
+- NUM_TUNE_FIELDS,
+-
+- FORCE_VAL_5 = NUM_TUNE_FIELDS,
+- FORCE_EN_5,
+-
+- EN_CTL1,
+-
+- RPTR_STATUS,
+- LAYOUT_SIZE,
++struct eusb2_repeater_init_tbl_reg {
++ unsigned int reg;
++ unsigned int value;
+ };
+
+ struct eusb2_repeater_cfg {
+- const u32 *init_tbl;
++ const struct eusb2_repeater_init_tbl_reg *init_tbl;
+ int init_tbl_num;
+ const char * const *vreg_list;
+ int num_vregs;
+@@ -82,16 +63,16 @@ static const char * const pm8550b_vreg_l[] = {
+ "vdd18", "vdd3",
+ };
+
+-static const u32 pm8550b_init_tbl[NUM_TUNE_FIELDS] = {
+- [TUNE_IUSB2] = 0x8,
+- [TUNE_SQUELCH_U] = 0x3,
+- [TUNE_USB2_PREEM] = 0x5,
++static const struct eusb2_repeater_init_tbl_reg pm8550b_init_tbl[] = {
++ { EUSB2_TUNE_IUSB2, 0x8 },
++ { EUSB2_TUNE_SQUELCH_U, 0x3 },
++ { EUSB2_TUNE_USB2_PREEM, 0x5 },
+ };
+
+-static const u32 smb2360_init_tbl[NUM_TUNE_FIELDS] = {
+- [TUNE_IUSB2] = 0x5,
+- [TUNE_SQUELCH_U] = 0x3,
+- [TUNE_USB2_PREEM] = 0x2,
++static const struct eusb2_repeater_init_tbl_reg smb2360_init_tbl[] = {
++ { EUSB2_TUNE_IUSB2, 0x5 },
++ { EUSB2_TUNE_SQUELCH_U, 0x3 },
++ { EUSB2_TUNE_USB2_PREEM, 0x2 },
+ };
+
+ static const struct eusb2_repeater_cfg pm8550b_eusb2_cfg = {
+@@ -129,17 +110,10 @@ static int eusb2_repeater_init(struct phy *phy)
+ struct eusb2_repeater *rptr = phy_get_drvdata(phy);
+ struct device_node *np = rptr->dev->of_node;
+ struct regmap *regmap = rptr->regmap;
+- const u32 *init_tbl = rptr->cfg->init_tbl;
+- u8 tune_usb2_preem = init_tbl[TUNE_USB2_PREEM];
+- u8 tune_hsdisc = init_tbl[TUNE_HSDISC];
+- u8 tune_iusb2 = init_tbl[TUNE_IUSB2];
+ u32 base = rptr->base;
+- u32 val;
++ u32 poll_val;
+ int ret;
+-
+- of_property_read_u8(np, "qcom,tune-usb2-amplitude", &tune_iusb2);
+- of_property_read_u8(np, "qcom,tune-usb2-disc-thres", &tune_hsdisc);
+- of_property_read_u8(np, "qcom,tune-usb2-preem", &tune_usb2_preem);
++ u8 val;
+
+ ret = regulator_bulk_enable(rptr->cfg->num_vregs, rptr->vregs);
+ if (ret)
+@@ -147,21 +121,24 @@ static int eusb2_repeater_init(struct phy *phy)
+
+ regmap_write(regmap, base + EUSB2_EN_CTL1, EUSB2_RPTR_EN);
+
+- regmap_write(regmap, base + EUSB2_TUNE_EUSB_HS_COMP_CUR, init_tbl[TUNE_EUSB_HS_COMP_CUR]);
+- regmap_write(regmap, base + EUSB2_TUNE_EUSB_EQU, init_tbl[TUNE_EUSB_EQU]);
+- regmap_write(regmap, base + EUSB2_TUNE_EUSB_SLEW, init_tbl[TUNE_EUSB_SLEW]);
+- regmap_write(regmap, base + EUSB2_TUNE_USB2_HS_COMP_CUR, init_tbl[TUNE_USB2_HS_COMP_CUR]);
+- regmap_write(regmap, base + EUSB2_TUNE_USB2_EQU, init_tbl[TUNE_USB2_EQU]);
+- regmap_write(regmap, base + EUSB2_TUNE_USB2_SLEW, init_tbl[TUNE_USB2_SLEW]);
+- regmap_write(regmap, base + EUSB2_TUNE_SQUELCH_U, init_tbl[TUNE_SQUELCH_U]);
+- regmap_write(regmap, base + EUSB2_TUNE_RES_FSDIF, init_tbl[TUNE_RES_FSDIF]);
+- regmap_write(regmap, base + EUSB2_TUNE_USB2_CROSSOVER, init_tbl[TUNE_USB2_CROSSOVER]);
+-
+- regmap_write(regmap, base + EUSB2_TUNE_USB2_PREEM, tune_usb2_preem);
+- regmap_write(regmap, base + EUSB2_TUNE_HSDISC, tune_hsdisc);
+- regmap_write(regmap, base + EUSB2_TUNE_IUSB2, tune_iusb2);
+-
+- ret = regmap_read_poll_timeout(regmap, base + EUSB2_RPTR_STATUS, val, val & RPTR_OK, 10, 5);
++ /* Write registers from init table */
++ for (int i = 0; i < rptr->cfg->init_tbl_num; i++)
++ regmap_write(regmap, base + rptr->cfg->init_tbl[i].reg,
++ rptr->cfg->init_tbl[i].value);
++
++ /* Override registers from devicetree values */
++ if (!of_property_read_u8(np, "qcom,tune-usb2-amplitude", &val))
++ regmap_write(regmap, base + EUSB2_TUNE_USB2_PREEM, val);
++
++ if (!of_property_read_u8(np, "qcom,tune-usb2-disc-thres", &val))
++ regmap_write(regmap, base + EUSB2_TUNE_HSDISC, val);
++
++ if (!of_property_read_u8(np, "qcom,tune-usb2-preem", &val))
++ regmap_write(regmap, base + EUSB2_TUNE_IUSB2, val);
++
++ /* Wait for status OK */
++ ret = regmap_read_poll_timeout(regmap, base + EUSB2_RPTR_STATUS, poll_val,
++ poll_val & RPTR_OK, 10, 5);
+ if (ret)
+ dev_err(rptr->dev, "initialization timed-out\n");
+
+--
+2.39.5
+
--- /dev/null
+From e585584f543e72e912a1fa1bc6d5e2aa2aa2c861 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:53:43 +0800
+Subject: pinctrl: berlin: fix memory leak in berlin_pinctrl_build_state()
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit 8f6f303551100291bf2c1e1ccc66b758fffb1168 ]
+
+In the original implementation, krealloc() failure handling incorrectly
+assigned the original memory pointer to NULL after kfree(), causing a
+memory leak when reallocation failed.
+
+Fixes: de845036f997 ("pinctrl: berlin: fix error return code of berlin_pinctrl_build_state()")
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Link: https://lore.kernel.org/20250620015343.21494-1-chenyuan_fl@163.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/berlin/berlin.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pinctrl/berlin/berlin.c b/drivers/pinctrl/berlin/berlin.c
+index c372a2a24be4..9dc2da8056b7 100644
+--- a/drivers/pinctrl/berlin/berlin.c
++++ b/drivers/pinctrl/berlin/berlin.c
+@@ -204,6 +204,7 @@ static int berlin_pinctrl_build_state(struct platform_device *pdev)
+ const struct berlin_desc_group *desc_group;
+ const struct berlin_desc_function *desc_function;
+ int i, max_functions = 0;
++ struct pinfunction *new_functions;
+
+ pctrl->nfunctions = 0;
+
+@@ -229,12 +230,15 @@ static int berlin_pinctrl_build_state(struct platform_device *pdev)
+ }
+ }
+
+- pctrl->functions = krealloc(pctrl->functions,
++ new_functions = krealloc(pctrl->functions,
+ pctrl->nfunctions * sizeof(*pctrl->functions),
+ GFP_KERNEL);
+- if (!pctrl->functions)
++ if (!new_functions) {
++ kfree(pctrl->functions);
+ return -ENOMEM;
++ }
+
++ pctrl->functions = new_functions;
+ /* map functions to theirs groups */
+ for (i = 0; i < pctrl->desc->ngroups; i++) {
+ desc_group = pctrl->desc->groups + i;
+--
+2.39.5
+
--- /dev/null
+From ab9ce7366ad8731984ab0bb47235389c610a75ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 00:11:13 +0800
+Subject: pinctrl: canaan: k230: add NULL check in DT parse
+
+From: Ze Huang <huangze@whut.edu.cn>
+
+[ Upstream commit 65bd0be486390fc12a84eafaad78758c5e5a55e6 ]
+
+Add a NULL check for the return value of of_get_property() when
+retrieving the "pinmux" property in the group parser. This avoids
+a potential NULL pointer dereference if the property is missing
+from the device tree node.
+
+Also fix a typo ("sintenel") in the device ID match table comment,
+correcting it to "sentinel".
+
+Fixes: 545887eab6f6 ("pinctrl: canaan: Add support for k230 SoC")
+Reported-by: Yao Zi <ziyao@disroot.org>
+Signed-off-by: Ze Huang <huangze@whut.edu.cn>
+Link: https://lore.kernel.org/20250624-k230-return-check-v1-1-6b4fc5ba0c41@whut.edu.cn
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-k230.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c
+index a9b4627b46b0..4976308e6237 100644
+--- a/drivers/pinctrl/pinctrl-k230.c
++++ b/drivers/pinctrl/pinctrl-k230.c
+@@ -477,6 +477,10 @@ static int k230_pinctrl_parse_groups(struct device_node *np,
+ grp->name = np->name;
+
+ list = of_get_property(np, "pinmux", &size);
++ if (!list) {
++ dev_err(dev, "failed to get pinmux property\n");
++ return -EINVAL;
++ }
+ size /= sizeof(*list);
+
+ grp->num_pins = size;
+@@ -623,7 +627,7 @@ static int k230_pinctrl_probe(struct platform_device *pdev)
+
+ static const struct of_device_id k230_dt_ids[] = {
+ { .compatible = "canaan,k230-pinctrl", },
+- { /* sintenel */ }
++ { /* sentinel */ }
+ };
+ MODULE_DEVICE_TABLE(of, k230_dt_ids);
+
+--
+2.39.5
+
--- /dev/null
+From 38d4a93e0a8e03e737edef5c41476d1b60c6e85c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 00:11:14 +0800
+Subject: pinctrl: canaan: k230: Fix order of DT parse and pinctrl register
+
+From: Ze Huang <huangze@whut.edu.cn>
+
+[ Upstream commit d94a32ac688f953dc9a9f12b5b4139ecad841bbb ]
+
+Move DT parse before pinctrl register. This ensures that device tree
+parsing is done before calling devm_pinctrl_register() to prevent using
+uninitialized pin resources.
+
+Fixes: 545887eab6f6 ("pinctrl: canaan: Add support for k230 SoC")
+Reported-by: Yao Zi <ziyao@disroot.org>
+Signed-off-by: Ze Huang <huangze@whut.edu.cn>
+Link: https://lore.kernel.org/20250624-k230-return-check-v1-2-6b4fc5ba0c41@whut.edu.cn
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-k230.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c
+index 4976308e6237..d716f23d837f 100644
+--- a/drivers/pinctrl/pinctrl-k230.c
++++ b/drivers/pinctrl/pinctrl-k230.c
+@@ -590,6 +590,7 @@ static int k230_pinctrl_probe(struct platform_device *pdev)
+ struct device *dev = &pdev->dev;
+ struct k230_pinctrl *info;
+ struct pinctrl_desc *pctl;
++ int ret;
+
+ info = devm_kzalloc(dev, sizeof(*info), GFP_KERNEL);
+ if (!info)
+@@ -615,13 +616,15 @@ static int k230_pinctrl_probe(struct platform_device *pdev)
+ return dev_err_probe(dev, PTR_ERR(info->regmap_base),
+ "failed to init regmap\n");
+
++ ret = k230_pinctrl_parse_dt(pdev, info);
++ if (ret)
++ return ret;
++
+ info->pctl_dev = devm_pinctrl_register(dev, pctl, info);
+ if (IS_ERR(info->pctl_dev))
+ return dev_err_probe(dev, PTR_ERR(info->pctl_dev),
+ "devm_pinctrl_register failed\n");
+
+- k230_pinctrl_parse_dt(pdev, info);
+-
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 4e0bbad4ff93ccb35e85604d23ff68f55f1a16a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 13:51:15 +0200
+Subject: pinctrl: cirrus: madera-core: Use devm_pinctrl_register_mappings()
+
+From: Thomas Richard <thomas.richard@bootlin.com>
+
+[ Upstream commit 90256033c11028a57437b145449c0dab196183b9 ]
+
+Use devm_pinctrl_register_mappings(), so the mappings are automatically
+unregistered by the core. If pinctrl_enable() failed during the probe,
+pinctrl_mappings were not freed. Now it is done by the core.
+
+Fixes: 218d72a77b0b ("pinctrl: madera: Add driver for Cirrus Logic Madera codecs")
+Signed-off-by: Thomas Richard <thomas.richard@bootlin.com>
+Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://lore.kernel.org/20250609-pinctrl-madera-devm-pinctrl-register-mappings-v1-1-ba2c2822cf6c@bootlin.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/cirrus/pinctrl-madera-core.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/pinctrl/cirrus/pinctrl-madera-core.c b/drivers/pinctrl/cirrus/pinctrl-madera-core.c
+index 73ec5b9beb49..d19ef13224cc 100644
+--- a/drivers/pinctrl/cirrus/pinctrl-madera-core.c
++++ b/drivers/pinctrl/cirrus/pinctrl-madera-core.c
+@@ -1061,8 +1061,9 @@ static int madera_pin_probe(struct platform_device *pdev)
+
+ /* if the configuration is provided through pdata, apply it */
+ if (pdata->gpio_configs) {
+- ret = pinctrl_register_mappings(pdata->gpio_configs,
+- pdata->n_gpio_configs);
++ ret = devm_pinctrl_register_mappings(priv->dev,
++ pdata->gpio_configs,
++ pdata->n_gpio_configs);
+ if (ret)
+ return dev_err_probe(priv->dev, ret,
+ "Failed to register pdata mappings\n");
+@@ -1081,17 +1082,8 @@ static int madera_pin_probe(struct platform_device *pdev)
+ return 0;
+ }
+
+-static void madera_pin_remove(struct platform_device *pdev)
+-{
+- struct madera_pin_private *priv = platform_get_drvdata(pdev);
+-
+- if (priv->madera->pdata.gpio_configs)
+- pinctrl_unregister_mappings(priv->madera->pdata.gpio_configs);
+-}
+-
+ static struct platform_driver madera_pin_driver = {
+ .probe = madera_pin_probe,
+- .remove = madera_pin_remove,
+ .driver = {
+ .name = "madera-pinctrl",
+ },
+--
+2.39.5
+
--- /dev/null
+From 5b1aad903ee8a70c4a73ade8ec316da9ab9034bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:27:08 +0800
+Subject: pinctrl: sunxi: Fix memory leak on krealloc failure
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit e3507c56cbb208d4f160942748c527ef6a528ba1 ]
+
+In sunxi_pctrl_dt_node_to_map(), when krealloc() fails to resize
+the pinctrl_map array, the function returns -ENOMEM directly
+without freeing the previously allocated *map buffer. This results
+in a memory leak of the original kmalloc_array allocation.
+
+Fixes: e11dee2e98f8 ("pinctrl: sunxi: Deal with configless pins")
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Link: https://lore.kernel.org/20250620012708.16709-1-chenyuan_fl@163.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+index bf8612d72daa..d63859a2a64e 100644
+--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+@@ -408,6 +408,7 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
+ const char *function, *pin_prop;
+ const char *group;
+ int ret, npins, nmaps, configlen = 0, i = 0;
++ struct pinctrl_map *new_map;
+
+ *map = NULL;
+ *num_maps = 0;
+@@ -482,9 +483,13 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
+ * We know have the number of maps we need, we can resize our
+ * map array
+ */
+- *map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL);
+- if (!*map)
+- return -ENOMEM;
++ new_map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL);
++ if (!new_map) {
++ ret = -ENOMEM;
++ goto err_free_map;
++ }
++
++ *map = new_map;
+
+ return 0;
+
+--
+2.39.5
+
--- /dev/null
+From 7ca95289926aa1a6f308632c9cc7f2b0dbbb9f0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 13:28:38 +0530
+Subject: pinmux: fix race causing mux_owner NULL with active mux_usecount
+
+From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+
+[ Upstream commit 0b075c011032f88d1cfde3b45d6dcf08b44140eb ]
+
+commit 5a3e85c3c397 ("pinmux: Use sequential access to access
+desc->pinmux data") tried to address the issue when two client of the
+same gpio calls pinctrl_select_state() for the same functionality, was
+resulting in NULL pointer issue while accessing desc->mux_owner.
+However, issue was not completely fixed due to the way it was handled
+and it can still result in the same NULL pointer.
+
+The issue occurs due to the following interleaving:
+
+ cpu0 (process A) cpu1 (process B)
+
+ pin_request() { pin_free() {
+
+ mutex_lock()
+ desc->mux_usecount--; //becomes 0
+ ..
+ mutex_unlock()
+
+ mutex_lock(desc->mux)
+ desc->mux_usecount++; // becomes 1
+ desc->mux_owner = owner;
+ mutex_unlock(desc->mux)
+
+ mutex_lock(desc->mux)
+ desc->mux_owner = NULL;
+ mutex_unlock(desc->mux)
+
+This sequence leads to a state where the pin appears to be in use
+(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can
+cause NULL pointer on next pin_request on the same pin.
+
+Ensure that updates to mux_usecount and mux_owner are performed
+atomically under the same lock. Only clear mux_owner when mux_usecount
+reaches zero and no new owner has been assigned.
+
+Fixes: 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data")
+Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Link: https://lore.kernel.org/20250708-pinmux-race-fix-v2-1-8ae9e8a0d1a1@oss.qualcomm.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinmux.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/pinctrl/pinmux.c b/drivers/pinctrl/pinmux.c
+index 0743190da59e..2c31e7f2a27a 100644
+--- a/drivers/pinctrl/pinmux.c
++++ b/drivers/pinctrl/pinmux.c
+@@ -236,18 +236,7 @@ static const char *pin_free(struct pinctrl_dev *pctldev, int pin,
+ if (desc->mux_usecount)
+ return NULL;
+ }
+- }
+-
+- /*
+- * If there is no kind of request function for the pin we just assume
+- * we got it by default and proceed.
+- */
+- if (gpio_range && ops->gpio_disable_free)
+- ops->gpio_disable_free(pctldev, gpio_range, pin);
+- else if (ops->free)
+- ops->free(pctldev, pin);
+
+- scoped_guard(mutex, &desc->mux_lock) {
+ if (gpio_range) {
+ owner = desc->gpio_owner;
+ desc->gpio_owner = NULL;
+@@ -258,6 +247,15 @@ static const char *pin_free(struct pinctrl_dev *pctldev, int pin,
+ }
+ }
+
++ /*
++ * If there is no kind of request function for the pin we just assume
++ * we got it by default and proceed.
++ */
++ if (gpio_range && ops->gpio_disable_free)
++ ops->gpio_disable_free(pctldev, gpio_range, pin);
++ else if (ops->free)
++ ops->free(pctldev, pin);
++
+ module_put(pctldev->owner);
+
+ return owner;
+--
+2.39.5
+
--- /dev/null
+From 8adc461dd28f1981603ad99ca6f72d61f3fe9624 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 18:33:04 +0200
+Subject: platform/x86: oxpec: Fix turbo register for G1 AMD
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Antheas Kapenekakis <lkml@antheas.dev>
+
+[ Upstream commit 232b41d3c2ce8cf4641a174416676458bf0de5b2 ]
+
+Turns out that the AMD variant of the G1 uses different EC registers
+than the Intel variant. Differentiate them and apply the correct ones
+to the AMD variant.
+
+Fixes: b369395c895b ("platform/x86: oxpec: Add support for the OneXPlayer G1")
+Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
+Link: https://lore.kernel.org/r/20250718163305.159232-1-lkml@antheas.dev
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/oxpec.c | 37 +++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/platform/x86/oxpec.c b/drivers/platform/x86/oxpec.c
+index 06759036945d..9839e8cb82ce 100644
+--- a/drivers/platform/x86/oxpec.c
++++ b/drivers/platform/x86/oxpec.c
+@@ -58,7 +58,8 @@ enum oxp_board {
+ oxp_mini_amd_a07,
+ oxp_mini_amd_pro,
+ oxp_x1,
+- oxp_g1,
++ oxp_g1_i,
++ oxp_g1_a,
+ };
+
+ static enum oxp_board board;
+@@ -247,14 +248,14 @@ static const struct dmi_system_id dmi_table[] = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ONE-NETBOOK"),
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "ONEXPLAYER G1 A"),
+ },
+- .driver_data = (void *)oxp_g1,
++ .driver_data = (void *)oxp_g1_a,
+ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ONE-NETBOOK"),
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "ONEXPLAYER G1 i"),
+ },
+- .driver_data = (void *)oxp_g1,
++ .driver_data = (void *)oxp_g1_i,
+ },
+ {
+ .matches = {
+@@ -352,7 +353,8 @@ static umode_t tt_toggle_is_visible(struct kobject *kobj,
+ case oxp_mini_amd_a07:
+ case oxp_mini_amd_pro:
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
++ case oxp_g1_a:
+ return attr->mode;
+ default:
+ break;
+@@ -381,12 +383,13 @@ static ssize_t tt_toggle_store(struct device *dev,
+ case aok_zoe_a1:
+ case oxp_fly:
+ case oxp_mini_amd_pro:
++ case oxp_g1_a:
+ reg = OXP_TURBO_SWITCH_REG;
+ mask = OXP_TURBO_TAKE_VAL;
+ break;
+ case oxp_2:
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
+ reg = OXP_2_TURBO_SWITCH_REG;
+ mask = OXP_TURBO_TAKE_VAL;
+ break;
+@@ -426,12 +429,13 @@ static ssize_t tt_toggle_show(struct device *dev,
+ case aok_zoe_a1:
+ case oxp_fly:
+ case oxp_mini_amd_pro:
++ case oxp_g1_a:
+ reg = OXP_TURBO_SWITCH_REG;
+ mask = OXP_TURBO_TAKE_VAL;
+ break;
+ case oxp_2:
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
+ reg = OXP_2_TURBO_SWITCH_REG;
+ mask = OXP_TURBO_TAKE_VAL;
+ break;
+@@ -520,7 +524,8 @@ static bool oxp_psy_ext_supported(void)
+ {
+ switch (board) {
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
++ case oxp_g1_a:
+ case oxp_fly:
+ return true;
+ default:
+@@ -659,7 +664,8 @@ static int oxp_pwm_enable(void)
+ case oxp_mini_amd_a07:
+ case oxp_mini_amd_pro:
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
++ case oxp_g1_a:
+ return write_to_ec(OXP_SENSOR_PWM_ENABLE_REG, PWM_MODE_MANUAL);
+ default:
+ return -EINVAL;
+@@ -686,7 +692,8 @@ static int oxp_pwm_disable(void)
+ case oxp_mini_amd_a07:
+ case oxp_mini_amd_pro:
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
++ case oxp_g1_a:
+ return write_to_ec(OXP_SENSOR_PWM_ENABLE_REG, PWM_MODE_AUTO);
+ default:
+ return -EINVAL;
+@@ -713,7 +720,8 @@ static int oxp_pwm_read(long *val)
+ case oxp_mini_amd_a07:
+ case oxp_mini_amd_pro:
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
++ case oxp_g1_a:
+ return read_from_ec(OXP_SENSOR_PWM_ENABLE_REG, 1, val);
+ default:
+ return -EOPNOTSUPP;
+@@ -742,7 +750,7 @@ static int oxp_pwm_fan_speed(long *val)
+ return read_from_ec(ORANGEPI_SENSOR_FAN_REG, 2, val);
+ case oxp_2:
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
+ return read_from_ec(OXP_2_SENSOR_FAN_REG, 2, val);
+ case aok_zoe_a1:
+ case aya_neo_2:
+@@ -757,6 +765,7 @@ static int oxp_pwm_fan_speed(long *val)
+ case oxp_mini_amd:
+ case oxp_mini_amd_a07:
+ case oxp_mini_amd_pro:
++ case oxp_g1_a:
+ return read_from_ec(OXP_SENSOR_FAN_REG, 2, val);
+ default:
+ return -EOPNOTSUPP;
+@@ -776,7 +785,7 @@ static int oxp_pwm_input_write(long val)
+ return write_to_ec(ORANGEPI_SENSOR_PWM_REG, val);
+ case oxp_2:
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
+ /* scale to range [0-184] */
+ val = (val * 184) / 255;
+ return write_to_ec(OXP_SENSOR_PWM_REG, val);
+@@ -796,6 +805,7 @@ static int oxp_pwm_input_write(long val)
+ case aok_zoe_a1:
+ case oxp_fly:
+ case oxp_mini_amd_pro:
++ case oxp_g1_a:
+ return write_to_ec(OXP_SENSOR_PWM_REG, val);
+ default:
+ return -EOPNOTSUPP;
+@@ -816,7 +826,7 @@ static int oxp_pwm_input_read(long *val)
+ break;
+ case oxp_2:
+ case oxp_x1:
+- case oxp_g1:
++ case oxp_g1_i:
+ ret = read_from_ec(OXP_SENSOR_PWM_REG, 1, val);
+ if (ret)
+ return ret;
+@@ -842,6 +852,7 @@ static int oxp_pwm_input_read(long *val)
+ case aok_zoe_a1:
+ case oxp_fly:
+ case oxp_mini_amd_pro:
++ case oxp_g1_a:
+ default:
+ ret = read_from_ec(OXP_SENSOR_PWM_REG, 1, val);
+ if (ret)
+--
+2.39.5
+
--- /dev/null
+From 6e5ac59739f121973950cbd1415fe5b09716382b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 10:53:11 -0400
+Subject: PM: cpufreq: powernv/tracing: Move powernv_throttle trace event
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 647fe16b46999258ce1aec41f4bdeabb4f0cc8e7 ]
+
+As the trace event powernv_throttle is only used by the powernv code, move
+it to a separate include file and have that code directly enable it.
+
+Trace events can take up around 5K of memory when they are defined
+regardless if they are used or not. It wastes memory to have them defined
+in configurations where the tracepoint is not used.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/20250612145407.906308844@goodmis.org
+Fixes: 0306e481d479a ("cpufreq: powernv/tracing: Add powernv_throttle tracepoint")
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Acked-by: Rafael J. Wysocki <rafael@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/Makefile | 1 +
+ drivers/cpufreq/powernv-cpufreq.c | 4 ++-
+ drivers/cpufreq/powernv-trace.h | 44 +++++++++++++++++++++++++++++++
+ include/trace/events/power.h | 22 ----------------
+ kernel/trace/power-traces.c | 1 -
+ 5 files changed, 48 insertions(+), 24 deletions(-)
+ create mode 100644 drivers/cpufreq/powernv-trace.h
+
+diff --git a/drivers/cpufreq/Makefile b/drivers/cpufreq/Makefile
+index d38526b8e063..681d687b5a18 100644
+--- a/drivers/cpufreq/Makefile
++++ b/drivers/cpufreq/Makefile
+@@ -21,6 +21,7 @@ obj-$(CONFIG_CPUFREQ_VIRT) += virtual-cpufreq.o
+
+ # Traces
+ CFLAGS_amd-pstate-trace.o := -I$(src)
++CFLAGS_powernv-cpufreq.o := -I$(src)
+ amd_pstate-y := amd-pstate.o amd-pstate-trace.o
+
+ ##################################################################################
+diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c
+index a8943e2a93be..7d9a5f656de8 100644
+--- a/drivers/cpufreq/powernv-cpufreq.c
++++ b/drivers/cpufreq/powernv-cpufreq.c
+@@ -21,7 +21,6 @@
+ #include <linux/string_choices.h>
+ #include <linux/cpu.h>
+ #include <linux/hashtable.h>
+-#include <trace/events/power.h>
+
+ #include <asm/cputhreads.h>
+ #include <asm/firmware.h>
+@@ -30,6 +29,9 @@
+ #include <asm/opal.h>
+ #include <linux/timer.h>
+
++#define CREATE_TRACE_POINTS
++#include "powernv-trace.h"
++
+ #define POWERNV_MAX_PSTATES_ORDER 8
+ #define POWERNV_MAX_PSTATES (1UL << (POWERNV_MAX_PSTATES_ORDER))
+ #define PMSR_PSAFE_ENABLE (1UL << 30)
+diff --git a/drivers/cpufreq/powernv-trace.h b/drivers/cpufreq/powernv-trace.h
+new file mode 100644
+index 000000000000..8cadb7c9427b
+--- /dev/null
++++ b/drivers/cpufreq/powernv-trace.h
+@@ -0,0 +1,44 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++
++#if !defined(_POWERNV_TRACE_H) || defined(TRACE_HEADER_MULTI_READ)
++#define _POWERNV_TRACE_H
++
++#include <linux/cpufreq.h>
++#include <linux/tracepoint.h>
++#include <linux/trace_events.h>
++
++#undef TRACE_SYSTEM
++#define TRACE_SYSTEM power
++
++TRACE_EVENT(powernv_throttle,
++
++ TP_PROTO(int chip_id, const char *reason, int pmax),
++
++ TP_ARGS(chip_id, reason, pmax),
++
++ TP_STRUCT__entry(
++ __field(int, chip_id)
++ __string(reason, reason)
++ __field(int, pmax)
++ ),
++
++ TP_fast_assign(
++ __entry->chip_id = chip_id;
++ __assign_str(reason);
++ __entry->pmax = pmax;
++ ),
++
++ TP_printk("Chip %d Pmax %d %s", __entry->chip_id,
++ __entry->pmax, __get_str(reason))
++);
++
++#endif /* _POWERNV_TRACE_H */
++
++/* This part must be outside protection */
++#undef TRACE_INCLUDE_PATH
++#define TRACE_INCLUDE_PATH .
++
++#undef TRACE_INCLUDE_FILE
++#define TRACE_INCLUDE_FILE powernv-trace
++
++#include <trace/define_trace.h>
+diff --git a/include/trace/events/power.h b/include/trace/events/power.h
+index 6c631eec23e3..913181cebfe9 100644
+--- a/include/trace/events/power.h
++++ b/include/trace/events/power.h
+@@ -99,28 +99,6 @@ DEFINE_EVENT(psci_domain_idle, psci_domain_idle_exit,
+ TP_ARGS(cpu_id, state, s2idle)
+ );
+
+-TRACE_EVENT(powernv_throttle,
+-
+- TP_PROTO(int chip_id, const char *reason, int pmax),
+-
+- TP_ARGS(chip_id, reason, pmax),
+-
+- TP_STRUCT__entry(
+- __field(int, chip_id)
+- __string(reason, reason)
+- __field(int, pmax)
+- ),
+-
+- TP_fast_assign(
+- __entry->chip_id = chip_id;
+- __assign_str(reason);
+- __entry->pmax = pmax;
+- ),
+-
+- TP_printk("Chip %d Pmax %d %s", __entry->chip_id,
+- __entry->pmax, __get_str(reason))
+-);
+-
+ TRACE_EVENT(pstate_sample,
+
+ TP_PROTO(u32 core_busy,
+diff --git a/kernel/trace/power-traces.c b/kernel/trace/power-traces.c
+index 21bb161c2316..f2fe33573e54 100644
+--- a/kernel/trace/power-traces.c
++++ b/kernel/trace/power-traces.c
+@@ -17,5 +17,4 @@
+ EXPORT_TRACEPOINT_SYMBOL_GPL(suspend_resume);
+ EXPORT_TRACEPOINT_SYMBOL_GPL(cpu_idle);
+ EXPORT_TRACEPOINT_SYMBOL_GPL(cpu_frequency);
+-EXPORT_TRACEPOINT_SYMBOL_GPL(powernv_throttle);
+
+--
+2.39.5
+
--- /dev/null
+From 8fa4f756d3f37cfdffcf331addb8e5905abaa924 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 17:53:55 +0530
+Subject: pm: cpupower: Fix printing of CORE, CPU fields in cpupower-monitor
+
+From: Gautham R. Shenoy <gautham.shenoy@amd.com>
+
+[ Upstream commit 14a3318b4ac8ae0ca2e1132a89de167e1030fbdb ]
+
+After the commit 0014f65e3df0 ("pm: cpupower: remove hard-coded
+topology depth values"), "cpupower monitor" output ceased to print the
+CORE and the CPU fields on a multi-socket platform.
+
+The reason for this is that the patch changed the behaviour to break
+out of the switch-case after printing the PKG details, while prior to
+the patch, the CORE and the CPU details would also get printed since
+the "if" condition check would pass for any level whose topology depth
+was lesser than that of a package.
+
+Fix this ensuring all the details below a desired topology depth are
+printed in the cpupower monitor output.
+
+Link: https://lore.kernel.org/r/20250612122355.19629-3-gautham.shenoy@amd.com
+Fixes: 0014f65e3df0 ("pm: cpupower: remove hard-coded topology depth values")
+Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c b/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c
+index ad493157f826..e8b3841d5c0f 100644
+--- a/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c
++++ b/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c
+@@ -121,10 +121,8 @@ void print_header(int topology_depth)
+ switch (topology_depth) {
+ case TOPOLOGY_DEPTH_PKG:
+ printf(" PKG|");
+- break;
+ case TOPOLOGY_DEPTH_CORE:
+ printf("CORE|");
+- break;
+ case TOPOLOGY_DEPTH_CPU:
+ printf(" CPU|");
+ break;
+@@ -167,10 +165,8 @@ void print_results(int topology_depth, int cpu)
+ switch (topology_depth) {
+ case TOPOLOGY_DEPTH_PKG:
+ printf("%4d|", cpu_top.core_info[cpu].pkg);
+- break;
+ case TOPOLOGY_DEPTH_CORE:
+ printf("%4d|", cpu_top.core_info[cpu].core);
+- break;
+ case TOPOLOGY_DEPTH_CPU:
+ printf("%4d|", cpu_top.core_info[cpu].cpu);
+ break;
+--
+2.39.5
+
--- /dev/null
+From a11dea8e9356731207eb591738b979349a74c75b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 11:00:20 +0800
+Subject: PM / devfreq: Check governor before using governor->name
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit bab7834c03820eb11269bc48f07c3800192460d2 ]
+
+Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from
+struct devfreq") removes governor_name and uses governor->name to replace
+it. But devfreq->governor may be NULL and directly using
+devfreq->governor->name may cause null pointer exception. Move the check of
+governor to before using governor->name.
+
+Fixes: 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq")
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://lore.kernel.org/lkml/20250421030020.3108405-5-zhenglifeng1@huawei.com/
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index 98657d3b9435..713e6e52cca1 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -1382,15 +1382,11 @@ int devfreq_remove_governor(struct devfreq_governor *governor)
+ int ret;
+ struct device *dev = devfreq->dev.parent;
+
++ if (!devfreq->governor)
++ continue;
++
+ if (!strncmp(devfreq->governor->name, governor->name,
+ DEVFREQ_NAME_LEN)) {
+- /* we should have a devfreq governor! */
+- if (!devfreq->governor) {
+- dev_warn(dev, "%s: Governor %s NOT present\n",
+- __func__, governor->name);
+- continue;
+- /* Fall through */
+- }
+ ret = devfreq->governor->event_handler(devfreq,
+ DEVFREQ_GOV_STOP, NULL);
+ if (ret) {
+--
+2.39.5
+
--- /dev/null
+From 6a4d7fdefe405da786c3cb8dd685fe3ff095ff1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2025 16:13:50 -1000
+Subject: PM / devfreq: Fix a index typo in trans_stat
+
+From: Chanwoo Choi <cw00.choi@samsung.com>
+
+[ Upstream commit 78c5845fbbf6aaeb9959c5fbaee5cc53ef5f38c2 ]
+
+Fixes: 4920ee6dcfaf ("PM / devfreq: Convert to use sysfs_emit_at() API")
+Signed-off-by: pls <pleasurefish@126.com>
+Link: https://patchwork.kernel.org/project/linux-pm/patch/20250515143100.17849-1-chanwoo@kernel.org/
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index 713e6e52cca1..0d9f3d3282ec 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -1739,7 +1739,7 @@ static ssize_t trans_stat_show(struct device *dev,
+ for (i = 0; i < max_state; i++) {
+ if (len >= PAGE_SIZE - 1)
+ break;
+- if (df->freq_table[2] == df->previous_freq)
++ if (df->freq_table[i] == df->previous_freq)
+ len += sysfs_emit_at(buf, len, "*");
+ else
+ len += sysfs_emit_at(buf, len, " ");
+--
+2.39.5
+
--- /dev/null
+From 1bb954d71f2107cc992e65b6abc1e73a9ba57fca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 15:01:27 +0200
+Subject: power: reset: POWER_RESET_TORADEX_EC should depend on ARCH_MXC
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 22e4d29f081df8a10f1c062d3d952bb876eb9bdc ]
+
+The Toradex Embedded Controller is currently only present on Toradex
+SMARC iMX8MP and iMX95 SoMs. Hence add a dependency on ARCH_MXC, to
+prevent asking the user about this driver when configuring a kernel
+without NXP i.MX SoC family support.
+
+Fixes: 18672fe12367ed44 ("power: reset: add Toradex Embedded Controller")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/1ef0beb1e09bf914650f9f9885a33af06772540d.1746536287.git.geert+renesas@glider.be
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/reset/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/reset/Kconfig b/drivers/power/reset/Kconfig
+index e71f0af4e378..95f140ee7077 100644
+--- a/drivers/power/reset/Kconfig
++++ b/drivers/power/reset/Kconfig
+@@ -218,6 +218,7 @@ config POWER_RESET_ST
+
+ config POWER_RESET_TORADEX_EC
+ tristate "Toradex Embedded Controller power-off and reset driver"
++ depends on ARCH_MXC || COMPILE_TEST
+ depends on I2C
+ select REGMAP_I2C
+ help
+--
+2.39.5
+
--- /dev/null
+From f7bc71f4ef94cdb097a9a8a24ab4815df91f7c6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 17:55:43 +0200
+Subject: power: sequencing: qcom-wcn: fix bluetooth-wifi copypasta for WCN6855
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 07d59dec6795428983a840de85aa02febaf7e01b ]
+
+Prevent a name conflict (which is surprisingly not caught by the
+framework).
+
+Fixes: bd4c8bafcf50 ("power: sequencing: qcom-wcn: improve support for wcn6855")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250625-topic-wcn6855_pwrseq-v1-1-cfb96d599ff8@oss.qualcomm.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/sequencing/pwrseq-qcom-wcn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/sequencing/pwrseq-qcom-wcn.c b/drivers/power/sequencing/pwrseq-qcom-wcn.c
+index e8f5030f2639..7d8d6b340749 100644
+--- a/drivers/power/sequencing/pwrseq-qcom-wcn.c
++++ b/drivers/power/sequencing/pwrseq-qcom-wcn.c
+@@ -155,7 +155,7 @@ static const struct pwrseq_unit_data pwrseq_qcom_wcn_bt_unit_data = {
+ };
+
+ static const struct pwrseq_unit_data pwrseq_qcom_wcn6855_bt_unit_data = {
+- .name = "wlan-enable",
++ .name = "bluetooth-enable",
+ .deps = pwrseq_qcom_wcn6855_unit_deps,
+ .enable = pwrseq_qcom_wcn_bt_enable,
+ .disable = pwrseq_qcom_wcn_bt_disable,
+--
+2.39.5
+
--- /dev/null
+From b71caa07673b8403b5102c0ac18331844c83ddf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 10:47:41 +0800
+Subject: power: supply: cpcap-charger: Fix null check for
+ power_supply_get_by_name
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit d9fa3aae08f99493e67fb79413c0e95d30fca5e9 ]
+
+In the cpcap_usb_detect() function, the power_supply_get_by_name()
+function may return `NULL` instead of an error pointer.
+To prevent potential null pointer dereferences, Added a null check.
+
+Fixes: eab4e6d953c1 ("power: supply: cpcap-charger: get the battery inserted infomation from cpcap-battery")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Link: https://lore.kernel.org/r/20250519024741.5846-1-hanchunchao@inspur.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/cpcap-charger.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/power/supply/cpcap-charger.c b/drivers/power/supply/cpcap-charger.c
+index 13300dc60baf..d0c3008db534 100644
+--- a/drivers/power/supply/cpcap-charger.c
++++ b/drivers/power/supply/cpcap-charger.c
+@@ -689,9 +689,8 @@ static void cpcap_usb_detect(struct work_struct *work)
+ struct power_supply *battery;
+
+ battery = power_supply_get_by_name("battery");
+- if (IS_ERR_OR_NULL(battery)) {
+- dev_err(ddata->dev, "battery power_supply not available %li\n",
+- PTR_ERR(battery));
++ if (!battery) {
++ dev_err(ddata->dev, "battery power_supply not available\n");
+ return;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From c277647034556842c85e0dc2e032a9b0bbc4a057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 14:16:01 +0800
+Subject: power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 2937f5d2e24eefef8cb126244caec7fe3307f724 ]
+
+When the kernel is not configured CONFIG_OF, the max14577_charger_dt_init
+function returns NULL. Fix the max14577_charger_probe functionby returning
+-ENODATA instead of potentially passing a NULL pointer to PTR_ERR.
+
+This fixes the below smatch warning:
+max14577_charger_probe() warn: passing zero to 'PTR_ERR'
+
+Fixes: e30110e9c96f ("charger: max14577: Configure battery-dependent settings from DTS and sysfs")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250519061601.8755-1-hanchunchao@inspur.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max14577_charger.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/max14577_charger.c b/drivers/power/supply/max14577_charger.c
+index 1cef2f860b5f..63077d38ea30 100644
+--- a/drivers/power/supply/max14577_charger.c
++++ b/drivers/power/supply/max14577_charger.c
+@@ -501,7 +501,7 @@ static struct max14577_charger_platform_data *max14577_charger_dt_init(
+ static struct max14577_charger_platform_data *max14577_charger_dt_init(
+ struct platform_device *pdev)
+ {
+- return NULL;
++ return ERR_PTR(-ENODATA);
+ }
+ #endif /* CONFIG_OF */
+
+@@ -572,7 +572,7 @@ static int max14577_charger_probe(struct platform_device *pdev)
+ chg->max14577 = max14577;
+
+ chg->pdata = max14577_charger_dt_init(pdev);
+- if (IS_ERR_OR_NULL(chg->pdata))
++ if (IS_ERR(chg->pdata))
+ return PTR_ERR(chg->pdata);
+
+ ret = max14577_charger_reg_init(chg);
+--
+2.39.5
+
--- /dev/null
+From 2e306df554b2da663080c2e45bb94c02b585c564 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 14:51:44 +0200
+Subject: power: supply: max1720x correct capacity computation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Antoine <t.antoine@uclouvain.be>
+
+[ Upstream commit 58ae036172b5f051a19a32eba94a3e5eb37bf47e ]
+
+From the datasheet of the MAX17201/17205, the LSB should be "5.0μVh/RSENSE".
+The current computation sets it at 0.5mAh=5.0μVh/10mOhm, which does not take
+into account the value of rsense (which is in 10µV steps) which can be
+different from 10mOhm.
+
+Change the computation to fit the specs.
+
+Fixes: 479b6d04964b ("power: supply: add support for MAX1720x standalone fuel gauge")
+Signed-off-by: Thomas Antoine <t.antoine@uclouvain.be>
+Link: https://lore.kernel.org/r/20250523-b4-gs101_max77759_fg-v4-1-b49904e35a34@uclouvain.be
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max1720x_battery.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/power/supply/max1720x_battery.c b/drivers/power/supply/max1720x_battery.c
+index ea3912fd1de8..68b5314ecf3a 100644
+--- a/drivers/power/supply/max1720x_battery.c
++++ b/drivers/power/supply/max1720x_battery.c
+@@ -288,9 +288,10 @@ static int max172xx_voltage_to_ps(unsigned int reg)
+ return reg * 1250; /* in uV */
+ }
+
+-static int max172xx_capacity_to_ps(unsigned int reg)
++static int max172xx_capacity_to_ps(unsigned int reg,
++ struct max1720x_device_info *info)
+ {
+- return reg * 500; /* in uAh */
++ return reg * (500000 / info->rsense); /* in uAh */
+ }
+
+ /*
+@@ -394,11 +395,11 @@ static int max1720x_battery_get_property(struct power_supply *psy,
+ break;
+ case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN:
+ ret = regmap_read(info->regmap, MAX172XX_DESIGN_CAP, ®_val);
+- val->intval = max172xx_capacity_to_ps(reg_val);
++ val->intval = max172xx_capacity_to_ps(reg_val, info);
+ break;
+ case POWER_SUPPLY_PROP_CHARGE_AVG:
+ ret = regmap_read(info->regmap, MAX172XX_REPCAP, ®_val);
+- val->intval = max172xx_capacity_to_ps(reg_val);
++ val->intval = max172xx_capacity_to_ps(reg_val, info);
+ break;
+ case POWER_SUPPLY_PROP_TIME_TO_EMPTY_AVG:
+ ret = regmap_read(info->regmap, MAX172XX_TTE, ®_val);
+@@ -422,7 +423,7 @@ static int max1720x_battery_get_property(struct power_supply *psy,
+ break;
+ case POWER_SUPPLY_PROP_CHARGE_FULL:
+ ret = regmap_read(info->regmap, MAX172XX_FULL_CAP, ®_val);
+- val->intval = max172xx_capacity_to_ps(reg_val);
++ val->intval = max172xx_capacity_to_ps(reg_val, info);
+ break;
+ case POWER_SUPPLY_PROP_MODEL_NAME:
+ ret = regmap_read(info->regmap, MAX172XX_DEV_NAME, ®_val);
+--
+2.39.5
+
--- /dev/null
+From 378adec6e254abdf193502909075cd5eb97e5509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 16:55:11 +0200
+Subject: power: supply: qcom_pmi8998_charger: fix wakeirq
+
+From: Casey Connolly <casey.connolly@linaro.org>
+
+[ Upstream commit 6c5393771c50fac30f08dfb6d2f65f4f2cfeb8c7 ]
+
+Unloading and reloading the driver (e.g. when built as a module)
+currently leads to errors trying to enable wake IRQ since it's already
+enabled.
+
+Use devm to manage this for us so it correctly gets disabled when
+removing the driver.
+
+Additionally, call device_init_wakeup() so that charger attach/remove
+will trigger a wakeup by default.
+
+Fixes: 8648aeb5d7b7 ("power: supply: add Qualcomm PMI8998 SMB2 Charger driver")
+Signed-off-by: Casey Connolly <casey.connolly@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250619-smb2-smb5-support-v1-3-ac5dec51b6e1@linaro.org
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/qcom_pmi8998_charger.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/qcom_pmi8998_charger.c b/drivers/power/supply/qcom_pmi8998_charger.c
+index c2f8f2e24398..cd3cb473c70d 100644
+--- a/drivers/power/supply/qcom_pmi8998_charger.c
++++ b/drivers/power/supply/qcom_pmi8998_charger.c
+@@ -1016,7 +1016,9 @@ static int smb2_probe(struct platform_device *pdev)
+ if (rc < 0)
+ return rc;
+
+- rc = dev_pm_set_wake_irq(chip->dev, chip->cable_irq);
++ devm_device_init_wakeup(chip->dev);
++
++ rc = devm_pm_set_wake_irq(chip->dev, chip->cable_irq);
+ if (rc < 0)
+ return dev_err_probe(chip->dev, rc, "Couldn't set wake irq\n");
+
+--
+2.39.5
+
--- /dev/null
+From aa872862cb8c4698f8116875138d0a362fe3169e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 01:13:55 +0300
+Subject: powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()
+
+From: Sivan Zohar-Kotzer <sivany32@gmail.com>
+
+[ Upstream commit 46dc57406887dd02565cb264224194a6776d882b ]
+
+The get_pd_power_uw() function can crash with a NULL pointer dereference
+when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible
+during runtime, causing get_cpu_device() to return NULL, which propagates
+through em_cpu_get() and leads to a crash when em_span_cpus() dereferences
+the NULL pointer.
+
+Add a NULL check after em_cpu_get() and return 0 if unavailable,
+matching the existing fallback behavior in __dtpm_cpu_setup().
+
+Fixes: eb82bace8931 ("powercap/drivers/dtpm: Scale the power with the load")
+Signed-off-by: Sivan Zohar-Kotzer <sivany32@gmail.com>
+Link: https://patch.msgid.link/20250701221355.96916-1-sivany32@gmail.com
+[ rjw: Drop an excess empty code line ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/powercap/dtpm_cpu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/powercap/dtpm_cpu.c b/drivers/powercap/dtpm_cpu.c
+index 6b6f51b21550..99390ec1481f 100644
+--- a/drivers/powercap/dtpm_cpu.c
++++ b/drivers/powercap/dtpm_cpu.c
+@@ -96,6 +96,8 @@ static u64 get_pd_power_uw(struct dtpm *dtpm)
+ int i;
+
+ pd = em_cpu_get(dtpm_cpu->cpu);
++ if (!pd)
++ return 0;
+
+ pd_mask = em_span_cpus(pd);
+
+--
+2.39.5
+
--- /dev/null
+From a99b30a9cd6c9dae1ba7c424f872a6ade8235ece Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:37:34 -0500
+Subject: powerpc/eeh: Export eeh_unfreeze_pe()
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit e82b34eed04b0ddcff4548b62633467235672fd3 ]
+
+The PowerNV hotplug driver needs to be able to clear any frozen PE(s)
+on the PHB after suprise removal of a downstream device.
+
+Export the eeh_unfreeze_pe() symbol to allow implementation of this
+functionality in the php_nv module.
+
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/1778535414.1359858.1752615454618.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
+index ca7f7bb2b478..2b5f3323e107 100644
+--- a/arch/powerpc/kernel/eeh.c
++++ b/arch/powerpc/kernel/eeh.c
+@@ -1139,6 +1139,7 @@ int eeh_unfreeze_pe(struct eeh_pe *pe)
+
+ return ret;
+ }
++EXPORT_SYMBOL_GPL(eeh_unfreeze_pe);
+
+
+ static struct pci_device_id eeh_reset_ids[] = {
+--
+2.39.5
+
--- /dev/null
+From 752553ee7f1178d58a949d28455f4cef02875358 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:38:23 -0500
+Subject: powerpc/eeh: Make EEH driver device hotplug safe
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 ]
+
+Multiple race conditions existed between the PCIe hotplug driver and the
+EEH driver, leading to a variety of kernel oopses of the same general
+nature:
+
+<pcie device unplug>
+<eeh driver trigger>
+<hotplug removal trigger>
+<pcie tree reconfiguration>
+<eeh recovery next step>
+<oops in EEH driver bus iteration loop>
+
+A second class of oops is also seen when the underlying bus disappears
+during device recovery.
+
+Refactor the EEH module to be PCI rescan and remove safe. Also clean
+up a few minor formatting / readability issues.
+
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/1334208367.1359861.1752615503144.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh_driver.c | 48 +++++++++++++++++++++-----------
+ arch/powerpc/kernel/eeh_pe.c | 10 ++++---
+ 2 files changed, 38 insertions(+), 20 deletions(-)
+
+diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
+index 7efe04c68f0f..dd50de91c438 100644
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -257,13 +257,12 @@ static void eeh_pe_report_edev(struct eeh_dev *edev, eeh_report_fn fn,
+ struct pci_driver *driver;
+ enum pci_ers_result new_result;
+
+- pci_lock_rescan_remove();
+ pdev = edev->pdev;
+ if (pdev)
+ get_device(&pdev->dev);
+- pci_unlock_rescan_remove();
+ if (!pdev) {
+ eeh_edev_info(edev, "no device");
++ *result = PCI_ERS_RESULT_DISCONNECT;
+ return;
+ }
+ device_lock(&pdev->dev);
+@@ -304,8 +303,9 @@ static void eeh_pe_report(const char *name, struct eeh_pe *root,
+ struct eeh_dev *edev, *tmp;
+
+ pr_info("EEH: Beginning: '%s'\n", name);
+- eeh_for_each_pe(root, pe) eeh_pe_for_each_dev(pe, edev, tmp)
+- eeh_pe_report_edev(edev, fn, result);
++ eeh_for_each_pe(root, pe)
++ eeh_pe_for_each_dev(pe, edev, tmp)
++ eeh_pe_report_edev(edev, fn, result);
+ if (result)
+ pr_info("EEH: Finished:'%s' with aggregate recovery state:'%s'\n",
+ name, pci_ers_result_name(*result));
+@@ -383,6 +383,8 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata)
+ if (!edev)
+ return;
+
++ pci_lock_rescan_remove();
++
+ /*
+ * The content in the config space isn't saved because
+ * the blocked config space on some adapters. We have
+@@ -393,14 +395,19 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata)
+ if (list_is_last(&edev->entry, &edev->pe->edevs))
+ eeh_pe_restore_bars(edev->pe);
+
++ pci_unlock_rescan_remove();
+ return;
+ }
+
+ pdev = eeh_dev_to_pci_dev(edev);
+- if (!pdev)
++ if (!pdev) {
++ pci_unlock_rescan_remove();
+ return;
++ }
+
+ pci_restore_state(pdev);
++
++ pci_unlock_rescan_remove();
+ }
+
+ /**
+@@ -647,9 +654,7 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+ if (any_passed || driver_eeh_aware || (pe->type & EEH_PE_VF)) {
+ eeh_pe_dev_traverse(pe, eeh_rmv_device, rmv_data);
+ } else {
+- pci_lock_rescan_remove();
+ pci_hp_remove_devices(bus);
+- pci_unlock_rescan_remove();
+ }
+
+ /*
+@@ -665,8 +670,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+ if (rc)
+ return rc;
+
+- pci_lock_rescan_remove();
+-
+ /* Restore PE */
+ eeh_ops->configure_bridge(pe);
+ eeh_pe_restore_bars(pe);
+@@ -674,7 +677,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+ /* Clear frozen state */
+ rc = eeh_clear_pe_frozen_state(pe, false);
+ if (rc) {
+- pci_unlock_rescan_remove();
+ return rc;
+ }
+
+@@ -709,7 +711,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+ pe->tstamp = tstamp;
+ pe->freeze_count = cnt;
+
+- pci_unlock_rescan_remove();
+ return 0;
+ }
+
+@@ -843,10 +844,13 @@ void eeh_handle_normal_event(struct eeh_pe *pe)
+ {LIST_HEAD_INIT(rmv_data.removed_vf_list), 0};
+ int devices = 0;
+
++ pci_lock_rescan_remove();
++
+ bus = eeh_pe_bus_get(pe);
+ if (!bus) {
+ pr_err("%s: Cannot find PCI bus for PHB#%x-PE#%x\n",
+ __func__, pe->phb->global_number, pe->addr);
++ pci_unlock_rescan_remove();
+ return;
+ }
+
+@@ -1094,10 +1098,15 @@ void eeh_handle_normal_event(struct eeh_pe *pe)
+ eeh_pe_state_clear(pe, EEH_PE_PRI_BUS, true);
+ eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED);
+
+- pci_lock_rescan_remove();
+- pci_hp_remove_devices(bus);
+- pci_unlock_rescan_remove();
++ bus = eeh_pe_bus_get(pe);
++ if (bus)
++ pci_hp_remove_devices(bus);
++ else
++ pr_err("%s: PCI bus for PHB#%x-PE#%x disappeared\n",
++ __func__, pe->phb->global_number, pe->addr);
++
+ /* The passed PE should no longer be used */
++ pci_unlock_rescan_remove();
+ return;
+ }
+
+@@ -1114,6 +1123,8 @@ void eeh_handle_normal_event(struct eeh_pe *pe)
+ eeh_clear_slot_attention(edev->pdev);
+
+ eeh_pe_state_clear(pe, EEH_PE_RECOVERING, true);
++
++ pci_unlock_rescan_remove();
+ }
+
+ /**
+@@ -1132,6 +1143,7 @@ void eeh_handle_special_event(void)
+ unsigned long flags;
+ int rc;
+
++ pci_lock_rescan_remove();
+
+ do {
+ rc = eeh_ops->next_error(&pe);
+@@ -1171,10 +1183,12 @@ void eeh_handle_special_event(void)
+
+ break;
+ case EEH_NEXT_ERR_NONE:
++ pci_unlock_rescan_remove();
+ return;
+ default:
+ pr_warn("%s: Invalid value %d from next_error()\n",
+ __func__, rc);
++ pci_unlock_rescan_remove();
+ return;
+ }
+
+@@ -1186,7 +1200,9 @@ void eeh_handle_special_event(void)
+ if (rc == EEH_NEXT_ERR_FROZEN_PE ||
+ rc == EEH_NEXT_ERR_FENCED_PHB) {
+ eeh_pe_state_mark(pe, EEH_PE_RECOVERING);
++ pci_unlock_rescan_remove();
+ eeh_handle_normal_event(pe);
++ pci_lock_rescan_remove();
+ } else {
+ eeh_for_each_pe(pe, tmp_pe)
+ eeh_pe_for_each_dev(tmp_pe, edev, tmp_edev)
+@@ -1199,7 +1215,6 @@ void eeh_handle_special_event(void)
+ eeh_report_failure, NULL);
+ eeh_set_channel_state(pe, pci_channel_io_perm_failure);
+
+- pci_lock_rescan_remove();
+ list_for_each_entry(hose, &hose_list, list_node) {
+ phb_pe = eeh_phb_pe_get(hose);
+ if (!phb_pe ||
+@@ -1218,7 +1233,6 @@ void eeh_handle_special_event(void)
+ }
+ pci_hp_remove_devices(bus);
+ }
+- pci_unlock_rescan_remove();
+ }
+
+ /*
+@@ -1228,4 +1242,6 @@ void eeh_handle_special_event(void)
+ if (rc == EEH_NEXT_ERR_DEAD_IOC)
+ break;
+ } while (rc != EEH_NEXT_ERR_NONE);
++
++ pci_unlock_rescan_remove();
+ }
+diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
+index d283d281d28e..e740101fadf3 100644
+--- a/arch/powerpc/kernel/eeh_pe.c
++++ b/arch/powerpc/kernel/eeh_pe.c
+@@ -671,10 +671,12 @@ static void eeh_bridge_check_link(struct eeh_dev *edev)
+ eeh_ops->write_config(edev, cap + PCI_EXP_LNKCTL, 2, val);
+
+ /* Check link */
+- if (!edev->pdev->link_active_reporting) {
+- eeh_edev_dbg(edev, "No link reporting capability\n");
+- msleep(1000);
+- return;
++ if (edev->pdev) {
++ if (!edev->pdev->link_active_reporting) {
++ eeh_edev_dbg(edev, "No link reporting capability\n");
++ msleep(1000);
++ return;
++ }
+ }
+
+ /* Wait the link is up until timeout (5s) */
+--
+2.39.5
+
--- /dev/null
+From be488f8986d0257ba805a8b9f35e041e5faf243f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 May 2025 16:50:02 -0700
+Subject: powerpc/pseries/dlpar: Search DRC index from ibm,drc-indexes for IO
+ add
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haren Myneni <haren@linux.ibm.com>
+
+[ Upstream commit 41a1452759a8b1121df9cf7310acf31d766ba70b ]
+
+IO hotplug add event is handled in the user space with drmgr tool.
+After the device is enabled, the user space uses /sys/kernel/dlpar
+interface with “dt add index <drc_index>” to update the device tree.
+The kernel interface (dlpar_hp_dt_add()) finds the parent node for
+the specified ‘drc_index’ from ibm,drc-info property. The recent FW
+provides this property from 2017 onwards. But KVM guest code in
+some releases is still using the older SLOF firmware which has
+ibm,drc-indexes property instead of ibm,drc-info.
+
+If the ibm,drc-info is not available, this patch adds changes to
+search ‘drc_index’ from the indexes array in ibm,drc-indexes
+property to support old FW.
+
+Fixes: 02b98ff44a57 ("powerpc/pseries/dlpar: Add device tree nodes for DLPAR IO add")
+Reported-by: Kowshik Jois <kowsjois@linux.ibm.com>
+Signed-off-by: Haren Myneni <haren@linux.ibm.com>
+Tested-by: Amit Machhiwal <amachhiw@linux.ibm.com>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250531235002.239213-1-haren@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/dlpar.c | 52 +++++++++++++++++++++++++-
+ 1 file changed, 50 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c
+index 213aa26dc8b3..979487da6522 100644
+--- a/arch/powerpc/platforms/pseries/dlpar.c
++++ b/arch/powerpc/platforms/pseries/dlpar.c
+@@ -404,6 +404,45 @@ get_device_node_with_drc_info(u32 index)
+ return NULL;
+ }
+
++static struct device_node *
++get_device_node_with_drc_indexes(u32 drc_index)
++{
++ struct device_node *np = NULL;
++ u32 nr_indexes, index;
++ int i, rc;
++
++ for_each_node_with_property(np, "ibm,drc-indexes") {
++ /*
++ * First element in the array is the total number of
++ * DRC indexes returned.
++ */
++ rc = of_property_read_u32_index(np, "ibm,drc-indexes",
++ 0, &nr_indexes);
++ if (rc)
++ goto out_put_np;
++
++ /*
++ * Retrieve DRC index from the list and return the
++ * device node if matched with the specified index.
++ */
++ for (i = 0; i < nr_indexes; i++) {
++ rc = of_property_read_u32_index(np, "ibm,drc-indexes",
++ i+1, &index);
++ if (rc)
++ goto out_put_np;
++
++ if (drc_index == index)
++ return np;
++ }
++ }
++
++ return NULL;
++
++out_put_np:
++ of_node_put(np);
++ return NULL;
++}
++
+ static int dlpar_hp_dt_add(u32 index)
+ {
+ struct device_node *np, *nodes;
+@@ -423,10 +462,19 @@ static int dlpar_hp_dt_add(u32 index)
+ goto out;
+ }
+
++ /*
++ * Recent FW provides ibm,drc-info property. So search
++ * for the user specified DRC index from ibm,drc-info
++ * property. If this property is not available, search
++ * in the indexes array from ibm,drc-indexes property.
++ */
+ np = get_device_node_with_drc_info(index);
+
+- if (!np)
+- return -EIO;
++ if (!np) {
++ np = get_device_node_with_drc_indexes(index);
++ if (!np)
++ return -EIO;
++ }
+
+ /* Next, configure the connector. */
+ nodes = dlpar_configure_connector(cpu_to_be32(index), np);
+--
+2.39.5
+
--- /dev/null
+From 170d4ab7925e123beebb7a5259d4531e3e200517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 12:57:50 +0200
+Subject: pps: fix poll support
+
+From: Denis OSTERLAND-HEIM <denis.osterland@diehl.com>
+
+[ Upstream commit 12c409aa1ec2592280a2ddcc66ff8f3c7f7bb171 ]
+
+Because pps_cdev_poll() returns unconditionally EPOLLIN,
+a user space program that calls select/poll get always an immediate data
+ready-to-read response. As a result the intended use to wait until next
+data becomes ready does not work.
+
+User space snippet:
+
+ struct pollfd pollfd = {
+ .fd = open("/dev/pps0", O_RDONLY),
+ .events = POLLIN|POLLERR,
+ .revents = 0 };
+ while(1) {
+ poll(&pollfd, 1, 2000/*ms*/); // returns immediate, but should wait
+ if(revents & EPOLLIN) { // always true
+ struct pps_fdata fdata;
+ memset(&fdata, 0, sizeof(memdata));
+ ioctl(PPS_FETCH, &fdata); // currently fetches data at max speed
+ }
+ }
+
+Lets remember the last fetch event counter and compare this value
+in pps_cdev_poll() with most recent event counter
+and return 0 if they are equal.
+
+Signed-off-by: Denis OSTERLAND-HEIM <denis.osterland@diehl.com>
+Co-developed-by: Rodolfo Giometti <giometti@enneenne.com>
+Signed-off-by: Rodolfo Giometti <giometti@enneenne.com>
+Fixes: eae9d2ba0cfc ("LinuxPPS: core support")
+Link: https://lore.kernel.org/all/f6bed779-6d59-4f0f-8a59-b6312bd83b4e@enneenne.com/
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Link: https://lore.kernel.org/r/c3c50ad1eb19ef553eca8a57c17f4c006413ab70.camel@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pps/pps.c | 11 +++++++++--
+ include/linux/pps_kernel.h | 1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
+index 6a02245ea35f..9463232af8d2 100644
+--- a/drivers/pps/pps.c
++++ b/drivers/pps/pps.c
+@@ -41,6 +41,9 @@ static __poll_t pps_cdev_poll(struct file *file, poll_table *wait)
+
+ poll_wait(file, &pps->queue, wait);
+
++ if (pps->last_fetched_ev == pps->last_ev)
++ return 0;
++
+ return EPOLLIN | EPOLLRDNORM;
+ }
+
+@@ -186,9 +189,11 @@ static long pps_cdev_ioctl(struct file *file,
+ if (err)
+ return err;
+
+- /* Return the fetched timestamp */
++ /* Return the fetched timestamp and save last fetched event */
+ spin_lock_irq(&pps->lock);
+
++ pps->last_fetched_ev = pps->last_ev;
++
+ fdata.info.assert_sequence = pps->assert_sequence;
+ fdata.info.clear_sequence = pps->clear_sequence;
+ fdata.info.assert_tu = pps->assert_tu;
+@@ -272,9 +277,11 @@ static long pps_cdev_compat_ioctl(struct file *file,
+ if (err)
+ return err;
+
+- /* Return the fetched timestamp */
++ /* Return the fetched timestamp and save last fetched event */
+ spin_lock_irq(&pps->lock);
+
++ pps->last_fetched_ev = pps->last_ev;
++
+ compat.info.assert_sequence = pps->assert_sequence;
+ compat.info.clear_sequence = pps->clear_sequence;
+ compat.info.current_mode = pps->current_mode;
+diff --git a/include/linux/pps_kernel.h b/include/linux/pps_kernel.h
+index c7abce28ed29..aab0aebb529e 100644
+--- a/include/linux/pps_kernel.h
++++ b/include/linux/pps_kernel.h
+@@ -52,6 +52,7 @@ struct pps_device {
+ int current_mode; /* PPS mode at event time */
+
+ unsigned int last_ev; /* last PPS event id */
++ unsigned int last_fetched_ev; /* last fetched PPS event id */
+ wait_queue_head_t queue; /* PPS event queue */
+
+ unsigned int id; /* PPS source unique ID */
+--
+2.39.5
+
--- /dev/null
+From 9d5cf8f9262efd3e0a5737ad21e9e074234d0fd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jun 2025 10:13:53 +0800
+Subject: proc: use the same treatment to check proc_lseek as ones for
+ proc_read_iter et.al
+
+From: wangzijie <wangzijie1@honor.com>
+
+[ Upstream commit ff7ec8dc1b646296f8d94c39339e8d3833d16c05 ]
+
+Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario.
+It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in
+proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same
+manner.
+
+Link: https://lkml.kernel.org/r/20250607021353.1127963-1-wangzijie1@honor.com
+Fixes: 3f61631d47f1 ("take care to handle NULL ->proc_lseek()")
+Signed-off-by: wangzijie <wangzijie1@honor.com>
+Reviewed-by: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
+Cc: Kirill A. Shuemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/generic.c | 2 ++
+ fs/proc/inode.c | 2 +-
+ fs/proc/internal.h | 5 +++++
+ include/linux/proc_fs.h | 1 +
+ 4 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/fs/proc/generic.c b/fs/proc/generic.c
+index a3e22803cddf..e0e50914ab25 100644
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -569,6 +569,8 @@ static void pde_set_flags(struct proc_dir_entry *pde)
+ if (pde->proc_ops->proc_compat_ioctl)
+ pde->flags |= PROC_ENTRY_proc_compat_ioctl;
+ #endif
++ if (pde->proc_ops->proc_lseek)
++ pde->flags |= PROC_ENTRY_proc_lseek;
+ }
+
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+diff --git a/fs/proc/inode.c b/fs/proc/inode.c
+index 3604b616311c..129490151be1 100644
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -473,7 +473,7 @@ static int proc_reg_open(struct inode *inode, struct file *file)
+ typeof_member(struct proc_ops, proc_open) open;
+ struct pde_opener *pdeo;
+
+- if (!pde->proc_ops->proc_lseek)
++ if (!pde_has_proc_lseek(pde))
+ file->f_mode &= ~FMODE_LSEEK;
+
+ if (pde_is_permanent(pde)) {
+diff --git a/fs/proc/internal.h b/fs/proc/internal.h
+index 96122e91c645..3d48ffe72583 100644
+--- a/fs/proc/internal.h
++++ b/fs/proc/internal.h
+@@ -99,6 +99,11 @@ static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde)
+ #endif
+ }
+
++static inline bool pde_has_proc_lseek(const struct proc_dir_entry *pde)
++{
++ return pde->flags & PROC_ENTRY_proc_lseek;
++}
++
+ extern struct kmem_cache *proc_dir_entry_cache;
+ void pde_free(struct proc_dir_entry *pde);
+
+diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
+index ea62201c74c4..703d0c76cc9a 100644
+--- a/include/linux/proc_fs.h
++++ b/include/linux/proc_fs.h
+@@ -27,6 +27,7 @@ enum {
+
+ PROC_ENTRY_proc_read_iter = 1U << 1,
+ PROC_ENTRY_proc_compat_ioctl = 1U << 2,
++ PROC_ENTRY_proc_lseek = 1U << 3,
+ };
+
+ struct proc_ops {
+--
+2.39.5
+
--- /dev/null
+From 51144efa3159cd95ab37e786c982822a060d7d1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 17:14:17 +0200
+Subject: pwm: rockchip: Round period/duty down on apply, up on get
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolas Frattaroli <nicolas.frattaroli@collabora.com>
+
+[ Upstream commit 0b4d1abe5ca568c5b7f667345ec2b5ad0fb2e54b ]
+
+With CONFIG_PWM_DEBUG=y, the rockchip PWM driver produces warnings like
+this:
+
+ rockchip-pwm fd8b0010.pwm: .apply is supposed to round down
+ duty_cycle (requested: 23529/50000, applied: 23542/50000)
+
+This is because the driver chooses ROUND_CLOSEST for purported
+idempotency reasons. However, it's possible to keep idempotency while
+always rounding down in .apply().
+
+Do this by making .get_state() always round up, and making .apply()
+always round down. This is done with u64 maths, and setting both period
+and duty to U32_MAX (the biggest the hardware can support) if they would
+exceed their 32 bits confines.
+
+Fixes: 12f9ce4a5198 ("pwm: rockchip: Fix period and duty cycle approximation")
+Fixes: 1ebb74cf3537 ("pwm: rockchip: Add support for hardware readout")
+Signed-off-by: Nicolas Frattaroli <nicolas.frattaroli@collabora.com>
+Link: https://lore.kernel.org/r/20250616-rockchip-pwm-rounding-fix-v2-1-a9c65acad7b6@collabora.com
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-rockchip.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pwm/pwm-rockchip.c b/drivers/pwm/pwm-rockchip.c
+index c5f50e5eaf41..67b85bdb491b 100644
+--- a/drivers/pwm/pwm-rockchip.c
++++ b/drivers/pwm/pwm-rockchip.c
+@@ -8,6 +8,8 @@
+
+ #include <linux/clk.h>
+ #include <linux/io.h>
++#include <linux/limits.h>
++#include <linux/math64.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/platform_device.h>
+@@ -61,6 +63,7 @@ static int rockchip_pwm_get_state(struct pwm_chip *chip,
+ struct pwm_state *state)
+ {
+ struct rockchip_pwm_chip *pc = to_rockchip_pwm_chip(chip);
++ u64 prescaled_ns = (u64)pc->data->prescaler * NSEC_PER_SEC;
+ u32 enable_conf = pc->data->enable_conf;
+ unsigned long clk_rate;
+ u64 tmp;
+@@ -78,12 +81,12 @@ static int rockchip_pwm_get_state(struct pwm_chip *chip,
+ clk_rate = clk_get_rate(pc->clk);
+
+ tmp = readl_relaxed(pc->base + pc->data->regs.period);
+- tmp *= pc->data->prescaler * NSEC_PER_SEC;
+- state->period = DIV_ROUND_CLOSEST_ULL(tmp, clk_rate);
++ tmp *= prescaled_ns;
++ state->period = DIV_U64_ROUND_UP(tmp, clk_rate);
+
+ tmp = readl_relaxed(pc->base + pc->data->regs.duty);
+- tmp *= pc->data->prescaler * NSEC_PER_SEC;
+- state->duty_cycle = DIV_ROUND_CLOSEST_ULL(tmp, clk_rate);
++ tmp *= prescaled_ns;
++ state->duty_cycle = DIV_U64_ROUND_UP(tmp, clk_rate);
+
+ val = readl_relaxed(pc->base + pc->data->regs.ctrl);
+ state->enabled = (val & enable_conf) == enable_conf;
+@@ -103,8 +106,9 @@ static void rockchip_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ const struct pwm_state *state)
+ {
+ struct rockchip_pwm_chip *pc = to_rockchip_pwm_chip(chip);
+- unsigned long period, duty;
+- u64 clk_rate, div;
++ u64 prescaled_ns = (u64)pc->data->prescaler * NSEC_PER_SEC;
++ u64 clk_rate, tmp;
++ u32 period_ticks, duty_ticks;
+ u32 ctrl;
+
+ clk_rate = clk_get_rate(pc->clk);
+@@ -114,12 +118,15 @@ static void rockchip_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ * bits, every possible input period can be obtained using the
+ * default prescaler value for all practical clock rate values.
+ */
+- div = clk_rate * state->period;
+- period = DIV_ROUND_CLOSEST_ULL(div,
+- pc->data->prescaler * NSEC_PER_SEC);
++ tmp = mul_u64_u64_div_u64(clk_rate, state->period, prescaled_ns);
++ if (tmp > U32_MAX)
++ tmp = U32_MAX;
++ period_ticks = tmp;
+
+- div = clk_rate * state->duty_cycle;
+- duty = DIV_ROUND_CLOSEST_ULL(div, pc->data->prescaler * NSEC_PER_SEC);
++ tmp = mul_u64_u64_div_u64(clk_rate, state->duty_cycle, prescaled_ns);
++ if (tmp > U32_MAX)
++ tmp = U32_MAX;
++ duty_ticks = tmp;
+
+ /*
+ * Lock the period and duty of previous configuration, then
+@@ -131,8 +138,8 @@ static void rockchip_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ writel_relaxed(ctrl, pc->base + pc->data->regs.ctrl);
+ }
+
+- writel(period, pc->base + pc->data->regs.period);
+- writel(duty, pc->base + pc->data->regs.duty);
++ writel(period_ticks, pc->base + pc->data->regs.period);
++ writel(duty_ticks, pc->base + pc->data->regs.duty);
+
+ if (pc->data->supports_polarity) {
+ ctrl &= ~PWM_POLARITY_MASK;
+--
+2.39.5
+
--- /dev/null
+From d8426525c4bfd91ffed0eee32c43756ce923402b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 13:53:38 +0800
+Subject: rcu: Fix delayed execution of hurry callbacks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tze-nan Wu <Tze-nan.Wu@mediatek.com>
+
+[ Upstream commit 463d46044f04013306a4893242f65788b8a16b2e ]
+
+We observed a regression in our customer’s environment after enabling
+CONFIG_LAZY_RCU. In the Android Update Engine scenario, where ioctl() is
+used heavily, we found that callbacks queued via call_rcu_hurry (such as
+percpu_ref_switch_to_atomic_rcu) can sometimes be delayed by up to 5
+seconds before execution. This occurs because the new grace period does
+not start immediately after the previous one completes.
+
+The root cause is that the wake_nocb_gp_defer() function now checks
+"rdp->nocb_defer_wakeup" instead of "rdp_gp->nocb_defer_wakeup". On CPUs
+that are not rcuog, "rdp->nocb_defer_wakeup" may always be
+RCU_NOCB_WAKE_NOT. This can cause "rdp_gp->nocb_defer_wakeup" to be
+downgraded and the "rdp_gp->nocb_timer" to be postponed by up to 10
+seconds, delaying the execution of hurry RCU callbacks.
+
+The trace log of one scenario we encountered is as follow:
+ // previous GP ends at this point
+ rcu_preempt [000] d..1. 137.240210: rcu_grace_period: rcu_preempt 8369 end
+ rcu_preempt [000] ..... 137.240212: rcu_grace_period: rcu_preempt 8372 reqwait
+ // call_rcu_hurry enqueues "percpu_ref_switch_to_atomic_rcu", the callback waited on by UpdateEngine
+ update_engine [002] d..1. 137.301593: __call_rcu_common: wyy: unlikely p_ref = 00000000********. lazy = 0
+ // FirstQ on cpu 2 rdp_gp->nocb_timer is set to fire after 1 jiffy (4ms)
+ // and the rdp_gp->nocb_defer_wakeup is set to RCU_NOCB_WAKE
+ update_engine [002] d..2. 137.301595: rcu_nocb_wake: rcu_preempt 2 FirstQ on cpu2 with rdp_gp (cpu0).
+ // FirstBQ event on cpu2 during the 1 jiffy, make the timer postpond 10 seconds later.
+ // also, the rdp_gp->nocb_defer_wakeup is overwrite to RCU_NOCB_WAKE_LAZY
+ update_engine [002] d..1. 137.301601: rcu_nocb_wake: rcu_preempt 2 WakeEmptyIsDeferred
+ ...
+ ...
+ ...
+ // before the 10 seconds timeout, cpu0 received another call_rcu_hurry
+ // reset the timer to jiffies+1 and set the waketype = RCU_NOCB_WAKE.
+ kworker/u32:0 [000] d..2. 142.557564: rcu_nocb_wake: rcu_preempt 0 FirstQ
+ kworker/u32:0 [000] d..1. 142.557576: rcu_nocb_wake: rcu_preempt 0 WakeEmptyIsDeferred
+ kworker/u32:0 [000] d..1. 142.558296: rcu_nocb_wake: rcu_preempt 0 WakeNot
+ kworker/u32:0 [000] d..1. 142.558562: rcu_nocb_wake: rcu_preempt 0 WakeNot
+ // idle(do_nocb_deferred_wakeup) wake rcuog due to waketype == RCU_NOCB_WAKE
+ <idle> [000] d..1. 142.558786: rcu_nocb_wake: rcu_preempt 0 DoWake
+ <idle> [000] dN.1. 142.558839: rcu_nocb_wake: rcu_preempt 0 DeferredWake
+ rcuog/0 [000] ..... 142.558871: rcu_nocb_wake: rcu_preempt 0 EndSleep
+ rcuog/0 [000] ..... 142.558877: rcu_nocb_wake: rcu_preempt 0 Check
+ // finally rcuog request a new GP at this point (5 seconds after the FirstQ event)
+ rcuog/0 [000] d..2. 142.558886: rcu_grace_period: rcu_preempt 8372 newreq
+ rcu_preempt [001] d..1. 142.559458: rcu_grace_period: rcu_preempt 8373 start
+ ...
+ rcu_preempt [000] d..1. 142.564258: rcu_grace_period: rcu_preempt 8373 end
+ rcuop/2 [000] D..1. 142.566337: rcu_batch_start: rcu_preempt CBs=219 bl=10
+ // the hurry CB is invoked at this point
+ rcuop/2 [000] b.... 142.566352: blk_queue_usage_counter_release: wyy: wakeup. p_ref = 00000000********.
+
+This patch changes the condition to check "rdp_gp->nocb_defer_wakeup" in
+the lazy path. This prevents an already scheduled "rdp_gp->nocb_timer"
+from being postponed and avoids overwriting "rdp_gp->nocb_defer_wakeup"
+when it is not RCU_NOCB_WAKE_NOT.
+
+Fixes: 3cb278e73be5 ("rcu: Make call_rcu() lazy to save power")
+Co-developed-by: Cheng-jui Wang <cheng-jui.wang@mediatek.com>
+Signed-off-by: Cheng-jui Wang <cheng-jui.wang@mediatek.com>
+Co-developed-by: Lorry.Luo@mediatek.com
+Signed-off-by: Lorry.Luo@mediatek.com
+Tested-by: weiyangyang@vivo.com
+Signed-off-by: weiyangyang@vivo.com
+Signed-off-by: Tze-nan Wu <Tze-nan.Wu@mediatek.com>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Neeraj Upadhyay (AMD) <neeraj.upadhyay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_nocb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h
+index b473ff056f49..711043e4eb54 100644
+--- a/kernel/rcu/tree_nocb.h
++++ b/kernel/rcu/tree_nocb.h
+@@ -276,7 +276,7 @@ static void wake_nocb_gp_defer(struct rcu_data *rdp, int waketype,
+ * callback storms, no need to wake up too early.
+ */
+ if (waketype == RCU_NOCB_WAKE_LAZY &&
+- rdp->nocb_defer_wakeup == RCU_NOCB_WAKE_NOT) {
++ rdp_gp->nocb_defer_wakeup == RCU_NOCB_WAKE_NOT) {
+ mod_timer(&rdp_gp->nocb_timer, jiffies + rcu_get_jiffies_lazy_flush());
+ WRITE_ONCE(rdp_gp->nocb_defer_wakeup, waketype);
+ } else if (waketype == RCU_NOCB_WAKE_BYPASS) {
+--
+2.39.5
+
--- /dev/null
+From e5836a8665eacf261ae558e4b3c3082d07469b81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:58:12 +0300
+Subject: RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA
+ counters
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 449728196d65fce513dbacf4d3696764be1c6524 ]
+
+Currently, the capability check is done in the default
+init_user_ns user namespace. When a process runs in a
+non default user namespace, such check fails.
+
+Since the RDMA device is a resource within a network namespace,
+use the network namespace associated with the RDMA device to
+determine its owning user namespace.
+
+Fixes: 1bd8e0a9d0fd ("RDMA/counter: Allow manual mode configuration support")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Link: https://patch.msgid.link/68e2064e72e94558a576fdbbb987681a64f6fea8.1750963874.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/counters.c b/drivers/infiniband/core/counters.c
+index e6ec7b7a40af..c3aa6d7fc66b 100644
+--- a/drivers/infiniband/core/counters.c
++++ b/drivers/infiniband/core/counters.c
+@@ -461,7 +461,7 @@ static struct ib_qp *rdma_counter_get_qp(struct ib_device *dev, u32 qp_num)
+ return NULL;
+
+ qp = container_of(res, struct ib_qp, res);
+- if (qp->qp_type == IB_QPT_RAW_PACKET && !capable(CAP_NET_RAW))
++ if (qp->qp_type == IB_QPT_RAW_PACKET && !rdma_dev_has_raw_cap(dev))
+ goto err;
+
+ return qp;
+--
+2.39.5
+
--- /dev/null
+From bd14bab8ea17baa3321299b91f5172f9e61e2353 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 19:39:04 +0800
+Subject: RDMA/hns: Drop GFP_NOWARN
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 5338abb299f0cd764edf78a7e71a0b746af35030 ]
+
+GFP_NOWARN silences all warnings on dma_alloc_coherent() failure,
+which might otherwise help with troubleshooting.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250703113905.3597124-6-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 18 +++++-------------
+ 1 file changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index ca0798224e56..3d479c63b117 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -249,15 +249,12 @@ int hns_roce_calc_hem_mhop(struct hns_roce_dev *hr_dev,
+ }
+
+ static struct hns_roce_hem *hns_roce_alloc_hem(struct hns_roce_dev *hr_dev,
+- unsigned long hem_alloc_size,
+- gfp_t gfp_mask)
++ unsigned long hem_alloc_size)
+ {
+ struct hns_roce_hem *hem;
+ int order;
+ void *buf;
+
+- WARN_ON(gfp_mask & __GFP_HIGHMEM);
+-
+ order = get_order(hem_alloc_size);
+ if (PAGE_SIZE << order != hem_alloc_size) {
+ dev_err(hr_dev->dev, "invalid hem_alloc_size: %lu!\n",
+@@ -265,13 +262,12 @@ static struct hns_roce_hem *hns_roce_alloc_hem(struct hns_roce_dev *hr_dev,
+ return NULL;
+ }
+
+- hem = kmalloc(sizeof(*hem),
+- gfp_mask & ~(__GFP_HIGHMEM | __GFP_NOWARN));
++ hem = kmalloc(sizeof(*hem), GFP_KERNEL);
+ if (!hem)
+ return NULL;
+
+ buf = dma_alloc_coherent(hr_dev->dev, hem_alloc_size,
+- &hem->dma, gfp_mask);
++ &hem->dma, GFP_KERNEL);
+ if (!buf)
+ goto fail;
+
+@@ -378,7 +374,6 @@ static int alloc_mhop_hem(struct hns_roce_dev *hr_dev,
+ {
+ u32 bt_size = mhop->bt_chunk_size;
+ struct device *dev = hr_dev->dev;
+- gfp_t flag;
+ u64 bt_ba;
+ u32 size;
+ int ret;
+@@ -417,8 +412,7 @@ static int alloc_mhop_hem(struct hns_roce_dev *hr_dev,
+ * alloc bt space chunk for MTT/CQE.
+ */
+ size = table->type < HEM_TYPE_MTT ? mhop->buf_chunk_size : bt_size;
+- flag = GFP_KERNEL | __GFP_NOWARN;
+- table->hem[index->buf] = hns_roce_alloc_hem(hr_dev, size, flag);
++ table->hem[index->buf] = hns_roce_alloc_hem(hr_dev, size);
+ if (!table->hem[index->buf]) {
+ ret = -ENOMEM;
+ goto err_alloc_hem;
+@@ -546,9 +540,7 @@ int hns_roce_table_get(struct hns_roce_dev *hr_dev,
+ goto out;
+ }
+
+- table->hem[i] = hns_roce_alloc_hem(hr_dev,
+- table->table_chunk_size,
+- GFP_KERNEL | __GFP_NOWARN);
++ table->hem[i] = hns_roce_alloc_hem(hr_dev, table->table_chunk_size);
+ if (!table->hem[i]) {
+ ret = -ENOMEM;
+ goto out;
+--
+2.39.5
+
--- /dev/null
+From edf61862da30b4b21798b169b0e17ab768ada631 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 19:39:03 +0800
+Subject: RDMA/hns: Fix accessing uninitialized resources
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 278c18a4a78a9a6bf529ef45ccde512a5686ea9d ]
+
+hr_dev->pgdir_list and hr_dev->pgdir_mutex won't be initialized if
+CQ/QP record db are not enabled, but they are also needed when using
+SRQ with SRQ record db enabled. Simplified the logic by always
+initailizing the reosurces.
+
+Fixes: c9813b0b9992 ("RDMA/hns: Support SRQ record doorbell")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250703113905.3597124-5-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_main.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index 623610b3e2ec..11fa64044a8d 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -947,10 +947,7 @@ static int hns_roce_init_hem(struct hns_roce_dev *hr_dev)
+ static void hns_roce_teardown_hca(struct hns_roce_dev *hr_dev)
+ {
+ hns_roce_cleanup_bitmap(hr_dev);
+-
+- if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_CQ_RECORD_DB ||
+- hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_RECORD_DB)
+- mutex_destroy(&hr_dev->pgdir_mutex);
++ mutex_destroy(&hr_dev->pgdir_mutex);
+ }
+
+ /**
+@@ -968,11 +965,8 @@ static int hns_roce_setup_hca(struct hns_roce_dev *hr_dev)
+ INIT_LIST_HEAD(&hr_dev->qp_list);
+ spin_lock_init(&hr_dev->qp_list_lock);
+
+- if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_CQ_RECORD_DB ||
+- hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_RECORD_DB) {
+- INIT_LIST_HEAD(&hr_dev->pgdir_list);
+- mutex_init(&hr_dev->pgdir_mutex);
+- }
++ INIT_LIST_HEAD(&hr_dev->pgdir_list);
++ mutex_init(&hr_dev->pgdir_mutex);
+
+ hns_roce_init_uar_table(hr_dev);
+
+@@ -1004,9 +998,7 @@ static int hns_roce_setup_hca(struct hns_roce_dev *hr_dev)
+
+ err_uar_table_free:
+ ida_destroy(&hr_dev->uar_ida.ida);
+- if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_CQ_RECORD_DB ||
+- hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_RECORD_DB)
+- mutex_destroy(&hr_dev->pgdir_mutex);
++ mutex_destroy(&hr_dev->pgdir_mutex);
+
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From d793427ba23c1038d12a69bfc41f50995c97f543 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 19:39:00 +0800
+Subject: RDMA/hns: Fix double destruction of rsv_qp
+
+From: wenglianfa <wenglianfa@huawei.com>
+
+[ Upstream commit c6957b95ecc5b63c5a4bb4ecc28af326cf8f6dc8 ]
+
+rsv_qp may be double destroyed in error flow, first in free_mr_init(),
+and then in hns_roce_exit(). Fix it by moving the free_mr_init() call
+into hns_roce_v2_init().
+
+list_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100)
+WARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240
+...
+Call trace:
+ __list_del_entry_valid+0x148/0x240
+ hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2]
+ hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2]
+ hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2]
+ free_mr_exit+0x6c/0x120 [hns_roce_hw_v2]
+ hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2]
+ hns_roce_exit+0x118/0x350 [hns_roce_hw_v2]
+ __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2]
+ hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2]
+ hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2]
+ hclge_notify_roce_client+0x6c/0x160 [hclge]
+ hclge_reset_rebuild+0x150/0x5c0 [hclge]
+ hclge_reset+0x10c/0x140 [hclge]
+ hclge_reset_subtask+0x80/0x104 [hclge]
+ hclge_reset_service_task+0x168/0x3ac [hclge]
+ hclge_service_task+0x50/0x100 [hclge]
+ process_one_work+0x250/0x9a0
+ worker_thread+0x324/0x990
+ kthread+0x190/0x210
+ ret_from_fork+0x10/0x18
+
+Fixes: fd8489294dd2 ("RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08")
+Signed-off-by: wenglianfa <wenglianfa@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250703113905.3597124-2-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 25 +++++++++++-----------
+ drivers/infiniband/hw/hns/hns_roce_main.c | 6 +++---
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index fa8747656f25..29068be052d9 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -2986,14 +2986,22 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev)
+ {
+ int ret;
+
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
++ ret = free_mr_init(hr_dev);
++ if (ret) {
++ dev_err(hr_dev->dev, "failed to init free mr!\n");
++ return ret;
++ }
++ }
++
+ /* The hns ROCEE requires the extdb info to be cleared before using */
+ ret = hns_roce_clear_extdb_list_info(hr_dev);
+ if (ret)
+- return ret;
++ goto err_clear_extdb_failed;
+
+ ret = get_hem_table(hr_dev);
+ if (ret)
+- return ret;
++ goto err_clear_extdb_failed;
+
+ if (hr_dev->is_vf)
+ return 0;
+@@ -3008,6 +3016,9 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev)
+
+ err_llm_init_failed:
+ put_hem_table(hr_dev);
++err_clear_extdb_failed:
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)
++ free_mr_exit(hr_dev);
+
+ return ret;
+ }
+@@ -7044,21 +7055,11 @@ static int __hns_roce_hw_v2_init_instance(struct hnae3_handle *handle)
+ goto error_failed_roce_init;
+ }
+
+- if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
+- ret = free_mr_init(hr_dev);
+- if (ret) {
+- dev_err(hr_dev->dev, "failed to init free mr!\n");
+- goto error_failed_free_mr_init;
+- }
+- }
+
+ handle->priv = hr_dev;
+
+ return 0;
+
+-error_failed_free_mr_init:
+- hns_roce_exit(hr_dev);
+-
+ error_failed_roce_init:
+ kfree(hr_dev->priv);
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index e7a497cc125c..623610b3e2ec 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -965,6 +965,9 @@ static int hns_roce_setup_hca(struct hns_roce_dev *hr_dev)
+
+ spin_lock_init(&hr_dev->sm_lock);
+
++ INIT_LIST_HEAD(&hr_dev->qp_list);
++ spin_lock_init(&hr_dev->qp_list_lock);
++
+ if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_CQ_RECORD_DB ||
+ hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_RECORD_DB) {
+ INIT_LIST_HEAD(&hr_dev->pgdir_list);
+@@ -1132,9 +1135,6 @@ int hns_roce_init(struct hns_roce_dev *hr_dev)
+ }
+ }
+
+- INIT_LIST_HEAD(&hr_dev->qp_list);
+- spin_lock_init(&hr_dev->qp_list_lock);
+-
+ ret = hns_roce_register_device(hr_dev);
+ if (ret)
+ goto error_failed_register_device;
+--
+2.39.5
+
--- /dev/null
+From 8537960d7b8fa687b190f765eeb482eaedd84ae7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 19:39:01 +0800
+Subject: RDMA/hns: Fix HW configurations not cleared in error flow
+
+From: wenglianfa <wenglianfa@huawei.com>
+
+[ Upstream commit 998b41cb20b02c4e28ac558e4e7f8609d659ec05 ]
+
+hns_roce_clear_extdb_list_info() will eventually do some HW
+configurations through FW, and they need to be cleared by
+calling hns_roce_function_clear() when the initialization
+fails.
+
+Fixes: 7e78dd816e45 ("RDMA/hns: Clear extended doorbell info before using")
+Signed-off-by: wenglianfa <wenglianfa@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250703113905.3597124-3-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 29068be052d9..2b04e25c6b09 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -3001,7 +3001,7 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev)
+
+ ret = get_hem_table(hr_dev);
+ if (ret)
+- goto err_clear_extdb_failed;
++ goto err_get_hem_table_failed;
+
+ if (hr_dev->is_vf)
+ return 0;
+@@ -3016,6 +3016,8 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev)
+
+ err_llm_init_failed:
+ put_hem_table(hr_dev);
++err_get_hem_table_failed:
++ hns_roce_function_clear(hr_dev);
+ err_clear_extdb_failed:
+ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)
+ free_mr_exit(hr_dev);
+--
+2.39.5
+
--- /dev/null
+From 9d884a16190b2e5ee81c4e9be3c3d4add6285081 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 19:39:05 +0800
+Subject: RDMA/hns: Fix -Wframe-larger-than issue
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 79d56805c5068f2bc81518043e043c3dedd1c82a ]
+
+Fix -Wframe-larger-than issue by allocating memory for qpc struct
+with kzalloc() instead of using stack memory.
+
+Fixes: 606bf89e98ef ("RDMA/hns: Refactor for hns_roce_v2_modify_qp function")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506240032.CSgIyFct-lkp@intel.com/
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250703113905.3597124-7-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 246642859159..b30dce00f240 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -5387,11 +5387,10 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
+ {
+ struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device);
+ struct hns_roce_qp *hr_qp = to_hr_qp(ibqp);
+- struct hns_roce_v2_qp_context ctx[2];
+- struct hns_roce_v2_qp_context *context = ctx;
+- struct hns_roce_v2_qp_context *qpc_mask = ctx + 1;
++ struct hns_roce_v2_qp_context *context;
++ struct hns_roce_v2_qp_context *qpc_mask;
+ struct ib_device *ibdev = &hr_dev->ib_dev;
+- int ret;
++ int ret = -ENOMEM;
+
+ if (attr_mask & ~IB_QP_ATTR_STANDARD_BITS)
+ return -EOPNOTSUPP;
+@@ -5402,7 +5401,11 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
+ * we should set all bits of the relevant fields in context mask to
+ * 0 at the same time, else set them to 0x1.
+ */
+- memset(context, 0, hr_dev->caps.qpc_sz);
++ context = kvzalloc(sizeof(*context), GFP_KERNEL);
++ qpc_mask = kvzalloc(sizeof(*qpc_mask), GFP_KERNEL);
++ if (!context || !qpc_mask)
++ goto out;
++
+ memset(qpc_mask, 0xff, hr_dev->caps.qpc_sz);
+
+ ret = hns_roce_v2_set_abs_fields(ibqp, attr, attr_mask, cur_state,
+@@ -5444,6 +5447,8 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
+ clear_qp(hr_qp);
+
+ out:
++ kvfree(qpc_mask);
++ kvfree(context);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 6066cb42b1efe00c4f4c70770b3d9b2aebfc1a57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 19:39:02 +0800
+Subject: RDMA/hns: Get message length of ack_req from FW
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 2c2ec0106c0f1f12d4eefd11de318ac47557a750 ]
+
+ACK_REQ_FREQ indicates the number of packets (after MTU fragmentation)
+HW sends before setting an ACK request. When MTU is greater than or
+equal to 1024, the current ACK_REQ_FREQ value causes HW to request an
+ACK for every MTU fragment. The processing of a large number of ACKs
+severely impacts HW performance when sending large size payloads.
+
+Get message length of ack_req from FW so that we can adjust this
+parameter according to different situations. There are several
+constraints for ACK_REQ_FREQ:
+
+1. mtu * (2 ^ ACK_REQ_FREQ) should not be too large, otherwise it may
+ cause some unexpected retries when sending large payload.
+
+2. ACK_REQ_FREQ should be larger than or equal to LP_PKTN_INI.
+
+3. ACK_REQ_FREQ must be equal to LP_PKTN_INI when using LDCP
+ or HC3 congestion control algorithm.
+
+Fixes: 56518a603fd2 ("RDMA/hns: Modify the value of long message loopback slice")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250703113905.3597124-4-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_device.h | 1 +
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 45 ++++++++++++++++-----
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 8 +++-
+ 3 files changed, 43 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h
+index 1dcc9cbb4678..254fd4d6ea9f 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_device.h
++++ b/drivers/infiniband/hw/hns/hns_roce_device.h
+@@ -856,6 +856,7 @@ struct hns_roce_caps {
+ u16 default_ceq_arm_st;
+ u8 cong_cap;
+ enum hns_roce_cong_type default_cong_type;
++ u32 max_ack_req_msg_len;
+ };
+
+ enum hns_roce_device_state {
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 2b04e25c6b09..246642859159 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -2196,31 +2196,36 @@ static void apply_func_caps(struct hns_roce_dev *hr_dev)
+
+ static int hns_roce_query_caps(struct hns_roce_dev *hr_dev)
+ {
+- struct hns_roce_cmq_desc desc[HNS_ROCE_QUERY_PF_CAPS_CMD_NUM];
++ struct hns_roce_cmq_desc desc[HNS_ROCE_QUERY_PF_CAPS_CMD_NUM] = {};
+ struct hns_roce_caps *caps = &hr_dev->caps;
+ struct hns_roce_query_pf_caps_a *resp_a;
+ struct hns_roce_query_pf_caps_b *resp_b;
+ struct hns_roce_query_pf_caps_c *resp_c;
+ struct hns_roce_query_pf_caps_d *resp_d;
+ struct hns_roce_query_pf_caps_e *resp_e;
++ struct hns_roce_query_pf_caps_f *resp_f;
+ enum hns_roce_opcode_type cmd;
+ int ctx_hop_num;
+ int pbl_hop_num;
++ int cmd_num;
+ int ret;
+ int i;
+
+ cmd = hr_dev->is_vf ? HNS_ROCE_OPC_QUERY_VF_CAPS_NUM :
+ HNS_ROCE_OPC_QUERY_PF_CAPS_NUM;
++ cmd_num = hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08 ?
++ HNS_ROCE_QUERY_PF_CAPS_CMD_NUM_HIP08 :
++ HNS_ROCE_QUERY_PF_CAPS_CMD_NUM;
+
+- for (i = 0; i < HNS_ROCE_QUERY_PF_CAPS_CMD_NUM; i++) {
++ for (i = 0; i < cmd_num - 1; i++) {
+ hns_roce_cmq_setup_basic_desc(&desc[i], cmd, true);
+- if (i < (HNS_ROCE_QUERY_PF_CAPS_CMD_NUM - 1))
+- desc[i].flag |= cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT);
+- else
+- desc[i].flag &= ~cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT);
++ desc[i].flag |= cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT);
+ }
+
+- ret = hns_roce_cmq_send(hr_dev, desc, HNS_ROCE_QUERY_PF_CAPS_CMD_NUM);
++ hns_roce_cmq_setup_basic_desc(&desc[cmd_num - 1], cmd, true);
++ desc[cmd_num - 1].flag &= ~cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT);
++
++ ret = hns_roce_cmq_send(hr_dev, desc, cmd_num);
+ if (ret)
+ return ret;
+
+@@ -2229,6 +2234,7 @@ static int hns_roce_query_caps(struct hns_roce_dev *hr_dev)
+ resp_c = (struct hns_roce_query_pf_caps_c *)desc[2].data;
+ resp_d = (struct hns_roce_query_pf_caps_d *)desc[3].data;
+ resp_e = (struct hns_roce_query_pf_caps_e *)desc[4].data;
++ resp_f = (struct hns_roce_query_pf_caps_f *)desc[5].data;
+
+ caps->local_ca_ack_delay = resp_a->local_ca_ack_delay;
+ caps->max_sq_sg = le16_to_cpu(resp_a->max_sq_sg);
+@@ -2293,6 +2299,8 @@ static int hns_roce_query_caps(struct hns_roce_dev *hr_dev)
+ caps->reserved_srqs = hr_reg_read(resp_e, PF_CAPS_E_RSV_SRQS);
+ caps->reserved_lkey = hr_reg_read(resp_e, PF_CAPS_E_RSV_LKEYS);
+
++ caps->max_ack_req_msg_len = le32_to_cpu(resp_f->max_ack_req_msg_len);
++
+ caps->qpc_hop_num = ctx_hop_num;
+ caps->sccc_hop_num = ctx_hop_num;
+ caps->srqc_hop_num = ctx_hop_num;
+@@ -4573,7 +4581,9 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp,
+ dma_addr_t trrl_ba;
+ dma_addr_t irrl_ba;
+ enum ib_mtu ib_mtu;
++ u8 ack_req_freq;
+ const u8 *smac;
++ int lp_msg_len;
+ u8 lp_pktn_ini;
+ u64 *mtts;
+ u8 *dmac;
+@@ -4656,7 +4666,8 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp,
+ return -EINVAL;
+ #define MIN_LP_MSG_LEN 1024
+ /* mtu * (2 ^ lp_pktn_ini) should be in the range of 1024 to mtu */
+- lp_pktn_ini = ilog2(max(mtu, MIN_LP_MSG_LEN) / mtu);
++ lp_msg_len = max(mtu, MIN_LP_MSG_LEN);
++ lp_pktn_ini = ilog2(lp_msg_len / mtu);
+
+ if (attr_mask & IB_QP_PATH_MTU) {
+ hr_reg_write(context, QPC_MTU, ib_mtu);
+@@ -4666,8 +4677,22 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp,
+ hr_reg_write(context, QPC_LP_PKTN_INI, lp_pktn_ini);
+ hr_reg_clear(qpc_mask, QPC_LP_PKTN_INI);
+
+- /* ACK_REQ_FREQ should be larger than or equal to LP_PKTN_INI */
+- hr_reg_write(context, QPC_ACK_REQ_FREQ, lp_pktn_ini);
++ /*
++ * There are several constraints for ACK_REQ_FREQ:
++ * 1. mtu * (2 ^ ACK_REQ_FREQ) should not be too large, otherwise
++ * it may cause some unexpected retries when sending large
++ * payload.
++ * 2. ACK_REQ_FREQ should be larger than or equal to LP_PKTN_INI.
++ * 3. ACK_REQ_FREQ must be equal to LP_PKTN_INI when using LDCP
++ * or HC3 congestion control algorithm.
++ */
++ if (hr_qp->cong_type == CONG_TYPE_LDCP ||
++ hr_qp->cong_type == CONG_TYPE_HC3 ||
++ hr_dev->caps.max_ack_req_msg_len < lp_msg_len)
++ ack_req_freq = lp_pktn_ini;
++ else
++ ack_req_freq = ilog2(hr_dev->caps.max_ack_req_msg_len / mtu);
++ hr_reg_write(context, QPC_ACK_REQ_FREQ, ack_req_freq);
+ hr_reg_clear(qpc_mask, QPC_ACK_REQ_FREQ);
+
+ hr_reg_clear(qpc_mask, QPC_RX_REQ_PSN_ERR);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index bc7466830eaf..1c2660305d27 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -1168,7 +1168,8 @@ struct hns_roce_cfg_gmv_tb_b {
+ #define GMV_TB_B_SMAC_H GMV_TB_B_FIELD_LOC(47, 32)
+ #define GMV_TB_B_SGID_IDX GMV_TB_B_FIELD_LOC(71, 64)
+
+-#define HNS_ROCE_QUERY_PF_CAPS_CMD_NUM 5
++#define HNS_ROCE_QUERY_PF_CAPS_CMD_NUM_HIP08 5
++#define HNS_ROCE_QUERY_PF_CAPS_CMD_NUM 6
+ struct hns_roce_query_pf_caps_a {
+ u8 number_ports;
+ u8 local_ca_ack_delay;
+@@ -1280,6 +1281,11 @@ struct hns_roce_query_pf_caps_e {
+ __le16 aeq_period;
+ };
+
++struct hns_roce_query_pf_caps_f {
++ __le32 max_ack_req_msg_len;
++ __le32 rsv[5];
++};
++
+ #define PF_CAPS_E_FIELD_LOC(h, l) \
+ FIELD_LOC(struct hns_roce_query_pf_caps_e, h, l)
+
+--
+2.39.5
+
--- /dev/null
+From 74f922171c681c16d95321a7ef86694db25874aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 11:44:03 +0300
+Subject: RDMA/ipoib: Use parent rdma device net namespace
+
+From: Mark Bloch <mbloch@nvidia.com>
+
+[ Upstream commit f1208b05574f63c52e88109d8c75afdf4fc6bf42 ]
+
+Use the net namespace of the underlying rdma device.
+After honoring the rdma device's namespace, the ipoib
+netdev now also runs in the same net namespace of the
+rdma device.
+
+Add an API to read the net namespace of the rdma device
+so that ULP such as IPoIB can use it to initialize its
+netdev.
+
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Mark Bloch <mbloch@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Stable-dep-of: f458ccd2aa2c ("RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 ++
+ include/rdma/ib_verbs.h | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index f2f5465f2a90..7acafc5c0e09 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -2577,6 +2577,8 @@ static struct net_device *ipoib_add_port(const char *format,
+
+ ndev->rtnl_link_ops = ipoib_get_link_ops();
+
++ dev_net_set(ndev, rdma_dev_net(hca));
++
+ result = register_netdev(ndev);
+ if (result) {
+ pr_warn("%s: couldn't register ipoib port %d; error %d\n",
+diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
+index af43a8d2a74a..c83e5a375cd6 100644
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -4855,6 +4855,11 @@ static inline int ibdev_to_node(struct ib_device *ibdev)
+ bool rdma_dev_access_netns(const struct ib_device *device,
+ const struct net *net);
+
++static inline struct net *rdma_dev_net(struct ib_device *device)
++{
++ return read_pnet(&device->coredev.rdma_net);
++}
++
+ #define IB_ROCE_UDP_ENCAP_VALID_PORT_MIN (0xC000)
+ #define IB_ROCE_UDP_ENCAP_VALID_PORT_MAX (0xFFFF)
+ #define IB_GRH_FLOWLABEL_MASK (0x000FFFFF)
+--
+2.39.5
+
--- /dev/null
+From 5d89b92d892253260f285bd3394780ed143d9255 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 03:24:45 -0700
+Subject: RDMA/mana_ib: Fix DSCP value in modify QP
+
+From: Shiraz Saleem <shirazsaleem@microsoft.com>
+
+[ Upstream commit 62de0e67328e9503459a24b9343c3358937cdeef ]
+
+Convert the traffic_class in GRH to a DSCP value as required by the HW.
+
+Fixes: e095405b45bb ("RDMA/mana_ib: Modify QP state")
+Signed-off-by: Shiraz Saleem <shirazsaleem@microsoft.com>
+Signed-off-by: Konstantin Taranov <kotaranov@microsoft.com>
+Link: https://patch.msgid.link/1752143085-4169-1-git-send-email-kotaranov@linux.microsoft.com
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mana/qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c
+index 14fd7d6c54a2..a6bf4d539e67 100644
+--- a/drivers/infiniband/hw/mana/qp.c
++++ b/drivers/infiniband/hw/mana/qp.c
+@@ -772,7 +772,7 @@ static int mana_ib_gd_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ req.ah_attr.dest_port = ROCE_V2_UDP_DPORT;
+ req.ah_attr.src_port = rdma_get_udp_sport(attr->ah_attr.grh.flow_label,
+ ibqp->qp_num, attr->dest_qp_num);
+- req.ah_attr.traffic_class = attr->ah_attr.grh.traffic_class;
++ req.ah_attr.traffic_class = attr->ah_attr.grh.traffic_class >> 2;
+ req.ah_attr.hop_limit = attr->ah_attr.grh.hop_limit;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e3206138799bbc96bea0d52b061f293382d289a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:58:06 +0300
+Subject: RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 14957e8125e767bfd40a3ac61b1d6b8e62ee0a98 ]
+
+Currently, the capability check is done in the default
+init_user_ns user namespace. When a process runs in a
+non default user namespace, such check fails. Due to this
+when a process is running using Podman, it fails to create
+the anchor.
+
+Since the RDMA device is a resource within a network namespace,
+use the network namespace associated with the RDMA device to
+determine its owning user namespace.
+
+Fixes: 0c6ab0ca9a66 ("RDMA/mlx5: Expose steering anchor to userspace")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Link: https://patch.msgid.link/c2376ca75e7658e2cbd1f619cf28fbe98c906419.1750963874.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/fs.c b/drivers/infiniband/hw/mlx5/fs.c
+index de8114ba9c1f..eabc37f2ac19 100644
+--- a/drivers/infiniband/hw/mlx5/fs.c
++++ b/drivers/infiniband/hw/mlx5/fs.c
+@@ -2989,7 +2989,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_STEERING_ANCHOR_CREATE)(
+ u32 ft_id;
+ int err;
+
+- if (!capable(CAP_NET_RAW))
++ if (!rdma_dev_has_raw_cap(&dev->ib_dev))
+ return -EPERM;
+
+ err = uverbs_get_const(&ib_uapi_ft_type, attrs,
+--
+2.39.5
+
--- /dev/null
+From cd6efa88c7beb174728029048d63b059daf1848c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:58:10 +0300
+Subject: RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit bd82467f17e0940c6f6a5396278cda586c9cb6fd ]
+
+Currently, the capability check is done in the default
+init_user_ns user namespace. When a process runs in a
+non default user namespace, such check fails. Due to this
+when a process is running using Podman, it fails to create
+the devx object.
+
+Since the RDMA device is a resource within a network namespace,
+use the network namespace associated with the RDMA device to
+determine its owning user namespace.
+
+Fixes: a8b92ca1b0e5 ("IB/mlx5: Introduce DEVX")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Link: https://patch.msgid.link/36ee87e92defd81410c6a2b33f9d6c0d6dcfd64c.1750963874.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/devx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index 843dcd312242..c369fee33562 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -159,7 +159,7 @@ int mlx5_ib_devx_create(struct mlx5_ib_dev *dev, bool is_user, u64 req_ucaps)
+ uctx = MLX5_ADDR_OF(create_uctx_in, in, uctx);
+ if (is_user &&
+ (MLX5_CAP_GEN(dev->mdev, uctx_cap) & MLX5_UCTX_CAP_RAW_TX) &&
+- capable(CAP_NET_RAW))
++ rdma_dev_has_raw_cap(&dev->ib_dev))
+ cap |= MLX5_UCTX_CAP_RAW_TX;
+ if (is_user &&
+ (MLX5_CAP_GEN(dev->mdev, uctx_cap) &
+--
+2.39.5
+
--- /dev/null
+From 995e00c3d599a35ec2d9d26f47cbf2434ea95717 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:58:05 +0300
+Subject: RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 95a89ec304c38f7447cdbf271f2d1cbad4c3bf81 ]
+
+Currently, the capability check is done in the default
+init_user_ns user namespace. When a process runs in a
+non default user namespace, such check fails. Due to this
+when a process is running using Podman, it fails to create
+the flow.
+
+Since the RDMA device is a resource within a network namespace,
+use the network namespace associated with the RDMA device to
+determine its owning user namespace.
+
+Fixes: 322694412400 ("IB/mlx5: Introduce driver create and destroy flow methods")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Link: https://patch.msgid.link/a4dcd5e3ac6904ef50b19e56942ca6ab0728794c.1750963874.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/fs.c b/drivers/infiniband/hw/mlx5/fs.c
+index 680627f1de33..de8114ba9c1f 100644
+--- a/drivers/infiniband/hw/mlx5/fs.c
++++ b/drivers/infiniband/hw/mlx5/fs.c
+@@ -2458,7 +2458,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_CREATE_FLOW)(
+ struct mlx5_ib_dev *dev;
+ u32 flags;
+
+- if (!capable(CAP_NET_RAW))
++ if (!rdma_uattrs_has_raw_cap(attrs))
+ return -EPERM;
+
+ fs_matcher = uverbs_attr_get_obj(attrs,
+--
+2.39.5
+
--- /dev/null
+From bd439262994431338912f8a93c2eefe8d5be41b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 09:42:09 +0300
+Subject: RDMA/mlx5: Fix UMR modifying of mkey page size
+
+From: Edward Srouji <edwards@nvidia.com>
+
+[ Upstream commit c4f96972c3c206ac8f6770b5ecd5320b561d0058 ]
+
+When changing the page size on an mkey, the driver needs to set the
+appropriate bits in the mkey mask to indicate which fields are being
+modified.
+The 6th bit of a page size in mlx5 driver is considered an extension,
+and this bit has a dedicated capability and mask bits.
+
+Previously, the driver was not setting this mask in the mkey mask when
+performing page size changes, regardless of its hardware support,
+potentially leading to an incorrect page size updates.
+
+This fixes the issue by setting the relevant bit in the mkey mask when
+performing page size changes on an mkey and the 6th bit of this field is
+supported by the hardware.
+
+Fixes: cef7dde8836a ("net/mlx5: Expand mkey page size to support 6 bits")
+Signed-off-by: Edward Srouji <edwards@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/9f43a9c73bf2db6085a99dc836f7137e76579f09.1751979184.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/umr.c | 6 ++++--
+ include/linux/mlx5/device.h | 1 +
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/umr.c b/drivers/infiniband/hw/mlx5/umr.c
+index 5be4426a2884..25601dea9e30 100644
+--- a/drivers/infiniband/hw/mlx5/umr.c
++++ b/drivers/infiniband/hw/mlx5/umr.c
+@@ -32,13 +32,15 @@ static __be64 get_umr_disable_mr_mask(void)
+ return cpu_to_be64(result);
+ }
+
+-static __be64 get_umr_update_translation_mask(void)
++static __be64 get_umr_update_translation_mask(struct mlx5_ib_dev *dev)
+ {
+ u64 result;
+
+ result = MLX5_MKEY_MASK_LEN |
+ MLX5_MKEY_MASK_PAGE_SIZE |
+ MLX5_MKEY_MASK_START_ADDR;
++ if (MLX5_CAP_GEN_2(dev->mdev, umr_log_entity_size_5))
++ result |= MLX5_MKEY_MASK_PAGE_SIZE_5;
+
+ return cpu_to_be64(result);
+ }
+@@ -654,7 +656,7 @@ static void mlx5r_umr_final_update_xlt(struct mlx5_ib_dev *dev,
+ flags & MLX5_IB_UPD_XLT_ENABLE || flags & MLX5_IB_UPD_XLT_ADDR;
+
+ if (update_translation) {
+- wqe->ctrl_seg.mkey_mask |= get_umr_update_translation_mask();
++ wqe->ctrl_seg.mkey_mask |= get_umr_update_translation_mask(dev);
+ if (!mr->ibmr.length)
+ MLX5_SET(mkc, &wqe->mkey_seg, length64, 1);
+ }
+diff --git a/include/linux/mlx5/device.h b/include/linux/mlx5/device.h
+index 6822cfa5f4ad..9d2467f982ad 100644
+--- a/include/linux/mlx5/device.h
++++ b/include/linux/mlx5/device.h
+@@ -280,6 +280,7 @@ enum {
+ MLX5_MKEY_MASK_SMALL_FENCE = 1ull << 23,
+ MLX5_MKEY_MASK_RELAXED_ORDERING_WRITE = 1ull << 25,
+ MLX5_MKEY_MASK_FREE = 1ull << 29,
++ MLX5_MKEY_MASK_PAGE_SIZE_5 = 1ull << 42,
+ MLX5_MKEY_MASK_RELAXED_ORDERING_READ = 1ull << 47,
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 5e3dbe7d0ce6444accf0d0bdd5322060406b85b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:58:11 +0300
+Subject: RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 28ea058a2979f063d4b756c5d82d885fc16f5ca2 ]
+
+Currently, the capability check is done in the default
+init_user_ns user namespace. When a process runs in a
+non default user namespace, such check fails. Due to this
+when a process is running using Podman, it fails to modify
+the QP.
+
+Since the RDMA device is a resource within a network namespace,
+use the network namespace associated with the RDMA device to
+determine its owning user namespace.
+
+Fixes: 0cadb4db79e1 ("RDMA/uverbs: Restrict usage of privileged QKEYs")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Link: https://patch.msgid.link/099eb263622ccdd27014db7e02fec824a3307829.1750963874.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/nldev.c | 2 +-
+ drivers/infiniband/core/uverbs_cmd.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
+index a872643e8039..be6b2ef0ede4 100644
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -255,7 +255,7 @@ EXPORT_SYMBOL(rdma_nl_put_driver_u64_hex);
+
+ bool rdma_nl_get_privileged_qkey(void)
+ {
+- return privileged_qkey || capable(CAP_NET_RAW);
++ return privileged_qkey;
+ }
+ EXPORT_SYMBOL(rdma_nl_get_privileged_qkey);
+
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index 4d96e4a678f3..0807e9a00008 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1877,7 +1877,8 @@ static int modify_qp(struct uverbs_attr_bundle *attrs,
+ attr->path_mig_state = cmd->base.path_mig_state;
+ if (cmd->base.attr_mask & IB_QP_QKEY) {
+ if (cmd->base.qkey & IB_QP_SET_QKEY &&
+- !rdma_nl_get_privileged_qkey()) {
++ !(rdma_nl_get_privileged_qkey() ||
++ rdma_uattrs_has_raw_cap(attrs))) {
+ ret = -EPERM;
+ goto release_qp;
+ }
+--
+2.39.5
+
--- /dev/null
+From 89b7941b4691d3e60f5453e9c2af8a82e97ffc25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 12:31:39 +0300
+Subject: RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 98269398c02ab20eb9ed6d77416023a2627049d8 ]
+
+The call to rdma_uattrs_has_raw_cap() is placed in mlx5 fs.c file,
+which is compiled without relation to CONFIG_INFINIBAND_USER_ACCESS.
+
+Despite the check is used only in flows with CONFIG_INFINIBAND_USER_ACCESS=y|m,
+the compilers generate the following error for CONFIG_INFINIBAND_USER_ACCESS=n
+builds.
+
+>> ERROR: modpost: "rdma_uattrs_has_raw_cap" [drivers/infiniband/hw/mlx5/mlx5_ib.ko] undefined!
+
+Fixes: f458ccd2aa2c ("RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202507080725.bh7xrhpg-lkp@intel.com/
+Link: https://patch.msgid.link/72dee6b379bd709255a5d8e8010b576d50e47170.1751967071.git.leon@kernel.org
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/rdma/ib_verbs.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
+index 087048b75d13..6353da1c0228 100644
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -4794,15 +4794,19 @@ struct ib_ucontext *ib_uverbs_get_ucontext_file(struct ib_uverbs_file *ufile);
+
+ #if IS_ENABLED(CONFIG_INFINIBAND_USER_ACCESS)
+ int uverbs_destroy_def_handler(struct uverbs_attr_bundle *attrs);
++bool rdma_uattrs_has_raw_cap(const struct uverbs_attr_bundle *attrs);
+ #else
+ static inline int uverbs_destroy_def_handler(struct uverbs_attr_bundle *attrs)
+ {
+ return 0;
+ }
++static inline bool
++rdma_uattrs_has_raw_cap(const struct uverbs_attr_bundle *attrs)
++{
++ return false;
++}
+ #endif
+
+-bool rdma_uattrs_has_raw_cap(const struct uverbs_attr_bundle *attrs);
+-
+ struct net_device *rdma_alloc_netdev(struct ib_device *device, u32 port_num,
+ enum rdma_netdev_t type, const char *name,
+ unsigned char name_assign_type,
+--
+2.39.5
+
--- /dev/null
+From 7c0bd8bfd142d14f497684c7a6b88dda098dea4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:58:04 +0300
+Subject: RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit f458ccd2aa2c5a6f0129a9b1548f2825071fdc6b ]
+
+Currently, the capability check is done in the default
+init_user_ns user namespace. When a process runs in a
+non default user namespace, such check fails. Due to this
+when a process is running using Podman, it fails to create
+the flow resource.
+
+Since the RDMA device is a resource within a network namespace,
+use the network namespace associated with the RDMA device to
+determine its owning user namespace.
+
+Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
+Link: https://patch.msgid.link/6df6f2f24627874c4f6d041c19dc1f6f29f68f84.1750963874.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/device.c | 27 ++++++++++++++++++++++++++
+ drivers/infiniband/core/rdma_core.c | 29 ++++++++++++++++++++++++++++
+ drivers/infiniband/core/uverbs_cmd.c | 2 +-
+ include/rdma/ib_verbs.h | 3 +++
+ 4 files changed, 60 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index d4263385850a..792824e0ab2c 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -145,6 +145,33 @@ bool rdma_dev_access_netns(const struct ib_device *dev, const struct net *net)
+ }
+ EXPORT_SYMBOL(rdma_dev_access_netns);
+
++/**
++ * rdma_dev_has_raw_cap() - Returns whether a specified rdma device has
++ * CAP_NET_RAW capability or not.
++ *
++ * @dev: Pointer to rdma device whose capability to be checked
++ *
++ * Returns true if a rdma device's owning user namespace has CAP_NET_RAW
++ * capability, otherwise false. When rdma subsystem is in legacy shared network,
++ * namespace mode, the default net namespace is considered.
++ */
++bool rdma_dev_has_raw_cap(const struct ib_device *dev)
++{
++ const struct net *net;
++
++ /* Network namespace is the resource whose user namespace
++ * to be considered. When in shared mode, there is no reliable
++ * network namespace resource, so consider the default net namespace.
++ */
++ if (ib_devices_shared_netns)
++ net = &init_net;
++ else
++ net = read_pnet(&dev->coredev.rdma_net);
++
++ return ns_capable(net->user_ns, CAP_NET_RAW);
++}
++EXPORT_SYMBOL(rdma_dev_has_raw_cap);
++
+ /*
+ * xarray has this behavior where it won't iterate over NULL values stored in
+ * allocated arrays. So we need our own iterator to see all values stored in
+diff --git a/drivers/infiniband/core/rdma_core.c b/drivers/infiniband/core/rdma_core.c
+index 90c177edf9b0..18918f463361 100644
+--- a/drivers/infiniband/core/rdma_core.c
++++ b/drivers/infiniband/core/rdma_core.c
+@@ -1019,3 +1019,32 @@ void uverbs_finalize_object(struct ib_uobject *uobj,
+ WARN_ON(true);
+ }
+ }
++
++/**
++ * rdma_uattrs_has_raw_cap() - Returns whether a rdma device linked to the
++ * uverbs attributes file has CAP_NET_RAW
++ * capability or not.
++ *
++ * @attrs: Pointer to uverbs attributes
++ *
++ * Returns true if a rdma device's owning user namespace has CAP_NET_RAW
++ * capability, otherwise false.
++ */
++bool rdma_uattrs_has_raw_cap(const struct uverbs_attr_bundle *attrs)
++{
++ struct ib_uverbs_file *ufile = attrs->ufile;
++ struct ib_ucontext *ucontext;
++ bool has_cap = false;
++ int srcu_key;
++
++ srcu_key = srcu_read_lock(&ufile->device->disassociate_srcu);
++ ucontext = ib_uverbs_get_ucontext_file(ufile);
++ if (IS_ERR(ucontext))
++ goto out;
++ has_cap = rdma_dev_has_raw_cap(ucontext->device);
++
++out:
++ srcu_read_unlock(&ufile->device->disassociate_srcu, srcu_key);
++ return has_cap;
++}
++EXPORT_SYMBOL(rdma_uattrs_has_raw_cap);
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index bc9fe3ceca4d..6700c2c66167 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -3225,7 +3225,7 @@ static int ib_uverbs_ex_create_flow(struct uverbs_attr_bundle *attrs)
+ if (cmd.comp_mask)
+ return -EINVAL;
+
+- if (!capable(CAP_NET_RAW))
++ if (!rdma_uattrs_has_raw_cap(attrs))
+ return -EPERM;
+
+ if (cmd.flow_attr.flags >= IB_FLOW_ATTR_FLAGS_RESERVED)
+diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
+index c83e5a375cd6..087048b75d13 100644
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -4801,6 +4801,8 @@ static inline int uverbs_destroy_def_handler(struct uverbs_attr_bundle *attrs)
+ }
+ #endif
+
++bool rdma_uattrs_has_raw_cap(const struct uverbs_attr_bundle *attrs);
++
+ struct net_device *rdma_alloc_netdev(struct ib_device *device, u32 port_num,
+ enum rdma_netdev_t type, const char *name,
+ unsigned char name_assign_type,
+@@ -4855,6 +4857,7 @@ static inline int ibdev_to_node(struct ib_device *ibdev)
+ bool rdma_dev_access_netns(const struct ib_device *device,
+ const struct net *net);
+
++bool rdma_dev_has_raw_cap(const struct ib_device *dev);
+ static inline struct net *rdma_dev_net(struct ib_device *device)
+ {
+ return read_pnet(&device->coredev.rdma_net);
+--
+2.39.5
+
--- /dev/null
+From 8c08c7d0c1a6f0e45abe116054ba4e0b30b4fba8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:58:07 +0300
+Subject: RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 0498c2d9984ed2ad75b1cd5ba6abfa1226742df5 ]
+
+Currently, the capability check is done in the default
+init_user_ns user namespace. When a process runs in a
+non default user namespace, such check fails. Due to this
+when a process is running using Podman, it fails to create
+the QP.
+
+Since the RDMA device is a resource within a network namespace,
+use the network namespace associated with the RDMA device to
+determine its owning user namespace.
+
+Fixes: 2dee0e545894 ("IB/uverbs: Enable QP creation with a given source QP number")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Link: https://patch.msgid.link/0e5920d1dfe836817bb07576b192da41b637130b.1750963874.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index 6700c2c66167..4d96e4a678f3 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1451,7 +1451,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
+ }
+
+ if (attr.create_flags & IB_QP_CREATE_SOURCE_QPN) {
+- if (!capable(CAP_NET_RAW)) {
++ if (!rdma_uattrs_has_raw_cap(attrs)) {
+ ret = -EPERM;
+ goto err_put;
+ }
+--
+2.39.5
+
--- /dev/null
+From 6e10c9f12fd38655a79bb4ca59682d1d1cf4b12d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:58:08 +0300
+Subject: RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit a6dca091ba7646ff5304af660c94fa51b6696476 ]
+
+Currently, the capability check is done in the default
+init_user_ns user namespace. When a process runs in a
+non default user namespace, such check fails. Due to this
+when a process is running using Podman, it fails to create
+the QP.
+
+Since the RDMA device is a resource within a network namespace,
+use the network namespace associated with the RDMA device to
+determine its owning user namespace.
+
+Fixes: 6d1e7ba241e9 ("IB/uverbs: Introduce create/destroy QP commands over ioctl")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Link: https://patch.msgid.link/7b6b87505ccc28a1f7b4255af94d898d2df0fff5.1750963874.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/uverbs_std_types_qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/uverbs_std_types_qp.c b/drivers/infiniband/core/uverbs_std_types_qp.c
+index 7b4773fa4bc0..be0730e8509e 100644
+--- a/drivers/infiniband/core/uverbs_std_types_qp.c
++++ b/drivers/infiniband/core/uverbs_std_types_qp.c
+@@ -133,7 +133,7 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)(
+ device = xrcd->device;
+ break;
+ case IB_UVERBS_QPT_RAW_PACKET:
+- if (!capable(CAP_NET_RAW))
++ if (!rdma_uattrs_has_raw_cap(attrs))
+ return -EPERM;
+ fallthrough;
+ case IB_UVERBS_QPT_RC:
+--
+2.39.5
+
--- /dev/null
+From 5a600e6d94bce3a2f2d41d529d3c3cac018b5a9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 17:45:29 +0200
+Subject: Reapply "wifi: mac80211: Update skb's control block key in
+ ieee80211_tx_dequeue()"
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 754fe848b3b297fc85ec24cd959bad22b6df8cb8 ]
+
+This reverts commit 0937cb5f345c ("Revert "wifi: mac80211: Update
+skb's control block key in ieee80211_tx_dequeue()"").
+
+This commit broke TX with 802.11 encapsulation HW offloading, now that
+this is fixed, reapply it.
+
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/66b8fc39fb0194fa06c9ca7eeb6ffe0118dcb3ec.1752765971.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 73304a5cf6fc..8aaa59a27bc4 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3883,6 +3883,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ * The key can be removed while the packet was queued, so need to call
+ * this here to get the current key.
+ */
++ info->control.hw_key = NULL;
+ r = ieee80211_tx_h_select_key(&tx);
+ if (r != TX_CONTINUE) {
+ ieee80211_free_txskb(&local->hw, skb);
+--
+2.39.5
+
--- /dev/null
+From 59a6e80962bd1850fcb7495787d77333d2bcba51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 23:12:12 +0000
+Subject: refscale: Check that nreaders and loops multiplication doesn't
+ overflow
+
+From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+
+[ Upstream commit 005b6187705bc9723518ce19c5cb911fc1f7ef07 ]
+
+The nreaders and loops variables are exposed as module parameters, which,
+in certain combinations, can lead to multiplication overflow.
+
+Besides, loops parameter is defined as long, while through the code is
+used as int, which can cause truncation on 64-bit kernels and possible
+zeroes where they shouldn't appear.
+
+Since code uses result of multiplication as int anyway, it only makes sense
+to replace loops with int. Multiplication overflow check is also added
+due to possible multiplication between two very big numbers.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 653ed64b01dc ("refperf: Add a test to measure performance of read-side synchronization")
+Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+Signed-off-by: Neeraj Upadhyay (AMD) <neeraj.upadhyay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/refscale.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/rcu/refscale.c b/kernel/rcu/refscale.c
+index f11a7c2af778..ab7fcdc94cc0 100644
+--- a/kernel/rcu/refscale.c
++++ b/kernel/rcu/refscale.c
+@@ -85,7 +85,7 @@ torture_param(int, holdoff, IS_BUILTIN(CONFIG_RCU_REF_SCALE_TEST) ? 10 : 0,
+ // Number of typesafe_lookup structures, that is, the degree of concurrency.
+ torture_param(long, lookup_instances, 0, "Number of typesafe_lookup structures.");
+ // Number of loops per experiment, all readers execute operations concurrently.
+-torture_param(long, loops, 10000, "Number of loops per experiment.");
++torture_param(int, loops, 10000, "Number of loops per experiment.");
+ // Number of readers, with -1 defaulting to about 75% of the CPUs.
+ torture_param(int, nreaders, -1, "Number of readers, -1 for 75% of CPUs.");
+ // Number of runs.
+@@ -1140,7 +1140,7 @@ static void
+ ref_scale_print_module_parms(const struct ref_scale_ops *cur_ops, const char *tag)
+ {
+ pr_alert("%s" SCALE_FLAG
+- "--- %s: verbose=%d verbose_batched=%d shutdown=%d holdoff=%d lookup_instances=%ld loops=%ld nreaders=%d nruns=%d readdelay=%d\n", scale_type, tag,
++ "--- %s: verbose=%d verbose_batched=%d shutdown=%d holdoff=%d lookup_instances=%ld loops=%d nreaders=%d nruns=%d readdelay=%d\n", scale_type, tag,
+ verbose, verbose_batched, shutdown, holdoff, lookup_instances, loops, nreaders, nruns, readdelay);
+ }
+
+@@ -1238,12 +1238,16 @@ ref_scale_init(void)
+ // Reader tasks (default to ~75% of online CPUs).
+ if (nreaders < 0)
+ nreaders = (num_online_cpus() >> 1) + (num_online_cpus() >> 2);
+- if (WARN_ONCE(loops <= 0, "%s: loops = %ld, adjusted to 1\n", __func__, loops))
++ if (WARN_ONCE(loops <= 0, "%s: loops = %d, adjusted to 1\n", __func__, loops))
+ loops = 1;
+ if (WARN_ONCE(nreaders <= 0, "%s: nreaders = %d, adjusted to 1\n", __func__, nreaders))
+ nreaders = 1;
+ if (WARN_ONCE(nruns <= 0, "%s: nruns = %d, adjusted to 1\n", __func__, nruns))
+ nruns = 1;
++ if (WARN_ONCE(loops > INT_MAX / nreaders,
++ "%s: nreaders * loops will overflow, adjusted loops to %d",
++ __func__, INT_MAX / nreaders))
++ loops = INT_MAX / nreaders;
+ reader_tasks = kcalloc(nreaders, sizeof(reader_tasks[0]),
+ GFP_KERNEL);
+ if (!reader_tasks) {
+--
+2.39.5
+
--- /dev/null
+From 164e10e81e29521dcb54606a85f196e9532a8ab4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 17:17:47 -0500
+Subject: remoteproc: qcom: pas: Conclude the rename from adsp
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+[ Upstream commit 2c0c883f895f16fd9d367ec2e64bccab907d8d87 ]
+
+The change that renamed the driver from "adsp" to "pas" didn't change
+any of the implementation. The result is an aesthetic eyesore, and
+confusing to many.
+
+Conclude the rename of the driver, by updating function, structures and
+variable names to match what the driver actually is. The "Hexagon v5" is
+also dropped from the name and Kconfig, as this isn't correct either.
+
+No functional change.
+
+Fixes: 9e004f97161d ("remoteproc: qcom: Rename Hexagon v5 PAS driver")
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Reviewed-by: Wasim Nazir <quic_wasimn@quicinc.com>
+Link: https://lore.kernel.org/r/20250605-pas-rename-v2-1-f1c89e49e691@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/Kconfig | 11 +-
+ drivers/remoteproc/qcom_q6v5_pas.c | 621 ++++++++++++++---------------
+ 2 files changed, 313 insertions(+), 319 deletions(-)
+
+diff --git a/drivers/remoteproc/Kconfig b/drivers/remoteproc/Kconfig
+index 83962a114dc9..48a0d3a69ed0 100644
+--- a/drivers/remoteproc/Kconfig
++++ b/drivers/remoteproc/Kconfig
+@@ -214,7 +214,7 @@ config QCOM_Q6V5_MSS
+ handled by QCOM_Q6V5_PAS driver.
+
+ config QCOM_Q6V5_PAS
+- tristate "Qualcomm Hexagon v5 Peripheral Authentication Service support"
++ tristate "Qualcomm Peripheral Authentication Service support"
+ depends on OF && ARCH_QCOM
+ depends on QCOM_SMEM
+ depends on RPMSG_QCOM_SMD || RPMSG_QCOM_SMD=n
+@@ -229,11 +229,10 @@ config QCOM_Q6V5_PAS
+ select QCOM_RPROC_COMMON
+ select QCOM_SCM
+ help
+- Say y here to support the TrustZone based Peripheral Image Loader
+- for the Qualcomm Hexagon v5 based remote processors. This is commonly
+- used to control subsystems such as ADSP (Audio DSP),
+- CDSP (Compute DSP), MPSS (Modem Peripheral SubSystem), and
+- SLPI (Sensor Low Power Island).
++ Say y here to support the TrustZone based Peripheral Image Loader for
++ the Qualcomm remote processors. This is commonly used to control
++ subsystems such as ADSP (Audio DSP), CDSP (Compute DSP), MPSS (Modem
++ Peripheral SubSystem), and SLPI (Sensor Low Power Island).
+
+ config QCOM_Q6V5_WCSS
+ tristate "Qualcomm Hexagon based WCSS Peripheral Image Loader"
+diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
+index b306f223127c..02e29171cbbe 100644
+--- a/drivers/remoteproc/qcom_q6v5_pas.c
++++ b/drivers/remoteproc/qcom_q6v5_pas.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+- * Qualcomm ADSP/SLPI Peripheral Image Loader for MSM8974 and MSM8996
++ * Qualcomm Peripheral Authentication Service remoteproc driver
+ *
+ * Copyright (C) 2016 Linaro Ltd
+ * Copyright (C) 2014 Sony Mobile Communications AB
+@@ -31,11 +31,11 @@
+ #include "qcom_q6v5.h"
+ #include "remoteproc_internal.h"
+
+-#define ADSP_DECRYPT_SHUTDOWN_DELAY_MS 100
++#define QCOM_PAS_DECRYPT_SHUTDOWN_DELAY_MS 100
+
+ #define MAX_ASSIGN_COUNT 3
+
+-struct adsp_data {
++struct qcom_pas_data {
+ int crash_reason_smem;
+ const char *firmware_name;
+ const char *dtb_firmware_name;
+@@ -60,7 +60,7 @@ struct adsp_data {
+ int region_assign_vmid;
+ };
+
+-struct qcom_adsp {
++struct qcom_pas {
+ struct device *dev;
+ struct rproc *rproc;
+
+@@ -119,36 +119,37 @@ struct qcom_adsp {
+ struct qcom_scm_pas_metadata dtb_pas_metadata;
+ };
+
+-static void adsp_segment_dump(struct rproc *rproc, struct rproc_dump_segment *segment,
+- void *dest, size_t offset, size_t size)
++static void qcom_pas_segment_dump(struct rproc *rproc,
++ struct rproc_dump_segment *segment,
++ void *dest, size_t offset, size_t size)
+ {
+- struct qcom_adsp *adsp = rproc->priv;
++ struct qcom_pas *pas = rproc->priv;
+ int total_offset;
+
+- total_offset = segment->da + segment->offset + offset - adsp->mem_phys;
+- if (total_offset < 0 || total_offset + size > adsp->mem_size) {
+- dev_err(adsp->dev,
++ total_offset = segment->da + segment->offset + offset - pas->mem_phys;
++ if (total_offset < 0 || total_offset + size > pas->mem_size) {
++ dev_err(pas->dev,
+ "invalid copy request for segment %pad with offset %zu and size %zu)\n",
+ &segment->da, offset, size);
+ memset(dest, 0xff, size);
+ return;
+ }
+
+- memcpy_fromio(dest, adsp->mem_region + total_offset, size);
++ memcpy_fromio(dest, pas->mem_region + total_offset, size);
+ }
+
+-static void adsp_minidump(struct rproc *rproc)
++static void qcom_pas_minidump(struct rproc *rproc)
+ {
+- struct qcom_adsp *adsp = rproc->priv;
++ struct qcom_pas *pas = rproc->priv;
+
+ if (rproc->dump_conf == RPROC_COREDUMP_DISABLED)
+ return;
+
+- qcom_minidump(rproc, adsp->minidump_id, adsp_segment_dump);
++ qcom_minidump(rproc, pas->minidump_id, qcom_pas_segment_dump);
+ }
+
+-static int adsp_pds_enable(struct qcom_adsp *adsp, struct device **pds,
+- size_t pd_count)
++static int qcom_pas_pds_enable(struct qcom_pas *pas, struct device **pds,
++ size_t pd_count)
+ {
+ int ret;
+ int i;
+@@ -174,8 +175,8 @@ static int adsp_pds_enable(struct qcom_adsp *adsp, struct device **pds,
+ return ret;
+ };
+
+-static void adsp_pds_disable(struct qcom_adsp *adsp, struct device **pds,
+- size_t pd_count)
++static void qcom_pas_pds_disable(struct qcom_pas *pas, struct device **pds,
++ size_t pd_count)
+ {
+ int i;
+
+@@ -185,65 +186,65 @@ static void adsp_pds_disable(struct qcom_adsp *adsp, struct device **pds,
+ }
+ }
+
+-static int adsp_shutdown_poll_decrypt(struct qcom_adsp *adsp)
++static int qcom_pas_shutdown_poll_decrypt(struct qcom_pas *pas)
+ {
+ unsigned int retry_num = 50;
+ int ret;
+
+ do {
+- msleep(ADSP_DECRYPT_SHUTDOWN_DELAY_MS);
+- ret = qcom_scm_pas_shutdown(adsp->pas_id);
++ msleep(QCOM_PAS_DECRYPT_SHUTDOWN_DELAY_MS);
++ ret = qcom_scm_pas_shutdown(pas->pas_id);
+ } while (ret == -EINVAL && --retry_num);
+
+ return ret;
+ }
+
+-static int adsp_unprepare(struct rproc *rproc)
++static int qcom_pas_unprepare(struct rproc *rproc)
+ {
+- struct qcom_adsp *adsp = rproc->priv;
++ struct qcom_pas *pas = rproc->priv;
+
+ /*
+- * adsp_load() did pass pas_metadata to the SCM driver for storing
++ * qcom_pas_load() did pass pas_metadata to the SCM driver for storing
+ * metadata context. It might have been released already if
+ * auth_and_reset() was successful, but in other cases clean it up
+ * here.
+ */
+- qcom_scm_pas_metadata_release(&adsp->pas_metadata);
+- if (adsp->dtb_pas_id)
+- qcom_scm_pas_metadata_release(&adsp->dtb_pas_metadata);
++ qcom_scm_pas_metadata_release(&pas->pas_metadata);
++ if (pas->dtb_pas_id)
++ qcom_scm_pas_metadata_release(&pas->dtb_pas_metadata);
+
+ return 0;
+ }
+
+-static int adsp_load(struct rproc *rproc, const struct firmware *fw)
++static int qcom_pas_load(struct rproc *rproc, const struct firmware *fw)
+ {
+- struct qcom_adsp *adsp = rproc->priv;
++ struct qcom_pas *pas = rproc->priv;
+ int ret;
+
+- /* Store firmware handle to be used in adsp_start() */
+- adsp->firmware = fw;
++ /* Store firmware handle to be used in qcom_pas_start() */
++ pas->firmware = fw;
+
+- if (adsp->lite_pas_id)
+- ret = qcom_scm_pas_shutdown(adsp->lite_pas_id);
++ if (pas->lite_pas_id)
++ ret = qcom_scm_pas_shutdown(pas->lite_pas_id);
+
+- if (adsp->dtb_pas_id) {
+- ret = request_firmware(&adsp->dtb_firmware, adsp->dtb_firmware_name, adsp->dev);
++ if (pas->dtb_pas_id) {
++ ret = request_firmware(&pas->dtb_firmware, pas->dtb_firmware_name, pas->dev);
+ if (ret) {
+- dev_err(adsp->dev, "request_firmware failed for %s: %d\n",
+- adsp->dtb_firmware_name, ret);
++ dev_err(pas->dev, "request_firmware failed for %s: %d\n",
++ pas->dtb_firmware_name, ret);
+ return ret;
+ }
+
+- ret = qcom_mdt_pas_init(adsp->dev, adsp->dtb_firmware, adsp->dtb_firmware_name,
+- adsp->dtb_pas_id, adsp->dtb_mem_phys,
+- &adsp->dtb_pas_metadata);
++ ret = qcom_mdt_pas_init(pas->dev, pas->dtb_firmware, pas->dtb_firmware_name,
++ pas->dtb_pas_id, pas->dtb_mem_phys,
++ &pas->dtb_pas_metadata);
+ if (ret)
+ goto release_dtb_firmware;
+
+- ret = qcom_mdt_load_no_init(adsp->dev, adsp->dtb_firmware, adsp->dtb_firmware_name,
+- adsp->dtb_pas_id, adsp->dtb_mem_region,
+- adsp->dtb_mem_phys, adsp->dtb_mem_size,
+- &adsp->dtb_mem_reloc);
++ ret = qcom_mdt_load_no_init(pas->dev, pas->dtb_firmware, pas->dtb_firmware_name,
++ pas->dtb_pas_id, pas->dtb_mem_region,
++ pas->dtb_mem_phys, pas->dtb_mem_size,
++ &pas->dtb_mem_reloc);
+ if (ret)
+ goto release_dtb_metadata;
+ }
+@@ -251,248 +252,246 @@ static int adsp_load(struct rproc *rproc, const struct firmware *fw)
+ return 0;
+
+ release_dtb_metadata:
+- qcom_scm_pas_metadata_release(&adsp->dtb_pas_metadata);
++ qcom_scm_pas_metadata_release(&pas->dtb_pas_metadata);
+
+ release_dtb_firmware:
+- release_firmware(adsp->dtb_firmware);
++ release_firmware(pas->dtb_firmware);
+
+ return ret;
+ }
+
+-static int adsp_start(struct rproc *rproc)
++static int qcom_pas_start(struct rproc *rproc)
+ {
+- struct qcom_adsp *adsp = rproc->priv;
++ struct qcom_pas *pas = rproc->priv;
+ int ret;
+
+- ret = qcom_q6v5_prepare(&adsp->q6v5);
++ ret = qcom_q6v5_prepare(&pas->q6v5);
+ if (ret)
+ return ret;
+
+- ret = adsp_pds_enable(adsp, adsp->proxy_pds, adsp->proxy_pd_count);
++ ret = qcom_pas_pds_enable(pas, pas->proxy_pds, pas->proxy_pd_count);
+ if (ret < 0)
+ goto disable_irqs;
+
+- ret = clk_prepare_enable(adsp->xo);
++ ret = clk_prepare_enable(pas->xo);
+ if (ret)
+ goto disable_proxy_pds;
+
+- ret = clk_prepare_enable(adsp->aggre2_clk);
++ ret = clk_prepare_enable(pas->aggre2_clk);
+ if (ret)
+ goto disable_xo_clk;
+
+- if (adsp->cx_supply) {
+- ret = regulator_enable(adsp->cx_supply);
++ if (pas->cx_supply) {
++ ret = regulator_enable(pas->cx_supply);
+ if (ret)
+ goto disable_aggre2_clk;
+ }
+
+- if (adsp->px_supply) {
+- ret = regulator_enable(adsp->px_supply);
++ if (pas->px_supply) {
++ ret = regulator_enable(pas->px_supply);
+ if (ret)
+ goto disable_cx_supply;
+ }
+
+- if (adsp->dtb_pas_id) {
+- ret = qcom_scm_pas_auth_and_reset(adsp->dtb_pas_id);
++ if (pas->dtb_pas_id) {
++ ret = qcom_scm_pas_auth_and_reset(pas->dtb_pas_id);
+ if (ret) {
+- dev_err(adsp->dev,
++ dev_err(pas->dev,
+ "failed to authenticate dtb image and release reset\n");
+ goto disable_px_supply;
+ }
+ }
+
+- ret = qcom_mdt_pas_init(adsp->dev, adsp->firmware, rproc->firmware, adsp->pas_id,
+- adsp->mem_phys, &adsp->pas_metadata);
++ ret = qcom_mdt_pas_init(pas->dev, pas->firmware, rproc->firmware, pas->pas_id,
++ pas->mem_phys, &pas->pas_metadata);
+ if (ret)
+ goto disable_px_supply;
+
+- ret = qcom_mdt_load_no_init(adsp->dev, adsp->firmware, rproc->firmware, adsp->pas_id,
+- adsp->mem_region, adsp->mem_phys, adsp->mem_size,
+- &adsp->mem_reloc);
++ ret = qcom_mdt_load_no_init(pas->dev, pas->firmware, rproc->firmware, pas->pas_id,
++ pas->mem_region, pas->mem_phys, pas->mem_size,
++ &pas->mem_reloc);
+ if (ret)
+ goto release_pas_metadata;
+
+- qcom_pil_info_store(adsp->info_name, adsp->mem_phys, adsp->mem_size);
++ qcom_pil_info_store(pas->info_name, pas->mem_phys, pas->mem_size);
+
+- ret = qcom_scm_pas_auth_and_reset(adsp->pas_id);
++ ret = qcom_scm_pas_auth_and_reset(pas->pas_id);
+ if (ret) {
+- dev_err(adsp->dev,
++ dev_err(pas->dev,
+ "failed to authenticate image and release reset\n");
+ goto release_pas_metadata;
+ }
+
+- ret = qcom_q6v5_wait_for_start(&adsp->q6v5, msecs_to_jiffies(5000));
++ ret = qcom_q6v5_wait_for_start(&pas->q6v5, msecs_to_jiffies(5000));
+ if (ret == -ETIMEDOUT) {
+- dev_err(adsp->dev, "start timed out\n");
+- qcom_scm_pas_shutdown(adsp->pas_id);
++ dev_err(pas->dev, "start timed out\n");
++ qcom_scm_pas_shutdown(pas->pas_id);
+ goto release_pas_metadata;
+ }
+
+- qcom_scm_pas_metadata_release(&adsp->pas_metadata);
+- if (adsp->dtb_pas_id)
+- qcom_scm_pas_metadata_release(&adsp->dtb_pas_metadata);
++ qcom_scm_pas_metadata_release(&pas->pas_metadata);
++ if (pas->dtb_pas_id)
++ qcom_scm_pas_metadata_release(&pas->dtb_pas_metadata);
+
+- /* Remove pointer to the loaded firmware, only valid in adsp_load() & adsp_start() */
+- adsp->firmware = NULL;
++ /* firmware is used to pass reference from qcom_pas_start(), drop it now */
++ pas->firmware = NULL;
+
+ return 0;
+
+ release_pas_metadata:
+- qcom_scm_pas_metadata_release(&adsp->pas_metadata);
+- if (adsp->dtb_pas_id)
+- qcom_scm_pas_metadata_release(&adsp->dtb_pas_metadata);
++ qcom_scm_pas_metadata_release(&pas->pas_metadata);
++ if (pas->dtb_pas_id)
++ qcom_scm_pas_metadata_release(&pas->dtb_pas_metadata);
+ disable_px_supply:
+- if (adsp->px_supply)
+- regulator_disable(adsp->px_supply);
++ if (pas->px_supply)
++ regulator_disable(pas->px_supply);
+ disable_cx_supply:
+- if (adsp->cx_supply)
+- regulator_disable(adsp->cx_supply);
++ if (pas->cx_supply)
++ regulator_disable(pas->cx_supply);
+ disable_aggre2_clk:
+- clk_disable_unprepare(adsp->aggre2_clk);
++ clk_disable_unprepare(pas->aggre2_clk);
+ disable_xo_clk:
+- clk_disable_unprepare(adsp->xo);
++ clk_disable_unprepare(pas->xo);
+ disable_proxy_pds:
+- adsp_pds_disable(adsp, adsp->proxy_pds, adsp->proxy_pd_count);
++ qcom_pas_pds_disable(pas, pas->proxy_pds, pas->proxy_pd_count);
+ disable_irqs:
+- qcom_q6v5_unprepare(&adsp->q6v5);
++ qcom_q6v5_unprepare(&pas->q6v5);
+
+- /* Remove pointer to the loaded firmware, only valid in adsp_load() & adsp_start() */
+- adsp->firmware = NULL;
++ /* firmware is used to pass reference from qcom_pas_start(), drop it now */
++ pas->firmware = NULL;
+
+ return ret;
+ }
+
+ static void qcom_pas_handover(struct qcom_q6v5 *q6v5)
+ {
+- struct qcom_adsp *adsp = container_of(q6v5, struct qcom_adsp, q6v5);
+-
+- if (adsp->px_supply)
+- regulator_disable(adsp->px_supply);
+- if (adsp->cx_supply)
+- regulator_disable(adsp->cx_supply);
+- clk_disable_unprepare(adsp->aggre2_clk);
+- clk_disable_unprepare(adsp->xo);
+- adsp_pds_disable(adsp, adsp->proxy_pds, adsp->proxy_pd_count);
++ struct qcom_pas *pas = container_of(q6v5, struct qcom_pas, q6v5);
++
++ if (pas->px_supply)
++ regulator_disable(pas->px_supply);
++ if (pas->cx_supply)
++ regulator_disable(pas->cx_supply);
++ clk_disable_unprepare(pas->aggre2_clk);
++ clk_disable_unprepare(pas->xo);
++ qcom_pas_pds_disable(pas, pas->proxy_pds, pas->proxy_pd_count);
+ }
+
+-static int adsp_stop(struct rproc *rproc)
++static int qcom_pas_stop(struct rproc *rproc)
+ {
+- struct qcom_adsp *adsp = rproc->priv;
++ struct qcom_pas *pas = rproc->priv;
+ int handover;
+ int ret;
+
+- ret = qcom_q6v5_request_stop(&adsp->q6v5, adsp->sysmon);
++ ret = qcom_q6v5_request_stop(&pas->q6v5, pas->sysmon);
+ if (ret == -ETIMEDOUT)
+- dev_err(adsp->dev, "timed out on wait\n");
++ dev_err(pas->dev, "timed out on wait\n");
+
+- ret = qcom_scm_pas_shutdown(adsp->pas_id);
+- if (ret && adsp->decrypt_shutdown)
+- ret = adsp_shutdown_poll_decrypt(adsp);
++ ret = qcom_scm_pas_shutdown(pas->pas_id);
++ if (ret && pas->decrypt_shutdown)
++ ret = qcom_pas_shutdown_poll_decrypt(pas);
+
+ if (ret)
+- dev_err(adsp->dev, "failed to shutdown: %d\n", ret);
++ dev_err(pas->dev, "failed to shutdown: %d\n", ret);
+
+- if (adsp->dtb_pas_id) {
+- ret = qcom_scm_pas_shutdown(adsp->dtb_pas_id);
++ if (pas->dtb_pas_id) {
++ ret = qcom_scm_pas_shutdown(pas->dtb_pas_id);
+ if (ret)
+- dev_err(adsp->dev, "failed to shutdown dtb: %d\n", ret);
++ dev_err(pas->dev, "failed to shutdown dtb: %d\n", ret);
+ }
+
+- handover = qcom_q6v5_unprepare(&adsp->q6v5);
++ handover = qcom_q6v5_unprepare(&pas->q6v5);
+ if (handover)
+- qcom_pas_handover(&adsp->q6v5);
++ qcom_pas_handover(&pas->q6v5);
+
+- if (adsp->smem_host_id)
+- ret = qcom_smem_bust_hwspin_lock_by_host(adsp->smem_host_id);
++ if (pas->smem_host_id)
++ ret = qcom_smem_bust_hwspin_lock_by_host(pas->smem_host_id);
+
+ return ret;
+ }
+
+-static void *adsp_da_to_va(struct rproc *rproc, u64 da, size_t len, bool *is_iomem)
++static void *qcom_pas_da_to_va(struct rproc *rproc, u64 da, size_t len, bool *is_iomem)
+ {
+- struct qcom_adsp *adsp = rproc->priv;
++ struct qcom_pas *pas = rproc->priv;
+ int offset;
+
+- offset = da - adsp->mem_reloc;
+- if (offset < 0 || offset + len > adsp->mem_size)
++ offset = da - pas->mem_reloc;
++ if (offset < 0 || offset + len > pas->mem_size)
+ return NULL;
+
+ if (is_iomem)
+ *is_iomem = true;
+
+- return adsp->mem_region + offset;
++ return pas->mem_region + offset;
+ }
+
+-static unsigned long adsp_panic(struct rproc *rproc)
++static unsigned long qcom_pas_panic(struct rproc *rproc)
+ {
+- struct qcom_adsp *adsp = rproc->priv;
++ struct qcom_pas *pas = rproc->priv;
+
+- return qcom_q6v5_panic(&adsp->q6v5);
++ return qcom_q6v5_panic(&pas->q6v5);
+ }
+
+-static const struct rproc_ops adsp_ops = {
+- .unprepare = adsp_unprepare,
+- .start = adsp_start,
+- .stop = adsp_stop,
+- .da_to_va = adsp_da_to_va,
++static const struct rproc_ops qcom_pas_ops = {
++ .unprepare = qcom_pas_unprepare,
++ .start = qcom_pas_start,
++ .stop = qcom_pas_stop,
++ .da_to_va = qcom_pas_da_to_va,
+ .parse_fw = qcom_register_dump_segments,
+- .load = adsp_load,
+- .panic = adsp_panic,
++ .load = qcom_pas_load,
++ .panic = qcom_pas_panic,
+ };
+
+-static const struct rproc_ops adsp_minidump_ops = {
+- .unprepare = adsp_unprepare,
+- .start = adsp_start,
+- .stop = adsp_stop,
+- .da_to_va = adsp_da_to_va,
++static const struct rproc_ops qcom_pas_minidump_ops = {
++ .unprepare = qcom_pas_unprepare,
++ .start = qcom_pas_start,
++ .stop = qcom_pas_stop,
++ .da_to_va = qcom_pas_da_to_va,
+ .parse_fw = qcom_register_dump_segments,
+- .load = adsp_load,
+- .panic = adsp_panic,
+- .coredump = adsp_minidump,
++ .load = qcom_pas_load,
++ .panic = qcom_pas_panic,
++ .coredump = qcom_pas_minidump,
+ };
+
+-static int adsp_init_clock(struct qcom_adsp *adsp)
++static int qcom_pas_init_clock(struct qcom_pas *pas)
+ {
+- adsp->xo = devm_clk_get(adsp->dev, "xo");
+- if (IS_ERR(adsp->xo))
+- return dev_err_probe(adsp->dev, PTR_ERR(adsp->xo),
++ pas->xo = devm_clk_get(pas->dev, "xo");
++ if (IS_ERR(pas->xo))
++ return dev_err_probe(pas->dev, PTR_ERR(pas->xo),
+ "failed to get xo clock");
+
+-
+- adsp->aggre2_clk = devm_clk_get_optional(adsp->dev, "aggre2");
+- if (IS_ERR(adsp->aggre2_clk))
+- return dev_err_probe(adsp->dev, PTR_ERR(adsp->aggre2_clk),
++ pas->aggre2_clk = devm_clk_get_optional(pas->dev, "aggre2");
++ if (IS_ERR(pas->aggre2_clk))
++ return dev_err_probe(pas->dev, PTR_ERR(pas->aggre2_clk),
+ "failed to get aggre2 clock");
+
+ return 0;
+ }
+
+-static int adsp_init_regulator(struct qcom_adsp *adsp)
++static int qcom_pas_init_regulator(struct qcom_pas *pas)
+ {
+- adsp->cx_supply = devm_regulator_get_optional(adsp->dev, "cx");
+- if (IS_ERR(adsp->cx_supply)) {
+- if (PTR_ERR(adsp->cx_supply) == -ENODEV)
+- adsp->cx_supply = NULL;
++ pas->cx_supply = devm_regulator_get_optional(pas->dev, "cx");
++ if (IS_ERR(pas->cx_supply)) {
++ if (PTR_ERR(pas->cx_supply) == -ENODEV)
++ pas->cx_supply = NULL;
+ else
+- return PTR_ERR(adsp->cx_supply);
++ return PTR_ERR(pas->cx_supply);
+ }
+
+- if (adsp->cx_supply)
+- regulator_set_load(adsp->cx_supply, 100000);
++ if (pas->cx_supply)
++ regulator_set_load(pas->cx_supply, 100000);
+
+- adsp->px_supply = devm_regulator_get_optional(adsp->dev, "px");
+- if (IS_ERR(adsp->px_supply)) {
+- if (PTR_ERR(adsp->px_supply) == -ENODEV)
+- adsp->px_supply = NULL;
++ pas->px_supply = devm_regulator_get_optional(pas->dev, "px");
++ if (IS_ERR(pas->px_supply)) {
++ if (PTR_ERR(pas->px_supply) == -ENODEV)
++ pas->px_supply = NULL;
+ else
+- return PTR_ERR(adsp->px_supply);
++ return PTR_ERR(pas->px_supply);
+ }
+
+ return 0;
+ }
+
+-static int adsp_pds_attach(struct device *dev, struct device **devs,
+- char **pd_names)
++static int qcom_pas_pds_attach(struct device *dev, struct device **devs, char **pd_names)
+ {
+ size_t num_pds = 0;
+ int ret;
+@@ -528,10 +527,9 @@ static int adsp_pds_attach(struct device *dev, struct device **devs,
+ return ret;
+ };
+
+-static void adsp_pds_detach(struct qcom_adsp *adsp, struct device **pds,
+- size_t pd_count)
++static void qcom_pas_pds_detach(struct qcom_pas *pas, struct device **pds, size_t pd_count)
+ {
+- struct device *dev = adsp->dev;
++ struct device *dev = pas->dev;
+ int i;
+
+ /* Handle single power domain */
+@@ -544,62 +542,62 @@ static void adsp_pds_detach(struct qcom_adsp *adsp, struct device **pds,
+ dev_pm_domain_detach(pds[i], false);
+ }
+
+-static int adsp_alloc_memory_region(struct qcom_adsp *adsp)
++static int qcom_pas_alloc_memory_region(struct qcom_pas *pas)
+ {
+ struct reserved_mem *rmem;
+ struct device_node *node;
+
+- node = of_parse_phandle(adsp->dev->of_node, "memory-region", 0);
++ node = of_parse_phandle(pas->dev->of_node, "memory-region", 0);
+ if (!node) {
+- dev_err(adsp->dev, "no memory-region specified\n");
++ dev_err(pas->dev, "no memory-region specified\n");
+ return -EINVAL;
+ }
+
+ rmem = of_reserved_mem_lookup(node);
+ of_node_put(node);
+ if (!rmem) {
+- dev_err(adsp->dev, "unable to resolve memory-region\n");
++ dev_err(pas->dev, "unable to resolve memory-region\n");
+ return -EINVAL;
+ }
+
+- adsp->mem_phys = adsp->mem_reloc = rmem->base;
+- adsp->mem_size = rmem->size;
+- adsp->mem_region = devm_ioremap_wc(adsp->dev, adsp->mem_phys, adsp->mem_size);
+- if (!adsp->mem_region) {
+- dev_err(adsp->dev, "unable to map memory region: %pa+%zx\n",
+- &rmem->base, adsp->mem_size);
++ pas->mem_phys = pas->mem_reloc = rmem->base;
++ pas->mem_size = rmem->size;
++ pas->mem_region = devm_ioremap_wc(pas->dev, pas->mem_phys, pas->mem_size);
++ if (!pas->mem_region) {
++ dev_err(pas->dev, "unable to map memory region: %pa+%zx\n",
++ &rmem->base, pas->mem_size);
+ return -EBUSY;
+ }
+
+- if (!adsp->dtb_pas_id)
++ if (!pas->dtb_pas_id)
+ return 0;
+
+- node = of_parse_phandle(adsp->dev->of_node, "memory-region", 1);
++ node = of_parse_phandle(pas->dev->of_node, "memory-region", 1);
+ if (!node) {
+- dev_err(adsp->dev, "no dtb memory-region specified\n");
++ dev_err(pas->dev, "no dtb memory-region specified\n");
+ return -EINVAL;
+ }
+
+ rmem = of_reserved_mem_lookup(node);
+ of_node_put(node);
+ if (!rmem) {
+- dev_err(adsp->dev, "unable to resolve dtb memory-region\n");
++ dev_err(pas->dev, "unable to resolve dtb memory-region\n");
+ return -EINVAL;
+ }
+
+- adsp->dtb_mem_phys = adsp->dtb_mem_reloc = rmem->base;
+- adsp->dtb_mem_size = rmem->size;
+- adsp->dtb_mem_region = devm_ioremap_wc(adsp->dev, adsp->dtb_mem_phys, adsp->dtb_mem_size);
+- if (!adsp->dtb_mem_region) {
+- dev_err(adsp->dev, "unable to map dtb memory region: %pa+%zx\n",
+- &rmem->base, adsp->dtb_mem_size);
++ pas->dtb_mem_phys = pas->dtb_mem_reloc = rmem->base;
++ pas->dtb_mem_size = rmem->size;
++ pas->dtb_mem_region = devm_ioremap_wc(pas->dev, pas->dtb_mem_phys, pas->dtb_mem_size);
++ if (!pas->dtb_mem_region) {
++ dev_err(pas->dev, "unable to map dtb memory region: %pa+%zx\n",
++ &rmem->base, pas->dtb_mem_size);
+ return -EBUSY;
+ }
+
+ return 0;
+ }
+
+-static int adsp_assign_memory_region(struct qcom_adsp *adsp)
++static int qcom_pas_assign_memory_region(struct qcom_pas *pas)
+ {
+ struct qcom_scm_vmperm perm[MAX_ASSIGN_COUNT];
+ struct device_node *node;
+@@ -607,45 +605,45 @@ static int adsp_assign_memory_region(struct qcom_adsp *adsp)
+ int offset;
+ int ret;
+
+- if (!adsp->region_assign_idx)
++ if (!pas->region_assign_idx)
+ return 0;
+
+- for (offset = 0; offset < adsp->region_assign_count; ++offset) {
++ for (offset = 0; offset < pas->region_assign_count; ++offset) {
+ struct reserved_mem *rmem = NULL;
+
+- node = of_parse_phandle(adsp->dev->of_node, "memory-region",
+- adsp->region_assign_idx + offset);
++ node = of_parse_phandle(pas->dev->of_node, "memory-region",
++ pas->region_assign_idx + offset);
+ if (node)
+ rmem = of_reserved_mem_lookup(node);
+ of_node_put(node);
+ if (!rmem) {
+- dev_err(adsp->dev, "unable to resolve shareable memory-region index %d\n",
++ dev_err(pas->dev, "unable to resolve shareable memory-region index %d\n",
+ offset);
+ return -EINVAL;
+ }
+
+- if (adsp->region_assign_shared) {
++ if (pas->region_assign_shared) {
+ perm[0].vmid = QCOM_SCM_VMID_HLOS;
+ perm[0].perm = QCOM_SCM_PERM_RW;
+- perm[1].vmid = adsp->region_assign_vmid;
++ perm[1].vmid = pas->region_assign_vmid;
+ perm[1].perm = QCOM_SCM_PERM_RW;
+ perm_size = 2;
+ } else {
+- perm[0].vmid = adsp->region_assign_vmid;
++ perm[0].vmid = pas->region_assign_vmid;
+ perm[0].perm = QCOM_SCM_PERM_RW;
+ perm_size = 1;
+ }
+
+- adsp->region_assign_phys[offset] = rmem->base;
+- adsp->region_assign_size[offset] = rmem->size;
+- adsp->region_assign_owners[offset] = BIT(QCOM_SCM_VMID_HLOS);
++ pas->region_assign_phys[offset] = rmem->base;
++ pas->region_assign_size[offset] = rmem->size;
++ pas->region_assign_owners[offset] = BIT(QCOM_SCM_VMID_HLOS);
+
+- ret = qcom_scm_assign_mem(adsp->region_assign_phys[offset],
+- adsp->region_assign_size[offset],
+- &adsp->region_assign_owners[offset],
++ ret = qcom_scm_assign_mem(pas->region_assign_phys[offset],
++ pas->region_assign_size[offset],
++ &pas->region_assign_owners[offset],
+ perm, perm_size);
+ if (ret < 0) {
+- dev_err(adsp->dev, "assign memory %d failed\n", offset);
++ dev_err(pas->dev, "assign memory %d failed\n", offset);
+ return ret;
+ }
+ }
+@@ -653,35 +651,35 @@ static int adsp_assign_memory_region(struct qcom_adsp *adsp)
+ return 0;
+ }
+
+-static void adsp_unassign_memory_region(struct qcom_adsp *adsp)
++static void qcom_pas_unassign_memory_region(struct qcom_pas *pas)
+ {
+ struct qcom_scm_vmperm perm;
+ int offset;
+ int ret;
+
+- if (!adsp->region_assign_idx || adsp->region_assign_shared)
++ if (!pas->region_assign_idx || pas->region_assign_shared)
+ return;
+
+- for (offset = 0; offset < adsp->region_assign_count; ++offset) {
++ for (offset = 0; offset < pas->region_assign_count; ++offset) {
+ perm.vmid = QCOM_SCM_VMID_HLOS;
+ perm.perm = QCOM_SCM_PERM_RW;
+
+- ret = qcom_scm_assign_mem(adsp->region_assign_phys[offset],
+- adsp->region_assign_size[offset],
+- &adsp->region_assign_owners[offset],
++ ret = qcom_scm_assign_mem(pas->region_assign_phys[offset],
++ pas->region_assign_size[offset],
++ &pas->region_assign_owners[offset],
+ &perm, 1);
+ if (ret < 0)
+- dev_err(adsp->dev, "unassign memory %d failed\n", offset);
++ dev_err(pas->dev, "unassign memory %d failed\n", offset);
+ }
+ }
+
+-static int adsp_probe(struct platform_device *pdev)
++static int qcom_pas_probe(struct platform_device *pdev)
+ {
+- const struct adsp_data *desc;
+- struct qcom_adsp *adsp;
++ const struct qcom_pas_data *desc;
++ struct qcom_pas *pas;
+ struct rproc *rproc;
+ const char *fw_name, *dtb_fw_name = NULL;
+- const struct rproc_ops *ops = &adsp_ops;
++ const struct rproc_ops *ops = &qcom_pas_ops;
+ int ret;
+
+ desc = of_device_get_match_data(&pdev->dev);
+@@ -706,9 +704,9 @@ static int adsp_probe(struct platform_device *pdev)
+ }
+
+ if (desc->minidump_id)
+- ops = &adsp_minidump_ops;
++ ops = &qcom_pas_minidump_ops;
+
+- rproc = devm_rproc_alloc(&pdev->dev, desc->sysmon_name, ops, fw_name, sizeof(*adsp));
++ rproc = devm_rproc_alloc(&pdev->dev, desc->sysmon_name, ops, fw_name, sizeof(*pas));
+
+ if (!rproc) {
+ dev_err(&pdev->dev, "unable to allocate remoteproc\n");
+@@ -718,68 +716,65 @@ static int adsp_probe(struct platform_device *pdev)
+ rproc->auto_boot = desc->auto_boot;
+ rproc_coredump_set_elf_info(rproc, ELFCLASS32, EM_NONE);
+
+- adsp = rproc->priv;
+- adsp->dev = &pdev->dev;
+- adsp->rproc = rproc;
+- adsp->minidump_id = desc->minidump_id;
+- adsp->pas_id = desc->pas_id;
+- adsp->lite_pas_id = desc->lite_pas_id;
+- adsp->info_name = desc->sysmon_name;
+- adsp->smem_host_id = desc->smem_host_id;
+- adsp->decrypt_shutdown = desc->decrypt_shutdown;
+- adsp->region_assign_idx = desc->region_assign_idx;
+- adsp->region_assign_count = min_t(int, MAX_ASSIGN_COUNT, desc->region_assign_count);
+- adsp->region_assign_vmid = desc->region_assign_vmid;
+- adsp->region_assign_shared = desc->region_assign_shared;
++ pas = rproc->priv;
++ pas->dev = &pdev->dev;
++ pas->rproc = rproc;
++ pas->minidump_id = desc->minidump_id;
++ pas->pas_id = desc->pas_id;
++ pas->lite_pas_id = desc->lite_pas_id;
++ pas->info_name = desc->sysmon_name;
++ pas->smem_host_id = desc->smem_host_id;
++ pas->decrypt_shutdown = desc->decrypt_shutdown;
++ pas->region_assign_idx = desc->region_assign_idx;
++ pas->region_assign_count = min_t(int, MAX_ASSIGN_COUNT, desc->region_assign_count);
++ pas->region_assign_vmid = desc->region_assign_vmid;
++ pas->region_assign_shared = desc->region_assign_shared;
+ if (dtb_fw_name) {
+- adsp->dtb_firmware_name = dtb_fw_name;
+- adsp->dtb_pas_id = desc->dtb_pas_id;
++ pas->dtb_firmware_name = dtb_fw_name;
++ pas->dtb_pas_id = desc->dtb_pas_id;
+ }
+- platform_set_drvdata(pdev, adsp);
++ platform_set_drvdata(pdev, pas);
+
+- ret = device_init_wakeup(adsp->dev, true);
++ ret = device_init_wakeup(pas->dev, true);
+ if (ret)
+ goto free_rproc;
+
+- ret = adsp_alloc_memory_region(adsp);
++ ret = qcom_pas_alloc_memory_region(pas);
+ if (ret)
+ goto free_rproc;
+
+- ret = adsp_assign_memory_region(adsp);
++ ret = qcom_pas_assign_memory_region(pas);
+ if (ret)
+ goto free_rproc;
+
+- ret = adsp_init_clock(adsp);
++ ret = qcom_pas_init_clock(pas);
+ if (ret)
+ goto unassign_mem;
+
+- ret = adsp_init_regulator(adsp);
++ ret = qcom_pas_init_regulator(pas);
+ if (ret)
+ goto unassign_mem;
+
+- ret = adsp_pds_attach(&pdev->dev, adsp->proxy_pds,
+- desc->proxy_pd_names);
++ ret = qcom_pas_pds_attach(&pdev->dev, pas->proxy_pds, desc->proxy_pd_names);
+ if (ret < 0)
+ goto unassign_mem;
+- adsp->proxy_pd_count = ret;
++ pas->proxy_pd_count = ret;
+
+- ret = qcom_q6v5_init(&adsp->q6v5, pdev, rproc, desc->crash_reason_smem, desc->load_state,
+- qcom_pas_handover);
++ ret = qcom_q6v5_init(&pas->q6v5, pdev, rproc, desc->crash_reason_smem,
++ desc->load_state, qcom_pas_handover);
+ if (ret)
+ goto detach_proxy_pds;
+
+- qcom_add_glink_subdev(rproc, &adsp->glink_subdev, desc->ssr_name);
+- qcom_add_smd_subdev(rproc, &adsp->smd_subdev);
+- qcom_add_pdm_subdev(rproc, &adsp->pdm_subdev);
+- adsp->sysmon = qcom_add_sysmon_subdev(rproc,
+- desc->sysmon_name,
+- desc->ssctl_id);
+- if (IS_ERR(adsp->sysmon)) {
+- ret = PTR_ERR(adsp->sysmon);
++ qcom_add_glink_subdev(rproc, &pas->glink_subdev, desc->ssr_name);
++ qcom_add_smd_subdev(rproc, &pas->smd_subdev);
++ qcom_add_pdm_subdev(rproc, &pas->pdm_subdev);
++ pas->sysmon = qcom_add_sysmon_subdev(rproc, desc->sysmon_name, desc->ssctl_id);
++ if (IS_ERR(pas->sysmon)) {
++ ret = PTR_ERR(pas->sysmon);
+ goto deinit_remove_pdm_smd_glink;
+ }
+
+- qcom_add_ssr_subdev(rproc, &adsp->ssr_subdev, desc->ssr_name);
++ qcom_add_ssr_subdev(rproc, &pas->ssr_subdev, desc->ssr_name);
+ ret = rproc_add(rproc);
+ if (ret)
+ goto remove_ssr_sysmon;
+@@ -787,41 +782,41 @@ static int adsp_probe(struct platform_device *pdev)
+ return 0;
+
+ remove_ssr_sysmon:
+- qcom_remove_ssr_subdev(rproc, &adsp->ssr_subdev);
+- qcom_remove_sysmon_subdev(adsp->sysmon);
++ qcom_remove_ssr_subdev(rproc, &pas->ssr_subdev);
++ qcom_remove_sysmon_subdev(pas->sysmon);
+ deinit_remove_pdm_smd_glink:
+- qcom_remove_pdm_subdev(rproc, &adsp->pdm_subdev);
+- qcom_remove_smd_subdev(rproc, &adsp->smd_subdev);
+- qcom_remove_glink_subdev(rproc, &adsp->glink_subdev);
+- qcom_q6v5_deinit(&adsp->q6v5);
++ qcom_remove_pdm_subdev(rproc, &pas->pdm_subdev);
++ qcom_remove_smd_subdev(rproc, &pas->smd_subdev);
++ qcom_remove_glink_subdev(rproc, &pas->glink_subdev);
++ qcom_q6v5_deinit(&pas->q6v5);
+ detach_proxy_pds:
+- adsp_pds_detach(adsp, adsp->proxy_pds, adsp->proxy_pd_count);
++ qcom_pas_pds_detach(pas, pas->proxy_pds, pas->proxy_pd_count);
+ unassign_mem:
+- adsp_unassign_memory_region(adsp);
++ qcom_pas_unassign_memory_region(pas);
+ free_rproc:
+- device_init_wakeup(adsp->dev, false);
++ device_init_wakeup(pas->dev, false);
+
+ return ret;
+ }
+
+-static void adsp_remove(struct platform_device *pdev)
++static void qcom_pas_remove(struct platform_device *pdev)
+ {
+- struct qcom_adsp *adsp = platform_get_drvdata(pdev);
+-
+- rproc_del(adsp->rproc);
+-
+- qcom_q6v5_deinit(&adsp->q6v5);
+- adsp_unassign_memory_region(adsp);
+- qcom_remove_glink_subdev(adsp->rproc, &adsp->glink_subdev);
+- qcom_remove_sysmon_subdev(adsp->sysmon);
+- qcom_remove_smd_subdev(adsp->rproc, &adsp->smd_subdev);
+- qcom_remove_pdm_subdev(adsp->rproc, &adsp->pdm_subdev);
+- qcom_remove_ssr_subdev(adsp->rproc, &adsp->ssr_subdev);
+- adsp_pds_detach(adsp, adsp->proxy_pds, adsp->proxy_pd_count);
+- device_init_wakeup(adsp->dev, false);
++ struct qcom_pas *pas = platform_get_drvdata(pdev);
++
++ rproc_del(pas->rproc);
++
++ qcom_q6v5_deinit(&pas->q6v5);
++ qcom_pas_unassign_memory_region(pas);
++ qcom_remove_glink_subdev(pas->rproc, &pas->glink_subdev);
++ qcom_remove_sysmon_subdev(pas->sysmon);
++ qcom_remove_smd_subdev(pas->rproc, &pas->smd_subdev);
++ qcom_remove_pdm_subdev(pas->rproc, &pas->pdm_subdev);
++ qcom_remove_ssr_subdev(pas->rproc, &pas->ssr_subdev);
++ qcom_pas_pds_detach(pas, pas->proxy_pds, pas->proxy_pd_count);
++ device_init_wakeup(pas->dev, false);
+ }
+
+-static const struct adsp_data adsp_resource_init = {
++static const struct qcom_pas_data adsp_resource_init = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+@@ -831,7 +826,7 @@ static const struct adsp_data adsp_resource_init = {
+ .ssctl_id = 0x14,
+ };
+
+-static const struct adsp_data sa8775p_adsp_resource = {
++static const struct qcom_pas_data sa8775p_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mbn",
+ .pas_id = 1,
+@@ -848,7 +843,7 @@ static const struct adsp_data sa8775p_adsp_resource = {
+ .ssctl_id = 0x14,
+ };
+
+-static const struct adsp_data sdm845_adsp_resource_init = {
++static const struct qcom_pas_data sdm845_adsp_resource_init = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+@@ -859,7 +854,7 @@ static const struct adsp_data sdm845_adsp_resource_init = {
+ .ssctl_id = 0x14,
+ };
+
+-static const struct adsp_data sm6350_adsp_resource = {
++static const struct qcom_pas_data sm6350_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+@@ -875,7 +870,7 @@ static const struct adsp_data sm6350_adsp_resource = {
+ .ssctl_id = 0x14,
+ };
+
+-static const struct adsp_data sm6375_mpss_resource = {
++static const struct qcom_pas_data sm6375_mpss_resource = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .pas_id = 4,
+@@ -890,7 +885,7 @@ static const struct adsp_data sm6375_mpss_resource = {
+ .ssctl_id = 0x12,
+ };
+
+-static const struct adsp_data sm8150_adsp_resource = {
++static const struct qcom_pas_data sm8150_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+@@ -905,7 +900,7 @@ static const struct adsp_data sm8150_adsp_resource = {
+ .ssctl_id = 0x14,
+ };
+
+-static const struct adsp_data sm8250_adsp_resource = {
++static const struct qcom_pas_data sm8250_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+@@ -922,7 +917,7 @@ static const struct adsp_data sm8250_adsp_resource = {
+ .ssctl_id = 0x14,
+ };
+
+-static const struct adsp_data sm8350_adsp_resource = {
++static const struct qcom_pas_data sm8350_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+@@ -938,7 +933,7 @@ static const struct adsp_data sm8350_adsp_resource = {
+ .ssctl_id = 0x14,
+ };
+
+-static const struct adsp_data msm8996_adsp_resource = {
++static const struct qcom_pas_data msm8996_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+@@ -952,7 +947,7 @@ static const struct adsp_data msm8996_adsp_resource = {
+ .ssctl_id = 0x14,
+ };
+
+-static const struct adsp_data cdsp_resource_init = {
++static const struct qcom_pas_data cdsp_resource_init = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+@@ -962,7 +957,7 @@ static const struct adsp_data cdsp_resource_init = {
+ .ssctl_id = 0x17,
+ };
+
+-static const struct adsp_data sa8775p_cdsp0_resource = {
++static const struct qcom_pas_data sa8775p_cdsp0_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp0.mbn",
+ .pas_id = 18,
+@@ -980,7 +975,7 @@ static const struct adsp_data sa8775p_cdsp0_resource = {
+ .ssctl_id = 0x17,
+ };
+
+-static const struct adsp_data sa8775p_cdsp1_resource = {
++static const struct qcom_pas_data sa8775p_cdsp1_resource = {
+ .crash_reason_smem = 633,
+ .firmware_name = "cdsp1.mbn",
+ .pas_id = 30,
+@@ -998,7 +993,7 @@ static const struct adsp_data sa8775p_cdsp1_resource = {
+ .ssctl_id = 0x20,
+ };
+
+-static const struct adsp_data sdm845_cdsp_resource_init = {
++static const struct qcom_pas_data sdm845_cdsp_resource_init = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+@@ -1009,7 +1004,7 @@ static const struct adsp_data sdm845_cdsp_resource_init = {
+ .ssctl_id = 0x17,
+ };
+
+-static const struct adsp_data sm6350_cdsp_resource = {
++static const struct qcom_pas_data sm6350_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+@@ -1025,7 +1020,7 @@ static const struct adsp_data sm6350_cdsp_resource = {
+ .ssctl_id = 0x17,
+ };
+
+-static const struct adsp_data sm8150_cdsp_resource = {
++static const struct qcom_pas_data sm8150_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+@@ -1040,7 +1035,7 @@ static const struct adsp_data sm8150_cdsp_resource = {
+ .ssctl_id = 0x17,
+ };
+
+-static const struct adsp_data sm8250_cdsp_resource = {
++static const struct qcom_pas_data sm8250_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+@@ -1055,7 +1050,7 @@ static const struct adsp_data sm8250_cdsp_resource = {
+ .ssctl_id = 0x17,
+ };
+
+-static const struct adsp_data sc8280xp_nsp0_resource = {
++static const struct qcom_pas_data sc8280xp_nsp0_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+@@ -1069,7 +1064,7 @@ static const struct adsp_data sc8280xp_nsp0_resource = {
+ .ssctl_id = 0x17,
+ };
+
+-static const struct adsp_data sc8280xp_nsp1_resource = {
++static const struct qcom_pas_data sc8280xp_nsp1_resource = {
+ .crash_reason_smem = 633,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 30,
+@@ -1083,7 +1078,7 @@ static const struct adsp_data sc8280xp_nsp1_resource = {
+ .ssctl_id = 0x20,
+ };
+
+-static const struct adsp_data x1e80100_adsp_resource = {
++static const struct qcom_pas_data x1e80100_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .dtb_firmware_name = "adsp_dtb.mdt",
+@@ -1103,7 +1098,7 @@ static const struct adsp_data x1e80100_adsp_resource = {
+ .ssctl_id = 0x14,
+ };
+
+-static const struct adsp_data x1e80100_cdsp_resource = {
++static const struct qcom_pas_data x1e80100_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .dtb_firmware_name = "cdsp_dtb.mdt",
+@@ -1123,7 +1118,7 @@ static const struct adsp_data x1e80100_cdsp_resource = {
+ .ssctl_id = 0x17,
+ };
+
+-static const struct adsp_data sm8350_cdsp_resource = {
++static const struct qcom_pas_data sm8350_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+@@ -1140,7 +1135,7 @@ static const struct adsp_data sm8350_cdsp_resource = {
+ .ssctl_id = 0x17,
+ };
+
+-static const struct adsp_data sa8775p_gpdsp0_resource = {
++static const struct qcom_pas_data sa8775p_gpdsp0_resource = {
+ .crash_reason_smem = 640,
+ .firmware_name = "gpdsp0.mbn",
+ .pas_id = 39,
+@@ -1157,7 +1152,7 @@ static const struct adsp_data sa8775p_gpdsp0_resource = {
+ .ssctl_id = 0x21,
+ };
+
+-static const struct adsp_data sa8775p_gpdsp1_resource = {
++static const struct qcom_pas_data sa8775p_gpdsp1_resource = {
+ .crash_reason_smem = 641,
+ .firmware_name = "gpdsp1.mbn",
+ .pas_id = 40,
+@@ -1174,7 +1169,7 @@ static const struct adsp_data sa8775p_gpdsp1_resource = {
+ .ssctl_id = 0x22,
+ };
+
+-static const struct adsp_data mpss_resource_init = {
++static const struct qcom_pas_data mpss_resource_init = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .pas_id = 4,
+@@ -1191,7 +1186,7 @@ static const struct adsp_data mpss_resource_init = {
+ .ssctl_id = 0x12,
+ };
+
+-static const struct adsp_data sc8180x_mpss_resource = {
++static const struct qcom_pas_data sc8180x_mpss_resource = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .pas_id = 4,
+@@ -1206,7 +1201,7 @@ static const struct adsp_data sc8180x_mpss_resource = {
+ .ssctl_id = 0x12,
+ };
+
+-static const struct adsp_data msm8996_slpi_resource_init = {
++static const struct qcom_pas_data msm8996_slpi_resource_init = {
+ .crash_reason_smem = 424,
+ .firmware_name = "slpi.mdt",
+ .pas_id = 12,
+@@ -1220,7 +1215,7 @@ static const struct adsp_data msm8996_slpi_resource_init = {
+ .ssctl_id = 0x16,
+ };
+
+-static const struct adsp_data sdm845_slpi_resource_init = {
++static const struct qcom_pas_data sdm845_slpi_resource_init = {
+ .crash_reason_smem = 424,
+ .firmware_name = "slpi.mdt",
+ .pas_id = 12,
+@@ -1236,7 +1231,7 @@ static const struct adsp_data sdm845_slpi_resource_init = {
+ .ssctl_id = 0x16,
+ };
+
+-static const struct adsp_data wcss_resource_init = {
++static const struct qcom_pas_data wcss_resource_init = {
+ .crash_reason_smem = 421,
+ .firmware_name = "wcnss.mdt",
+ .pas_id = 6,
+@@ -1246,7 +1241,7 @@ static const struct adsp_data wcss_resource_init = {
+ .ssctl_id = 0x12,
+ };
+
+-static const struct adsp_data sdx55_mpss_resource = {
++static const struct qcom_pas_data sdx55_mpss_resource = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .pas_id = 4,
+@@ -1261,7 +1256,7 @@ static const struct adsp_data sdx55_mpss_resource = {
+ .ssctl_id = 0x22,
+ };
+
+-static const struct adsp_data sm8450_mpss_resource = {
++static const struct qcom_pas_data sm8450_mpss_resource = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .pas_id = 4,
+@@ -1279,7 +1274,7 @@ static const struct adsp_data sm8450_mpss_resource = {
+ .ssctl_id = 0x12,
+ };
+
+-static const struct adsp_data sm8550_adsp_resource = {
++static const struct qcom_pas_data sm8550_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .dtb_firmware_name = "adsp_dtb.mdt",
+@@ -1299,7 +1294,7 @@ static const struct adsp_data sm8550_adsp_resource = {
+ .smem_host_id = 2,
+ };
+
+-static const struct adsp_data sm8550_cdsp_resource = {
++static const struct qcom_pas_data sm8550_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .dtb_firmware_name = "cdsp_dtb.mdt",
+@@ -1320,7 +1315,7 @@ static const struct adsp_data sm8550_cdsp_resource = {
+ .smem_host_id = 5,
+ };
+
+-static const struct adsp_data sm8550_mpss_resource = {
++static const struct qcom_pas_data sm8550_mpss_resource = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .dtb_firmware_name = "modem_dtb.mdt",
+@@ -1344,7 +1339,7 @@ static const struct adsp_data sm8550_mpss_resource = {
+ .region_assign_vmid = QCOM_SCM_VMID_MSS_MSA,
+ };
+
+-static const struct adsp_data sc7280_wpss_resource = {
++static const struct qcom_pas_data sc7280_wpss_resource = {
+ .crash_reason_smem = 626,
+ .firmware_name = "wpss.mdt",
+ .pas_id = 6,
+@@ -1361,7 +1356,7 @@ static const struct adsp_data sc7280_wpss_resource = {
+ .ssctl_id = 0x19,
+ };
+
+-static const struct adsp_data sm8650_cdsp_resource = {
++static const struct qcom_pas_data sm8650_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .dtb_firmware_name = "cdsp_dtb.mdt",
+@@ -1386,7 +1381,7 @@ static const struct adsp_data sm8650_cdsp_resource = {
+ .region_assign_vmid = QCOM_SCM_VMID_CDSP,
+ };
+
+-static const struct adsp_data sm8650_mpss_resource = {
++static const struct qcom_pas_data sm8650_mpss_resource = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .dtb_firmware_name = "modem_dtb.mdt",
+@@ -1410,7 +1405,7 @@ static const struct adsp_data sm8650_mpss_resource = {
+ .region_assign_vmid = QCOM_SCM_VMID_MSS_MSA,
+ };
+
+-static const struct adsp_data sm8750_mpss_resource = {
++static const struct qcom_pas_data sm8750_mpss_resource = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .dtb_firmware_name = "modem_dtb.mdt",
+@@ -1434,7 +1429,7 @@ static const struct adsp_data sm8750_mpss_resource = {
+ .region_assign_vmid = QCOM_SCM_VMID_MSS_MSA,
+ };
+
+-static const struct of_device_id adsp_of_match[] = {
++static const struct of_device_id qcom_pas_of_match[] = {
+ { .compatible = "qcom,msm8226-adsp-pil", .data = &msm8996_adsp_resource},
+ { .compatible = "qcom,msm8953-adsp-pil", .data = &msm8996_adsp_resource},
+ { .compatible = "qcom,msm8974-adsp-pil", .data = &adsp_resource_init},
+@@ -1504,17 +1499,17 @@ static const struct of_device_id adsp_of_match[] = {
+ { .compatible = "qcom,x1e80100-cdsp-pas", .data = &x1e80100_cdsp_resource},
+ { },
+ };
+-MODULE_DEVICE_TABLE(of, adsp_of_match);
++MODULE_DEVICE_TABLE(of, qcom_pas_of_match);
+
+-static struct platform_driver adsp_driver = {
+- .probe = adsp_probe,
+- .remove = adsp_remove,
++static struct platform_driver qcom_pas_driver = {
++ .probe = qcom_pas_probe,
++ .remove = qcom_pas_remove,
+ .driver = {
+ .name = "qcom_q6v5_pas",
+- .of_match_table = adsp_of_match,
++ .of_match_table = qcom_pas_of_match,
+ },
+ };
+
+-module_platform_driver(adsp_driver);
+-MODULE_DESCRIPTION("Qualcomm Hexagon v5 Peripheral Authentication Service driver");
++module_platform_driver(qcom_pas_driver);
++MODULE_DESCRIPTION("Qualcomm Peripheral Authentication Service remoteproc driver");
+ MODULE_LICENSE("GPL v2");
+--
+2.39.5
+
--- /dev/null
+From 5337f6b2e9a459bfca54bd5c8c2061381fd1d5e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 14:30:47 -0700
+Subject: remoteproc: xlnx: Disable unsupported features
+
+From: Tanmay Shah <tanmay.shah@amd.com>
+
+[ Upstream commit 699cdd706290208d47bd858a188b030df2e90357 ]
+
+AMD-Xilinx platform driver does not support iommu or recovery mechanism
+yet. Disable both features in platform driver.
+
+Signed-off-by: Tanmay Shah <tanmay.shah@amd.com>
+Link: https://lore.kernel.org/r/20250716213048.2316424-2-tanmay.shah@amd.com
+Fixes: 6b291e8020a8 ("drivers: remoteproc: Add Xilinx r5 remoteproc driver")
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/xlnx_r5_remoteproc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/remoteproc/xlnx_r5_remoteproc.c b/drivers/remoteproc/xlnx_r5_remoteproc.c
+index 1af89782e116..79be88b40ab0 100644
+--- a/drivers/remoteproc/xlnx_r5_remoteproc.c
++++ b/drivers/remoteproc/xlnx_r5_remoteproc.c
+@@ -938,6 +938,8 @@ static struct zynqmp_r5_core *zynqmp_r5_add_rproc_core(struct device *cdev)
+
+ rproc_coredump_set_elf_info(r5_rproc, ELFCLASS32, EM_ARM);
+
++ r5_rproc->recovery_disabled = true;
++ r5_rproc->has_iommu = false;
+ r5_rproc->auto_boot = false;
+ r5_core = r5_rproc->priv;
+ r5_core->dev = cdev;
+--
+2.39.5
+
--- /dev/null
+From 7f36ff6a48152cc302c1c60855ceff7268868c36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 12:05:10 -0400
+Subject: Revert "drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vitaly Prosyak <vitaly.prosyak@amd.com>
+
+[ Upstream commit a73345b866ff8bbd93135af667c973a8fb4b2c40 ]
+
+This reverts commit 5fb90421fa0fbe0a968274912101fe917bf1c47b.
+
+The original patch moved `amdgpu_userq_mgr_fini()` to the driver's
+`postclose` callback, which is called after `drm_gem_release()` in
+the DRM file cleanup sequence.If a user application crashes or aborts
+without cleaning up its user queues, 'drm_gem_release()` may free
+GEM objects that are still referenced by active user queues, leading
+to use-after-free. By reverting, we ensure that user queues are
+disabled and cleaned up before any GEM objects are released,
+preventing this class of bug. However, this reintroduces a race
+during PCI hot-unplug, where device removal can race with per-file
+cleanup, leading to use-after-free in suspend/unplug paths.
+This will be fixed in the next patch.
+
+Fixes: 5fb90421fa0f ("drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c")
+Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 16 +++++++++++++++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ---
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+index 501bb82f2a37..4db92e0a60da 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -2906,6 +2906,20 @@ static int amdgpu_pmops_runtime_idle(struct device *dev)
+ return ret;
+ }
+
++static int amdgpu_drm_release(struct inode *inode, struct file *filp)
++{
++ struct drm_file *file_priv = filp->private_data;
++ struct amdgpu_fpriv *fpriv = file_priv->driver_priv;
++
++ if (fpriv) {
++ fpriv->evf_mgr.fd_closing = true;
++ amdgpu_eviction_fence_destroy(&fpriv->evf_mgr);
++ amdgpu_userq_mgr_fini(&fpriv->userq_mgr);
++ }
++
++ return drm_release(inode, filp);
++}
++
+ long amdgpu_drm_ioctl(struct file *filp,
+ unsigned int cmd, unsigned long arg)
+ {
+@@ -2957,7 +2971,7 @@ static const struct file_operations amdgpu_driver_kms_fops = {
+ .owner = THIS_MODULE,
+ .open = drm_open,
+ .flush = amdgpu_flush,
+- .release = drm_release,
++ .release = amdgpu_drm_release,
+ .unlocked_ioctl = amdgpu_drm_ioctl,
+ .mmap = drm_gem_mmap,
+ .poll = drm_poll,
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+index 195ed81d39ff..d2ce7d86dbc8 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -1501,9 +1501,6 @@ void amdgpu_driver_postclose_kms(struct drm_device *dev,
+ amdgpu_vm_bo_del(adev, fpriv->prt_va);
+ amdgpu_bo_unreserve(pd);
+ }
+- fpriv->evf_mgr.fd_closing = true;
+- amdgpu_eviction_fence_destroy(&fpriv->evf_mgr);
+- amdgpu_userq_mgr_fini(&fpriv->userq_mgr);
+
+ amdgpu_ctx_mgr_fini(&fpriv->ctx_mgr);
+ amdgpu_vm_fini(adev, &fpriv->vm);
+--
+2.39.5
+
--- /dev/null
+From 3d4642abffaa073daf6c21641abbf6800c31a60e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 15:11:32 +0200
+Subject: Revert "fs/ntfs3: Replace inode_trylock with inode_lock"
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+[ Upstream commit a49f0abd8959048af18c6c690b065eb0d65b2d21 ]
+
+This reverts commit 69505fe98f198ee813898cbcaf6770949636430b.
+
+Initially, conditional lock acquisition was removed to fix an xfstest bug
+that was observed during internal testing. The deadlock reported by syzbot
+is resolved by reintroducing conditional acquisition. The xfstest bug no
+longer occurs on kernel version 6.16-rc1 during internal testing. I
+assume that changes in other modules may have contributed to this.
+
+Fixes: 69505fe98f19 ("fs/ntfs3: Replace inode_trylock with inode_lock")
+Reported-by: syzbot+a91fcdbd2698f99db8f4@syzkaller.appspotmail.com
+Suggested-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/file.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
+index 1e99a35691cd..4dc8d7eb0901 100644
+--- a/fs/ntfs3/file.c
++++ b/fs/ntfs3/file.c
+@@ -310,7 +310,10 @@ static int ntfs_file_mmap(struct file *file, struct vm_area_struct *vma)
+ }
+
+ if (ni->i_valid < to) {
+- inode_lock(inode);
++ if (!inode_trylock(inode)) {
++ err = -EAGAIN;
++ goto out;
++ }
+ err = ntfs_extend_initialized_size(file, ni,
+ ni->i_valid, to);
+ inode_unlock(inode);
+--
+2.39.5
+
--- /dev/null
+From e87850ba11b64f3875b13a1b84357defbec91656 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Apr 2025 15:38:29 +0800
+Subject: Revert "udmabuf: fix vmap_udmabuf error page set"
+
+From: Huan Yang <link@vivo.com>
+
+[ Upstream commit ceb7b62eaaaacfcf87473bd2e99ac73a758620cb ]
+
+This reverts commit 18d7de823b7150344d242c3677e65d68c5271b04.
+
+We cannot use vmap_pfn() in vmap_udmabuf() as it would fail the pfn_valid()
+check in vmap_pfn_apply(). This is because vmap_pfn() is intended to be
+used for mapping non-struct-page memory such as PCIe BARs. Since, udmabuf
+mostly works with pages/folios backed by shmem/hugetlbfs/THP, vmap_pfn()
+is not the right tool or API to invoke for implementing vmap.
+
+Signed-off-by: Huan Yang <link@vivo.com>
+Suggested-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Reported-by: Bingbu Cao <bingbu.cao@linux.intel.com>
+Closes: https://lore.kernel.org/dri-devel/eb7e0137-3508-4287-98c4-816c5fd98e10@vivo.com/T/#mbda4f64a3532b32e061f4e8763bc8e307bea3ca8
+Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Link: https://lore.kernel.org/r/20250428073831.19942-2-link@vivo.com
+Stable-dep-of: a26fd92b7223 ("udmabuf: fix vmap missed offset page")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma-buf/Kconfig | 1 -
+ drivers/dma-buf/udmabuf.c | 22 +++++++---------------
+ 2 files changed, 7 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/dma-buf/Kconfig b/drivers/dma-buf/Kconfig
+index fee04fdb0822..b46eb8a552d7 100644
+--- a/drivers/dma-buf/Kconfig
++++ b/drivers/dma-buf/Kconfig
+@@ -36,7 +36,6 @@ config UDMABUF
+ depends on DMA_SHARED_BUFFER
+ depends on MEMFD_CREATE || COMPILE_TEST
+ depends on MMU
+- select VMAP_PFN
+ help
+ A driver to let userspace turn memfd regions into dma-bufs.
+ Qemu can use this to create host dmabufs for guest framebuffers.
+diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
+index c9d0c68d2fcb..4cc342fb28f4 100644
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -109,29 +109,21 @@ static int mmap_udmabuf(struct dma_buf *buf, struct vm_area_struct *vma)
+ static int vmap_udmabuf(struct dma_buf *buf, struct iosys_map *map)
+ {
+ struct udmabuf *ubuf = buf->priv;
+- unsigned long *pfns;
++ struct page **pages;
+ void *vaddr;
+ pgoff_t pg;
+
+ dma_resv_assert_held(buf->resv);
+
+- /**
+- * HVO may free tail pages, so just use pfn to map each folio
+- * into vmalloc area.
+- */
+- pfns = kvmalloc_array(ubuf->pagecount, sizeof(*pfns), GFP_KERNEL);
+- if (!pfns)
++ pages = kvmalloc_array(ubuf->pagecount, sizeof(*pages), GFP_KERNEL);
++ if (!pages)
+ return -ENOMEM;
+
+- for (pg = 0; pg < ubuf->pagecount; pg++) {
+- unsigned long pfn = folio_pfn(ubuf->folios[pg]);
+-
+- pfn += ubuf->offsets[pg] >> PAGE_SHIFT;
+- pfns[pg] = pfn;
+- }
++ for (pg = 0; pg < ubuf->pagecount; pg++)
++ pages[pg] = &ubuf->folios[pg]->page;
+
+- vaddr = vmap_pfn(pfns, ubuf->pagecount, PAGE_KERNEL);
+- kvfree(pfns);
++ vaddr = vm_map_ram(pages, ubuf->pagecount, -1);
++ kvfree(pages);
+ if (!vaddr)
+ return -EINVAL;
+
+--
+2.39.5
+
--- /dev/null
+From 180f95057eef9ea7df2a0c2fddef7878f739b17c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 10:30:09 +0200
+Subject: Revert "vmci: Prevent the dispatching of uninitialized payloads"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 8f5d9bed6122b8d96508436e5ad2498bb797eb6b ]
+
+This reverts commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031.
+
+While the code "looks" correct, the compiler has no way to know that
+doing "fun" pointer math like this really isn't a write off the end of
+the structure as there is no hint anywhere that the structure has data
+at the end of it.
+
+This causes the following build warning:
+
+In function 'fortify_memset_chk',
+ inlined from 'ctx_fire_notification.isra' at drivers/misc/vmw_vmci/vmci_context.c:254:3:
+include/linux/fortify-string.h:480:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
+ 480 | __write_overflow_field(p_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+So revert it for now and it can come back in the future in a "sane" way
+that either correctly makes the structure know that there is trailing
+data, OR just the payload structure is properly referenced and zeroed
+out.
+
+Fixes: bfb4cf9fb97e ("vmci: Prevent the dispatching of uninitialized payloads")
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://lore.kernel.org/r/20250703171021.0aee1482@canb.auug.org.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c
+index d566103caa27..f22b44827e92 100644
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -251,8 +251,6 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags)
+ ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID,
+ VMCI_CONTEXT_RESOURCE_ID);
+ ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr);
+- memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0,
+- ev.msg.hdr.payload_size);
+ ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED;
+ ev.payload.context_id = context_id;
+
+--
+2.39.5
+
--- /dev/null
+From 1c77ea7dbda384b514ccc2b4a739abca74ecdee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 18:04:40 -0400
+Subject: ring-buffer: Remove ring_buffer_read_prepare_sync()
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 119a5d573622ae90ba730d18acfae9bb75d77b9a ]
+
+When the ring buffer was first introduced, reading the non-consuming
+"trace" file required disabling the writing of the ring buffer. To make
+sure the writing was fully disabled before iterating the buffer with a
+non-consuming read, it would set the disable flag of the buffer and then
+call an RCU synchronization to make sure all the buffers were
+synchronized.
+
+The function ring_buffer_read_start() originally would initialize the
+iterator and call an RCU synchronization, but this was for each individual
+per CPU buffer where this would get called many times on a machine with
+many CPUs before the trace file could be read. The commit 72c9ddfd4c5bf
+("ring-buffer: Make non-consuming read less expensive with lots of cpus.")
+separated ring_buffer_read_start into ring_buffer_read_prepare(),
+ring_buffer_read_sync() and then ring_buffer_read_start() to allow each of
+the per CPU buffers to be prepared, call the read_buffer_read_sync() once,
+and then the ring_buffer_read_start() for each of the CPUs which made
+things much faster.
+
+The commit 1039221cc278 ("ring-buffer: Do not disable recording when there
+is an iterator") removed the requirement of disabling the recording of the
+ring buffer in order to iterate it, but it did not remove the
+synchronization that was happening that was required to wait for all the
+buffers to have no more writers. It's now OK for the buffers to have
+writers and no synchronization is needed.
+
+Remove the synchronization and put back the interface for the ring buffer
+iterator back before commit 72c9ddfd4c5bf was applied.
+
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://lore.kernel.org/20250630180440.3eabb514@batman.local.home
+Reported-by: David Howells <dhowells@redhat.com>
+Fixes: 1039221cc278 ("ring-buffer: Do not disable recording when there is an iterator")
+Tested-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ring_buffer.h | 4 +--
+ kernel/trace/ring_buffer.c | 63 ++++++-------------------------------
+ kernel/trace/trace.c | 14 +++------
+ kernel/trace/trace_kdb.c | 8 ++---
+ 4 files changed, 18 insertions(+), 71 deletions(-)
+
+diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h
+index cd7f0ae26615..bc90c3c7b5fd 100644
+--- a/include/linux/ring_buffer.h
++++ b/include/linux/ring_buffer.h
+@@ -152,9 +152,7 @@ ring_buffer_consume(struct trace_buffer *buffer, int cpu, u64 *ts,
+ unsigned long *lost_events);
+
+ struct ring_buffer_iter *
+-ring_buffer_read_prepare(struct trace_buffer *buffer, int cpu, gfp_t flags);
+-void ring_buffer_read_prepare_sync(void);
+-void ring_buffer_read_start(struct ring_buffer_iter *iter);
++ring_buffer_read_start(struct trace_buffer *buffer, int cpu, gfp_t flags);
+ void ring_buffer_read_finish(struct ring_buffer_iter *iter);
+
+ struct ring_buffer_event *
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 00fc38d70e86..24bb5287c415 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -5846,24 +5846,20 @@ ring_buffer_consume(struct trace_buffer *buffer, int cpu, u64 *ts,
+ EXPORT_SYMBOL_GPL(ring_buffer_consume);
+
+ /**
+- * ring_buffer_read_prepare - Prepare for a non consuming read of the buffer
++ * ring_buffer_read_start - start a non consuming read of the buffer
+ * @buffer: The ring buffer to read from
+ * @cpu: The cpu buffer to iterate over
+ * @flags: gfp flags to use for memory allocation
+ *
+- * This performs the initial preparations necessary to iterate
+- * through the buffer. Memory is allocated, buffer resizing
+- * is disabled, and the iterator pointer is returned to the caller.
+- *
+- * After a sequence of ring_buffer_read_prepare calls, the user is
+- * expected to make at least one call to ring_buffer_read_prepare_sync.
+- * Afterwards, ring_buffer_read_start is invoked to get things going
+- * for real.
++ * This creates an iterator to allow non-consuming iteration through
++ * the buffer. If the buffer is disabled for writing, it will produce
++ * the same information each time, but if the buffer is still writing
++ * then the first hit of a write will cause the iteration to stop.
+ *
+- * This overall must be paired with ring_buffer_read_finish.
++ * Must be paired with ring_buffer_read_finish.
+ */
+ struct ring_buffer_iter *
+-ring_buffer_read_prepare(struct trace_buffer *buffer, int cpu, gfp_t flags)
++ring_buffer_read_start(struct trace_buffer *buffer, int cpu, gfp_t flags)
+ {
+ struct ring_buffer_per_cpu *cpu_buffer;
+ struct ring_buffer_iter *iter;
+@@ -5889,51 +5885,12 @@ ring_buffer_read_prepare(struct trace_buffer *buffer, int cpu, gfp_t flags)
+
+ atomic_inc(&cpu_buffer->resize_disabled);
+
+- return iter;
+-}
+-EXPORT_SYMBOL_GPL(ring_buffer_read_prepare);
+-
+-/**
+- * ring_buffer_read_prepare_sync - Synchronize a set of prepare calls
+- *
+- * All previously invoked ring_buffer_read_prepare calls to prepare
+- * iterators will be synchronized. Afterwards, read_buffer_read_start
+- * calls on those iterators are allowed.
+- */
+-void
+-ring_buffer_read_prepare_sync(void)
+-{
+- synchronize_rcu();
+-}
+-EXPORT_SYMBOL_GPL(ring_buffer_read_prepare_sync);
+-
+-/**
+- * ring_buffer_read_start - start a non consuming read of the buffer
+- * @iter: The iterator returned by ring_buffer_read_prepare
+- *
+- * This finalizes the startup of an iteration through the buffer.
+- * The iterator comes from a call to ring_buffer_read_prepare and
+- * an intervening ring_buffer_read_prepare_sync must have been
+- * performed.
+- *
+- * Must be paired with ring_buffer_read_finish.
+- */
+-void
+-ring_buffer_read_start(struct ring_buffer_iter *iter)
+-{
+- struct ring_buffer_per_cpu *cpu_buffer;
+- unsigned long flags;
+-
+- if (!iter)
+- return;
+-
+- cpu_buffer = iter->cpu_buffer;
+-
+- raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags);
++ guard(raw_spinlock_irqsave)(&cpu_buffer->reader_lock);
+ arch_spin_lock(&cpu_buffer->lock);
+ rb_iter_reset(iter);
+ arch_spin_unlock(&cpu_buffer->lock);
+- raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags);
++
++ return iter;
+ }
+ EXPORT_SYMBOL_GPL(ring_buffer_read_start);
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 95ae7c4e5835..7996f26c3f46 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4735,21 +4735,15 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot)
+ if (iter->cpu_file == RING_BUFFER_ALL_CPUS) {
+ for_each_tracing_cpu(cpu) {
+ iter->buffer_iter[cpu] =
+- ring_buffer_read_prepare(iter->array_buffer->buffer,
+- cpu, GFP_KERNEL);
+- }
+- ring_buffer_read_prepare_sync();
+- for_each_tracing_cpu(cpu) {
+- ring_buffer_read_start(iter->buffer_iter[cpu]);
++ ring_buffer_read_start(iter->array_buffer->buffer,
++ cpu, GFP_KERNEL);
+ tracing_iter_reset(iter, cpu);
+ }
+ } else {
+ cpu = iter->cpu_file;
+ iter->buffer_iter[cpu] =
+- ring_buffer_read_prepare(iter->array_buffer->buffer,
+- cpu, GFP_KERNEL);
+- ring_buffer_read_prepare_sync();
+- ring_buffer_read_start(iter->buffer_iter[cpu]);
++ ring_buffer_read_start(iter->array_buffer->buffer,
++ cpu, GFP_KERNEL);
+ tracing_iter_reset(iter, cpu);
+ }
+
+diff --git a/kernel/trace/trace_kdb.c b/kernel/trace/trace_kdb.c
+index d7b135de958a..896ff78b8349 100644
+--- a/kernel/trace/trace_kdb.c
++++ b/kernel/trace/trace_kdb.c
+@@ -43,17 +43,15 @@ static void ftrace_dump_buf(int skip_entries, long cpu_file)
+ if (cpu_file == RING_BUFFER_ALL_CPUS) {
+ for_each_tracing_cpu(cpu) {
+ iter.buffer_iter[cpu] =
+- ring_buffer_read_prepare(iter.array_buffer->buffer,
+- cpu, GFP_ATOMIC);
+- ring_buffer_read_start(iter.buffer_iter[cpu]);
++ ring_buffer_read_start(iter.array_buffer->buffer,
++ cpu, GFP_ATOMIC);
+ tracing_iter_reset(&iter, cpu);
+ }
+ } else {
+ iter.cpu_file = cpu_file;
+ iter.buffer_iter[cpu_file] =
+- ring_buffer_read_prepare(iter.array_buffer->buffer,
++ ring_buffer_read_start(iter.array_buffer->buffer,
+ cpu_file, GFP_ATOMIC);
+- ring_buffer_read_start(iter.buffer_iter[cpu_file]);
+ tracing_iter_reset(&iter, cpu_file);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 7a0b5c7687829eed82c61613c607fab19541a5de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2025 16:46:58 -0800
+Subject: RISC-V: KVM: Fix inclusion of Smnpm in the guest ISA bitmap
+
+From: Samuel Holland <samuel.holland@sifive.com>
+
+[ Upstream commit 7826c8f37220daabf90c09fcd9a835d6763f1372 ]
+
+The Smnpm extension requires special handling because the guest ISA
+extension maps to a different extension (Ssnpm) on the host side.
+commit 1851e7836212 ("RISC-V: KVM: Allow Smnpm and Ssnpm extensions for
+guests") missed that the vcpu->arch.isa bit is based only on the host
+extension, so currently both KVM_RISCV_ISA_EXT_{SMNPM,SSNPM} map to
+vcpu->arch.isa[RISCV_ISA_EXT_SSNPM]. This does not cause any problems
+for the guest, because both extensions are force-enabled anyway when the
+host supports Ssnpm, but prevents checking for (guest) Smnpm in the SBI
+FWFT logic.
+
+Redefine kvm_isa_ext_arr to look up the guest extension, since only the
+guest -> host mapping is unambiguous. Factor out the logic for checking
+for host support of an extension, so this special case only needs to be
+handled in one place, and be explicit about which variables hold a host
+vs a guest ISA extension.
+
+Fixes: 1851e7836212 ("RISC-V: KVM: Allow Smnpm and Ssnpm extensions for guests")
+Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+Link: https://lore.kernel.org/r/20250111004702.2813013-2-samuel.holland@sifive.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/vcpu_onereg.c | 83 +++++++++++++++++++++++-------------
+ 1 file changed, 53 insertions(+), 30 deletions(-)
+
+diff --git a/arch/riscv/kvm/vcpu_onereg.c b/arch/riscv/kvm/vcpu_onereg.c
+index 2e1b646f0d61..cce6a38ea54f 100644
+--- a/arch/riscv/kvm/vcpu_onereg.c
++++ b/arch/riscv/kvm/vcpu_onereg.c
+@@ -23,7 +23,7 @@
+ #define KVM_ISA_EXT_ARR(ext) \
+ [KVM_RISCV_ISA_EXT_##ext] = RISCV_ISA_EXT_##ext
+
+-/* Mapping between KVM ISA Extension ID & Host ISA extension ID */
++/* Mapping between KVM ISA Extension ID & guest ISA extension ID */
+ static const unsigned long kvm_isa_ext_arr[] = {
+ /* Single letter extensions (alphabetically sorted) */
+ [KVM_RISCV_ISA_EXT_A] = RISCV_ISA_EXT_a,
+@@ -35,7 +35,7 @@ static const unsigned long kvm_isa_ext_arr[] = {
+ [KVM_RISCV_ISA_EXT_M] = RISCV_ISA_EXT_m,
+ [KVM_RISCV_ISA_EXT_V] = RISCV_ISA_EXT_v,
+ /* Multi letter extensions (alphabetically sorted) */
+- [KVM_RISCV_ISA_EXT_SMNPM] = RISCV_ISA_EXT_SSNPM,
++ KVM_ISA_EXT_ARR(SMNPM),
+ KVM_ISA_EXT_ARR(SMSTATEEN),
+ KVM_ISA_EXT_ARR(SSAIA),
+ KVM_ISA_EXT_ARR(SSCOFPMF),
+@@ -112,6 +112,36 @@ static unsigned long kvm_riscv_vcpu_base2isa_ext(unsigned long base_ext)
+ return KVM_RISCV_ISA_EXT_MAX;
+ }
+
++static int kvm_riscv_vcpu_isa_check_host(unsigned long kvm_ext, unsigned long *guest_ext)
++{
++ unsigned long host_ext;
++
++ if (kvm_ext >= KVM_RISCV_ISA_EXT_MAX ||
++ kvm_ext >= ARRAY_SIZE(kvm_isa_ext_arr))
++ return -ENOENT;
++
++ *guest_ext = kvm_isa_ext_arr[kvm_ext];
++ switch (*guest_ext) {
++ case RISCV_ISA_EXT_SMNPM:
++ /*
++ * Pointer masking effective in (H)S-mode is provided by the
++ * Smnpm extension, so that extension is reported to the guest,
++ * even though the CSR bits for configuring VS-mode pointer
++ * masking on the host side are part of the Ssnpm extension.
++ */
++ host_ext = RISCV_ISA_EXT_SSNPM;
++ break;
++ default:
++ host_ext = *guest_ext;
++ break;
++ }
++
++ if (!__riscv_isa_extension_available(NULL, host_ext))
++ return -ENOENT;
++
++ return 0;
++}
++
+ static bool kvm_riscv_vcpu_isa_enable_allowed(unsigned long ext)
+ {
+ switch (ext) {
+@@ -219,13 +249,13 @@ static bool kvm_riscv_vcpu_isa_disable_allowed(unsigned long ext)
+
+ void kvm_riscv_vcpu_setup_isa(struct kvm_vcpu *vcpu)
+ {
+- unsigned long host_isa, i;
++ unsigned long guest_ext, i;
+
+ for (i = 0; i < ARRAY_SIZE(kvm_isa_ext_arr); i++) {
+- host_isa = kvm_isa_ext_arr[i];
+- if (__riscv_isa_extension_available(NULL, host_isa) &&
+- kvm_riscv_vcpu_isa_enable_allowed(i))
+- set_bit(host_isa, vcpu->arch.isa);
++ if (kvm_riscv_vcpu_isa_check_host(i, &guest_ext))
++ continue;
++ if (kvm_riscv_vcpu_isa_enable_allowed(i))
++ set_bit(guest_ext, vcpu->arch.isa);
+ }
+ }
+
+@@ -607,18 +637,15 @@ static int riscv_vcpu_get_isa_ext_single(struct kvm_vcpu *vcpu,
+ unsigned long reg_num,
+ unsigned long *reg_val)
+ {
+- unsigned long host_isa_ext;
+-
+- if (reg_num >= KVM_RISCV_ISA_EXT_MAX ||
+- reg_num >= ARRAY_SIZE(kvm_isa_ext_arr))
+- return -ENOENT;
++ unsigned long guest_ext;
++ int ret;
+
+- host_isa_ext = kvm_isa_ext_arr[reg_num];
+- if (!__riscv_isa_extension_available(NULL, host_isa_ext))
+- return -ENOENT;
++ ret = kvm_riscv_vcpu_isa_check_host(reg_num, &guest_ext);
++ if (ret)
++ return ret;
+
+ *reg_val = 0;
+- if (__riscv_isa_extension_available(vcpu->arch.isa, host_isa_ext))
++ if (__riscv_isa_extension_available(vcpu->arch.isa, guest_ext))
+ *reg_val = 1; /* Mark the given extension as available */
+
+ return 0;
+@@ -628,17 +655,14 @@ static int riscv_vcpu_set_isa_ext_single(struct kvm_vcpu *vcpu,
+ unsigned long reg_num,
+ unsigned long reg_val)
+ {
+- unsigned long host_isa_ext;
+-
+- if (reg_num >= KVM_RISCV_ISA_EXT_MAX ||
+- reg_num >= ARRAY_SIZE(kvm_isa_ext_arr))
+- return -ENOENT;
++ unsigned long guest_ext;
++ int ret;
+
+- host_isa_ext = kvm_isa_ext_arr[reg_num];
+- if (!__riscv_isa_extension_available(NULL, host_isa_ext))
+- return -ENOENT;
++ ret = kvm_riscv_vcpu_isa_check_host(reg_num, &guest_ext);
++ if (ret)
++ return ret;
+
+- if (reg_val == test_bit(host_isa_ext, vcpu->arch.isa))
++ if (reg_val == test_bit(guest_ext, vcpu->arch.isa))
+ return 0;
+
+ if (!vcpu->arch.ran_atleast_once) {
+@@ -648,10 +672,10 @@ static int riscv_vcpu_set_isa_ext_single(struct kvm_vcpu *vcpu,
+ */
+ if (reg_val == 1 &&
+ kvm_riscv_vcpu_isa_enable_allowed(reg_num))
+- set_bit(host_isa_ext, vcpu->arch.isa);
++ set_bit(guest_ext, vcpu->arch.isa);
+ else if (!reg_val &&
+ kvm_riscv_vcpu_isa_disable_allowed(reg_num))
+- clear_bit(host_isa_ext, vcpu->arch.isa);
++ clear_bit(guest_ext, vcpu->arch.isa);
+ else
+ return -EINVAL;
+ kvm_riscv_vcpu_fp_reset(vcpu);
+@@ -1009,16 +1033,15 @@ static int copy_fp_d_reg_indices(const struct kvm_vcpu *vcpu,
+ static int copy_isa_ext_reg_indices(const struct kvm_vcpu *vcpu,
+ u64 __user *uindices)
+ {
++ unsigned long guest_ext;
+ unsigned int n = 0;
+- unsigned long isa_ext;
+
+ for (int i = 0; i < KVM_RISCV_ISA_EXT_MAX; i++) {
+ u64 size = IS_ENABLED(CONFIG_32BIT) ?
+ KVM_REG_SIZE_U32 : KVM_REG_SIZE_U64;
+ u64 reg = KVM_REG_RISCV | size | KVM_REG_RISCV_ISA_EXT | i;
+
+- isa_ext = kvm_isa_ext_arr[i];
+- if (!__riscv_isa_extension_available(NULL, isa_ext))
++ if (kvm_riscv_vcpu_isa_check_host(i, &guest_ext))
+ continue;
+
+ if (uindices) {
+--
+2.39.5
+
--- /dev/null
+From 297cc61c11c59b8418f87efcfba440a74508f1e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 15:45:12 +0800
+Subject: riscv: dts: sophgo: sg2044: Add missing riscv,cbop-block-size
+ property
+
+From: Inochi Amaoto <inochiama@gmail.com>
+
+[ Upstream commit 02d548e553d161813b7d3702a311b9067806057d ]
+
+The kernel complains no "riscv,cbop-block-size" and disables the Zicbop
+extension. Add the missing property to keep it functional.
+
+Fixes: ae5bac370ed4 ("riscv: dts: sophgo: Add initial device tree of Sophgo SRD3-10")
+Link: https://lore.kernel.org/r/20250613074513.1683624-1-inochiama@gmail.com
+Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
+Signed-off-by: Chen Wang <unicorn_wang@outlook.com>
+Signed-off-by: Chen Wang <wangchen20@iscas.ac.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/boot/dts/sophgo/sg2044-cpus.dtsi | 64 +++++++++++++++++++++
+ 1 file changed, 64 insertions(+)
+
+diff --git a/arch/riscv/boot/dts/sophgo/sg2044-cpus.dtsi b/arch/riscv/boot/dts/sophgo/sg2044-cpus.dtsi
+index 2a4267078ce6..6a35ed8f253c 100644
+--- a/arch/riscv/boot/dts/sophgo/sg2044-cpus.dtsi
++++ b/arch/riscv/boot/dts/sophgo/sg2044-cpus.dtsi
+@@ -38,6 +38,7 @@ cpu0: cpu@0 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu0_intc: interrupt-controller {
+@@ -73,6 +74,7 @@ cpu1: cpu@1 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu1_intc: interrupt-controller {
+@@ -108,6 +110,7 @@ cpu2: cpu@2 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu2_intc: interrupt-controller {
+@@ -143,6 +146,7 @@ cpu3: cpu@3 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu3_intc: interrupt-controller {
+@@ -178,6 +182,7 @@ cpu4: cpu@4 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu4_intc: interrupt-controller {
+@@ -213,6 +218,7 @@ cpu5: cpu@5 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu5_intc: interrupt-controller {
+@@ -248,6 +254,7 @@ cpu6: cpu@6 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu6_intc: interrupt-controller {
+@@ -283,6 +290,7 @@ cpu7: cpu@7 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu7_intc: interrupt-controller {
+@@ -318,6 +326,7 @@ cpu8: cpu@8 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu8_intc: interrupt-controller {
+@@ -353,6 +362,7 @@ cpu9: cpu@9 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu9_intc: interrupt-controller {
+@@ -388,6 +398,7 @@ cpu10: cpu@10 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu10_intc: interrupt-controller {
+@@ -423,6 +434,7 @@ cpu11: cpu@11 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu11_intc: interrupt-controller {
+@@ -458,6 +470,7 @@ cpu12: cpu@12 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu12_intc: interrupt-controller {
+@@ -493,6 +506,7 @@ cpu13: cpu@13 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu13_intc: interrupt-controller {
+@@ -528,6 +542,7 @@ cpu14: cpu@14 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu14_intc: interrupt-controller {
+@@ -563,6 +578,7 @@ cpu15: cpu@15 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu15_intc: interrupt-controller {
+@@ -598,6 +614,7 @@ cpu16: cpu@16 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu16_intc: interrupt-controller {
+@@ -633,6 +650,7 @@ cpu17: cpu@17 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu17_intc: interrupt-controller {
+@@ -668,6 +686,7 @@ cpu18: cpu@18 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu18_intc: interrupt-controller {
+@@ -703,6 +722,7 @@ cpu19: cpu@19 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu19_intc: interrupt-controller {
+@@ -738,6 +758,7 @@ cpu20: cpu@20 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu20_intc: interrupt-controller {
+@@ -773,6 +794,7 @@ cpu21: cpu@21 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu21_intc: interrupt-controller {
+@@ -808,6 +830,7 @@ cpu22: cpu@22 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu22_intc: interrupt-controller {
+@@ -843,6 +866,7 @@ cpu23: cpu@23 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu23_intc: interrupt-controller {
+@@ -878,6 +902,7 @@ cpu24: cpu@24 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu24_intc: interrupt-controller {
+@@ -913,6 +938,7 @@ cpu25: cpu@25 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu25_intc: interrupt-controller {
+@@ -948,6 +974,7 @@ cpu26: cpu@26 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu26_intc: interrupt-controller {
+@@ -983,6 +1010,7 @@ cpu27: cpu@27 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu27_intc: interrupt-controller {
+@@ -1018,6 +1046,7 @@ cpu28: cpu@28 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu28_intc: interrupt-controller {
+@@ -1053,6 +1082,7 @@ cpu29: cpu@29 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu29_intc: interrupt-controller {
+@@ -1088,6 +1118,7 @@ cpu30: cpu@30 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu30_intc: interrupt-controller {
+@@ -1123,6 +1154,7 @@ cpu31: cpu@31 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu31_intc: interrupt-controller {
+@@ -1158,6 +1190,7 @@ cpu32: cpu@32 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu32_intc: interrupt-controller {
+@@ -1193,6 +1226,7 @@ cpu33: cpu@33 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu33_intc: interrupt-controller {
+@@ -1228,6 +1262,7 @@ cpu34: cpu@34 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu34_intc: interrupt-controller {
+@@ -1263,6 +1298,7 @@ cpu35: cpu@35 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu35_intc: interrupt-controller {
+@@ -1298,6 +1334,7 @@ cpu36: cpu@36 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu36_intc: interrupt-controller {
+@@ -1333,6 +1370,7 @@ cpu37: cpu@37 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu37_intc: interrupt-controller {
+@@ -1368,6 +1406,7 @@ cpu38: cpu@38 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu38_intc: interrupt-controller {
+@@ -1403,6 +1442,7 @@ cpu39: cpu@39 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu39_intc: interrupt-controller {
+@@ -1438,6 +1478,7 @@ cpu40: cpu@40 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu40_intc: interrupt-controller {
+@@ -1473,6 +1514,7 @@ cpu41: cpu@41 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu41_intc: interrupt-controller {
+@@ -1508,6 +1550,7 @@ cpu42: cpu@42 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu42_intc: interrupt-controller {
+@@ -1543,6 +1586,7 @@ cpu43: cpu@43 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu43_intc: interrupt-controller {
+@@ -1578,6 +1622,7 @@ cpu44: cpu@44 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu44_intc: interrupt-controller {
+@@ -1613,6 +1658,7 @@ cpu45: cpu@45 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu45_intc: interrupt-controller {
+@@ -1648,6 +1694,7 @@ cpu46: cpu@46 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu46_intc: interrupt-controller {
+@@ -1683,6 +1730,7 @@ cpu47: cpu@47 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu47_intc: interrupt-controller {
+@@ -1718,6 +1766,7 @@ cpu48: cpu@48 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu48_intc: interrupt-controller {
+@@ -1753,6 +1802,7 @@ cpu49: cpu@49 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu49_intc: interrupt-controller {
+@@ -1788,6 +1838,7 @@ cpu50: cpu@50 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu50_intc: interrupt-controller {
+@@ -1823,6 +1874,7 @@ cpu51: cpu@51 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu51_intc: interrupt-controller {
+@@ -1858,6 +1910,7 @@ cpu52: cpu@52 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu52_intc: interrupt-controller {
+@@ -1893,6 +1946,7 @@ cpu53: cpu@53 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu53_intc: interrupt-controller {
+@@ -1928,6 +1982,7 @@ cpu54: cpu@54 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu54_intc: interrupt-controller {
+@@ -1963,6 +2018,7 @@ cpu55: cpu@55 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu55_intc: interrupt-controller {
+@@ -1998,6 +2054,7 @@ cpu56: cpu@56 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu56_intc: interrupt-controller {
+@@ -2033,6 +2090,7 @@ cpu57: cpu@57 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu57_intc: interrupt-controller {
+@@ -2068,6 +2126,7 @@ cpu58: cpu@58 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu58_intc: interrupt-controller {
+@@ -2103,6 +2162,7 @@ cpu59: cpu@59 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu59_intc: interrupt-controller {
+@@ -2138,6 +2198,7 @@ cpu60: cpu@60 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu60_intc: interrupt-controller {
+@@ -2173,6 +2234,7 @@ cpu61: cpu@61 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu61_intc: interrupt-controller {
+@@ -2208,6 +2270,7 @@ cpu62: cpu@62 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu62_intc: interrupt-controller {
+@@ -2243,6 +2306,7 @@ cpu63: cpu@63 {
+ "zvfbfmin", "zvfbfwma", "zvfh",
+ "zvfhmin";
+ riscv,cbom-block-size = <64>;
++ riscv,cbop-block-size = <64>;
+ riscv,cboz-block-size = <64>;
+
+ cpu63_intc: interrupt-controller {
+--
+2.39.5
+
--- /dev/null
+From 78de22e44335304eb6892c57ebe1a74d962c342e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:21 -0400
+Subject: rtc: ds1307: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit cf6eb547a24af7ad7bbd2abe9c5327f956bbeae8 ]
+
+When ds3231_clk_sqw_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: 6c6ff145b3346 ("rtc: ds1307: add clock provider support for DS3231")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-1-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index 5efbe69bf5ca..c8a666de9cbe 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -1466,7 +1466,7 @@ static long ds3231_clk_sqw_round_rate(struct clk_hw *hw, unsigned long rate,
+ return ds3231_clk_sqw_rates[i];
+ }
+
+- return 0;
++ return ds3231_clk_sqw_rates[ARRAY_SIZE(ds3231_clk_sqw_rates) - 1];
+ }
+
+ static int ds3231_clk_sqw_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From 2a1ccb62a688b4e0dde647f4ba19f808c788433e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:22 -0400
+Subject: rtc: hym8563: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit d0a518eb0a692a2ab8357e844970660c5ea37720 ]
+
+When hym8563_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: dcaf038493525 ("rtc: add hym8563 rtc-driver")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-2-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-hym8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-hym8563.c b/drivers/rtc/rtc-hym8563.c
+index 63f11ea3589d..759dc2ad6e3b 100644
+--- a/drivers/rtc/rtc-hym8563.c
++++ b/drivers/rtc/rtc-hym8563.c
+@@ -294,7 +294,7 @@ static long hym8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int hym8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From 35d8f623a3b7ca4da330794a5bae2acf0864c663 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:23 -0400
+Subject: rtc: nct3018y: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit 437c59e4b222cd697b4cf95995d933e7d583c5f1 ]
+
+When nct3018y_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: 5adbaed16cc63 ("rtc: Add NCT3018Y real time clock driver")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-3-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-nct3018y.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-nct3018y.c b/drivers/rtc/rtc-nct3018y.c
+index 76c5f464b2da..cea05fca0bcc 100644
+--- a/drivers/rtc/rtc-nct3018y.c
++++ b/drivers/rtc/rtc-nct3018y.c
+@@ -376,7 +376,7 @@ static long nct3018y_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int nct3018y_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From 799bd807915adbf3782d7d4cff2dbcb17312114d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:24 -0400
+Subject: rtc: pcf85063: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit 186ae1869880e58bb3f142d222abdb35ecb4df0f ]
+
+When pcf85063_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: 8c229ab6048b7 ("rtc: pcf85063: Add pcf85063 clkout control to common clock framework")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-4-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf85063.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
+index 4fa5c4ecdd5a..b26c9bfad5d9 100644
+--- a/drivers/rtc/rtc-pcf85063.c
++++ b/drivers/rtc/rtc-pcf85063.c
+@@ -410,7 +410,7 @@ static long pcf85063_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int pcf85063_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From 2076cfe7cbf5e816aadc3197f280d6c8c7ddb10d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:25 -0400
+Subject: rtc: pcf8563: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit 906726a5efeefe0ef0103ccff5312a09080c04ae ]
+
+When pcf8563_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: a39a6405d5f94 ("rtc: pcf8563: add CLKOUT to common clock framework")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-5-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-pcf8563.c b/drivers/rtc/rtc-pcf8563.c
+index b2611697fa5e..a2a2067b28a1 100644
+--- a/drivers/rtc/rtc-pcf8563.c
++++ b/drivers/rtc/rtc-pcf8563.c
+@@ -339,7 +339,7 @@ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int pcf8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From 46f9c162dfc9c92c8d95c143fe3ea788a8342887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:26 -0400
+Subject: rtc: rv3028: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit b574acb3cf7591d2513a9f29f8c2021ad55fb881 ]
+
+When rv3028_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: f583c341a515f ("rtc: rv3028: add clkout support")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-6-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-rv3028.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-rv3028.c b/drivers/rtc/rtc-rv3028.c
+index 868d1b1eb0f4..278841c2e47e 100644
+--- a/drivers/rtc/rtc-rv3028.c
++++ b/drivers/rtc/rtc-rv3028.c
+@@ -740,7 +740,7 @@ static long rv3028_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int rv3028_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From dec39a21f511feae923276bcda4163e8a4b403eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 15:24:46 +0200
+Subject: rust: devres: require T: Send for Devres
+
+From: Danilo Krummrich <dakr@kernel.org>
+
+[ Upstream commit 0dab138d0f4c0b3ce7f835d577e52a2b5ebdd536 ]
+
+Due to calling Revocable::revoke() from Devres::devres_callback() T may
+be dropped from Devres::devres_callback() and hence must be Send.
+
+Fix this by adding the corresponding bound to Devres and DevresInner.
+
+Reported-by: Boqun Feng <boqun.feng@gmail.com>
+Closes: https://lore.kernel.org/lkml/aFzI5L__OcB9hqdG@Mac.home/
+Fixes: 76c01ded724b ("rust: add devres abstraction")
+Reviewed-by: Boqun Feng <boqun.fenng@gmail.com>
+Reviewed-by: Benno Lossin <lossin@kernel.org>
+Link: https://lore.kernel.org/r/20250626132544.72866-1-dakr@kernel.org
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ rust/kernel/devres.rs | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
+index 57502534d985..8ede607414fd 100644
+--- a/rust/kernel/devres.rs
++++ b/rust/kernel/devres.rs
+@@ -18,7 +18,7 @@
+ };
+
+ #[pin_data]
+-struct DevresInner<T> {
++struct DevresInner<T: Send> {
+ dev: ARef<Device>,
+ callback: unsafe extern "C" fn(*mut c_void),
+ #[pin]
+@@ -95,9 +95,9 @@ struct DevresInner<T> {
+ /// # Ok(())
+ /// # }
+ /// ```
+-pub struct Devres<T>(Arc<DevresInner<T>>);
++pub struct Devres<T: Send>(Arc<DevresInner<T>>);
+
+-impl<T> DevresInner<T> {
++impl<T: Send> DevresInner<T> {
+ fn new(dev: &Device<Bound>, data: T, flags: Flags) -> Result<Arc<DevresInner<T>>> {
+ let inner = Arc::pin_init(
+ pin_init!( DevresInner {
+@@ -175,7 +175,7 @@ fn remove_action(this: &Arc<Self>) -> bool {
+ }
+ }
+
+-impl<T> Devres<T> {
++impl<T: Send> Devres<T> {
+ /// Creates a new [`Devres`] instance of the given `data`. The `data` encapsulated within the
+ /// returned `Devres` instance' `data` will be revoked once the device is detached.
+ pub fn new(dev: &Device<Bound>, data: T, flags: Flags) -> Result<Self> {
+@@ -247,7 +247,7 @@ pub fn try_access_with_guard<'a>(&'a self, guard: &'a rcu::Guard) -> Option<&'a
+ }
+ }
+
+-impl<T> Drop for Devres<T> {
++impl<T: Send> Drop for Devres<T> {
+ fn drop(&mut self) {
+ // SAFETY: When `drop` runs, it is guaranteed that nobody is accessing the revocable data
+ // anymore, hence it is safe not to wait for the grace period to finish.
+--
+2.39.5
+
--- /dev/null
+From 55c21eacacc664cf4cbe853bd551e23ffb59ad64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 16:15:20 +0530
+Subject: rust: miscdevice: clarify invariant for `MiscDeviceRegistration`
+
+From: Shankari Anand <shankari.ak0208@gmail.com>
+
+[ Upstream commit b9ff1c2a26fa31216be18e9b14c419ff8fe39e72 ]
+
+Reword and expand the invariant documentation for `MiscDeviceRegistration`
+to clarify what it means for the inner device to be "registered".
+It expands to explain:
+- `inner` points to a `miscdevice` registered via `misc_register`.
+- This registration stays valid for the entire lifetime of the object.
+- Deregistration is guaranteed on `Drop`, via `misc_deregister`.
+
+Reported-by: Benno Lossin <lossin@kernel.org>
+Closes: https://github.com/Rust-for-Linux/linux/issues/1168
+Fixes: f893691e7426 ("rust: miscdevice: add base miscdevice abstraction")
+Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
+Link: https://lore.kernel.org/r/20250626104520.563036-1-shankari.ak0208@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ rust/kernel/miscdevice.rs | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/rust/kernel/miscdevice.rs b/rust/kernel/miscdevice.rs
+index 939278bc7b03..4f7a8714ad36 100644
+--- a/rust/kernel/miscdevice.rs
++++ b/rust/kernel/miscdevice.rs
+@@ -45,7 +45,13 @@ pub const fn into_raw<T: MiscDevice>(self) -> bindings::miscdevice {
+ ///
+ /// # Invariants
+ ///
+-/// `inner` is a registered misc device.
++/// - `inner` contains a `struct miscdevice` that is registered using
++/// `misc_register()`.
++/// - This registration remains valid for the entire lifetime of the
++/// [`MiscDeviceRegistration`] instance.
++/// - Deregistration occurs exactly once in [`Drop`] via `misc_deregister()`.
++/// - `inner` wraps a valid, pinned `miscdevice` created using
++/// [`MiscDeviceOptions::into_raw`].
+ #[repr(transparent)]
+ #[pin_data(PinnedDrop)]
+ pub struct MiscDeviceRegistration<T> {
+--
+2.39.5
+
--- /dev/null
+From 40decb35e86a072f5ea667885ba100a468f5110c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jul 2025 15:50:16 +0200
+Subject: rv: Adjust monitor dependencies
+
+From: Gabriele Monaco <gmonaco@redhat.com>
+
+[ Upstream commit 79de661707a4a2dc695fd3e00529a14b4f5ec50d ]
+
+RV monitors relying on the preemptirqs tracepoints are set as dependent
+on PREEMPT_TRACER and IRQSOFF_TRACER. In fact, those configurations do
+enable the tracepoints but are not the minimal configurations enabling
+them, which are TRACE_PREEMPT_TOGGLE and TRACE_IRQFLAGS (not selectable
+manually).
+
+Set TRACE_PREEMPT_TOGGLE and TRACE_IRQFLAGS as dependencies for
+monitors.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tomas Glozar <tglozar@redhat.com>
+Cc: Juri Lelli <jlelli@redhat.com>
+Cc: Clark Williams <williams@redhat.com>
+Cc: John Kacur <jkacur@redhat.com>
+Link: https://lore.kernel.org/20250728135022.255578-5-gmonaco@redhat.com
+Fixes: fbe6c09b7eb4 ("rv: Add scpd, snep and sncid per-cpu monitors")
+Acked-by: Nam Cao <namcao@linutronix.de>
+Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/rv/monitors/scpd/Kconfig | 2 +-
+ kernel/trace/rv/monitors/sncid/Kconfig | 2 +-
+ kernel/trace/rv/monitors/snep/Kconfig | 2 +-
+ kernel/trace/rv/monitors/wip/Kconfig | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/rv/monitors/scpd/Kconfig b/kernel/trace/rv/monitors/scpd/Kconfig
+index b9114fbf680f..682d0416188b 100644
+--- a/kernel/trace/rv/monitors/scpd/Kconfig
++++ b/kernel/trace/rv/monitors/scpd/Kconfig
+@@ -2,7 +2,7 @@
+ #
+ config RV_MON_SCPD
+ depends on RV
+- depends on PREEMPT_TRACER
++ depends on TRACE_PREEMPT_TOGGLE
+ depends on RV_MON_SCHED
+ default y
+ select DA_MON_EVENTS_IMPLICIT
+diff --git a/kernel/trace/rv/monitors/sncid/Kconfig b/kernel/trace/rv/monitors/sncid/Kconfig
+index 76bcfef4fd10..3a5639feaaaf 100644
+--- a/kernel/trace/rv/monitors/sncid/Kconfig
++++ b/kernel/trace/rv/monitors/sncid/Kconfig
+@@ -2,7 +2,7 @@
+ #
+ config RV_MON_SNCID
+ depends on RV
+- depends on IRQSOFF_TRACER
++ depends on TRACE_IRQFLAGS
+ depends on RV_MON_SCHED
+ default y
+ select DA_MON_EVENTS_IMPLICIT
+diff --git a/kernel/trace/rv/monitors/snep/Kconfig b/kernel/trace/rv/monitors/snep/Kconfig
+index 77527f971232..7dd54f434ff7 100644
+--- a/kernel/trace/rv/monitors/snep/Kconfig
++++ b/kernel/trace/rv/monitors/snep/Kconfig
+@@ -2,7 +2,7 @@
+ #
+ config RV_MON_SNEP
+ depends on RV
+- depends on PREEMPT_TRACER
++ depends on TRACE_PREEMPT_TOGGLE
+ depends on RV_MON_SCHED
+ default y
+ select DA_MON_EVENTS_IMPLICIT
+diff --git a/kernel/trace/rv/monitors/wip/Kconfig b/kernel/trace/rv/monitors/wip/Kconfig
+index e464b9294865..87a26195792b 100644
+--- a/kernel/trace/rv/monitors/wip/Kconfig
++++ b/kernel/trace/rv/monitors/wip/Kconfig
+@@ -2,7 +2,7 @@
+ #
+ config RV_MON_WIP
+ depends on RV
+- depends on PREEMPT_TRACER
++ depends on TRACE_PREEMPT_TOGGLE
+ select DA_MON_EVENTS_IMPLICIT
+ bool "wip monitor"
+ help
+--
+2.39.5
+
--- /dev/null
+From 052f3430e82a64ad1f62bd8b1adb250ddc218a10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jul 2025 15:50:14 +0200
+Subject: rv: Remove trailing whitespace from tracepoint string
+
+From: Gabriele Monaco <gmonaco@redhat.com>
+
+[ Upstream commit 7b70ac4cad2b20eaf415276bbaa0d9df9abb428c ]
+
+RV event tracepoints print a line with the format:
+ "event_xyz: S0 x event -> S1 "
+ "event_xyz: S1 x event -> S0 (final)"
+
+While printing an event leading to a non-final state, the line
+has a trailing white space (visible above before the closing ").
+
+Adapt the format string not to print the trailing whitespace if we are
+not printing "(final)".
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tomas Glozar <tglozar@redhat.com>
+Cc: Juri Lelli <jlelli@redhat.com>
+Cc: Clark Williams <williams@redhat.com>
+Cc: John Kacur <jkacur@redhat.com>
+Link: https://lore.kernel.org/20250728135022.255578-3-gmonaco@redhat.com
+Reviewed-by: Nam Cao <namcao@linutronix.de>
+Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Stable-dep-of: 7f904ff6e58d ("rv: Use strings in da monitors tracepoints")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/rv/rv_trace.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/rv/rv_trace.h b/kernel/trace/rv/rv_trace.h
+index 422b75f58891..18fa0e358a30 100644
+--- a/kernel/trace/rv/rv_trace.h
++++ b/kernel/trace/rv/rv_trace.h
+@@ -29,11 +29,11 @@ DECLARE_EVENT_CLASS(event_da_monitor,
+ __entry->final_state = final_state;
+ ),
+
+- TP_printk("%s x %s -> %s %s",
++ TP_printk("%s x %s -> %s%s",
+ __entry->state,
+ __entry->event,
+ __entry->next_state,
+- __entry->final_state ? "(final)" : "")
++ __entry->final_state ? " (final)" : "")
+ );
+
+ DECLARE_EVENT_CLASS(error_da_monitor,
+@@ -90,12 +90,12 @@ DECLARE_EVENT_CLASS(event_da_monitor_id,
+ __entry->final_state = final_state;
+ ),
+
+- TP_printk("%d: %s x %s -> %s %s",
++ TP_printk("%d: %s x %s -> %s%s",
+ __entry->id,
+ __entry->state,
+ __entry->event,
+ __entry->next_state,
+- __entry->final_state ? "(final)" : "")
++ __entry->final_state ? " (final)" : "")
+ );
+
+ DECLARE_EVENT_CLASS(error_da_monitor_id,
+--
+2.39.5
+
--- /dev/null
+From 1e49f49a592321067ed36059458b8cdd94ae2351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jul 2025 15:50:15 +0200
+Subject: rv: Use strings in da monitors tracepoints
+
+From: Gabriele Monaco <gmonaco@redhat.com>
+
+[ Upstream commit 7f904ff6e58d398c4336f3c19c42b338324451f7 ]
+
+Using DA monitors tracepoints with KASAN enabled triggers the following
+warning:
+
+ BUG: KASAN: global-out-of-bounds in do_trace_event_raw_event_event_da_monitor+0xd6/0x1a0
+ Read of size 32 at addr ffffffffaada8980 by task ...
+ Call Trace:
+ <TASK>
+ [...]
+ do_trace_event_raw_event_event_da_monitor+0xd6/0x1a0
+ ? __pfx_do_trace_event_raw_event_event_da_monitor+0x10/0x10
+ ? trace_event_sncid+0x83/0x200
+ trace_event_sncid+0x163/0x200
+ [...]
+ The buggy address belongs to the variable:
+ automaton_snep+0x4e0/0x5e0
+
+This is caused by the tracepoints reading 32 bytes __array instead of
+__string from the automata definition. Such strings are literals and
+reading 32 bytes ends up in out of bound memory accesses (e.g. the next
+automaton's data in this case).
+The error is harmless as, while printing the string, we stop at the null
+terminator, but it should still be fixed.
+
+Use the __string facilities while defining the tracepoints to avoid
+reading out of bound memory.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tomas Glozar <tglozar@redhat.com>
+Cc: Juri Lelli <jlelli@redhat.com>
+Cc: Clark Williams <williams@redhat.com>
+Cc: John Kacur <jkacur@redhat.com>
+Link: https://lore.kernel.org/20250728135022.255578-4-gmonaco@redhat.com
+Fixes: 792575348ff7 ("rv/include: Add deterministic automata monitor definition via C macros")
+Reviewed-by: Nam Cao <namcao@linutronix.de>
+Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/rv/rv_trace.h | 76 +++++++++++++++++++-------------------
+ 1 file changed, 38 insertions(+), 38 deletions(-)
+
+diff --git a/kernel/trace/rv/rv_trace.h b/kernel/trace/rv/rv_trace.h
+index 18fa0e358a30..01fa84824bcb 100644
+--- a/kernel/trace/rv/rv_trace.h
++++ b/kernel/trace/rv/rv_trace.h
+@@ -16,23 +16,23 @@ DECLARE_EVENT_CLASS(event_da_monitor,
+ TP_ARGS(state, event, next_state, final_state),
+
+ TP_STRUCT__entry(
+- __array( char, state, MAX_DA_NAME_LEN )
+- __array( char, event, MAX_DA_NAME_LEN )
+- __array( char, next_state, MAX_DA_NAME_LEN )
+- __field( bool, final_state )
++ __string( state, state )
++ __string( event, event )
++ __string( next_state, next_state )
++ __field( bool, final_state )
+ ),
+
+ TP_fast_assign(
+- memcpy(__entry->state, state, MAX_DA_NAME_LEN);
+- memcpy(__entry->event, event, MAX_DA_NAME_LEN);
+- memcpy(__entry->next_state, next_state, MAX_DA_NAME_LEN);
+- __entry->final_state = final_state;
++ __assign_str(state);
++ __assign_str(event);
++ __assign_str(next_state);
++ __entry->final_state = final_state;
+ ),
+
+ TP_printk("%s x %s -> %s%s",
+- __entry->state,
+- __entry->event,
+- __entry->next_state,
++ __get_str(state),
++ __get_str(event),
++ __get_str(next_state),
+ __entry->final_state ? " (final)" : "")
+ );
+
+@@ -43,18 +43,18 @@ DECLARE_EVENT_CLASS(error_da_monitor,
+ TP_ARGS(state, event),
+
+ TP_STRUCT__entry(
+- __array( char, state, MAX_DA_NAME_LEN )
+- __array( char, event, MAX_DA_NAME_LEN )
++ __string( state, state )
++ __string( event, event )
+ ),
+
+ TP_fast_assign(
+- memcpy(__entry->state, state, MAX_DA_NAME_LEN);
+- memcpy(__entry->event, event, MAX_DA_NAME_LEN);
++ __assign_str(state);
++ __assign_str(event);
+ ),
+
+ TP_printk("event %s not expected in the state %s",
+- __entry->event,
+- __entry->state)
++ __get_str(event),
++ __get_str(state))
+ );
+
+ #include <monitors/wip/wip_trace.h>
+@@ -75,26 +75,26 @@ DECLARE_EVENT_CLASS(event_da_monitor_id,
+ TP_ARGS(id, state, event, next_state, final_state),
+
+ TP_STRUCT__entry(
+- __field( int, id )
+- __array( char, state, MAX_DA_NAME_LEN )
+- __array( char, event, MAX_DA_NAME_LEN )
+- __array( char, next_state, MAX_DA_NAME_LEN )
+- __field( bool, final_state )
++ __field( int, id )
++ __string( state, state )
++ __string( event, event )
++ __string( next_state, next_state )
++ __field( bool, final_state )
+ ),
+
+ TP_fast_assign(
+- memcpy(__entry->state, state, MAX_DA_NAME_LEN);
+- memcpy(__entry->event, event, MAX_DA_NAME_LEN);
+- memcpy(__entry->next_state, next_state, MAX_DA_NAME_LEN);
+- __entry->id = id;
+- __entry->final_state = final_state;
++ __assign_str(state);
++ __assign_str(event);
++ __assign_str(next_state);
++ __entry->id = id;
++ __entry->final_state = final_state;
+ ),
+
+ TP_printk("%d: %s x %s -> %s%s",
+ __entry->id,
+- __entry->state,
+- __entry->event,
+- __entry->next_state,
++ __get_str(state),
++ __get_str(event),
++ __get_str(next_state),
+ __entry->final_state ? " (final)" : "")
+ );
+
+@@ -105,21 +105,21 @@ DECLARE_EVENT_CLASS(error_da_monitor_id,
+ TP_ARGS(id, state, event),
+
+ TP_STRUCT__entry(
+- __field( int, id )
+- __array( char, state, MAX_DA_NAME_LEN )
+- __array( char, event, MAX_DA_NAME_LEN )
++ __field( int, id )
++ __string( state, state )
++ __string( event, event )
+ ),
+
+ TP_fast_assign(
+- memcpy(__entry->state, state, MAX_DA_NAME_LEN);
+- memcpy(__entry->event, event, MAX_DA_NAME_LEN);
+- __entry->id = id;
++ __assign_str(state);
++ __assign_str(event);
++ __entry->id = id;
+ ),
+
+ TP_printk("%d: event %s not expected in the state %s",
+ __entry->id,
+- __entry->event,
+- __entry->state)
++ __get_str(event),
++ __get_str(state))
+ );
+
+ #include <monitors/wwnr/wwnr_trace.h>
+--
+2.39.5
+
--- /dev/null
+From b7b93b4d4deb1cad73747fa7d5e7ca58603a392c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 19:29:55 +0530
+Subject: samples: mei: Fix building on musl libc
+
+From: Brahmajit Das <listout@listout.xyz>
+
+[ Upstream commit 239df3e4b4752524e7c0fb3417c218d8063654b4 ]
+
+The header bits/wordsize.h is glibc specific and on building on musl
+with allyesconfig results in
+
+samples/mei/mei-amt-version.c:77:10: fatal error: bits/wordsize.h: No such file or directory
+ 77 | #include <bits/wordsize.h>
+ | ^~~~~~~~~~~~~~~~~
+
+mei-amt-version.c build file without bits/wordsize.h on musl and glibc.
+
+However on musl we get the follwing error without sys/time.h
+
+samples/mei/mei-amt-version.c: In function 'mei_recv_msg':
+samples/mei/mei-amt-version.c:159:24: error: storage size of 'tv' isn't known
+ 159 | struct timeval tv;
+ | ^~
+samples/mei/mei-amt-version.c:160:9: error: unknown type name 'fd_set'
+ 160 | fd_set set;
+ | ^~~~~~
+samples/mei/mei-amt-version.c:168:9: error: implicit declaration of function 'FD_ZERO' [-Wimplicit-function-declaration]
+ 168 | FD_ZERO(&set);
+ | ^~~~~~~
+samples/mei/mei-amt-version.c:169:9: error: implicit declaration of function 'FD_SET'; did you mean 'L_SET'? [-Wimplicit-function-declaration]
+ 169 | FD_SET(me->fd, &set);
+ | ^~~~~~
+ | L_SET
+samples/mei/mei-amt-version.c:170:14: error: implicit declaration of function 'select' [-Wimplicit-function-declaration]
+ 170 | rc = select(me->fd + 1, &set, NULL, NULL, &tv);
+ | ^~~~~~
+samples/mei/mei-amt-version.c:171:23: error: implicit declaration of function 'FD_ISSET' [-Wimplicit-function-declaration]
+ 171 | if (rc > 0 && FD_ISSET(me->fd, &set)) {
+ | ^~~~~~~~
+samples/mei/mei-amt-version.c:159:24: warning: unused variable 'tv' [-Wunused-variable]
+ 159 | struct timeval tv;
+ | ^~
+
+Hence the the file has been included.
+
+Fixes: c52827cc4ddf ("staging/mei: add mei user space example")
+Signed-off-by: Brahmajit Das <listout@listout.xyz>
+Link: https://lore.kernel.org/r/20250702135955.24955-1-listout@listout.xyz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/mei/mei-amt-version.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/mei/mei-amt-version.c b/samples/mei/mei-amt-version.c
+index 867debd3b912..1d7254bcb44c 100644
+--- a/samples/mei/mei-amt-version.c
++++ b/samples/mei/mei-amt-version.c
+@@ -69,11 +69,11 @@
+ #include <string.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
++#include <sys/time.h>
+ #include <unistd.h>
+ #include <errno.h>
+ #include <stdint.h>
+ #include <stdbool.h>
+-#include <bits/wordsize.h>
+ #include <linux/mei.h>
+
+ /*****************************************************************************
+--
+2.39.5
+
--- /dev/null
+From 81e144a4c91d4c2a831dbcc600708da892e86d0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:51:14 +0200
+Subject: sched/deadline: Initialize dl_servers after SMP
+
+From: Juri Lelli <juri.lelli@redhat.com>
+
+[ Upstream commit 9f239df55546ee1d28f0976130136ffd1cad0fd7 ]
+
+dl-servers are currently initialized too early at boot when CPUs are not
+fully up (only boot CPU is). This results in miscalculation of per
+runqueue DEADLINE variables like extra_bw (which needs a stable CPU
+count).
+
+Move initialization of dl-servers later on after SMP has been
+initialized and CPUs are all online, so that CPU count is stable and
+DEADLINE variables can be computed correctly.
+
+Fixes: d741f297bceaf ("sched/fair: Fair server interface")
+Reported-by: Marcel Ziswiler <marcel.ziswiler@codethink.co.uk>
+Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Waiman Long <longman@redhat.com>
+Tested-by: Marcel Ziswiler <marcel.ziswiler@codethink.co.uk> # nuc & rock5b
+Link: https://lore.kernel.org/r/20250627115118.438797-2-juri.lelli@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 ++
+ kernel/sched/deadline.c | 48 +++++++++++++++++++++++++----------------
+ kernel/sched/sched.h | 1 +
+ 3 files changed, 33 insertions(+), 18 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 81c6df746df1..deb6a8cce1ab 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8470,6 +8470,8 @@ void __init sched_init_smp(void)
+ init_sched_rt_class();
+ init_sched_dl_class();
+
++ sched_init_dl_servers();
++
+ sched_smp_initialized = true;
+ }
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 094134c9b135..ef5b5c045769 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -824,6 +824,8 @@ static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se)
+ struct dl_rq *dl_rq = dl_rq_of_se(dl_se);
+ struct rq *rq = rq_of_dl_rq(dl_rq);
+
++ update_rq_clock(rq);
++
+ WARN_ON(is_dl_boosted(dl_se));
+ WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline));
+
+@@ -1652,23 +1654,7 @@ void dl_server_start(struct sched_dl_entity *dl_se)
+ {
+ struct rq *rq = dl_se->rq;
+
+- /*
+- * XXX: the apply do not work fine at the init phase for the
+- * fair server because things are not yet set. We need to improve
+- * this before getting generic.
+- */
+- if (!dl_server(dl_se)) {
+- u64 runtime = 50 * NSEC_PER_MSEC;
+- u64 period = 1000 * NSEC_PER_MSEC;
+-
+- dl_server_apply_params(dl_se, runtime, period, 1);
+-
+- dl_se->dl_server = 1;
+- dl_se->dl_defer = 1;
+- setup_new_dl_entity(dl_se);
+- }
+-
+- if (!dl_se->dl_runtime || dl_se->dl_server_active)
++ if (!dl_server(dl_se) || dl_se->dl_server_active)
+ return;
+
+ dl_se->dl_server_active = 1;
+@@ -1679,7 +1665,7 @@ void dl_server_start(struct sched_dl_entity *dl_se)
+
+ void dl_server_stop(struct sched_dl_entity *dl_se)
+ {
+- if (!dl_se->dl_runtime)
++ if (!dl_server(dl_se) || !dl_server_active(dl_se))
+ return;
+
+ dequeue_dl_entity(dl_se, DEQUEUE_SLEEP);
+@@ -1712,6 +1698,32 @@ void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq,
+ dl_se->server_pick_task = pick_task;
+ }
+
++void sched_init_dl_servers(void)
++{
++ int cpu;
++ struct rq *rq;
++ struct sched_dl_entity *dl_se;
++
++ for_each_online_cpu(cpu) {
++ u64 runtime = 50 * NSEC_PER_MSEC;
++ u64 period = 1000 * NSEC_PER_MSEC;
++
++ rq = cpu_rq(cpu);
++
++ guard(rq_lock_irq)(rq);
++
++ dl_se = &rq->fair_server;
++
++ WARN_ON(dl_server(dl_se));
++
++ dl_server_apply_params(dl_se, runtime, period, 1);
++
++ dl_se->dl_server = 1;
++ dl_se->dl_defer = 1;
++ setup_new_dl_entity(dl_se);
++ }
++}
++
+ void __dl_server_attach_root(struct sched_dl_entity *dl_se, struct rq *rq)
+ {
+ u64 new_bw = dl_se->dl_bw;
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index 83e3aa917142..e8e6011fe0d8 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -384,6 +384,7 @@ extern void dl_server_stop(struct sched_dl_entity *dl_se);
+ extern void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq,
+ dl_server_has_tasks_f has_tasks,
+ dl_server_pick_f pick_task);
++extern void sched_init_dl_servers(void);
+
+ extern void dl_server_update_idle_time(struct rq *rq,
+ struct task_struct *p);
+--
+2.39.5
+
--- /dev/null
+From d92f16b1d33db49aad293ba7bb82c53571cc1a2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 11:19:30 +0200
+Subject: sched/deadline: Less agressive dl_server handling
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit cccb45d7c4295bbfeba616582d0249f2d21e6df5 ]
+
+Chris reported that commit 5f6bd380c7bd ("sched/rt: Remove default
+bandwidth control") caused a significant dip in his favourite
+benchmark of the day. Simply disabling dl_server cured things.
+
+His workload hammers the 0->1, 1->0 transitions, and the
+dl_server_{start,stop}() overhead kills it -- fairly obviously a bad
+idea in hind sight and all that.
+
+Change things around to only disable the dl_server when there has not
+been a fair task around for a whole period. Since the default period
+is 1 second, this ensures the benchmark never trips this, overhead
+gone.
+
+Fixes: 557a6bfc662c ("sched/fair: Add trivial fair server")
+Reported-by: Chris Mason <clm@meta.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Link: https://lkml.kernel.org/r/20250702121158.465086194@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched.h | 1 +
+ kernel/sched/deadline.c | 25 ++++++++++++++++++++++---
+ kernel/sched/fair.c | 9 ---------
+ 3 files changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index aa9c5be7a632..ae75562cca59 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -701,6 +701,7 @@ struct sched_dl_entity {
+ unsigned int dl_defer : 1;
+ unsigned int dl_defer_armed : 1;
+ unsigned int dl_defer_running : 1;
++ unsigned int dl_server_idle : 1;
+
+ /*
+ * Bandwidth enforcement timer. Each -deadline task has its
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 89019a140826..094134c9b135 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1215,6 +1215,8 @@ static void __push_dl_task(struct rq *rq, struct rq_flags *rf)
+ /* a defer timer will not be reset if the runtime consumed was < dl_server_min_res */
+ static const u64 dl_server_min_res = 1 * NSEC_PER_MSEC;
+
++static bool dl_server_stopped(struct sched_dl_entity *dl_se);
++
+ static enum hrtimer_restart dl_server_timer(struct hrtimer *timer, struct sched_dl_entity *dl_se)
+ {
+ struct rq *rq = rq_of_dl_se(dl_se);
+@@ -1234,6 +1236,7 @@ static enum hrtimer_restart dl_server_timer(struct hrtimer *timer, struct sched_
+
+ if (!dl_se->server_has_tasks(dl_se)) {
+ replenish_dl_entity(dl_se);
++ dl_server_stopped(dl_se);
+ return HRTIMER_NORESTART;
+ }
+
+@@ -1639,8 +1642,10 @@ void dl_server_update_idle_time(struct rq *rq, struct task_struct *p)
+ void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec)
+ {
+ /* 0 runtime = fair server disabled */
+- if (dl_se->dl_runtime)
++ if (dl_se->dl_runtime) {
++ dl_se->dl_server_idle = 0;
+ update_curr_dl_se(dl_se->rq, dl_se, delta_exec);
++ }
+ }
+
+ void dl_server_start(struct sched_dl_entity *dl_se)
+@@ -1663,7 +1668,7 @@ void dl_server_start(struct sched_dl_entity *dl_se)
+ setup_new_dl_entity(dl_se);
+ }
+
+- if (!dl_se->dl_runtime)
++ if (!dl_se->dl_runtime || dl_se->dl_server_active)
+ return;
+
+ dl_se->dl_server_active = 1;
+@@ -1684,6 +1689,20 @@ void dl_server_stop(struct sched_dl_entity *dl_se)
+ dl_se->dl_server_active = 0;
+ }
+
++static bool dl_server_stopped(struct sched_dl_entity *dl_se)
++{
++ if (!dl_se->dl_server_active)
++ return false;
++
++ if (dl_se->dl_server_idle) {
++ dl_server_stop(dl_se);
++ return true;
++ }
++
++ dl_se->dl_server_idle = 1;
++ return false;
++}
++
+ void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq,
+ dl_server_has_tasks_f has_tasks,
+ dl_server_pick_f pick_task)
+@@ -2435,7 +2454,7 @@ static struct task_struct *__pick_task_dl(struct rq *rq)
+ if (dl_server(dl_se)) {
+ p = dl_se->server_pick_task(dl_se);
+ if (!p) {
+- if (dl_server_active(dl_se)) {
++ if (!dl_server_stopped(dl_se)) {
+ dl_se->dl_yielded = 1;
+ update_curr_dl_se(rq, dl_se, 0);
+ }
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 7a14da5396fb..3ab8d4765edd 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -5889,7 +5889,6 @@ static bool throttle_cfs_rq(struct cfs_rq *cfs_rq)
+ struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(cfs_rq->tg);
+ struct sched_entity *se;
+ long queued_delta, runnable_delta, idle_delta, dequeue = 1;
+- long rq_h_nr_queued = rq->cfs.h_nr_queued;
+
+ raw_spin_lock(&cfs_b->lock);
+ /* This will start the period timer if necessary */
+@@ -5973,10 +5972,6 @@ static bool throttle_cfs_rq(struct cfs_rq *cfs_rq)
+
+ /* At this point se is NULL and we are at root level*/
+ sub_nr_running(rq, queued_delta);
+-
+- /* Stop the fair server if throttling resulted in no runnable tasks */
+- if (rq_h_nr_queued && !rq->cfs.h_nr_queued)
+- dl_server_stop(&rq->fair_server);
+ done:
+ /*
+ * Note: distribution will already see us throttled via the
+@@ -7070,7 +7065,6 @@ static void set_next_buddy(struct sched_entity *se);
+ static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags)
+ {
+ bool was_sched_idle = sched_idle_rq(rq);
+- int rq_h_nr_queued = rq->cfs.h_nr_queued;
+ bool task_sleep = flags & DEQUEUE_SLEEP;
+ bool task_delayed = flags & DEQUEUE_DELAYED;
+ struct task_struct *p = NULL;
+@@ -7154,9 +7148,6 @@ static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags)
+
+ sub_nr_running(rq, h_nr_queued);
+
+- if (rq_h_nr_queued && !rq->cfs.h_nr_queued)
+- dl_server_stop(&rq->fair_server);
+-
+ /* balance early to pull high priority tasks */
+ if (unlikely(!was_sched_idle && sched_idle_rq(rq)))
+ rq->next_balance = jiffies;
+--
+2.39.5
+
--- /dev/null
+From 8eb579ee78c917ba2c1058a5eb408a5b9370a0ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:51:15 +0200
+Subject: sched/deadline: Reset extra_bw to max_bw when clearing root domains
+
+From: Juri Lelli <juri.lelli@redhat.com>
+
+[ Upstream commit fcc9276c4d331cd1fe9319d793e80b02e09727f5 ]
+
+dl_clear_root_domain() doesn't take into account the fact that per-rq
+extra_bw variables retain values computed before root domain changes,
+resulting in broken accounting.
+
+Fix it by resetting extra_bw to max_bw before restoring back dl-servers
+contributions.
+
+Fixes: 2ff899e351643 ("sched/deadline: Rebuild root domain accounting after every update")
+Reported-by: Marcel Ziswiler <marcel.ziswiler@codethink.co.uk>
+Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Marcel Ziswiler <marcel.ziswiler@codethink.co.uk> # nuc & rock5b
+Link: https://lore.kernel.org/r/20250627115118.438797-3-juri.lelli@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index ef5b5c045769..135580a41e14 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -3007,7 +3007,14 @@ void dl_clear_root_domain(struct root_domain *rd)
+ int i;
+
+ guard(raw_spinlock_irqsave)(&rd->dl_bw.lock);
++
++ /*
++ * Reset total_bw to zero and extra_bw to max_bw so that next
++ * loop will add dl-servers contributions back properly,
++ */
+ rd->dl_bw.total_bw = 0;
++ for_each_cpu(i, rd->span)
++ cpu_rq(i)->dl.extra_bw = cpu_rq(i)->dl.max_bw;
+
+ /*
+ * dl_servers are not tasks. Since dl_add_task_root_domain ignores
+--
+2.39.5
+
--- /dev/null
+From 7bed29f5ad955444283dca82476dd92c59923f73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 11:03:59 -0300
+Subject: sched: Do not call __put_task_struct() on rt if pi_blocked_on is set
+
+From: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
+
+[ Upstream commit 8671bad873ebeb082afcf7b4501395c374da6023 ]
+
+With PREEMPT_RT enabled, some of the calls to put_task_struct() coming
+from rt_mutex_adjust_prio_chain() could happen in preemptible context and
+with a mutex enqueued. That could lead to this sequence:
+
+ rt_mutex_adjust_prio_chain()
+ put_task_struct()
+ __put_task_struct()
+ sched_ext_free()
+ spin_lock_irqsave()
+ rtlock_lock() ---> TRIGGERS
+ lockdep_assert(!current->pi_blocked_on);
+
+This is not a SCHED_EXT bug. The first cleanup function called by
+__put_task_struct() is sched_ext_free() and it happens to take a
+(RT) spin_lock, which in the scenario described above, would trigger
+the lockdep assertion of "!current->pi_blocked_on".
+
+Crystal Wood was able to identify the problem as __put_task_struct()
+being called during rt_mutex_adjust_prio_chain(), in the context of
+a process with a mutex enqueued.
+
+Instead of adding more complex conditions to decide when to directly
+call __put_task_struct() and when to defer the call, unconditionally
+resort to the deferred call on PREEMPT_RT to simplify the code.
+
+Fixes: 893cdaaa3977 ("sched: avoid false lockdep splat in put_task_struct()")
+Suggested-by: Crystal Wood <crwood@redhat.com>
+Signed-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Wander Lairson Costa <wander@redhat.com>
+Reviewed-by: Valentin Schneider <vschneid@redhat.com>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/aGvTz5VaPFyj0pBV@uudg.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/task.h | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+diff --git a/include/linux/sched/task.h b/include/linux/sched/task.h
+index ca1db4b92c32..58ce71715268 100644
+--- a/include/linux/sched/task.h
++++ b/include/linux/sched/task.h
+@@ -135,24 +135,17 @@ static inline void put_task_struct(struct task_struct *t)
+ return;
+
+ /*
+- * In !RT, it is always safe to call __put_task_struct().
+- * Under RT, we can only call it in preemptible context.
+- */
+- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible()) {
+- static DEFINE_WAIT_OVERRIDE_MAP(put_task_map, LD_WAIT_SLEEP);
+-
+- lock_map_acquire_try(&put_task_map);
+- __put_task_struct(t);
+- lock_map_release(&put_task_map);
+- return;
+- }
+-
+- /*
+- * under PREEMPT_RT, we can't call put_task_struct
++ * Under PREEMPT_RT, we can't call __put_task_struct
+ * in atomic context because it will indirectly
+- * acquire sleeping locks.
++ * acquire sleeping locks. The same is true if the
++ * current process has a mutex enqueued (blocked on
++ * a PI chain).
++ *
++ * In !RT, it is always safe to call __put_task_struct().
++ * Though, in order to simplify the code, resort to the
++ * deferred call too.
+ *
+- * call_rcu() will schedule delayed_put_task_struct_rcu()
++ * call_rcu() will schedule __put_task_struct_rcu_cb()
+ * to be called in process context.
+ *
+ * __put_task_struct() is called when
+@@ -165,7 +158,7 @@ static inline void put_task_struct(struct task_struct *t)
+ *
+ * delayed_free_task() also uses ->rcu, but it is only called
+ * when it fails to fork a process. Therefore, there is no
+- * way it can conflict with put_task_struct().
++ * way it can conflict with __put_task_struct().
+ */
+ call_rcu(&t->rcu, __put_task_struct_rcu_cb);
+ }
+--
+2.39.5
+
--- /dev/null
+From 243c304e1a5257e07a24e8152469f0f5f6a63540 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 15:11:14 -0400
+Subject: sched/psi: Fix psi_seq initialization
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 99b773d720aeea1ef2170dce5fcfa80649e26b78 ]
+
+With the seqcount moved out of the group into a global psi_seq,
+re-initializing the seqcount on group creation is causing seqcount
+corruption.
+
+Fixes: 570c8efd5eb7 ("sched/psi: Optimize psi_group_change() cpu_clock() usage")
+Reported-by: Chris Mason <clm@meta.com>
+Suggested-by: Beata Michalska <beata.michalska@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/psi.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
+index 5f7c023c4cca..3f9f0a39e858 100644
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -172,7 +172,7 @@ struct psi_group psi_system = {
+ .pcpu = &system_group_pcpu,
+ };
+
+-static DEFINE_PER_CPU(seqcount_t, psi_seq);
++static DEFINE_PER_CPU(seqcount_t, psi_seq) = SEQCNT_ZERO(psi_seq);
+
+ static inline void psi_write_begin(int cpu)
+ {
+@@ -200,11 +200,7 @@ static void poll_timer_fn(struct timer_list *t);
+
+ static void group_init(struct psi_group *group)
+ {
+- int cpu;
+-
+ group->enabled = true;
+- for_each_possible_cpu(cpu)
+- seqcount_init(per_cpu_ptr(&psi_seq, cpu));
+ group->avg_last_update = sched_clock();
+ group->avg_next_update = group->avg_last_update + psi_period;
+ mutex_init(&group->avgs_lock);
+--
+2.39.5
+
--- /dev/null
+From 44b165ba3e594307850a61ea28883c463d3316b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 17:28:00 +0200
+Subject: sched/psi: Optimize psi_group_change() cpu_clock() usage
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 570c8efd5eb79c3725ba439ce105ed1bedc5acd9 ]
+
+Dietmar reported that commit 3840cbe24cf0 ("sched: psi: fix bogus
+pressure spikes from aggregation race") caused a regression for him on
+a high context switch rate benchmark (schbench) due to the now
+repeating cpu_clock() calls.
+
+In particular the problem is that get_recent_times() will extrapolate
+the current state to 'now'. But if an update uses a timestamp from
+before the start of the update, it is possible to get two reads
+with inconsistent results. It is effectively back-dating an update.
+
+(note that this all hard-relies on the clock being synchronized across
+CPUs -- if this is not the case, all bets are off).
+
+Combine this problem with the fact that there are per-group-per-cpu
+seqcounts, the commit in question pushed the clock read into the group
+iteration, causing tree-depth cpu_clock() calls. On architectures
+where cpu_clock() has appreciable overhead, this hurts.
+
+Instead move to a per-cpu seqcount, which allows us to have a single
+clock read for all group updates, increasing internal consistency and
+lowering update overhead. This comes at the cost of a longer update
+side (proportional to the tree depth) which can cause the read side to
+retry more often.
+
+Fixes: 3840cbe24cf0 ("sched: psi: fix bogus pressure spikes from aggregation race")
+Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>,
+Link: https://lkml.kernel.org/20250522084844.GC31726@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/psi_types.h | 6 +-
+ kernel/sched/psi.c | 121 +++++++++++++++++++++-----------------
+ 2 files changed, 68 insertions(+), 59 deletions(-)
+
+diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h
+index f1fd3a8044e0..dd10c22299ab 100644
+--- a/include/linux/psi_types.h
++++ b/include/linux/psi_types.h
+@@ -84,11 +84,9 @@ enum psi_aggregators {
+ struct psi_group_cpu {
+ /* 1st cacheline updated by the scheduler */
+
+- /* Aggregator needs to know of concurrent changes */
+- seqcount_t seq ____cacheline_aligned_in_smp;
+-
+ /* States of the tasks belonging to this group */
+- unsigned int tasks[NR_PSI_TASK_COUNTS];
++ unsigned int tasks[NR_PSI_TASK_COUNTS]
++ ____cacheline_aligned_in_smp;
+
+ /* Aggregate pressure state derived from the tasks */
+ u32 state_mask;
+diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
+index ad04a5c3162a..5f7c023c4cca 100644
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -172,6 +172,28 @@ struct psi_group psi_system = {
+ .pcpu = &system_group_pcpu,
+ };
+
++static DEFINE_PER_CPU(seqcount_t, psi_seq);
++
++static inline void psi_write_begin(int cpu)
++{
++ write_seqcount_begin(per_cpu_ptr(&psi_seq, cpu));
++}
++
++static inline void psi_write_end(int cpu)
++{
++ write_seqcount_end(per_cpu_ptr(&psi_seq, cpu));
++}
++
++static inline u32 psi_read_begin(int cpu)
++{
++ return read_seqcount_begin(per_cpu_ptr(&psi_seq, cpu));
++}
++
++static inline bool psi_read_retry(int cpu, u32 seq)
++{
++ return read_seqcount_retry(per_cpu_ptr(&psi_seq, cpu), seq);
++}
++
+ static void psi_avgs_work(struct work_struct *work);
+
+ static void poll_timer_fn(struct timer_list *t);
+@@ -182,7 +204,7 @@ static void group_init(struct psi_group *group)
+
+ group->enabled = true;
+ for_each_possible_cpu(cpu)
+- seqcount_init(&per_cpu_ptr(group->pcpu, cpu)->seq);
++ seqcount_init(per_cpu_ptr(&psi_seq, cpu));
+ group->avg_last_update = sched_clock();
+ group->avg_next_update = group->avg_last_update + psi_period;
+ mutex_init(&group->avgs_lock);
+@@ -262,14 +284,14 @@ static void get_recent_times(struct psi_group *group, int cpu,
+
+ /* Snapshot a coherent view of the CPU state */
+ do {
+- seq = read_seqcount_begin(&groupc->seq);
++ seq = psi_read_begin(cpu);
+ now = cpu_clock(cpu);
+ memcpy(times, groupc->times, sizeof(groupc->times));
+ state_mask = groupc->state_mask;
+ state_start = groupc->state_start;
+ if (cpu == current_cpu)
+ memcpy(tasks, groupc->tasks, sizeof(groupc->tasks));
+- } while (read_seqcount_retry(&groupc->seq, seq));
++ } while (psi_read_retry(cpu, seq));
+
+ /* Calculate state time deltas against the previous snapshot */
+ for (s = 0; s < NR_PSI_STATES; s++) {
+@@ -768,30 +790,20 @@ static void record_times(struct psi_group_cpu *groupc, u64 now)
+ groupc->times[PSI_NONIDLE] += delta;
+ }
+
++#define for_each_group(iter, group) \
++ for (typeof(group) iter = group; iter; iter = iter->parent)
++
+ static void psi_group_change(struct psi_group *group, int cpu,
+ unsigned int clear, unsigned int set,
+- bool wake_clock)
++ u64 now, bool wake_clock)
+ {
+ struct psi_group_cpu *groupc;
+ unsigned int t, m;
+ u32 state_mask;
+- u64 now;
+
+ lockdep_assert_rq_held(cpu_rq(cpu));
+ groupc = per_cpu_ptr(group->pcpu, cpu);
+
+- /*
+- * First we update the task counts according to the state
+- * change requested through the @clear and @set bits.
+- *
+- * Then if the cgroup PSI stats accounting enabled, we
+- * assess the aggregate resource states this CPU's tasks
+- * have been in since the last change, and account any
+- * SOME and FULL time these may have resulted in.
+- */
+- write_seqcount_begin(&groupc->seq);
+- now = cpu_clock(cpu);
+-
+ /*
+ * Start with TSK_ONCPU, which doesn't have a corresponding
+ * task count - it's just a boolean flag directly encoded in
+@@ -843,7 +855,6 @@ static void psi_group_change(struct psi_group *group, int cpu,
+
+ groupc->state_mask = state_mask;
+
+- write_seqcount_end(&groupc->seq);
+ return;
+ }
+
+@@ -864,8 +875,6 @@ static void psi_group_change(struct psi_group *group, int cpu,
+
+ groupc->state_mask = state_mask;
+
+- write_seqcount_end(&groupc->seq);
+-
+ if (state_mask & group->rtpoll_states)
+ psi_schedule_rtpoll_work(group, 1, false);
+
+@@ -900,24 +909,29 @@ static void psi_flags_change(struct task_struct *task, int clear, int set)
+ void psi_task_change(struct task_struct *task, int clear, int set)
+ {
+ int cpu = task_cpu(task);
+- struct psi_group *group;
++ u64 now;
+
+ if (!task->pid)
+ return;
+
+ psi_flags_change(task, clear, set);
+
+- group = task_psi_group(task);
+- do {
+- psi_group_change(group, cpu, clear, set, true);
+- } while ((group = group->parent));
++ psi_write_begin(cpu);
++ now = cpu_clock(cpu);
++ for_each_group(group, task_psi_group(task))
++ psi_group_change(group, cpu, clear, set, now, true);
++ psi_write_end(cpu);
+ }
+
+ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
+ bool sleep)
+ {
+- struct psi_group *group, *common = NULL;
++ struct psi_group *common = NULL;
+ int cpu = task_cpu(prev);
++ u64 now;
++
++ psi_write_begin(cpu);
++ now = cpu_clock(cpu);
+
+ if (next->pid) {
+ psi_flags_change(next, 0, TSK_ONCPU);
+@@ -926,16 +940,15 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
+ * ancestors with @prev, those will already have @prev's
+ * TSK_ONCPU bit set, and we can stop the iteration there.
+ */
+- group = task_psi_group(next);
+- do {
+- if (per_cpu_ptr(group->pcpu, cpu)->state_mask &
+- PSI_ONCPU) {
++ for_each_group(group, task_psi_group(next)) {
++ struct psi_group_cpu *groupc = per_cpu_ptr(group->pcpu, cpu);
++
++ if (groupc->state_mask & PSI_ONCPU) {
+ common = group;
+ break;
+ }
+-
+- psi_group_change(group, cpu, 0, TSK_ONCPU, true);
+- } while ((group = group->parent));
++ psi_group_change(group, cpu, 0, TSK_ONCPU, now, true);
++ }
+ }
+
+ if (prev->pid) {
+@@ -968,12 +981,11 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
+
+ psi_flags_change(prev, clear, set);
+
+- group = task_psi_group(prev);
+- do {
++ for_each_group(group, task_psi_group(prev)) {
+ if (group == common)
+ break;
+- psi_group_change(group, cpu, clear, set, wake_clock);
+- } while ((group = group->parent));
++ psi_group_change(group, cpu, clear, set, now, wake_clock);
++ }
+
+ /*
+ * TSK_ONCPU is handled up to the common ancestor. If there are
+@@ -983,20 +995,21 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
+ */
+ if ((prev->psi_flags ^ next->psi_flags) & ~TSK_ONCPU) {
+ clear &= ~TSK_ONCPU;
+- for (; group; group = group->parent)
+- psi_group_change(group, cpu, clear, set, wake_clock);
++ for_each_group(group, common)
++ psi_group_change(group, cpu, clear, set, now, wake_clock);
+ }
+ }
++ psi_write_end(cpu);
+ }
+
+ #ifdef CONFIG_IRQ_TIME_ACCOUNTING
+ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_struct *prev)
+ {
+ int cpu = task_cpu(curr);
+- struct psi_group *group;
+ struct psi_group_cpu *groupc;
+ s64 delta;
+ u64 irq;
++ u64 now;
+
+ if (static_branch_likely(&psi_disabled) || !irqtime_enabled())
+ return;
+@@ -1005,8 +1018,7 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st
+ return;
+
+ lockdep_assert_rq_held(rq);
+- group = task_psi_group(curr);
+- if (prev && task_psi_group(prev) == group)
++ if (prev && task_psi_group(prev) == task_psi_group(curr))
+ return;
+
+ irq = irq_time_read(cpu);
+@@ -1015,25 +1027,22 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st
+ return;
+ rq->psi_irq_time = irq;
+
+- do {
+- u64 now;
++ psi_write_begin(cpu);
++ now = cpu_clock(cpu);
+
++ for_each_group(group, task_psi_group(curr)) {
+ if (!group->enabled)
+ continue;
+
+ groupc = per_cpu_ptr(group->pcpu, cpu);
+
+- write_seqcount_begin(&groupc->seq);
+- now = cpu_clock(cpu);
+-
+ record_times(groupc, now);
+ groupc->times[PSI_IRQ_FULL] += delta;
+
+- write_seqcount_end(&groupc->seq);
+-
+ if (group->rtpoll_states & (1 << PSI_IRQ_FULL))
+ psi_schedule_rtpoll_work(group, 1, false);
+- } while ((group = group->parent));
++ }
++ psi_write_end(cpu);
+ }
+ #endif
+
+@@ -1221,12 +1230,14 @@ void psi_cgroup_restart(struct psi_group *group)
+ return;
+
+ for_each_possible_cpu(cpu) {
+- struct rq *rq = cpu_rq(cpu);
+- struct rq_flags rf;
++ u64 now;
+
+- rq_lock_irq(rq, &rf);
+- psi_group_change(group, cpu, 0, 0, true);
+- rq_unlock_irq(rq, &rf);
++ guard(rq_lock_irq)(cpu_rq(cpu));
++
++ psi_write_begin(cpu);
++ now = cpu_clock(cpu);
++ psi_group_change(group, cpu, 0, 0, now, true);
++ psi_write_end(cpu);
+ }
+ }
+ #endif /* CONFIG_CGROUPS */
+--
+2.39.5
+
--- /dev/null
+From d0874e174e74cdeb818b3c046200c668471d0dbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jul 2025 00:29:54 -0700
+Subject: sched/task_stack: Add missing const qualifier to end_of_stack()
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 32e42ab9fc88a884435c27527a433f61c4d2b61b ]
+
+Add missing const qualifier to the non-CONFIG_THREAD_INFO_IN_TASK
+version of end_of_stack() to match the CONFIG_THREAD_INFO_IN_TASK
+version. Fixes a warning with CONFIG_KSTACK_ERASE=y on archs that don't
+select THREAD_INFO_IN_TASK (such as LoongArch):
+
+ error: passing 'const struct task_struct *' to parameter of type 'struct task_struct *' discards qualifiers
+
+The stackleak_task_low_bound() function correctly uses a const task
+parameter, but the legacy end_of_stack() prototype didn't like that.
+
+Build tested on loongarch (with CONFIG_KSTACK_ERASE=y) and m68k
+(with CONFIG_DEBUG_STACK_USAGE=y).
+
+Fixes: a45728fd4120 ("LoongArch: Enable HAVE_ARCH_STACKLEAK")
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Closes: https://lore.kernel.org/all/20250726004313.GA3650901@ax162
+Cc: Youling Tang <tangyouling@kylinos.cn>
+Cc: Huacai Chen <chenhuacai@loongson.cn>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/task_stack.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h
+index 85c5a6392e02..1fab7e9043a3 100644
+--- a/include/linux/sched/task_stack.h
++++ b/include/linux/sched/task_stack.h
+@@ -53,7 +53,7 @@ static inline void setup_thread_stack(struct task_struct *p, struct task_struct
+ * When the stack grows up, this is the highest address.
+ * Beyond that position, we corrupt data on the next page.
+ */
+-static inline unsigned long *end_of_stack(struct task_struct *p)
++static inline unsigned long *end_of_stack(const struct task_struct *p)
+ {
+ #ifdef CONFIG_STACK_GROWSUP
+ return (unsigned long *)((unsigned long)task_thread_info(p) + THREAD_SIZE) - 1;
+--
+2.39.5
+
--- /dev/null
+From f19640e1ae7fa5aaa8b0d0bc64aef601e278df0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 15:46:02 +0200
+Subject: scripts: gdb: move MNT_* constants to gdb-parsed
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 41a7f737685eed2700654720d3faaffdf0132135 ]
+
+Since these are now no longer defines, but in an enum.
+
+Link: https://lkml.kernel.org/r/20250618134629.25700-2-johannes@sipsolutions.net
+Fixes: 101f2bbab541 ("fs: convert mount flags to enum")
+Reviewed-by: Benjamin Berg <benjamin.berg@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Jan Kiszka <jan.kiszka@siemens.com>
+Cc: Kieran Bingham <kbingham@kernel.org>
+Cc: Stephen Brennan <stephen.s.brennan@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gdb/linux/constants.py.in | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/scripts/gdb/linux/constants.py.in b/scripts/gdb/linux/constants.py.in
+index f795302ddfa8..c3886739a028 100644
+--- a/scripts/gdb/linux/constants.py.in
++++ b/scripts/gdb/linux/constants.py.in
+@@ -74,12 +74,12 @@ if IS_BUILTIN(CONFIG_MODULES):
+ LX_GDBPARSED(MOD_RO_AFTER_INIT)
+
+ /* linux/mount.h */
+-LX_VALUE(MNT_NOSUID)
+-LX_VALUE(MNT_NODEV)
+-LX_VALUE(MNT_NOEXEC)
+-LX_VALUE(MNT_NOATIME)
+-LX_VALUE(MNT_NODIRATIME)
+-LX_VALUE(MNT_RELATIME)
++LX_GDBPARSED(MNT_NOSUID)
++LX_GDBPARSED(MNT_NODEV)
++LX_GDBPARSED(MNT_NOEXEC)
++LX_GDBPARSED(MNT_NOATIME)
++LX_GDBPARSED(MNT_NODIRATIME)
++LX_GDBPARSED(MNT_RELATIME)
+
+ /* linux/threads.h */
+ LX_VALUE(NR_CPUS)
+--
+2.39.5
+
--- /dev/null
+From 027d6fd56a926cd11e81173fbfa8e95c6d9037bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 10:58:23 +0700
+Subject: scsi: core: Fix kernel doc for scsi_track_queue_full()
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit 6070bd558aee1eb5114e1676165bf0ccaa08240a ]
+
+Sphinx reports indentation warning on scsi_track_queue_full() return
+values:
+
+Documentation/driver-api/scsi:101: ./drivers/scsi/scsi.c:247: ERROR: Unexpected indentation. [docutils]
+
+Fix the warning by making the return values listing a bullet list.
+
+Fixes: eb44820c28bc ("[SCSI] Add Documentation and integrate into docbook build")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Link: https://lore.kernel.org/r/20250702035822.18072-2-bagasdotme@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
+index 518a252eb6aa..c2527dd289d9 100644
+--- a/drivers/scsi/scsi.c
++++ b/drivers/scsi/scsi.c
+@@ -242,9 +242,11 @@ EXPORT_SYMBOL(scsi_change_queue_depth);
+ * specific SCSI device to determine if and when there is a
+ * need to adjust the queue depth on the device.
+ *
+- * Returns: 0 - No change needed, >0 - Adjust queue depth to this new depth,
+- * -1 - Drop back to untagged operation using host->cmd_per_lun
+- * as the untagged command depth
++ * Returns:
++ * * 0 - No change needed
++ * * >0 - Adjust queue depth to this new depth,
++ * * -1 - Drop back to untagged operation using host->cmd_per_lun as the
++ * untagged command depth
+ *
+ * Lock Status: None held on entry
+ *
+--
+2.39.5
+
--- /dev/null
+From 23e3dfe3b8e27f640c1e150849f73bd50e285ce8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:41:13 +0200
+Subject: scsi: elx: efct: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 3a988d0b65d7d1713ce7596eae288a293f3b938e ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 692e5d73a811 ("scsi: elx: efct: LIO backend interface routines")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250627114117.188480-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/elx/efct/efct_lio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/elx/efct/efct_lio.c b/drivers/scsi/elx/efct/efct_lio.c
+index 9ac69356b13e..bd3d489e56ae 100644
+--- a/drivers/scsi/elx/efct/efct_lio.c
++++ b/drivers/scsi/elx/efct/efct_lio.c
+@@ -382,7 +382,7 @@ efct_lio_sg_unmap(struct efct_io *io)
+ return;
+
+ dma_unmap_sg(&io->efct->pci->dev, cmd->t_data_sg,
+- ocp->seg_map_cnt, cmd->data_direction);
++ cmd->t_data_nents, cmd->data_direction);
+ ocp->seg_map_cnt = 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 9155dd472768e049e6305e64a8e9b821fc6883ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 13:18:02 +0200
+Subject: scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 023a293b9cd0bb86a9b50cd7688a3d9d266826db ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 88a678bbc34c ("ibmvscsis: Initial commit of IBM VSCSI Tgt Driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250630111803.94389-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ibmvscsi_tgt/libsrp.c b/drivers/scsi/ibmvscsi_tgt/libsrp.c
+index 8a0e28aec928..0ecad398ed3d 100644
+--- a/drivers/scsi/ibmvscsi_tgt/libsrp.c
++++ b/drivers/scsi/ibmvscsi_tgt/libsrp.c
+@@ -184,7 +184,8 @@ static int srp_direct_data(struct ibmvscsis_cmd *cmd, struct srp_direct_buf *md,
+ err = rdma_io(cmd, sg, nsg, md, 1, dir, len);
+
+ if (dma_map)
+- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
++ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents,
++ DMA_BIDIRECTIONAL);
+
+ return err;
+ }
+@@ -256,7 +257,8 @@ static int srp_indirect_data(struct ibmvscsis_cmd *cmd, struct srp_cmd *srp_cmd,
+ err = rdma_io(cmd, sg, nsg, md, nmd, dir, len);
+
+ if (dma_map)
+- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
++ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents,
++ DMA_BIDIRECTIONAL);
+
+ free_mem:
+ if (token && dma_map) {
+--
+2.39.5
+
--- /dev/null
+From 9efd19f0ecad0ceb83b12ee3115943f2d626de78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 16:24:47 +0200
+Subject: scsi: isci: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 063bec4444d54e5f35d11949c5c90eaa1ff84c11 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: ddcc7e347a89 ("isci: fix dma_unmap_sg usage")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250627142451.241713-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/isci/request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
+index 355a0bc0828e..bb89a2e33eb4 100644
+--- a/drivers/scsi/isci/request.c
++++ b/drivers/scsi/isci/request.c
+@@ -2904,7 +2904,7 @@ static void isci_request_io_request_complete(struct isci_host *ihost,
+ task->total_xfer_len, task->data_dir);
+ else /* unmap the sgl dma addresses */
+ dma_unmap_sg(&ihost->pdev->dev, task->scatter,
+- request->num_sg_entries, task->data_dir);
++ task->num_scatter, task->data_dir);
+ break;
+ case SAS_PROTOCOL_SMP: {
+ struct scatterlist *sg = &task->smp_task.smp_req;
+--
+2.39.5
+
--- /dev/null
+From 64d3a68435aafba29597fce566c599b457edef62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 17:30:18 +0200
+Subject: scsi: mpt3sas: Fix a fw_event memory leak
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+[ Upstream commit 3e90b38781e3bdd651edaf789585687611638862 ]
+
+In _mpt3sas_fw_work() the fw_event reference is removed, it should also
+be freed in all cases.
+
+Fixes: 4318c7347847 ("scsi: mpt3sas: Handle NVMe PCIe device related events generated from firmware.")
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Link: https://lore.kernel.org/r/20250723153018.50518-1-thenzl@redhat.com
+Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index 508861e88d9f..0f900ddb3047 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -10790,8 +10790,7 @@ _mpt3sas_fw_work(struct MPT3SAS_ADAPTER *ioc, struct fw_event_work *fw_event)
+ break;
+ case MPI2_EVENT_PCIE_TOPOLOGY_CHANGE_LIST:
+ _scsih_pcie_topology_change_event(ioc, fw_event);
+- ioc->current_event = NULL;
+- return;
++ break;
+ }
+ out:
+ fw_event_work_put(fw_event);
+--
+2.39.5
+
--- /dev/null
+From 29fd7b055166340548680b45512c4a814020225c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 15:48:18 +0200
+Subject: scsi: mvsas: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 0141618727bc929fe868153d21797f10ce5bef3f ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: b5762948263d ("[SCSI] mvsas: Add Marvell 6440 SAS/SATA driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250627134822.234813-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mvsas/mv_sas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
+index 6c46654b9cd9..15b3d9d55a4b 100644
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -818,7 +818,7 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf
+ dev_printk(KERN_ERR, mvi->dev, "mvsas prep failed[%d]!\n", rc);
+ if (!sas_protocol_ata(task->task_proto))
+ if (n_elem)
+- dma_unmap_sg(mvi->dev, task->scatter, n_elem,
++ dma_unmap_sg(mvi->dev, task->scatter, task->num_scatter,
+ task->data_dir);
+ prep_out:
+ return rc;
+@@ -864,7 +864,7 @@ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
+ if (!sas_protocol_ata(task->task_proto))
+ if (slot->n_elem)
+ dma_unmap_sg(mvi->dev, task->scatter,
+- slot->n_elem, task->data_dir);
++ task->num_scatter, task->data_dir);
+
+ switch (task->task_proto) {
+ case SAS_PROTOCOL_SMP:
+--
+2.39.5
+
--- /dev/null
+From e43a5b6dc3fe680662f994dad7c4689921478f7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 15:39:26 +0800
+Subject: scsi: Revert "scsi: iscsi: Fix HW conn removal use after free"
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 7bdc68921481c19cd8c85ddf805a834211c19e61 ]
+
+This reverts commit c577ab7ba5f3bf9062db8a58b6e89d4fe370447e.
+
+The invocation of iscsi_put_conn() in iscsi_iter_destory_conn_fn() is
+used to free the initial reference counter of iscsi_cls_conn. For
+non-qla4xxx cases, the ->destroy_conn() callback (e.g.,
+iscsi_conn_teardown) will call iscsi_remove_conn() and iscsi_put_conn()
+to remove the connection from the children list of session and free the
+connection at last. However for qla4xxx, it is not the case. The
+->destroy_conn() callback of qla4xxx will keep the connection in the
+session conn_list and doesn't use iscsi_put_conn() to free the initial
+reference counter. Therefore, it seems necessary to keep the
+iscsi_put_conn() in the iscsi_iter_destroy_conn_fn(), otherwise, there
+will be memory leak problem.
+
+Link: https://lore.kernel.org/all/88334658-072b-4b90-a949-9c74ef93cfd1@huawei.com/
+Fixes: c577ab7ba5f3 ("scsi: iscsi: Fix HW conn removal use after free")
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Link: https://lore.kernel.org/r/20250715073926.3529456-1-lilingfeng3@huawei.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index c75a806496d6..743b4c792ceb 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2143,6 +2143,8 @@ static int iscsi_iter_destroy_conn_fn(struct device *dev, void *data)
+ return 0;
+
+ iscsi_remove_conn(iscsi_dev_to_conn(dev));
++ iscsi_put_conn(iscsi_dev_to_conn(dev));
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b3d58dca61b966f095e5feb6f36daa8ac84c87a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 21:45:20 +0000
+Subject: scsi: sd: Make sd shutdown issue START STOP UNIT appropriately
+
+From: Salomon Dushimirimana <salomondush@google.com>
+
+[ Upstream commit 8e48727c26c4d839ff9b4b73d1cae486bea7fe19 ]
+
+Commit aa3998dbeb3a ("ata: libata-scsi: Disable scsi device
+manage_system_start_stop") enabled libata EH to manage device power mode
+trasitions for system suspend/resume and removed the flag from
+ata_scsi_dev_config. However, since the sd_shutdown() function still
+relies on the manage_system_start_stop flag, a spin-down command is not
+issued to the disk with command "echo 1 > /sys/block/sdb/device/delete"
+
+sd_shutdown() can be called for both system/runtime start stop
+operations, so utilize the manage_run_time_start_stop flag set in the
+ata_scsi_dev_config and issue a spin-down command during disk removal
+when the system is running. This is in addition to when the system is
+powering off and manage_shutdown flag is set. The
+manage_system_start_stop flag will still be used for drivers that still
+set the flag.
+
+Fixes: aa3998dbeb3a ("ata: libata-scsi: Disable scsi device manage_system_start_stop")
+Signed-off-by: Salomon Dushimirimana <salomondush@google.com>
+Link: https://lore.kernel.org/r/20250724214520.112927-1-salomondush@google.com
+Tested-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index eeaa6af294b8..282000c761f8 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -4173,7 +4173,9 @@ static void sd_shutdown(struct device *dev)
+ if ((system_state != SYSTEM_RESTART &&
+ sdkp->device->manage_system_start_stop) ||
+ (system_state == SYSTEM_POWER_OFF &&
+- sdkp->device->manage_shutdown)) {
++ sdkp->device->manage_shutdown) ||
++ (system_state == SYSTEM_RUNNING &&
++ sdkp->device->manage_runtime_start_stop)) {
+ sd_printk(KERN_NOTICE, sdkp, "Stopping disk\n");
+ sd_start_stop_device(sdkp, 0);
+ }
+--
+2.39.5
+
--- /dev/null
+From 86762b747cb5f898f404fff07cd392ad720207d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 17:12:13 +0900
+Subject: scsi: ufs: core: Use link recovery when h8 exit fails during runtime
+ resume
+
+From: Seunghui Lee <sh043.lee@samsung.com>
+
+[ Upstream commit 35dabf4503b94a697bababe94678a8bc989c3223 ]
+
+If the h8 exit fails during runtime resume process, the runtime thread
+enters runtime suspend immediately and the error handler operates at the
+same time. It becomes stuck and cannot be recovered through the error
+handler. To fix this, use link recovery instead of the error handler.
+
+Fixes: 4db7a2360597 ("scsi: ufs: Fix concurrency of error handler and other error recovery paths")
+Signed-off-by: Seunghui Lee <sh043.lee@samsung.com>
+Link: https://lore.kernel.org/r/20250717081213.6811-1-sh043.lee@samsung.com
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Acked-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 50adfb8b335b..f07878c50f14 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4340,7 +4340,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
+ hba->uic_async_done = NULL;
+ if (reenable_intr)
+ ufshcd_enable_intr(hba, UIC_COMMAND_COMPL);
+- if (ret) {
++ if (ret && !hba->pm_op_in_progress) {
+ ufshcd_set_link_broken(hba);
+ ufshcd_schedule_eh_work(hba);
+ }
+@@ -4348,6 +4348,14 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
+ spin_unlock_irqrestore(hba->host->host_lock, flags);
+ mutex_unlock(&hba->uic_cmd_mutex);
+
++ /*
++ * If the h8 exit fails during the runtime resume process, it becomes
++ * stuck and cannot be recovered through the error handler. To fix
++ * this, use link recovery instead of the error handler.
++ */
++ if (ret && hba->pm_op_in_progress)
++ ret = ufshcd_link_recovery(hba);
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 49da7e5b2cf629485bb0f6bb0d6bb5a4babd56b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Jul 2025 18:02:22 +0800
+Subject: selftests: ALSA: fix memory leak in utimer test
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 6260da046819b7bda828bacae148fc8856fdebd7 ]
+
+Free the malloc'd buffer in TEST_F(timer_f, utimer) to prevent
+memory leak.
+
+Fixes: 1026392d10af ("selftests: ALSA: Cover userspace-driven timers with test")
+Reported-by: Jun Zhan <zhanjun@uniontech.com>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Link: https://patch.msgid.link/DE4D931FCF54F3DB+20250731100222.65748-1-wangyuli@uniontech.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/alsa/utimer-test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/alsa/utimer-test.c b/tools/testing/selftests/alsa/utimer-test.c
+index 32ee3ce57721..37964f311a33 100644
+--- a/tools/testing/selftests/alsa/utimer-test.c
++++ b/tools/testing/selftests/alsa/utimer-test.c
+@@ -135,6 +135,7 @@ TEST_F(timer_f, utimer) {
+ pthread_join(ticking_thread, NULL);
+ ASSERT_EQ(total_ticks, TICKS_COUNT);
+ pclose(rfp);
++ free(buf);
+ }
+
+ TEST(wrong_timers_test) {
+--
+2.39.5
+
--- /dev/null
+From 633b2cd828270faa7e438932e1126f9fac53f6bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 17:54:33 +0000
+Subject: selftests/bpf: fix implementation of smp_mb()
+
+From: Puranjay Mohan <puranjay@kernel.org>
+
+[ Upstream commit 0769857a07b4451a1dc1c3ad1f1c86a6f4ce136a ]
+
+As BPF doesn't include any barrier instructions, smp_mb() is implemented
+by doing a dummy value returning atomic operation. Such an operation
+acts a full barrier as enforced by LKMM and also by the work in progress
+BPF memory model.
+
+If the returned value is not used, clang[1] can optimize the value
+returning atomic instruction in to a normal atomic instruction which
+provides no ordering guarantees.
+
+Mark the variable as volatile so the above optimization is never
+performed and smp_mb() works as expected.
+
+[1] https://godbolt.org/z/qzze7bG6z
+
+Fixes: 88d706ba7cc5 ("selftests/bpf: Introduce arena spin lock")
+Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
+Link: https://lore.kernel.org/r/20250710175434.18829-2-puranjay@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/bpf_atomic.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/bpf_atomic.h b/tools/testing/selftests/bpf/bpf_atomic.h
+index a9674e544322..c550e5711967 100644
+--- a/tools/testing/selftests/bpf/bpf_atomic.h
++++ b/tools/testing/selftests/bpf/bpf_atomic.h
+@@ -61,7 +61,7 @@ extern bool CONFIG_X86_64 __kconfig __weak;
+
+ #define smp_mb() \
+ ({ \
+- unsigned long __val; \
++ volatile unsigned long __val; \
+ __sync_fetch_and_add(&__val, 0); \
+ })
+
+--
+2.39.5
+
--- /dev/null
+From 210e946726d437276c06c41f3434a9cda4485de1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 16:42:08 +0800
+Subject: selftests/bpf: fix signedness bug in redir_partial()
+
+From: Fushuai Wang <wangfushuai@baidu.com>
+
+[ Upstream commit 6a4bd31f680a1d1cf06492fe6dc4f08da09769e6 ]
+
+When xsend() returns -1 (error), the check 'n < sizeof(buf)' incorrectly
+treats it as success due to unsigned promotion. Explicitly check for -1
+first.
+
+Fixes: a4b7193d8efd ("selftests/bpf: Add sockmap test for redirecting partial skb data")
+Signed-off-by: Fushuai Wang <wangfushuai@baidu.com>
+Link: https://lore.kernel.org/r/20250612084208.27722-1-wangfushuai@baidu.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/sockmap_listen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c b/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c
+index 1d98eee7a2c3..f1bdccc7e4e7 100644
+--- a/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c
++++ b/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c
+@@ -924,6 +924,8 @@ static void redir_partial(int family, int sotype, int sock_map, int parser_map)
+ goto close;
+
+ n = xsend(c1, buf, sizeof(buf), 0);
++ if (n == -1)
++ goto close;
+ if (n < sizeof(buf))
+ FAIL("incomplete write");
+
+--
+2.39.5
+
--- /dev/null
+From 9116165c847d9d936b099984015807776f1c7d60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 13:15:36 +0100
+Subject: selftests/bpf: Fix unintentional switch case fall through
+
+From: Mykyta Yatsenko <yatsenko@meta.com>
+
+[ Upstream commit 66ab68c9de89672366fdc474f4f185bb58cecf2d ]
+
+Break from switch expression after parsing -n CLI argument in veristat,
+instead of falling through and enabling comparison mode.
+
+Fixes: a5c57f81eb2b ("veristat: add ability to set BPF_F_TEST_SANITY_STRICT flag with -r flag")
+Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/bpf/20250617121536.1320074-1-mykyta.yatsenko5@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/veristat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/veristat.c b/tools/testing/selftests/bpf/veristat.c
+index b2bb20b00952..adf948fff211 100644
+--- a/tools/testing/selftests/bpf/veristat.c
++++ b/tools/testing/selftests/bpf/veristat.c
+@@ -344,6 +344,7 @@ static error_t parse_arg(int key, char *arg, struct argp_state *state)
+ fprintf(stderr, "invalid top N specifier: %s\n", arg);
+ argp_usage(state);
+ }
++ break;
+ case 'C':
+ env.comparison_mode = true;
+ break;
+--
+2.39.5
+
--- /dev/null
+From bcb5200e8b1106cfae665c2b7433e2b5d86ebf8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 12:16:26 -0700
+Subject: selftests: breakpoints: use suspend_stats to reliably check suspend
+ success
+
+From: Moon Hee Lee <moonhee.lee.ca@gmail.com>
+
+[ Upstream commit 07b7c2b4eca3f83ce9cd5ee3fa1c7c001d721c69 ]
+
+The step_after_suspend_test verifies that the system successfully
+suspended and resumed by setting a timerfd and checking whether the
+timer fully expired. However, this method is unreliable due to timing
+races.
+
+In practice, the system may take time to enter suspend, during which the
+timer may expire just before or during the transition. As a result,
+the remaining time after resume may show non-zero nanoseconds, even if
+suspend/resume completed successfully. This leads to false test failures.
+
+Replace the timer-based check with a read from
+/sys/power/suspend_stats/success. This counter is incremented only
+after a full suspend/resume cycle, providing a reliable and race-free
+indicator.
+
+Also remove the unused file descriptor for /sys/power/state, which
+remained after switching to a system() call to trigger suspend [1].
+
+[1] https://lore.kernel.org/all/20240930224025.2858767-1-yifei.l.liu@oracle.com/
+
+Link: https://lore.kernel.org/r/20250626191626.36794-1-moonhee.lee.ca@gmail.com
+Fixes: c66be905cda2 ("selftests: breakpoints: use remaining time to check if suspend succeed")
+Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../breakpoints/step_after_suspend_test.c | 41 ++++++++++++++-----
+ 1 file changed, 31 insertions(+), 10 deletions(-)
+
+diff --git a/tools/testing/selftests/breakpoints/step_after_suspend_test.c b/tools/testing/selftests/breakpoints/step_after_suspend_test.c
+index 8d275f03e977..8d233ac95696 100644
+--- a/tools/testing/selftests/breakpoints/step_after_suspend_test.c
++++ b/tools/testing/selftests/breakpoints/step_after_suspend_test.c
+@@ -127,22 +127,42 @@ int run_test(int cpu)
+ return KSFT_PASS;
+ }
+
++/*
++ * Reads the suspend success count from sysfs.
++ * Returns the count on success or exits on failure.
++ */
++static int get_suspend_success_count_or_fail(void)
++{
++ FILE *fp;
++ int val;
++
++ fp = fopen("/sys/power/suspend_stats/success", "r");
++ if (!fp)
++ ksft_exit_fail_msg(
++ "Failed to open suspend_stats/success: %s\n",
++ strerror(errno));
++
++ if (fscanf(fp, "%d", &val) != 1) {
++ fclose(fp);
++ ksft_exit_fail_msg(
++ "Failed to read suspend success count\n");
++ }
++
++ fclose(fp);
++ return val;
++}
++
+ void suspend(void)
+ {
+- int power_state_fd;
+ int timerfd;
+ int err;
++ int count_before;
++ int count_after;
+ struct itimerspec spec = {};
+
+ if (getuid() != 0)
+ ksft_exit_skip("Please run the test as root - Exiting.\n");
+
+- power_state_fd = open("/sys/power/state", O_RDWR);
+- if (power_state_fd < 0)
+- ksft_exit_fail_msg(
+- "open(\"/sys/power/state\") failed %s)\n",
+- strerror(errno));
+-
+ timerfd = timerfd_create(CLOCK_BOOTTIME_ALARM, 0);
+ if (timerfd < 0)
+ ksft_exit_fail_msg("timerfd_create() failed\n");
+@@ -152,14 +172,15 @@ void suspend(void)
+ if (err < 0)
+ ksft_exit_fail_msg("timerfd_settime() failed\n");
+
++ count_before = get_suspend_success_count_or_fail();
++
+ system("(echo mem > /sys/power/state) 2> /dev/null");
+
+- timerfd_gettime(timerfd, &spec);
+- if (spec.it_value.tv_sec != 0 || spec.it_value.tv_nsec != 0)
++ count_after = get_suspend_success_count_or_fail();
++ if (count_after <= count_before)
+ ksft_exit_fail_msg("Failed to enter Suspend state\n");
+
+ close(timerfd);
+- close(power_state_fd);
+ }
+
+ int main(int argc, char **argv)
+--
+2.39.5
+
--- /dev/null
+From 3bb2e4fa34440fd49a684c91a27c847616c184a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 20:08:41 +0900
+Subject: selftests/cgroup: fix cpu.max tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shashank Balaji <shashank.mahadasyam@sony.com>
+
+[ Upstream commit 954bacce36d976fe472090b55987df66da00c49b ]
+
+Current cpu.max tests (both the normal one and the nested one) are broken.
+
+They setup cpu.max with 1000 us quota and the default period (100,000 us).
+A cpu hog is run for a duration of 1s as per wall clock time. This corresponds
+to 10 periods, hence an expected usage of 10,000 us. We want the measured
+usage (as per cpu.stat) to be close to 10,000 us.
+
+Previously, this approximate equality test was done by
+`!values_close(usage_usec, expected_usage_usec, 95)`: if the absolute
+difference between usage_usec and expected_usage_usec is greater than 95% of
+their sum, then we pass. And expected_usage_usec was set to 1,000,000 us.
+Mathematically, this translates to the following being true for pass:
+
+ |usage - expected_usage| > (usage + expected_usage)*0.95
+
+ If usage > expected_usage:
+ usage - expected_usage > (usage + expected_usage)*0.95
+ 0.05*usage > 1.95*expected_usage
+ usage > 39*expected_usage = 39s
+
+ If usage < expected_usage:
+ expected_usage - usage > (usage + expected_usage)*0.95
+ 0.05*expected_usage > 1.95*usage
+ usage < 0.0256*expected_usage = 25,600 us
+
+Combined,
+
+ Pass if usage < 25,600 us or > 39 s,
+
+which makes no sense given that all we need is for usage_usec to be close to
+10,000 us.
+
+Fix this by explicitly calcuating the expected usage duration based on the
+configured quota, default period, and the duration, and compare usage_usec
+and expected_usage_usec using values_close() with a 10% error margin.
+
+Also, use snprintf to get the quota string to write to cpu.max instead of
+hardcoding the quota, ensuring a single source of truth.
+
+Remove the check comparing user_usec and expected_usage_usec, since on running
+this test modified with printfs, it's seen that user_usec and usage_usec can
+regularly exceed the theoretical expected_usage_usec:
+
+ $ sudo ./test_cpu
+ user: 10485, usage: 10485, expected: 10000
+ ok 1 test_cpucg_max
+ user: 11127, usage: 11127, expected: 10000
+ ok 2 test_cpucg_max_nested
+ $ sudo ./test_cpu
+ user: 10286, usage: 10286, expected: 10000
+ ok 1 test_cpucg_max
+ user: 10404, usage: 11271, expected: 10000
+ ok 2 test_cpucg_max_nested
+
+Hence, a values_close() check of usage_usec and expected_usage_usec is
+sufficient.
+
+Fixes: a79906570f9646ae17 ("cgroup: Add test_cpucg_max_nested() testcase")
+Fixes: 889ab8113ef1386c57 ("cgroup: Add test_cpucg_max() testcase")
+Acked-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Shashank Balaji <shashank.mahadasyam@sony.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/cgroup/test_cpu.c | 63 ++++++++++++++++-------
+ 1 file changed, 43 insertions(+), 20 deletions(-)
+
+diff --git a/tools/testing/selftests/cgroup/test_cpu.c b/tools/testing/selftests/cgroup/test_cpu.c
+index a2b50af8e9ee..2a60e6c41940 100644
+--- a/tools/testing/selftests/cgroup/test_cpu.c
++++ b/tools/testing/selftests/cgroup/test_cpu.c
+@@ -2,6 +2,7 @@
+
+ #define _GNU_SOURCE
+ #include <linux/limits.h>
++#include <sys/param.h>
+ #include <sys/sysinfo.h>
+ #include <sys/wait.h>
+ #include <errno.h>
+@@ -645,10 +646,16 @@ test_cpucg_nested_weight_underprovisioned(const char *root)
+ static int test_cpucg_max(const char *root)
+ {
+ int ret = KSFT_FAIL;
+- long usage_usec, user_usec;
+- long usage_seconds = 1;
+- long expected_usage_usec = usage_seconds * USEC_PER_SEC;
++ long quota_usec = 1000;
++ long default_period_usec = 100000; /* cpu.max's default period */
++ long duration_seconds = 1;
++
++ long duration_usec = duration_seconds * USEC_PER_SEC;
++ long usage_usec, n_periods, remainder_usec, expected_usage_usec;
+ char *cpucg;
++ char quota_buf[32];
++
++ snprintf(quota_buf, sizeof(quota_buf), "%ld", quota_usec);
+
+ cpucg = cg_name(root, "cpucg_test");
+ if (!cpucg)
+@@ -657,13 +664,13 @@ static int test_cpucg_max(const char *root)
+ if (cg_create(cpucg))
+ goto cleanup;
+
+- if (cg_write(cpucg, "cpu.max", "1000"))
++ if (cg_write(cpucg, "cpu.max", quota_buf))
+ goto cleanup;
+
+ struct cpu_hog_func_param param = {
+ .nprocs = 1,
+ .ts = {
+- .tv_sec = usage_seconds,
++ .tv_sec = duration_seconds,
+ .tv_nsec = 0,
+ },
+ .clock_type = CPU_HOG_CLOCK_WALL,
+@@ -672,14 +679,19 @@ static int test_cpucg_max(const char *root)
+ goto cleanup;
+
+ usage_usec = cg_read_key_long(cpucg, "cpu.stat", "usage_usec");
+- user_usec = cg_read_key_long(cpucg, "cpu.stat", "user_usec");
+- if (user_usec <= 0)
++ if (usage_usec <= 0)
+ goto cleanup;
+
+- if (user_usec >= expected_usage_usec)
+- goto cleanup;
++ /*
++ * The following calculation applies only since
++ * the cpu hog is set to run as per wall-clock time
++ */
++ n_periods = duration_usec / default_period_usec;
++ remainder_usec = duration_usec - n_periods * default_period_usec;
++ expected_usage_usec
++ = n_periods * quota_usec + MIN(remainder_usec, quota_usec);
+
+- if (values_close(usage_usec, expected_usage_usec, 95))
++ if (!values_close(usage_usec, expected_usage_usec, 10))
+ goto cleanup;
+
+ ret = KSFT_PASS;
+@@ -698,10 +710,16 @@ static int test_cpucg_max(const char *root)
+ static int test_cpucg_max_nested(const char *root)
+ {
+ int ret = KSFT_FAIL;
+- long usage_usec, user_usec;
+- long usage_seconds = 1;
+- long expected_usage_usec = usage_seconds * USEC_PER_SEC;
++ long quota_usec = 1000;
++ long default_period_usec = 100000; /* cpu.max's default period */
++ long duration_seconds = 1;
++
++ long duration_usec = duration_seconds * USEC_PER_SEC;
++ long usage_usec, n_periods, remainder_usec, expected_usage_usec;
+ char *parent, *child;
++ char quota_buf[32];
++
++ snprintf(quota_buf, sizeof(quota_buf), "%ld", quota_usec);
+
+ parent = cg_name(root, "cpucg_parent");
+ child = cg_name(parent, "cpucg_child");
+@@ -717,13 +735,13 @@ static int test_cpucg_max_nested(const char *root)
+ if (cg_create(child))
+ goto cleanup;
+
+- if (cg_write(parent, "cpu.max", "1000"))
++ if (cg_write(parent, "cpu.max", quota_buf))
+ goto cleanup;
+
+ struct cpu_hog_func_param param = {
+ .nprocs = 1,
+ .ts = {
+- .tv_sec = usage_seconds,
++ .tv_sec = duration_seconds,
+ .tv_nsec = 0,
+ },
+ .clock_type = CPU_HOG_CLOCK_WALL,
+@@ -732,14 +750,19 @@ static int test_cpucg_max_nested(const char *root)
+ goto cleanup;
+
+ usage_usec = cg_read_key_long(child, "cpu.stat", "usage_usec");
+- user_usec = cg_read_key_long(child, "cpu.stat", "user_usec");
+- if (user_usec <= 0)
++ if (usage_usec <= 0)
+ goto cleanup;
+
+- if (user_usec >= expected_usage_usec)
+- goto cleanup;
++ /*
++ * The following calculation applies only since
++ * the cpu hog is set to run as per wall-clock time
++ */
++ n_periods = duration_usec / default_period_usec;
++ remainder_usec = duration_usec - n_periods * default_period_usec;
++ expected_usage_usec
++ = n_periods * quota_usec + MIN(remainder_usec, quota_usec);
+
+- if (values_close(usage_usec, expected_usage_usec, 95))
++ if (!values_close(usage_usec, expected_usage_usec, 10))
+ goto cleanup;
+
+ ret = KSFT_PASS;
+--
+2.39.5
+
--- /dev/null
+From f588f9097d671de1c95aa8a7ec30e76bdd4d493e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 16:54:53 +0300
+Subject: selftests: drv-net: Fix remote command checking in require_cmd()
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit b4d52c698210ae1a3ceb487b189701bc70551a48 ]
+
+The require_cmd() method was checking for command availability locally
+even when remote=True was specified, due to a missing host parameter.
+
+Fix by passing host=self.remote when checking remote command
+availability, ensuring commands are verified on the correct host.
+
+Fixes: f1e68a1a4a40 ("selftests: drv-net: add require_XYZ() helpers for validating env")
+Reviewed-by: Nimrod Oren <noren@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Link: https://patch.msgid.link/20250723135454.649342-2-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/lib/py/env.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/drivers/net/lib/py/env.py b/tools/testing/selftests/drivers/net/lib/py/env.py
+index 3bccddf8cbc5..1b8bd648048f 100644
+--- a/tools/testing/selftests/drivers/net/lib/py/env.py
++++ b/tools/testing/selftests/drivers/net/lib/py/env.py
+@@ -259,7 +259,7 @@ class NetDrvEpEnv(NetDrvEnvBase):
+ if not self._require_cmd(comm, "local"):
+ raise KsftSkipEx("Test requires command: " + comm)
+ if remote:
+- if not self._require_cmd(comm, "remote"):
++ if not self._require_cmd(comm, "remote", host=self.remote):
+ raise KsftSkipEx("Test requires (remote) command: " + comm)
+
+ def wait_hw_stats_settle(self):
+--
+2.39.5
+
--- /dev/null
+From b3ba56da85092f014df3698da8dd5ce7814d658c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:47:36 -0700
+Subject: selftests: drv-net: tso: enable test cases based on hw_features
+
+From: Daniel Zahka <daniel.zahka@gmail.com>
+
+[ Upstream commit 266b835e5e84a0f8fec7fd988ee81925890e8d89 ]
+
+tso.py uses the active features at the time of test execution
+as the set of available gso features to test. This means if a gso
+feature is supported but toggled off at test start, the test will be
+skipped with a "Device does not support {feature}" message.
+
+Instead, we can enumerate the set of toggleable features by capturing
+the driver's hw_features bitmap. To avoid configuration side-effects
+from running the test, we also snapshot the wanted_features flag set
+before making any feature changes, and then attempt to restore the
+same set of wanted_features before test exit.
+
+Fixes: 0d0f4174f6c8 ("selftests: drv-net: add a simple TSO test")
+Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
+Link: https://patch.msgid.link/20250723184740.4075410-2-daniel.zahka@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/hw/tso.py | 52 ++++++++++++++-----
+ 1 file changed, 40 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/hw/tso.py b/tools/testing/selftests/drivers/net/hw/tso.py
+index 3370827409aa..f8386e3d88cd 100755
+--- a/tools/testing/selftests/drivers/net/hw/tso.py
++++ b/tools/testing/selftests/drivers/net/hw/tso.py
+@@ -119,15 +119,30 @@ def build_tunnel(cfg, outer_ipver, tun_info):
+ return remote_v4, remote_v6
+
+
++def restore_wanted_features(cfg):
++ features_cmd = ""
++ for feature in cfg.hw_features:
++ setting = "on" if feature in cfg.wanted_features else "off"
++ features_cmd += f" {feature} {setting}"
++ try:
++ ethtool(f"-K {cfg.ifname} {features_cmd}")
++ except Exception as e:
++ ksft_pr(f"WARNING: failure restoring wanted features: {e}")
++
++
+ def test_builder(name, cfg, outer_ipver, feature, tun=None, inner_ipver=None):
+ """Construct specific tests from the common template."""
+ def f(cfg):
+ cfg.require_ipver(outer_ipver)
++ defer(restore_wanted_features, cfg)
+
+ if not cfg.have_stat_super_count and \
+ not cfg.have_stat_wire_count:
+ raise KsftSkipEx(f"Device does not support LSO queue stats")
+
++ if feature not in cfg.hw_features:
++ raise KsftSkipEx(f"Device does not support {feature}")
++
+ ipver = outer_ipver
+ if tun:
+ remote_v4, remote_v6 = build_tunnel(cfg, ipver, tun)
+@@ -138,12 +153,12 @@ def test_builder(name, cfg, outer_ipver, feature, tun=None, inner_ipver=None):
+
+ tun_partial = tun and tun[1]
+ # Tunnel which can silently fall back to gso-partial
+- has_gso_partial = tun and 'tx-gso-partial' in cfg.features
++ has_gso_partial = tun and 'tx-gso-partial' in cfg.hw_features
+
+ # For TSO4 via partial we need mangleid
+ if ipver == "4" and feature in cfg.partial_features:
+ ksft_pr("Testing with mangleid enabled")
+- if 'tx-tcp-mangleid-segmentation' not in cfg.features:
++ if 'tx-tcp-mangleid-segmentation' not in cfg.hw_features:
+ ethtool(f"-K {cfg.ifname} tx-tcp-mangleid-segmentation on")
+ defer(ethtool, f"-K {cfg.ifname} tx-tcp-mangleid-segmentation off")
+
+@@ -161,11 +176,8 @@ def test_builder(name, cfg, outer_ipver, feature, tun=None, inner_ipver=None):
+ should_lso=tun_partial)
+
+ # Full feature enabled.
+- if feature in cfg.features:
+- ethtool(f"-K {cfg.ifname} {feature} on")
+- run_one_stream(cfg, ipver, remote_v4, remote_v6, should_lso=True)
+- else:
+- raise KsftXfailEx(f"Device does not support {feature}")
++ ethtool(f"-K {cfg.ifname} {feature} on")
++ run_one_stream(cfg, ipver, remote_v4, remote_v6, should_lso=True)
+
+ f.__name__ = name + ((outer_ipver + "_") if tun else "") + "ipv" + inner_ipver
+ return f
+@@ -176,23 +188,39 @@ def query_nic_features(cfg) -> None:
+ cfg.have_stat_super_count = False
+ cfg.have_stat_wire_count = False
+
+- cfg.features = set()
+ features = cfg.ethnl.features_get({"header": {"dev-index": cfg.ifindex}})
+- for f in features["active"]["bits"]["bit"]:
+- cfg.features.add(f["name"])
++
++ cfg.wanted_features = set()
++ for f in features["wanted"]["bits"]["bit"]:
++ cfg.wanted_features.add(f["name"])
++
++ cfg.hw_features = set()
++ hw_all_features_cmd = ""
++ for f in features["hw"]["bits"]["bit"]:
++ if f.get("value", False):
++ feature = f["name"]
++ cfg.hw_features.add(feature)
++ hw_all_features_cmd += f" {feature} on"
++ try:
++ ethtool(f"-K {cfg.ifname} {hw_all_features_cmd}")
++ except Exception as e:
++ ksft_pr(f"WARNING: failure enabling all hw features: {e}")
++ ksft_pr("partial gso feature detection may be impacted")
+
+ # Check which features are supported via GSO partial
+ cfg.partial_features = set()
+- if 'tx-gso-partial' in cfg.features:
++ if 'tx-gso-partial' in cfg.hw_features:
+ ethtool(f"-K {cfg.ifname} tx-gso-partial off")
+
+ no_partial = set()
+ features = cfg.ethnl.features_get({"header": {"dev-index": cfg.ifindex}})
+ for f in features["active"]["bits"]["bit"]:
+ no_partial.add(f["name"])
+- cfg.partial_features = cfg.features - no_partial
++ cfg.partial_features = cfg.hw_features - no_partial
+ ethtool(f"-K {cfg.ifname} tx-gso-partial on")
+
++ restore_wanted_features(cfg)
++
+ stats = cfg.netnl.qstats_get({"ifindex": cfg.ifindex}, dump=True)
+ if stats:
+ if 'tx-hw-gso-packets' in stats[0]:
+--
+2.39.5
+
--- /dev/null
+From 051b9d2d667f0bf2cf46a9410878879648d1fa1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:47:38 -0700
+Subject: selftests: drv-net: tso: fix non-tunneled tso6 test case name
+
+From: Daniel Zahka <daniel.zahka@gmail.com>
+
+[ Upstream commit b25b44cd178cc54277f2dc0ff3b3d5a37ae4b26b ]
+
+The non-tunneled tso6 test case was showing up as:
+ok 8 tso.ipv4
+
+This is because of the way test_builder() uses the inner_ipver arg in
+test naming, and how test_info is iterated over in main(). Given that
+some tunnels not supported yet, e.g. ipip or sit, only support ipv4 or
+ipv6 as the inner network protocol, I think the best fix here is to
+call test_builder() in separate branches for tunneled and non-tunneled
+tests, and to make supported inner l3 types an explicit attribute of
+tunnel test cases.
+
+ # Detected qstat for LSO wire-packets
+ TAP version 13
+ 1..14
+ ok 1 tso.ipv4
+ # Testing with mangleid enabled
+ ok 2 tso.vxlan4_ipv4
+ ok 3 tso.vxlan4_ipv6
+ # Testing with mangleid enabled
+ ok 4 tso.vxlan_csum4_ipv4
+ ok 5 tso.vxlan_csum4_ipv6
+ # Testing with mangleid enabled
+ ok 6 tso.gre4_ipv4
+ ok 7 tso.gre4_ipv6
+ ok 8 tso.ipv6
+ # Testing with mangleid enabled
+ ok 9 tso.vxlan6_ipv4
+ ok 10 tso.vxlan6_ipv6
+ # Testing with mangleid enabled
+ ok 11 tso.vxlan_csum6_ipv4
+ ok 12 tso.vxlan_csum6_ipv6
+ # Testing with mangleid enabled
+ ok 13 tso.gre6_ipv4
+ ok 14 tso.gre6_ipv6
+ # Totals: pass:14 fail:0 xfail:0 xpass:0 skip:0 error:0
+
+Fixes: 0d0f4174f6c8 ("selftests: drv-net: add a simple TSO test")
+Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
+Link: https://patch.msgid.link/20250723184740.4075410-4-daniel.zahka@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/hw/tso.py | 26 ++++++++++---------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/hw/tso.py b/tools/testing/selftests/drivers/net/hw/tso.py
+index 6461a83b3d0e..5fddb5056a20 100755
+--- a/tools/testing/selftests/drivers/net/hw/tso.py
++++ b/tools/testing/selftests/drivers/net/hw/tso.py
+@@ -227,14 +227,14 @@ def main() -> None:
+ query_nic_features(cfg)
+
+ test_info = (
+- # name, v4/v6 ethtool_feature tun:(type, args)
+- ("", "4", "tx-tcp-segmentation", None),
+- ("", "6", "tx-tcp6-segmentation", None),
+- ("vxlan", "4", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 noudpcsum")),
+- ("vxlan", "6", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 udp6zerocsumtx udp6zerocsumrx")),
+- ("vxlan_csum", "", "tx-udp_tnl-csum-segmentation", ("vxlan", "id 100 dstport 4789 udpcsum")),
+- ("gre", "4", "tx-gre-segmentation", ("gre", "")),
+- ("gre", "6", "tx-gre-segmentation", ("ip6gre", "")),
++ # name, v4/v6 ethtool_feature tun:(type, args, inner ip versions)
++ ("", "4", "tx-tcp-segmentation", None),
++ ("", "6", "tx-tcp6-segmentation", None),
++ ("vxlan", "4", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 noudpcsum", ("4", "6"))),
++ ("vxlan", "6", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 udp6zerocsumtx udp6zerocsumrx", ("4", "6"))),
++ ("vxlan_csum", "", "tx-udp_tnl-csum-segmentation", ("vxlan", "id 100 dstport 4789 udpcsum", ("4", "6"))),
++ ("gre", "4", "tx-gre-segmentation", ("gre", "", ("4", "6"))),
++ ("gre", "6", "tx-gre-segmentation", ("ip6gre","", ("4", "6"))),
+ )
+
+ cases = []
+@@ -244,11 +244,13 @@ def main() -> None:
+ if info[1] and outer_ipver != info[1]:
+ continue
+
+- cases.append(test_builder(info[0], cfg, outer_ipver, info[2],
+- tun=info[3], inner_ipver="4"))
+ if info[3]:
+- cases.append(test_builder(info[0], cfg, outer_ipver, info[2],
+- tun=info[3], inner_ipver="6"))
++ cases += [
++ test_builder(info[0], cfg, outer_ipver, info[2], info[3], inner_ipver)
++ for inner_ipver in info[3][2]
++ ]
++ else:
++ cases.append(test_builder(info[0], cfg, outer_ipver, info[2], None, outer_ipver))
+
+ ksft_run(cases=cases, args=(cfg, ))
+ ksft_exit()
+--
+2.39.5
+
--- /dev/null
+From f2911bd54d77c89fd2fa16ffab4ddb928627f2ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:47:37 -0700
+Subject: selftests: drv-net: tso: fix vxlan tunnel flags to get correct
+ gso_type
+
+From: Daniel Zahka <daniel.zahka@gmail.com>
+
+[ Upstream commit 2cfbcc5d8af9199823151c21f740e476b223dd2e ]
+
+When vxlan is used with ipv6 as the outer network header, the correct
+ip link parameters for acheiving the SKB_GSO_UDP_TUNNEL gso type is
+"udp6zerocsumtx udp6zerocsumrx". Otherwise the gso type will be
+SKB_GSO_UDP_TUNNEL_CSUM.
+
+This bug was the reason for the second of the three possible
+invocations of run_one_stream() invocations, so that can be deleted as
+well. We only need to test with the feature off and on.
+
+Fixes: 0d0f4174f6c8 ("selftests: drv-net: add a simple TSO test")
+Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
+Link: https://patch.msgid.link/20250723184740.4075410-3-daniel.zahka@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/hw/tso.py | 37 +++++++------------
+ 1 file changed, 13 insertions(+), 24 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/hw/tso.py b/tools/testing/selftests/drivers/net/hw/tso.py
+index f8386e3d88cd..6461a83b3d0e 100755
+--- a/tools/testing/selftests/drivers/net/hw/tso.py
++++ b/tools/testing/selftests/drivers/net/hw/tso.py
+@@ -102,7 +102,7 @@ def build_tunnel(cfg, outer_ipver, tun_info):
+ remote_addr = cfg.remote_addr_v[outer_ipver]
+
+ tun_type = tun_info[0]
+- tun_arg = tun_info[2]
++ tun_arg = tun_info[1]
+ ip(f"link add {tun_type}-ksft type {tun_type} {tun_arg} local {local_addr} remote {remote_addr} dev {cfg.ifname}")
+ defer(ip, f"link del {tun_type}-ksft")
+ ip(f"link set dev {tun_type}-ksft up")
+@@ -151,29 +151,17 @@ def test_builder(name, cfg, outer_ipver, feature, tun=None, inner_ipver=None):
+ remote_v4 = cfg.remote_addr_v["4"]
+ remote_v6 = cfg.remote_addr_v["6"]
+
+- tun_partial = tun and tun[1]
+- # Tunnel which can silently fall back to gso-partial
+- has_gso_partial = tun and 'tx-gso-partial' in cfg.hw_features
+-
+- # For TSO4 via partial we need mangleid
+- if ipver == "4" and feature in cfg.partial_features:
+- ksft_pr("Testing with mangleid enabled")
+- if 'tx-tcp-mangleid-segmentation' not in cfg.hw_features:
+- ethtool(f"-K {cfg.ifname} tx-tcp-mangleid-segmentation on")
+- defer(ethtool, f"-K {cfg.ifname} tx-tcp-mangleid-segmentation off")
+-
+ # First test without the feature enabled.
+ ethtool(f"-K {cfg.ifname} {feature} off")
+- if has_gso_partial:
+- ethtool(f"-K {cfg.ifname} tx-gso-partial off")
+ run_one_stream(cfg, ipver, remote_v4, remote_v6, should_lso=False)
+
+- # Now test with the feature enabled.
+- # For compatible tunnels only - just GSO partial, not specific feature.
+- if has_gso_partial:
++ ethtool(f"-K {cfg.ifname} tx-gso-partial off")
++ ethtool(f"-K {cfg.ifname} tx-tcp-mangleid-segmentation off")
++ if feature in cfg.partial_features:
+ ethtool(f"-K {cfg.ifname} tx-gso-partial on")
+- run_one_stream(cfg, ipver, remote_v4, remote_v6,
+- should_lso=tun_partial)
++ if ipver == "4":
++ ksft_pr("Testing with mangleid enabled")
++ ethtool(f"-K {cfg.ifname} tx-tcp-mangleid-segmentation on")
+
+ # Full feature enabled.
+ ethtool(f"-K {cfg.ifname} {feature} on")
+@@ -239,13 +227,14 @@ def main() -> None:
+ query_nic_features(cfg)
+
+ test_info = (
+- # name, v4/v6 ethtool_feature tun:(type, partial, args)
++ # name, v4/v6 ethtool_feature tun:(type, args)
+ ("", "4", "tx-tcp-segmentation", None),
+ ("", "6", "tx-tcp6-segmentation", None),
+- ("vxlan", "", "tx-udp_tnl-segmentation", ("vxlan", True, "id 100 dstport 4789 noudpcsum")),
+- ("vxlan_csum", "", "tx-udp_tnl-csum-segmentation", ("vxlan", False, "id 100 dstport 4789 udpcsum")),
+- ("gre", "4", "tx-gre-segmentation", ("gre", False, "")),
+- ("gre", "6", "tx-gre-segmentation", ("ip6gre", False, "")),
++ ("vxlan", "4", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 noudpcsum")),
++ ("vxlan", "6", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 udp6zerocsumtx udp6zerocsumrx")),
++ ("vxlan_csum", "", "tx-udp_tnl-csum-segmentation", ("vxlan", "id 100 dstport 4789 udpcsum")),
++ ("gre", "4", "tx-gre-segmentation", ("gre", "")),
++ ("gre", "6", "tx-gre-segmentation", ("ip6gre", "")),
+ )
+
+ cases = []
+--
+2.39.5
+
--- /dev/null
+From b3286b6b34e1186b2649c620fa06dec7da1db25b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 17:04:28 +0200
+Subject: selftests: Fix errno checking in syscall_user_dispatch test
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+[ Upstream commit b89732c8c8357487185f260a723a060b3476144e ]
+
+Successful syscalls don't change errno, so checking errno is wrong
+to ensure that a syscall has failed. For example for the following
+sequence:
+
+ prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0);
+ EXPECT_EQ(EINVAL, errno);
+ prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel);
+ EXPECT_EQ(EINVAL, errno);
+
+only the first syscall may fail and set errno, but the second may succeed
+and keep errno intact, and the check will falsely pass.
+Or if errno happened to be EINVAL before, even the first check may falsely
+pass.
+
+Also use EXPECT/ASSERT consistently. Currently there is an inconsistent mix
+without obvious reasons for usage of one or another.
+
+Fixes: 179ef035992e ("selftests: Add kselftest for syscall user dispatch")
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/af6a04dbfef9af8570f5bab43e3ef1416b62699a.1747839857.git.dvyukov@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../syscall_user_dispatch/sud_test.c | 50 +++++++++----------
+ 1 file changed, 25 insertions(+), 25 deletions(-)
+
+diff --git a/tools/testing/selftests/syscall_user_dispatch/sud_test.c b/tools/testing/selftests/syscall_user_dispatch/sud_test.c
+index d975a6767329..48cf01aeec3e 100644
+--- a/tools/testing/selftests/syscall_user_dispatch/sud_test.c
++++ b/tools/testing/selftests/syscall_user_dispatch/sud_test.c
+@@ -79,6 +79,21 @@ TEST_SIGNAL(dispatch_trigger_sigsys, SIGSYS)
+ }
+ }
+
++static void prctl_valid(struct __test_metadata *_metadata,
++ unsigned long op, unsigned long off,
++ unsigned long size, void *sel)
++{
++ EXPECT_EQ(0, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel));
++}
++
++static void prctl_invalid(struct __test_metadata *_metadata,
++ unsigned long op, unsigned long off,
++ unsigned long size, void *sel, int err)
++{
++ EXPECT_EQ(-1, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel));
++ EXPECT_EQ(err, errno);
++}
++
+ TEST(bad_prctl_param)
+ {
+ char sel = SYSCALL_DISPATCH_FILTER_ALLOW;
+@@ -86,57 +101,42 @@ TEST(bad_prctl_param)
+
+ /* Invalid op */
+ op = -1;
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0, 0, &sel);
+- ASSERT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0, 0, &sel, EINVAL);
+
+ /* PR_SYS_DISPATCH_OFF */
+ op = PR_SYS_DISPATCH_OFF;
+
+ /* offset != 0 */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, 0);
+- EXPECT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0x1, 0x0, 0, EINVAL);
+
+ /* len != 0 */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0);
+- EXPECT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0x0, 0xff, 0, EINVAL);
+
+ /* sel != NULL */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel);
+- EXPECT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0x0, 0x0, &sel, EINVAL);
+
+ /* Valid parameter */
+- errno = 0;
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, 0x0);
+- EXPECT_EQ(0, errno);
++ prctl_valid(_metadata, op, 0x0, 0x0, 0x0);
+
+ /* PR_SYS_DISPATCH_ON */
+ op = PR_SYS_DISPATCH_ON;
+
+ /* Dispatcher region is bad (offset > 0 && len == 0) */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, &sel);
+- EXPECT_EQ(EINVAL, errno);
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, -1L, 0x0, &sel);
+- EXPECT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0x1, 0x0, &sel, EINVAL);
++ prctl_invalid(_metadata, op, -1L, 0x0, &sel, EINVAL);
+
+ /* Invalid selector */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x1, (void *) -1);
+- ASSERT_EQ(EFAULT, errno);
++ prctl_invalid(_metadata, op, 0x0, 0x1, (void *) -1, EFAULT);
+
+ /*
+ * Dispatcher range overflows unsigned long
+ */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, 1, -1L, &sel);
+- ASSERT_EQ(EINVAL, errno) {
+- TH_LOG("Should reject bad syscall range");
+- }
++ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, 1, -1L, &sel, EINVAL);
+
+ /*
+ * Allowed range overflows usigned long
+ */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel);
+- ASSERT_EQ(EINVAL, errno) {
+- TH_LOG("Should reject bad syscall range");
+- }
++ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel, EINVAL);
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 5520d4d3bef8ef86d3aeb92403956394bc423c40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 14:44:16 -0700
+Subject: selftests/landlock: Fix build of audit_test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Song Liu <song@kernel.org>
+
+[ Upstream commit dc58130bc38f09b162aa3b216f8b8f1e0a56127b ]
+
+We are hitting build error on CentOS 9:
+
+audit_test.c:232:40: error: ‘O_CLOEXEC’ undeclared (...)
+
+Fix this by including fcntl.h.
+
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20250605214416.1885878-1-song@kernel.org
+Fixes: 6b4566400a29 ("selftests/landlock: Add PID tests for audit records")
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/landlock/audit_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/landlock/audit_test.c b/tools/testing/selftests/landlock/audit_test.c
+index cfc571afd0eb..46d02d49835a 100644
+--- a/tools/testing/selftests/landlock/audit_test.c
++++ b/tools/testing/selftests/landlock/audit_test.c
+@@ -7,6 +7,7 @@
+
+ #define _GNU_SOURCE
+ #include <errno.h>
++#include <fcntl.h>
+ #include <limits.h>
+ #include <linux/landlock.h>
+ #include <pthread.h>
+--
+2.39.5
+
--- /dev/null
+From ca1dfe471f9136f353f07ed923ec7538fb0910bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 16:44:25 +0200
+Subject: selftests/landlock: Fix readlink check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+[ Upstream commit 94a7ce26428d3a7ceb46c503ed726160578b9fcc ]
+
+The audit_init_filter_exe() helper incorrectly checks the readlink(2)
+error because an unsigned integer is used to store the result. Use a
+signed integer for this check.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/aDbFwyZ_fM-IO7sC@stanley.mountain
+Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")
+Reviewed-by: Günther Noack <gnoack@google.com>
+Link: https://lore.kernel.org/r/20250528144426.1709063-1-mic@digikod.net
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/landlock/audit.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/landlock/audit.h b/tools/testing/selftests/landlock/audit.h
+index 18a6014920b5..b16986aa6442 100644
+--- a/tools/testing/selftests/landlock/audit.h
++++ b/tools/testing/selftests/landlock/audit.h
+@@ -403,11 +403,12 @@ static int audit_init_filter_exe(struct audit_filter *filter, const char *path)
+ /* It is assume that there is not already filtering rules. */
+ filter->record_type = AUDIT_EXE;
+ if (!path) {
+- filter->exe_len = readlink("/proc/self/exe", filter->exe,
+- sizeof(filter->exe) - 1);
+- if (filter->exe_len < 0)
++ int ret = readlink("/proc/self/exe", filter->exe,
++ sizeof(filter->exe) - 1);
++ if (ret < 0)
+ return -errno;
+
++ filter->exe_len = ret;
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 040286c86ec47abbdcde24590362b9e2f8647aa1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 17:17:48 +0200
+Subject: selftests: netfilter: Ignore tainted kernels in interface stress test
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 8d1c91850d064944ab214b2fbfffb7fc08a11d65 ]
+
+Complain about kernel taint value only if it wasn't set at start
+already.
+
+Fixes: 73db1b5dab6f ("selftests: netfilter: Torture nftables netdev hooks")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/netfilter/nft_interface_stress.sh | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/netfilter/nft_interface_stress.sh b/tools/testing/selftests/net/netfilter/nft_interface_stress.sh
+index 5ff7be9daeee..c0fffaa6dbd9 100755
+--- a/tools/testing/selftests/net/netfilter/nft_interface_stress.sh
++++ b/tools/testing/selftests/net/netfilter/nft_interface_stress.sh
+@@ -10,6 +10,8 @@ source lib.sh
+ checktool "nft --version" "run test without nft tool"
+ checktool "iperf3 --version" "run test without iperf3 tool"
+
++read kernel_tainted < /proc/sys/kernel/tainted
++
+ # how many seconds to torture the kernel?
+ # default to 80% of max run time but don't exceed 48s
+ TEST_RUNTIME=$((${kselftest_timeout:-60} * 8 / 10))
+@@ -135,7 +137,8 @@ else
+ wait
+ fi
+
+-[[ $(</proc/sys/kernel/tainted) -eq 0 ]] || {
++
++[[ $kernel_tainted -eq 0 && $(</proc/sys/kernel/tainted) -ne 0 ]] && {
+ echo "FAIL: Kernel is tainted!"
+ exit $ksft_fail
+ }
+--
+2.39.5
+
--- /dev/null
+From aa085405ba2e684c47c480e2687a902cee6b7660 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 16:06:53 +0800
+Subject: selftests: netfilter: ipvs.sh: Explicity disable rp_filter on
+ interface tunl0
+
+From: Yi Chen <yiche@redhat.com>
+
+[ Upstream commit 8b4a1a46e84a17f5d6fde5c506cc6bb141a24772 ]
+
+Although setup_ns() set net.ipv4.conf.default.rp_filter=0,
+loading certain module such as ipip will automatically create a tunl0 interface
+in all netns including new created ones. In the script, this is before than
+default.rp_filter=0 applied, as a result tunl0.rp_filter remains set to 1
+which causes the test report FAIL when ipip module is preloaded.
+
+Before fix:
+Testing DR mode...
+Testing NAT mode...
+Testing Tunnel mode...
+ipvs.sh: FAIL
+
+After fix:
+Testing DR mode...
+Testing NAT mode...
+Testing Tunnel mode...
+ipvs.sh: PASS
+
+Fixes: 7c8b89ec506e ("selftests: netfilter: remove rp_filter configuration")
+Signed-off-by: Yi Chen <yiche@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/netfilter/ipvs.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/netfilter/ipvs.sh b/tools/testing/selftests/net/netfilter/ipvs.sh
+index 6af2ea3ad6b8..9c9d5b38ab71 100755
+--- a/tools/testing/selftests/net/netfilter/ipvs.sh
++++ b/tools/testing/selftests/net/netfilter/ipvs.sh
+@@ -151,7 +151,7 @@ test_nat() {
+ test_tun() {
+ ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0
+
+- ip netns exec "${ns1}" modprobe -q ipip
++ modprobe -q ipip
+ ip netns exec "${ns1}" ip link set tunl0 up
+ ip netns exec "${ns1}" sysctl -qw net.ipv4.ip_forward=0
+ ip netns exec "${ns1}" sysctl -qw net.ipv4.conf.all.send_redirects=0
+@@ -160,10 +160,10 @@ test_tun() {
+ ip netns exec "${ns1}" ipvsadm -a -i -t "${vip_v4}:${port}" -r ${rip_v4}:${port}
+ ip netns exec "${ns1}" ip addr add ${vip_v4}/32 dev lo:1
+
+- ip netns exec "${ns2}" modprobe -q ipip
+ ip netns exec "${ns2}" ip link set tunl0 up
+ ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_ignore=1
+ ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_announce=2
++ ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.tunl0.rp_filter=0
+ ip netns exec "${ns2}" ip addr add "${vip_v4}/32" dev lo:1
+
+ test_service
+--
+2.39.5
+
--- /dev/null
+From 49c8124ce2315e7ffabf4b3704a49e9e717f954b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 15:43:13 +0200
+Subject: selftests/nolibc: correctly report errors from printf() and friends
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 4a40129087a4c32135bb1177a57bbbe6ee646f1a ]
+
+When an error is encountered by printf() it needs to be reported.
+errno() is already set by the callback.
+
+sprintf() is different, but that keeps working and is already tested.
+
+Also add a new test.
+
+Fixes: 7e4346f4a3a6 ("tools/nolibc/stdio: add a minimal [vf]printf() implementation")
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Acked-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20250704-nolibc-printf-error-v1-2-74b7a092433b@linutronix.de
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/nolibc/stdio.h | 4 ++--
+ tools/testing/selftests/nolibc/nolibc-test.c | 23 ++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/tools/include/nolibc/stdio.h b/tools/include/nolibc/stdio.h
+index c470d334ef3f..7630234408c5 100644
+--- a/tools/include/nolibc/stdio.h
++++ b/tools/include/nolibc/stdio.h
+@@ -358,11 +358,11 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
+ n -= w;
+ while (width-- > w) {
+ if (cb(state, " ", 1) != 0)
+- break;
++ return -1;
+ written += 1;
+ }
+ if (cb(state, outstr, w) != 0)
+- break;
++ return -1;
+ }
+
+ written += len;
+diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c
+index dbe13000fb1a..b5c04c137249 100644
+--- a/tools/testing/selftests/nolibc/nolibc-test.c
++++ b/tools/testing/selftests/nolibc/nolibc-test.c
+@@ -1646,6 +1646,28 @@ int test_strerror(void)
+ return 0;
+ }
+
++static int test_printf_error(void)
++{
++ int fd, ret, saved_errno;
++
++ fd = open("/dev/full", O_RDWR);
++ if (fd == -1)
++ return 1;
++
++ errno = 0;
++ ret = dprintf(fd, "foo");
++ saved_errno = errno;
++ close(fd);
++
++ if (ret != -1)
++ return 2;
++
++ if (saved_errno != ENOSPC)
++ return 3;
++
++ return 0;
++}
++
+ static int run_printf(int min, int max)
+ {
+ int test;
+@@ -1675,6 +1697,7 @@ static int run_printf(int min, int max)
+ CASE_TEST(width_trunc); EXPECT_VFPRINTF(25, " ", "%25d", 1); break;
+ CASE_TEST(scanf); EXPECT_ZR(1, test_scanf()); break;
+ CASE_TEST(strerror); EXPECT_ZR(1, test_strerror()); break;
++ CASE_TEST(printf_error); EXPECT_ZR(1, test_printf_error()); break;
+ case __LINE__:
+ return ret; /* must be last */
+ /* note: do not set any defaults so as to permit holes above */
+--
+2.39.5
+
--- /dev/null
+From 89af2c0d5aec5942f670d74cd152440d69daee02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 11:50:28 +0800
+Subject: selftests: rtnetlink.sh: remove esp4_offload after test
+
+From: Xiumei Mu <xmu@redhat.com>
+
+[ Upstream commit 5b32321fdaf3fd1a92ec726af18765e225b0ee2b ]
+
+The esp4_offload module, loaded during IPsec offload tests, should
+be reset to its default settings after testing.
+Otherwise, leaving it enabled could unintentionally affect subsequence
+test cases by keeping offload active.
+
+Without this fix:
+$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload;
+PASS: ipsec_offload
+esp4_offload 12288 0
+esp4 32768 1 esp4_offload
+
+With this fix:
+$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload;
+PASS: ipsec_offload
+
+Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test")
+Signed-off-by: Xiumei Mu <xmu@redhat.com>
+Reviewed-by: Shannon Nelson <sln@onemain.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/6d3a1d777c4de4eb0ca94ced9e77be8d48c5b12f.1753415428.git.xmu@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/rtnetlink.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index 2e8243a65b50..d2298da320a6 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -673,6 +673,11 @@ kci_test_ipsec_offload()
+ sysfsf=$sysfsd/ipsec
+ sysfsnet=/sys/bus/netdevsim/devices/netdevsim0/net/
+ probed=false
++ esp4_offload_probed_default=false
++
++ if lsmod | grep -q esp4_offload; then
++ esp4_offload_probed_default=true
++ fi
+
+ if ! mount | grep -q debugfs; then
+ mount -t debugfs none /sys/kernel/debug/ &> /dev/null
+@@ -766,6 +771,7 @@ EOF
+ fi
+
+ # clean up any leftovers
++ ! "$esp4_offload_probed_default" && lsmod | grep -q esp4_offload && rmmod esp4_offload
+ echo 0 > /sys/bus/netdevsim/del_device
+ $probed && rmmod netdevsim
+
+--
+2.39.5
+
--- /dev/null
+From 1cba7329b7ecbab26ae34e9236f068dde3d6beaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 13:42:12 -0400
+Subject: selftests/tracing: Fix false failure of subsystem event test
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 213879061a9c60200ba971330dbefec6df3b4a30 ]
+
+The subsystem event test enables all "sched" events and makes sure there's
+at least 3 different events in the output. It used to cat the entire trace
+file to | wc -l, but on slow machines, that could last a very long time.
+To solve that, it was changed to just read the first 100 lines of the
+trace file. This can cause false failures as some events repeat so often,
+that the 100 lines that are examined could possibly be of only one event.
+
+Instead, create an awk script that looks for 3 different events and will
+exit out after it finds them. This will find the 3 events the test looks
+for (eventually if it works), and still exit out after the test is
+satisfied and not cause slower machines to run forever.
+
+Link: https://lore.kernel.org/r/20250721134212.53c3e140@batman.local.home
+Reported-by: Tengda Wu <wutengda@huaweicloud.com>
+Closes: https://lore.kernel.org/all/20250710130134.591066-1-wutengda@huaweicloud.com/
+Fixes: 1a4ea83a6e67 ("selftests/ftrace: Limit length in subsystem-enable tests")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/event/subsystem-enable.tc | 28 +++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc
+index b7c8f29c09a9..65916bb55dfb 100644
+--- a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc
++++ b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc
+@@ -14,11 +14,35 @@ fail() { #msg
+ exit_fail
+ }
+
++# As reading trace can last forever, simply look for 3 different
++# events then exit out of reading the file. If there's not 3 different
++# events, then the test has failed.
++check_unique() {
++ cat trace | grep -v '^#' | awk '
++ BEGIN { cnt = 0; }
++ {
++ for (i = 0; i < cnt; i++) {
++ if (event[i] == $5) {
++ break;
++ }
++ }
++ if (i == cnt) {
++ event[cnt++] = $5;
++ if (cnt > 2) {
++ exit;
++ }
++ }
++ }
++ END {
++ printf "%d", cnt;
++ }'
++}
++
+ echo 'sched:*' > set_event
+
+ yield
+
+-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l`
++count=`check_unique`
+ if [ $count -lt 3 ]; then
+ fail "at least fork, exec and exit events should be recorded"
+ fi
+@@ -29,7 +53,7 @@ echo 1 > events/sched/enable
+
+ yield
+
+-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l`
++count=`check_unique`
+ if [ $count -lt 3 ]; then
+ fail "at least fork, exec and exit events should be recorded"
+ fi
+--
+2.39.5
+
--- /dev/null
+From 9db52bd11b733b97d2b67756662262105526ee02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 12:33:51 +0200
+Subject: selftests: vDSO: chacha: Correctly skip test if necessary
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 2c0a4428f5d6005ff0db12057cc35273593fc040 ]
+
+According to kselftest.h ksft_exit_skip() is not meant to be called when
+a plan has already been printed.
+
+Use the recommended function ksft_test_result_skip().
+
+This fixes a bug, where the TAP output would be invalid when skipping:
+
+ TAP version 13
+ 1..1
+ ok 2 # SKIP Not implemented on architecture
+
+The SKIP line should start with "ok 1" as the plan only contains one test.
+
+Fixes: 3b5992eaf730 ("selftests: vDSO: unconditionally build chacha test")
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://lore.kernel.org/all/20250611-selftests-vdso-fixes-v3-1-e62e37a6bcf5@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_test_chacha.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_test_chacha.c b/tools/testing/selftests/vDSO/vdso_test_chacha.c
+index 8757f738b0b1..0aad682b12c8 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_chacha.c
++++ b/tools/testing/selftests/vDSO/vdso_test_chacha.c
+@@ -76,7 +76,8 @@ static void reference_chacha20_blocks(uint8_t *dst_bytes, const uint32_t *key, u
+
+ void __weak __arch_chacha20_blocks_nostack(uint8_t *dst_bytes, const uint32_t *key, uint32_t *counter, size_t nblocks)
+ {
+- ksft_exit_skip("Not implemented on architecture\n");
++ ksft_test_result_skip("Not implemented on architecture\n");
++ ksft_finished();
+ }
+
+ int main(int argc, char *argv[])
+--
+2.39.5
+
--- /dev/null
+audit-module-restore-audit-logging-in-load-failure-c.patch
+ceph-parse_longname-strrchr-expects-nul-terminated-s.patch
+fs_context-fix-parameter-name-in-infofc-macro.patch
+selftests-landlock-fix-readlink-check.patch
+selftests-landlock-fix-build-of-audit_test.patch
+fs-ntfs3-cancle-set-bad-inode-after-removing-name-fa.patch
+landlock-fix-warning-from-kunit-tests.patch
+ublk-use-vmalloc-for-ublk_device-s-__queues.patch
+hfsplus-make-splice-write-available-again.patch
+hfs-make-splice-write-available-again.patch
+hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch
+revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch
+block-mtip32xx-fix-usage-of-dma_map_sg.patch
+gfs2-minor-do_xmote-cancelation-fix.patch
+nbd-fix-lockdep-deadlock-warning.patch
+md-allow-removing-faulty-rdev-during-resync.patch
+kunit-fortify-add-back-volatile-for-sizeof-constants.patch
+ublk-speed-up-ublk-server-exit-handling.patch
+ublk-validate-ublk-server-pid.patch
+md-raid10-fix-set-but-not-used-variable-in-sync_requ.patch
+gfs2-no-more-self-recovery.patch
+nvmet-pci-epf-do-not-complete-commands-twice-if-nvme.patch
+block-sanitize-chunk_sectors-for-atomic-write-limits.patch
+io_uring-fix-breakage-in-expert-menu.patch
+btrfs-remove-partial-support-for-lowest-level-from-b.patch
+eventpoll-fix-semi-unbounded-recursion.patch
+eventpoll-fix-sphinx-documentation-build-warning.patch
+erofs-fix-build-error-with-config_erofs_fs_zip_accel.patch
+block-restore-two-stage-elevator-switch-while-runnin.patch
+sched-task_stack-add-missing-const-qualifier-to-end_.patch
+asoc-rockchip-fix-capture-stream-handling-in-rockchi.patch
+asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch
+asoc-amd-acp-fix-pointer-assignments-for-snd_soc_acp.patch
+asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch
+arm64-dts-qcom-x1p42100-fix-thermal-sensor-configura.patch
+asoc-mediatek-use-reserved-memory-or-enable-buffer-p.patch
+asoc-mediatek-mt8183-afe-pcm-support-32-bit-dma-addr.patch
+arm64-dts-freescale-imx93-tqma9352-limit-buck2-to-60.patch
+selftests-fix-errno-checking-in-syscall_user_dispatc.patch
+soc-qcom-qmi-encoding-decoding-for-big-endian.patch
+soc-qcom-fix-endianness-for-qmi-header.patch
+arm64-dts-qcom-qcs615-fix-a-crash-issue-caused-by-in.patch
+arm64-dts-qcom-sdm845-expand-imem-region.patch
+arm64-dts-qcom-sc7180-expand-imem-region.patch
+arm64-dts-qcom-qcs615-disable-the-cti-device-of-the-.patch
+arm64-dts-exynos-gs101-add-local-timer-stop-to-cpuid.patch
+arm64-dts-qcom-sa8775p-correct-the-interrupt-for-rem.patch
+arm64-dts-qcom-msm8976-make-blsp_dma-controlled-remo.patch
+pm-cpupower-fix-printing-of-core-cpu-fields-in-cpupo.patch
+arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch
+usb-host-xhci-plat-fix-incorrect-type-for-of_match-v.patch
+usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch
+arm64-dts-rockchip-fix-endpoint-dtc-warning-for-px30.patch
+arm64-dts-ti-k3-am642-phyboard-electra-fix-pru-icssg.patch
+arm64-dts-ti-k3-am62p-verdin-enable-pull-ups-on-i2c_.patch
+arm64-dts-ti-k3-am62p-j722s-fix-pinctrl-single-size.patch
+arm-dts-microchip-sama7d65-add-clock-name-property.patch
+arm-dts-microchip-sam9x7-add-clock-name-property.patch
+cpufreq-armada-8k-make-both-cpu-masks-static.patch
+firmware-arm_scmi-fix-up-turbo-frequencies-selection.patch
+x86-bugs-avoid-auto-after-the-select-step-in-the-ret.patch
+x86-bugs-simplify-the-retbleed-stuff-checks.patch
+x86-bugs-introduce-cdt_possible.patch
+x86-bugs-allow-its-stuffing-in-eibrs-retpoline-mode-.patch
+usb-typec-ucsi-yoga-c630-fix-error-and-remove-paths.patch
+mei-vsc-don-t-re-init-vsc-from-mei_vsc_hw_reset-on-s.patch
+mei-vsc-destroy-mutex-after-freeing-the-irq.patch
+mei-vsc-event-notifier-fixes.patch
+mei-vsc-unset-the-event-callback-on-remove-and-probe.patch
+mei-vsc-drop-unused-vsc_tp_request_irq-and-vsc_tp_fr.patch
+mei-vsc-run-event-callback-from-a-workqueue.patch
+mei-vsc-fix-bug-invalid-wait-context-lockdep-error.patch
+spi-stm32-check-for-cfg-availability-in-stm32_spi_pr.patch
+drivers-misc-sram-fix-up-some-const-issues-with-rece.patch
+rust-devres-require-t-send-for-devres.patch
+power-sequencing-qcom-wcn-fix-bluetooth-wifi-copypas.patch
+arm64-dts-rockchip-enable-emmc-hs200-mode-on-radxa-e.patch
+asoc-sdca-add-missing-default-in-switch-in-entity_pd.patch
+staging-gpib-fix-unset-padding-field-copy-back-to-us.patch
+staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch
+rust-miscdevice-clarify-invariant-for-miscdeviceregi.patch
+vmci-prevent-the-dispatching-of-uninitialized-payloa.patch
+pps-fix-poll-support.patch
+arm64-dts-imx8mp-venice-gw74xx-update-name-of-m2skt_.patch
+selftests-vdso-chacha-correctly-skip-test-if-necessa.patch
+revert-vmci-prevent-the-dispatching-of-uninitialized.patch
+powercap-dtpm_cpu-fix-null-pointer-dereference-in-ge.patch
+arm64-dts-ti-k3-am62p-verdin-add-sd_1-cd-pull-up.patch
+selftests-nolibc-correctly-report-errors-from-printf.patch
+pwm-rockchip-round-period-duty-down-on-apply-up-on-g.patch
+usb-early-xhci-dbc-fix-early_ioremap-leak.patch
+tools-nolibc-avoid-false-positive-wmaybe-uninitializ.patch
+arm-dts-ti-omap-fixup-pinheader-typo.patch
+arm64-dts-renesas-r8a779g3-sparrow-hawk-fan-pwm-add-.patch
+arm64-dts-ti-k3-am62p-verdin-fix-pwm_3_dsi-gpio-dire.patch
+staging-gpib-fix-error-code-in-board_type_ioctl.patch
+staging-gpib-fix-error-handling-paths-in-cb_gpib_pro.patch
+soc-tegra-cbb-clear-err_force-register-with-err_stat.patch
+arm64-dts-rockchip-fix-phy-handling-for-rock-4d.patch
+arm64-dts-st-fix-timer-used-for-ticks.patch
+selftests-breakpoints-use-suspend_stats-to-reliably-.patch
+arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch
+arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch
+arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch
+arm64-dts-freescale-imx8mp-toradex-smarc-fix-lvds-ds.patch
+arm64-dts-rockchip-fix-pinctrl-node-names-for-rk3528.patch
+pm-devfreq-check-governor-before-using-governor-name.patch
+pm-devfreq-fix-a-index-typo-in-trans_stat.patch
+cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch
+cpufreq-initialize-cpufreq-based-frequency-invarianc.patch
+cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch
+arm64-dts-rockchip-fix-uart-dma-support-for-rk3528.patch
+kexec_core-fix-error-code-path-in-the-kexec_jump-flo.patch
+asoc-sdca-update-memory-allocations-to-zero-initiali.patch
+asoc-sdca-allow-read-only-controls-to-be-deferrable.patch
+staging-greybus-gbphy-fix-up-const-issue-with-the-ma.patch
+driver-core-auxiliary-bus-fix-of-node-leak.patch
+samples-mei-fix-building-on-musl-libc.patch
+soc-qcom-pmic_glink-fix-of-node-leak.patch
+interconnect-qcom-sc8280xp-specify-num_links-for-qnm.patch
+interconnect-qcom-sc8180x-specify-num_nodes.patch
+interconnect-qcom-qcs615-drop-ip0-interconnects.patch
+bus-mhi-host-pci_generic-fix-the-modem-name-of-foxco.patch
+drm-xe-correct-the-rev-value-for-the-dvsec-entries.patch
+drm-xe-correct-bmg-vsec-header-sizing.patch
+platform-x86-oxpec-fix-turbo-register-for-g1-amd.patch
+riscv-dts-sophgo-sg2044-add-missing-riscv-cbop-block.patch
+staging-nvec-fix-incorrect-null-termination-of-batte.patch
+selftests-tracing-fix-false-failure-of-subsystem-eve.patch
+mips-alchemy-gpio-use-new-gpio-line-value-setter-cal.patch
+revert-udmabuf-fix-vmap_udmabuf-error-page-set.patch
+udmabuf-fix-vmap-missed-offset-page.patch
+drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch
+drm-sitronix-remove-broken-backwards-compatibility-l.patch
+drm-connector-hdmi-evaluate-limited-range-after-comp.patch
+drm-panfrost-fix-panfrost-device-variable-name-in-de.patch
+drm-panthor-add-missing-explicit-padding-in-drm_pant.patch
+wifi-rtw89-mcc-prevent-shift-wrapping-in-rtw89_core_.patch
+wifi-rtw89-sar-drop-lockdep-assertion-in-rtw89_set_s.patch
+wifi-rtw89-sar-do-not-assert-wiphy-lock-held-until-p.patch
+wifi-rtw89-fix-eht-20mhz-tx-rate-for-non-ap-sta.patch
+bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch
+netconsole-only-register-console-drivers-when-target.patch
+bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch
+net-bpf-fix-rcu-usage-in-task_cls_state-for-bpf-prog.patch
+selftests-bpf-fix-signedness-bug-in-redir_partial.patch
+bpf-handle-jset-if-a-b-.-as-a-jump-in-cfg-computatio.patch
+selftests-bpf-fix-unintentional-switch-case-fall-thr.patch
+net-ipv6-ip6mr-fix-in-out-netdev-to-pass-to-the-forw.patch
+drm-vmwgfx-fix-host-backed-userspace-on-guest-backed.patch
+slub-fix-a-documentation-build-error-for-krealloc.patch
+drm-amdgpu-remove-nbiov7.9-replay-count-reporting.patch
+drm-amdgpu-sdma-handle-paging-queues-in-amdgpu_sdma_.patch
+net-mana-fix-potential-deadlocks-in-mana-napi-ops.patch
+wifi-mac80211-fix-bssid_indicator-for-mbssid-in-ap-m.patch
+bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch
+powerpc-pseries-dlpar-search-drc-index-from-ibm-drc-.patch
+wifi-ath12k-avoid-accessing-uninitialized-arvif-ar-d.patch
+wifi-ath12k-update-channel-list-in-worker-when-wait-.patch
+wifi-ath12k-fix-double-budget-decrement-while-reapin.patch
+wifi-ath12k-pass-ab-pointer-directly-to-ath12k_dp_tx.patch
+caif-reduce-stack-size-again.patch
+net-annotate-races-around-sk-sk_uid.patch
+wifi-rtw89-avoid-null-dereference-when-rx-problemati.patch
+wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch
+drm-amdgpu-fix-slab-use-after-free-in-amdgpu_userq_m.patch
+wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch
+iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch
+drm-xe-uapi-correct-sync-type-definition-in-comments.patch
+team-replace-team-lock-with-rtnl-lock.patch
+wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch
+wifi-ath12k-clear-auth-flag-only-for-actual-associat.patch
+tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch
+net-mlx5-check-device-memory-pointer-before-usage.patch
+net-dst-annotate-data-races-around-dst-input.patch
+net-dst-annotate-data-races-around-dst-output.patch
+net-dst-add-four-helpers-to-annotate-data-races-arou.patch
+wifi-iwlwifi-fix-error-code-in-iwl_op_mode_dvm_start.patch
+kselftest-arm64-fix-check-for-setting-new-vls-in-sve.patch
+wifi-mt76-mt7925-fix-off-by-one-in-mt7925_mcu_hw_sca.patch
+bpf-ensure-rcu-lock-is-held-around-bpf_prog_ksym_fin.patch
+drm-msm-dpu-fill-in-min_prefill_lines-for-sc8180x.patch
+m68k-don-t-unregister-boot-console-needlessly.patch
+refscale-check-that-nreaders-and-loops-multiplicatio.patch
+wifi-mt76-mt7996-fix-secondary-link-lookup-in-mt7996.patch
+wifi-mt76-mt7996-fix-possible-oob-access-in-mt7996_t.patch
+wifi-mt76-mt7996-fix-valid_links-bitmask-in-mt7996_m.patch
+drm-amdkfd-move-the-process-suspend-and-resume-out-o.patch
+drm-amdgpu-rework-queue-reset-scheduler-interaction.patch
+drm-amdgpu-move-force-completion-into-ring-resets.patch
+drm-amdgpu-gfx10-fix-kgq-reset-sequence.patch
+drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch
+revert-drm-amdgpu-fix-slab-use-after-free-in-amdgpu_.patch
+drm-amdgpu-fix-use-after-free-in-amdgpu_userq_suspen.patch
+wifi-ath12k-block-radio-bring-up-in-ftm-mode.patch
+arm64-fix-unnecessary-rebuilding-when-config_debug_e.patch
+drm-rockchip-vop2-fail-cleanly-if-missing-a-primary-.patch
+drm-rockchip-vop2-fix-the-update-of-layer-port-selec.patch
+sched-psi-optimize-psi_group_change-cpu_clock-usage.patch
+sched-deadline-less-agressive-dl_server-handling.patch
+fbcon-fix-outdated-registered_fb-reference-in-commen.patch
+netfilter-nf_tables-drop-dead-code-from-fill_-_info-.patch
+netfilter-nf_tables-adjust-lockdep-assertions-handli.patch
+drm-panthor-fix-uaf-in-panthor_gem_create_with_handl.patch
+wifi-ath12k-update-unsupported-bandwidth-flags-in-re.patch
+wifi-ath12k-pack-htt-pdev-rate-stats-structs.patch
+arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch
+um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch
+iommu-amd-enable-pasid-and-ats-capabilities-in-the-c.patch
+spi-spi-nxp-fspi-check-return-value-of-devm_mutex_in.patch
+leds-lp8860-check-return-value-of-devm_mutex_init.patch
+net-sched-restrict-conditions-for-adding-duplicating.patch
+net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch
+rdma-mlx5-fix-umr-modifying-of-mkey-page-size.patch
+xen-fix-uaf-in-dmabuf_exp_from_pages.patch
+sched-deadline-initialize-dl_servers-after-smp.patch
+sched-deadline-reset-extra_bw-to-max_bw-when-clearin.patch
+iommu-vt-d-do-not-wipe-out-the-page-table-nid-when-d.patch
+iommu-vt-d-fix-missing-pasid-in-dev-tlb-flush-with-c.patch
+iommu-arm-smmu-disable-prr-on-sm8250.patch
+xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch
+sched-do-not-call-__put_task_struct-on-rt-if-pi_bloc.patch
+tcp-call-tcp_measure_rcv_mss-for-ooo-packets.patch
+wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch
+wifi-rtw88-fix-macid-assigned-to-tdls-station.patch
+mwl8k-add-missing-check-after-dma-map.patch
+wifi-mac80211-use-rcu-safe-iteration-in-ieee80211_cs.patch
+wifi-ath12k-use-htt_tcl_metadata_ver_v1-in-ftm-mode.patch
+wifi-ath11k-fix-sleeping-in-atomic-in-ath11k_mac_op_.patch
+drm-amdgpu-gfx9-fix-kiq-locking-in-kcq-reset.patch
+drm-amdgpu-gfx9.4.3-fix-kiq-locking-in-kcq-reset.patch
+drm-amdgpu-gfx10-fix-kiq-locking-in-kcq-reset.patch
+selftests-bpf-fix-implementation-of-smp_mb.patch
+iommu-amd-fix-geometry.aperture_end-for-v2-tables.patch
+rcu-fix-delayed-execution-of-hurry-callbacks.patch
+wifi-mac80211-reject-tdls-operations-when-station-is.patch
+wifi-plfxlc-fix-error-handling-in-usb-driver-probe.patch
+wifi-cfg80211-add-missing-lock-in-cfg80211_check_and.patch
+wifi-mac80211-do-not-schedule-stopped-txqs.patch
+wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch
+wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch
+reapply-wifi-mac80211-update-skb-s-control-block-key.patch
+wifi-ath12k-fix-endianness-handling-while-accessing-.patch
+wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch
+pm-cpufreq-powernv-tracing-move-powernv_throttle-tra.patch
+wifi-mac80211-write-cnt-before-copying-in-ieee80211_.patch
+wifi-nl80211-set-num_sub_specs-before-looping-throug.patch
+ring-buffer-remove-ring_buffer_read_prepare_sync.patch
+kcsan-test-initialize-dummy-variable.patch
+memcg_slabinfo-fix-use-of-pg_slab.patch
+wifi-brcmfmac-cyw-fix-__counted_by-to-be-le-variant.patch
+wifi-mac80211-fix-warn_on-for-monitor-mode-on-some-d.patch
+arm64-gcs-task_gcs_el0_enable-should-use-passed-task.patch
+wifi-iwlwifi-mld-decode-eof-bit-for-ampdus.patch
+iommu-vt-d-fix-uaf-on-sva-unbind-with-pending-iopfs.patch
+wifi-brcmfmac-fix-extsae-wpa3-connection-failure-due.patch
+bluetooth-btusb-fix-potential-null-dereference-on-km.patch
+bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch
+bluetooth-hci_devcd_dump-fix-out-of-bounds-via-dev_c.patch
+bluetooth-btintel-define-a-macro-for-intel-reset-ven.patch
+bluetooth-btintel_pcie-make-driver-wait-for-alive-in.patch
+bluetooth-hci_event-mask-data-status-from-le-ext-adv.patch
+bpf-disable-migration-in-nf_hook_run_bpf.patch
+bpf-reject-narrower-access-to-pointer-ctx-fields.patch
+tools-rv-do-not-skip-idle-in-trace.patch
+selftests-drv-net-fix-remote-command-checking-in-req.patch
+selftests-drv-net-tso-enable-test-cases-based-on-hw_.patch
+selftests-drv-net-tso-fix-vxlan-tunnel-flags-to-get-.patch
+selftests-drv-net-tso-fix-non-tunneled-tso6-test-cas.patch
+can-peak_usb-fix-usb-fd-devices-potential-malfunctio.patch
+can-tscan1-kconfig-add-compile_test.patch
+can-tscan1-can_tscan1-can-depend-on-pc104.patch
+can-kvaser_pciefd-store-device-channel-index.patch
+can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch
+netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch
+selftests-netfilter-ignore-tainted-kernels-in-interf.patch
+selftests-netfilter-ipvs.sh-explicity-disable-rp_fil.patch
+net-mlx5e-clear-read-only-port-buffer-size-in-pbmc-b.patch
+net-mlx5e-remove-skb-secpath-if-xfrm-state-is-not-fo.patch
+net-mlx5e-fix-potential-deadlock-by-deferring-rx-tim.patch
+macsec-set-iff_unicast_flt-priv-flag.patch
+net-dsa-microchip-fix-wrong-rx-drop-mib-counter-for-.patch
+neighbour-fix-null-ptr-deref-in-neigh_flush_dev.patch
+stmmac-xsk-fix-negative-overflow-of-budget-in-zeroco.patch
+igb-xsk-solve-negative-overflow-of-nb_pkts-in-zeroco.patch
+selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch
+vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch
+ipv6-add-a-retry-logic-in-net6_rt_notify.patch
+ipv6-prevent-infinite-loop-in-rt6_nlmsg_size.patch
+ipv6-fix-possible-infinite-loop-in-fib6_info_uses_de.patch
+ipv6-annotate-data-races-around-rt-fib6_nsiblings.patch
+bpf-preload-don-t-select-usermode_driver.patch
+bpf-arm64-fix-fp-initialization-for-exception-bounda.patch
+risc-v-kvm-fix-inclusion-of-smnpm-in-the-guest-isa-b.patch
+rv-remove-trailing-whitespace-from-tracepoint-string.patch
+rv-use-strings-in-da-monitors-tracepoints.patch
+rv-adjust-monitor-dependencies.patch
+staging-media-atomisp-fix-stack-buffer-overflow-in-g.patch
+fortify-fix-incorrect-reporting-of-read-buffer-size.patch
+pinctrl-cirrus-madera-core-use-devm_pinctrl_register.patch
+remoteproc-qcom-pas-conclude-the-rename-from-adsp.patch
+pci-rockchip-host-fix-unexpected-completion-log-mess.patch
+clk-renesas-rzv2h-fix-missing-clk_set_rate_parent-fl.patch
+crypto-sun8i-ce-fix-nents-passed-to-dma_unmap_sg.patch
+crypto-qat-use-unmanaged-allocation-for-dc_data.patch
+crypto-marvell-cesa-fix-engine-load-inaccuracy.patch
+crypto-s390-hmac-fix-counter-in-export-state.patch
+crypto-s390-sha3-use-cpu-byte-order-when-exporting.patch
+padata-fix-pd-uaf-once-and-for-all.patch
+crypto-ccp-fix-dereferencing-uninitialized-error-poi.patch
+crypto-qat-allow-enabling-vfs-in-the-absence-of-iomm.patch
+crypto-qat-fix-state-restore-for-banks-with-exceptio.patch
+mtd-fix-possible-integer-overflow-in-erase_xfer.patch
+clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch
+media-imx-jpeg-account-for-data_offset-when-getting-.patch
+media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch
+perf-parse-events-set-default-gh-modifier-properly.patch
+clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch
+power-supply-cpcap-charger-fix-null-check-for-power_.patch
+power-reset-power_reset_toradex_ec-should-depend-on-.patch
+power-supply-max14577-handle-null-pdata-when-config_.patch
+power-supply-qcom_pmi8998_charger-fix-wakeirq.patch
+power-supply-max1720x-correct-capacity-computation.patch
+crypto-arm-aes-neonbs-work-around-gcc-15-warning.patch
+crypto-ahash-add-support-for-drivers-with-no-fallbac.patch
+crypto-ahash-stop-legacy-tfms-from-using-the-set_vir.patch
+crypto-qat-restore-asym-service-support-for-gen6-dev.patch
+pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch
+pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch
+pinctrl-berlin-fix-memory-leak-in-berlin_pinctrl_bui.patch
+pinctrl-canaan-k230-add-null-check-in-dt-parse.patch
+pinctrl-canaan-k230-fix-order-of-dt-parse-and-pinctr.patch
+pci-adjust-the-position-of-reading-the-link-control-.patch
+pci-rename-pcie_reset_config_device_wait_ms-to-pcie_.patch
+pci-dw-rockchip-wait-pcie_reset_config_wait_ms-after.patch
+pci-qcom-wait-pcie_reset_config_wait_ms-after-link-u.patch
+soundwire-correct-some-property-names.patch
+dmaengine-mmp-fix-again-wvoid-pointer-to-enum-cast-w.patch
+soundwire-debugfs-move-debug-statement-outside-of-er.patch
+phy-qualcomm-phy-qcom-eusb2-repeater-don-t-zero-out-.patch
+fanotify-sanitize-handle_type-values-when-reporting-.patch
+clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch
+rdma-ipoib-use-parent-rdma-device-net-namespace.patch
+rdma-uverbs-check-cap_net_raw-in-user-namespace-for-.patch
+rdma-mlx5-check-cap_net_raw-in-user-namespace-for-fl.patch
+rdma-mlx5-check-cap_net_raw-in-user-namespace-for-an.patch
+rdma-uverbs-check-cap_net_raw-in-user-namespace-for-.patch-18096
+rdma-uverbs-check-cap_net_raw-in-user-namespace-for-.patch-8105
+leds-tps6131x-add-v4l2_flash_led_class-dependency.patch
+rdma-mlx5-check-cap_net_raw-in-user-namespace-for-de.patch
+rdma-nldev-check-cap_net_raw-in-user-namespace-for-q.patch
+rdma-counter-check-cap_net_raw-check-in-user-namespa.patch
+fix-dma_unmap_sg-nents-value.patch
+leds-pca955x-avoid-potential-overflow-when-filling-d.patch
+gitignore-allow-.pylintrc-to-be-tracked.patch
+perf-tools-fix-use-after-free-in-help_unknown_cmd.patch
+perf-dso-add-missed-dso__put-to-dso__load_kcore.patch
+mtd-spi-nor-spansion-fixup-params-set_4byte_addr_mod.patch
+perf-sched-make-sure-it-frees-the-usage-string.patch
+perf-sched-free-thread-priv-using-priv_destructor.patch
+perf-sched-fix-memory-leaks-in-perf-sched-map.patch
+perf-sched-fix-thread-leaks-in-perf-sched-timehist.patch
+perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch
+perf-sched-use-rc_chk_equal-to-compare-pointers.patch
+perf-sched-fix-memory-leaks-in-perf-sched-latency.patch
+clk-spacemit-mark-k1-pll1_d8-as-critical.patch
+rdma-hns-fix-double-destruction-of-rsv_qp.patch
+rdma-hns-fix-hw-configurations-not-cleared-in-error-.patch
+crypto-ccp-fix-locking-on-alloc-failure-handling.patch
+crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch
+crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch
+rdma-hns-get-message-length-of-ack_req-from-fw.patch
+rdma-hns-fix-accessing-uninitialized-resources.patch
+rdma-hns-drop-gfp_nowarn.patch
+rdma-hns-fix-wframe-larger-than-issue.patch
+tracing-use-queue_rcu_work-to-free-filters.patch
+kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch
+rdma-uverbs-add-empty-rdma_uattrs_has_raw_cap-declar.patch
+proc-use-the-same-treatment-to-check-proc_lseek-as-o.patch
+cxl-core-introduce-a-new-helper-cxl_resource_contain.patch
+cxl-edac-fix-wrong-dpa-checking-for-ppr-operation.patch
+pinmux-fix-race-causing-mux_owner-null-with-active-m.patch
+perf-tests-bp_account-fix-leaked-file-descriptor.patch
+perf-hwmon_pmu-avoid-shortening-hwmon-pmu-name.patch
+perf-python-fix-thread-check-in-pyrf_evsel__read.patch
+perf-python-correct-pyrf_evsel__read-for-tool-pmus.patch
+rdma-mana_ib-fix-dscp-value-in-modify-qp.patch
+clk-thead-th1520-ap-correctly-refer-the-parent-of-os.patch
+ext4-correct-the-reserved-credits-for-extent-convers.patch
+ext4-fix-insufficient-credits-calculation-in-ext4_me.patch
+clk-sunxi-ng-v3s-fix-de-clock-definition.patch
+scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch
+scsi-core-fix-kernel-doc-for-scsi_track_queue_full.patch
+scsi-elx-efct-fix-dma_unmap_sg-nents-value.patch
+scsi-mvsas-fix-dma_unmap_sg-nents-value.patch
+scsi-isci-fix-dma_unmap_sg-nents-value.patch
+pci-fix-driver_managed_dma-check.patch
+watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch
+selftests-cgroup-fix-cpu.max-tests.patch
+ext4-fix-inode-use-after-free-in-ext4_end_io_rsv_wor.patch
+ext4-make-sure-bh_new-bit-is-cleared-in-write_end-ha.patch
+clk-at91-sam9x7-update-pll-clk-ranges.patch
+hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch
+crypto-keembay-fix-dma_unmap_sg-nents-value.patch
+crypto-img-hash-fix-dma_unmap_sg-nents-value.patch
+crypto-qat-disable-zuc-256-capability-for-qat-gen5.patch
+crypto-qat-fix-virtual-channel-configuration-for-gen.patch
+crypto-krb5-fix-memory-leak-in-krb5_test_one_prf.patch
+cgroup-add-compatibility-option-for-content-of-proc-.patch
+soundwire-stream-restore-params-when-prepare-ports-f.patch
+pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch
+clk-imx95-blk-ctl-fix-synchronous-abort.patch
+phy-qcom-phy-qcom-snps-eusb2-add-missing-write-from-.patch
+remoteproc-xlnx-disable-unsupported-features.patch
+fs-orangefs-allow-2-more-characters-in-do_c_string.patch
+clk-thead-th1520-ap-describe-mux-clocks-with-clk_mux.patch
+tools-subcmd-tighten-the-filename-size-in-check_if_c.patch
+perf-pmu-switch-filename_max-to-name_max.patch
+dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch
+dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch
+mfd-tps65219-update-tps65214-mfd-cell-s-gpio-compati.patch
+asoc-sdca-fix-some-holes-in-the-regmap-readable-writ.patch
+asoc-fsl_xcvr-get-channel-status-data-when-phy-is-no.patch
+asoc-fsl_xcvr-get-channel-status-data-with-firmware-.patch
+perf-topdown-use-attribute-to-see-an-event-is-a-topd.patch
+clk-spacemit-ccu_pll-fix-error-return-value-in-recal.patch
+sh-do-not-use-hyphen-in-exported-variable-name.patch
+perf-tools-remove-libtraceevent-in-.gitignore.patch
+clk-clocking-wizard-fix-the-round-rate-handling-for-.patch
+crypto-qat-fix-dma-direction-for-compression-on-gen2.patch
+crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch
+fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch
+smb-client-allow-parsing-zero-length-av-pairs.patch
+drm-xe-configfs-fix-pci_dev-reference-leak.patch
+jfs-fix-metapage-reference-count-leak-in-dballocctl.patch
+mtd-rawnand-atmel-fix-dma_mapping_error-address.patch
+mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch
+mtd-rawnand-atmel-set-pmecc-data-setup-time.patch
+drm-xe-vf-disable-csc-support-on-vf.patch
+selftests-alsa-fix-memory-leak-in-utimer-test.patch
+alsa-usb-scarlett2-fix-missing-null-check.patch
+perf-record-cache-build-id-of-hit-dsos-only.patch
+bpf-add-cookie-object-to-bpf-maps.patch
+bpf-move-bpf-map-owner-out-of-common-struct.patch
+bpf-move-cgroup-iterator-helpers-to-bpf.h.patch
+bpf-fix-oob-access-in-cgroup-local-storage.patch
+vdpa-mlx5-fix-needs_teardown-flag-calculation.patch
+vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch
+vhost-scsi-fix-check-for-inline_sg_cnt-exceeding-pre.patch
+vdpa-mlx5-fix-release-of-uninitialized-resources-on-.patch
+vdpa-fix-idr-memory-leak-in-vduse-module-exit.patch
+vhost-reintroduce-kthread-api-and-add-mode-selection.patch
+bpf-check-flow_dissector-ctx-accesses-are-aligned.patch
+bpf-check-netfilter-ctx-accesses-are-aligned.patch
+apparmor-ensure-wb_history_size-value-is-a-power-of-.patch
+apparmor-fix-loop-detection-used-in-conflicting-atta.patch
+dm-flakey-fix-corrupt_bio_byte-setup-checks.patch
+uprobes-revert-ref_ctr_offset-in-uprobe_unregister-e.patch
+scripts-gdb-move-mnt_-constants-to-gdb-parsed.patch
+squashfs-use-folios-in-squashfs_bio_read_cached.patch
+squashfs-fix-incorrect-argument-to-sizeof-in-kmalloc.patch
+apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch
+i3c-fix-module_i3c_i2c_driver-with-i3c-n.patch
+i3c-master-svc-fix-npcm845-fifo_empty-quirk.patch
+module-restore-the-moduleparam-prefix-length-check.patch
+ucount-fix-atomic_long_inc_below-argument-type.patch
+rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch
+rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch
+rtc-nct3018y-fix-incorrect-maximum-clock-rate-handli.patch
+rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch
+rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch
+rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch
+f2fs-turn-off-one_time-when-forcibly-set-to-foregrou.patch
+f2fs-fix-bio-memleak-when-committing-super-block.patch
+f2fs-fix-to-avoid-invalid-wait-context-issue.patch
+f2fs-compress-change-the-first-parameter-of-page_arr.patch
+f2fs-compress-fix-uaf-of-f2fs_inode_info-in-f2fs_fre.patch
+f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch
+f2fs-fix-to-check-upper-boundary-for-value-of-gc_boo.patch
+f2fs-fix-to-check-upper-boundary-for-gc_valid_thresh.patch
+f2fs-fix-to-check-upper-boundary-for-gc_no_zoned_gc_.patch
+f2fs-doc-fix-wrong-quota-mount-option-description.patch
+f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch
+f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch
+f2fs-vm_unmap_ram-may-be-called-from-an-invalid-cont.patch
+f2fs-fix-to-update-upper_p-in-__get_secs_required-co.patch
+f2fs-fix-to-calculate-dirty-data-during-has_not_enou.patch
+f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_bl.patch
+exfat-fdatasync-flag-should-be-same-like-generic_wri.patch
+i2c-muxes-mule-fix-an-error-handling-path-in-mule_i2.patch
+vfio-fix-unbalanced-vfio_df_close-call-in-no-iommu-m.patch
+vfio-prevent-open_count-decrement-to-negative.patch
+vfio-pds-fix-missing-detach_ioas-op.patch
+vfio-pci-separate-sr-iov-vf-dev_set.patch
+scsi-mpt3sas-fix-a-fw_event-memory-leak.patch
+scsi-revert-scsi-iscsi-fix-hw-conn-removal-use-after.patch
+scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch
+scsi-sd-make-sd-shutdown-issue-start-stop-unit-appro.patch
+kconfig-qconf-fix-configlist-updatelistallforall.patch
+vfio-pci-do-vf_token-checks-for-vfio_device_bind_iom.patch
+sched-psi-fix-psi_seq-initialization.patch
+padata-remove-comment-for-reorder_work.patch
+pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch
+pci-pnv_php-work-around-switches-with-broken-presenc.patch
+powerpc-eeh-export-eeh_unfreeze_pe.patch
+powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch
+pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch
--- /dev/null
+From 77e5f5301bd99daa4df4345d25f18673c0ecce6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 16:47:32 +0200
+Subject: sh: Do not use hyphen in exported variable name
+
+From: Ben Hutchings <benh@debian.org>
+
+[ Upstream commit c32969d0362a790fbc6117e0b6a737a7e510b843 ]
+
+arch/sh/Makefile defines and exports ld-bfd to be used by
+arch/sh/boot/compressed/Makefile and arch/sh/boot/romimage/Makefile.
+However some shells, including dash, will not pass through environment
+variables whose name includes a hyphen. Usually GNU make does not use
+a shell to recurse, but if e.g. $(srctree) contains '~' it will use a
+shell here.
+
+Other instances of this problem were previously fixed by commits
+2bfbe7881ee0 "kbuild: Do not use hyphen in exported variable name"
+and 82977af93a0d "sh: rename suffix-y to suffix_y".
+
+Rename the variable to ld_bfd.
+
+References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=4.13%7Erc5-1%7Eexp1&stamp=1502943967&raw=0
+Fixes: 7b022d07a0fd ("sh: Tidy up the ldscript output format specifier.")
+Signed-off-by: Ben Hutchings <benh@debian.org>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/Makefile | 10 +++++-----
+ arch/sh/boot/compressed/Makefile | 4 ++--
+ arch/sh/boot/romimage/Makefile | 4 ++--
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/arch/sh/Makefile b/arch/sh/Makefile
+index cab2f9c011a8..7b420424b6d7 100644
+--- a/arch/sh/Makefile
++++ b/arch/sh/Makefile
+@@ -103,16 +103,16 @@ UTS_MACHINE := sh
+ LDFLAGS_vmlinux += -e _stext
+
+ ifdef CONFIG_CPU_LITTLE_ENDIAN
+-ld-bfd := elf32-sh-linux
+-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld-bfd)
++ld_bfd := elf32-sh-linux
++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld_bfd)
+ KBUILD_LDFLAGS += -EL
+ else
+-ld-bfd := elf32-shbig-linux
+-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld-bfd)
++ld_bfd := elf32-shbig-linux
++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld_bfd)
+ KBUILD_LDFLAGS += -EB
+ endif
+
+-export ld-bfd
++export ld_bfd
+
+ # Mach groups
+ machdir-$(CONFIG_SOLUTION_ENGINE) += mach-se
+diff --git a/arch/sh/boot/compressed/Makefile b/arch/sh/boot/compressed/Makefile
+index 8bc319ff54bf..58df491778b2 100644
+--- a/arch/sh/boot/compressed/Makefile
++++ b/arch/sh/boot/compressed/Makefile
+@@ -27,7 +27,7 @@ endif
+
+ ccflags-remove-$(CONFIG_MCOUNT) += -pg
+
+-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(IMAGE_OFFSET) -e startup \
++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(IMAGE_OFFSET) -e startup \
+ -T $(obj)/../../kernel/vmlinux.lds
+
+ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
+@@ -51,7 +51,7 @@ $(obj)/vmlinux.bin.lzo: $(obj)/vmlinux.bin FORCE
+
+ OBJCOPYFLAGS += -R .empty_zero_page
+
+-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
+
+ $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix_y) FORCE
+ $(call if_changed,ld)
+diff --git a/arch/sh/boot/romimage/Makefile b/arch/sh/boot/romimage/Makefile
+index c7c8be58400c..17b03df0a8de 100644
+--- a/arch/sh/boot/romimage/Makefile
++++ b/arch/sh/boot/romimage/Makefile
+@@ -13,7 +13,7 @@ mmcif-obj-$(CONFIG_CPU_SUBTYPE_SH7724) := $(obj)/mmcif-sh7724.o
+ load-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-load-y)
+ obj-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-obj-y)
+
+-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(load-y) -e romstart \
++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(load-y) -e romstart \
+ -T $(obj)/../../kernel/vmlinux.lds
+
+ $(obj)/vmlinux: $(obj)/head.o $(obj-y) $(obj)/piggy.o FORCE
+@@ -24,7 +24,7 @@ OBJCOPYFLAGS += -j .empty_zero_page
+ $(obj)/zeropage.bin: vmlinux FORCE
+ $(call if_changed,objcopy)
+
+-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
+
+ $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/zeropage.bin arch/sh/boot/zImage FORCE
+ $(call if_changed,ld)
+--
+2.39.5
+
--- /dev/null
+From 00bdededb45ebb35fa121a111ea55bc23b9dd536 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 16:59:08 +0100
+Subject: slub: Fix a documentation build error for krealloc()
+
+From: Jonathan Corbet <corbet@lwn.net>
+
+[ Upstream commit e8a45f198e3ae2434108f815bc28f37f6fe6742b ]
+
+The kerneldoc comment for krealloc() contains an unmarked literal block,
+leading to these warnings in the docs build:
+
+ ./mm/slub.c:4936: WARNING: Block quote ends without a blank line; unexpected unindent. [docutils]
+ ./mm/slub.c:4936: ERROR: Undefined substitution referenced: "--------". [docutils]
+
+Mark up and indent the block properly to bring a bit of peace to our build
+logs.
+
+Fixes: 489a744e5fb1 (mm: krealloc: clarify valid usage of __GFP_ZERO)
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Link: https://patch.msgid.link/20250611155916.2579160-6-willy@infradead.org
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/slub.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 31e11ef256f9..45a963e363d3 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4930,12 +4930,12 @@ __do_krealloc(const void *p, size_t new_size, gfp_t flags)
+ * When slub_debug_orig_size() is off, krealloc() only knows about the bucket
+ * size of an allocation (but not the exact size it was allocated with) and
+ * hence implements the following semantics for shrinking and growing buffers
+- * with __GFP_ZERO.
++ * with __GFP_ZERO::
+ *
+- * new bucket
+- * 0 size size
+- * |--------|----------------|
+- * | keep | zero |
++ * new bucket
++ * 0 size size
++ * |--------|----------------|
++ * | keep | zero |
+ *
+ * Otherwise, the original allocation size 'orig_size' could be used to
+ * precisely clear the requested size, and the new size will also be stored
+--
+2.39.5
+
--- /dev/null
+From 5f2a355f9654513b627789dc30415ca03c86d3cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 00:04:43 -0300
+Subject: smb: client: allow parsing zero-length AV pairs
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit be77ab6b9fbe348daf3c2d3ee40f23ca5110a339 ]
+
+Zero-length AV pairs should be considered as valid target infos.
+Don't skip the next AV pairs that follow them.
+
+Cc: linux-cifs@vger.kernel.org
+Cc: David Howells <dhowells@redhat.com>
+Fixes: 0e8ae9b953bc ("smb: client: parse av pair type 4 in CHALLENGE_MESSAGE")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsencrypt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/smb/client/cifsencrypt.c b/fs/smb/client/cifsencrypt.c
+index 35892df7335c..6be850d2a346 100644
+--- a/fs/smb/client/cifsencrypt.c
++++ b/fs/smb/client/cifsencrypt.c
+@@ -343,7 +343,7 @@ static struct ntlmssp2_name *find_next_av(struct cifs_ses *ses,
+ len = AV_LEN(av);
+ if (AV_TYPE(av) == NTLMSSP_AV_EOL)
+ return NULL;
+- if (!len || (u8 *)av + sizeof(*av) + len > end)
++ if ((u8 *)av + sizeof(*av) + len > end)
+ return NULL;
+ return av;
+ }
+@@ -363,7 +363,7 @@ static int find_av_name(struct cifs_ses *ses, u16 type, char **name, u16 maxlen)
+
+ av_for_each_entry(ses, av) {
+ len = AV_LEN(av);
+- if (AV_TYPE(av) != type)
++ if (AV_TYPE(av) != type || !len)
+ continue;
+ if (!IS_ALIGNED(len, sizeof(__le16))) {
+ cifs_dbg(VFS | ONCE, "%s: bad length(%u) for type %u\n",
+--
+2.39.5
+
--- /dev/null
+From cee88023fd94ac50cf60117c510fd04ba669b4ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 16:35:30 +0200
+Subject: soc: qcom: fix endianness for QMI header
+
+From: Alexander Wilhelm <alexander.wilhelm@westermo.com>
+
+[ Upstream commit 07a4688833b237331e5045f90fc546c085b28c86 ]
+
+The members of QMI header have to be swapped on big endian platforms. Use
+__le16 types instead of u16 ones.
+
+Signed-off-by: Alexander Wilhelm <alexander.wilhelm@westermo.com>
+Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
+Fixes: 3830d0771ef6 ("soc: qcom: Introduce QMI helpers")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250522143530.3623809-3-alexander.wilhelm@westermo.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/qmi_encdec.c | 6 +++---
+ drivers/soc/qcom/qmi_interface.c | 6 +++---
+ include/linux/soc/qcom/qmi.h | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c
+index dafe0a4c202e..7660a960fb45 100644
+--- a/drivers/soc/qcom/qmi_encdec.c
++++ b/drivers/soc/qcom/qmi_encdec.c
+@@ -776,9 +776,9 @@ void *qmi_encode_message(int type, unsigned int msg_id, size_t *len,
+
+ hdr = msg;
+ hdr->type = type;
+- hdr->txn_id = txn_id;
+- hdr->msg_id = msg_id;
+- hdr->msg_len = msglen;
++ hdr->txn_id = cpu_to_le16(txn_id);
++ hdr->msg_id = cpu_to_le16(msg_id);
++ hdr->msg_len = cpu_to_le16(msglen);
+
+ *len = sizeof(*hdr) + msglen;
+
+diff --git a/drivers/soc/qcom/qmi_interface.c b/drivers/soc/qcom/qmi_interface.c
+index bc6d6379d8b1..6500f863aae5 100644
+--- a/drivers/soc/qcom/qmi_interface.c
++++ b/drivers/soc/qcom/qmi_interface.c
+@@ -400,7 +400,7 @@ static void qmi_invoke_handler(struct qmi_handle *qmi, struct sockaddr_qrtr *sq,
+
+ for (handler = qmi->handlers; handler->fn; handler++) {
+ if (handler->type == hdr->type &&
+- handler->msg_id == hdr->msg_id)
++ handler->msg_id == le16_to_cpu(hdr->msg_id))
+ break;
+ }
+
+@@ -488,7 +488,7 @@ static void qmi_handle_message(struct qmi_handle *qmi,
+ /* If this is a response, find the matching transaction handle */
+ if (hdr->type == QMI_RESPONSE) {
+ mutex_lock(&qmi->txn_lock);
+- txn = idr_find(&qmi->txns, hdr->txn_id);
++ txn = idr_find(&qmi->txns, le16_to_cpu(hdr->txn_id));
+
+ /* Ignore unexpected responses */
+ if (!txn) {
+@@ -514,7 +514,7 @@ static void qmi_handle_message(struct qmi_handle *qmi,
+ } else {
+ /* Create a txn based on the txn_id of the incoming message */
+ memset(&tmp_txn, 0, sizeof(tmp_txn));
+- tmp_txn.id = hdr->txn_id;
++ tmp_txn.id = le16_to_cpu(hdr->txn_id);
+
+ qmi_invoke_handler(qmi, sq, &tmp_txn, buf, len);
+ }
+diff --git a/include/linux/soc/qcom/qmi.h b/include/linux/soc/qcom/qmi.h
+index 469e02d2aa0d..291cdc7ef49c 100644
+--- a/include/linux/soc/qcom/qmi.h
++++ b/include/linux/soc/qcom/qmi.h
+@@ -24,9 +24,9 @@ struct socket;
+ */
+ struct qmi_header {
+ u8 type;
+- u16 txn_id;
+- u16 msg_id;
+- u16 msg_len;
++ __le16 txn_id;
++ __le16 msg_id;
++ __le16 msg_len;
+ } __packed;
+
+ #define QMI_REQUEST 0
+--
+2.39.5
+
--- /dev/null
+From cd51f2b0cc609ef9b15aebec230b7686efd8f51a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 10:57:17 +0200
+Subject: soc: qcom: pmic_glink: fix OF node leak
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 65702c3d293e45d3cac5e4e175296a9c90404326 ]
+
+Make sure to drop the OF node reference taken when registering the
+auxiliary devices when the devices are later released.
+
+Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver")
+Cc: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250708085717.15922-1-johan@kernel.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/pmic_glink.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c
+index 0a6d325b195c..c0a4be5df926 100644
+--- a/drivers/soc/qcom/pmic_glink.c
++++ b/drivers/soc/qcom/pmic_glink.c
+@@ -167,7 +167,10 @@ static int pmic_glink_rpmsg_callback(struct rpmsg_device *rpdev, void *data,
+ return 0;
+ }
+
+-static void pmic_glink_aux_release(struct device *dev) {}
++static void pmic_glink_aux_release(struct device *dev)
++{
++ of_node_put(dev->of_node);
++}
+
+ static int pmic_glink_add_aux_device(struct pmic_glink *pg,
+ struct auxiliary_device *aux,
+@@ -181,8 +184,10 @@ static int pmic_glink_add_aux_device(struct pmic_glink *pg,
+ aux->dev.release = pmic_glink_aux_release;
+ device_set_of_node_from_dev(&aux->dev, parent);
+ ret = auxiliary_device_init(aux);
+- if (ret)
++ if (ret) {
++ of_node_put(aux->dev.of_node);
+ return ret;
++ }
+
+ ret = auxiliary_device_add(aux);
+ if (ret)
+--
+2.39.5
+
--- /dev/null
+From a410c84cb61d4ed81bd0c7c1cf2f07702bbd84e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 16:35:29 +0200
+Subject: soc: qcom: QMI encoding/decoding for big endian
+
+From: Alexander Wilhelm <alexander.wilhelm@westermo.com>
+
+[ Upstream commit 3ced38da5f7de4c260f9eaa86fc805827953243a ]
+
+The QMI_DATA_LEN type may have different sizes. Taking the element's
+address of that type and interpret it as a smaller sized ones works fine
+for little endian platforms but not for big endian ones. Instead use
+temporary variables of smaller sized types and cast them correctly to
+support big endian platforms.
+
+Signed-off-by: Alexander Wilhelm <alexander.wilhelm@westermo.com>
+Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250522143530.3623809-2-alexander.wilhelm@westermo.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/qmi_encdec.c | 46 +++++++++++++++++++++++++++++------
+ 1 file changed, 38 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c
+index bb09eff85cff..dafe0a4c202e 100644
+--- a/drivers/soc/qcom/qmi_encdec.c
++++ b/drivers/soc/qcom/qmi_encdec.c
+@@ -304,6 +304,8 @@ static int qmi_encode(const struct qmi_elem_info *ei_array, void *out_buf,
+ const void *buf_src;
+ int encode_tlv = 0;
+ int rc;
++ u8 val8;
++ u16 val16;
+
+ if (!ei_array)
+ return 0;
+@@ -338,7 +340,6 @@ static int qmi_encode(const struct qmi_elem_info *ei_array, void *out_buf,
+ break;
+
+ case QMI_DATA_LEN:
+- memcpy(&data_len_value, buf_src, temp_ei->elem_size);
+ data_len_sz = temp_ei->elem_size == sizeof(u8) ?
+ sizeof(u8) : sizeof(u16);
+ /* Check to avoid out of range buffer access */
+@@ -348,8 +349,17 @@ static int qmi_encode(const struct qmi_elem_info *ei_array, void *out_buf,
+ __func__);
+ return -ETOOSMALL;
+ }
+- rc = qmi_encode_basic_elem(buf_dst, &data_len_value,
+- 1, data_len_sz);
++ if (data_len_sz == sizeof(u8)) {
++ val8 = *(u8 *)buf_src;
++ data_len_value = (u32)val8;
++ rc = qmi_encode_basic_elem(buf_dst, &val8,
++ 1, data_len_sz);
++ } else {
++ val16 = *(u16 *)buf_src;
++ data_len_value = (u32)le16_to_cpu(val16);
++ rc = qmi_encode_basic_elem(buf_dst, &val16,
++ 1, data_len_sz);
++ }
+ UPDATE_ENCODE_VARIABLES(temp_ei, buf_dst,
+ encoded_bytes, tlv_len,
+ encode_tlv, rc);
+@@ -523,14 +533,23 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array,
+ u32 string_len = 0;
+ u32 string_len_sz = 0;
+ const struct qmi_elem_info *temp_ei = ei_array;
++ u8 val8;
++ u16 val16;
+
+ if (dec_level == 1) {
+ string_len = tlv_len;
+ } else {
+ string_len_sz = temp_ei->elem_len <= U8_MAX ?
+ sizeof(u8) : sizeof(u16);
+- rc = qmi_decode_basic_elem(&string_len, buf_src,
+- 1, string_len_sz);
++ if (string_len_sz == sizeof(u8)) {
++ rc = qmi_decode_basic_elem(&val8, buf_src,
++ 1, string_len_sz);
++ string_len = (u32)val8;
++ } else {
++ rc = qmi_decode_basic_elem(&val16, buf_src,
++ 1, string_len_sz);
++ string_len = (u32)val16;
++ }
+ decoded_bytes += rc;
+ }
+
+@@ -604,6 +623,9 @@ static int qmi_decode(const struct qmi_elem_info *ei_array, void *out_c_struct,
+ u32 decoded_bytes = 0;
+ const void *buf_src = in_buf;
+ int rc;
++ u8 val8;
++ u16 val16;
++ u32 val32;
+
+ while (decoded_bytes < in_buf_len) {
+ if (dec_level >= 2 && temp_ei->data_type == QMI_EOTI)
+@@ -642,9 +664,17 @@ static int qmi_decode(const struct qmi_elem_info *ei_array, void *out_c_struct,
+ if (temp_ei->data_type == QMI_DATA_LEN) {
+ data_len_sz = temp_ei->elem_size == sizeof(u8) ?
+ sizeof(u8) : sizeof(u16);
+- rc = qmi_decode_basic_elem(&data_len_value, buf_src,
+- 1, data_len_sz);
+- memcpy(buf_dst, &data_len_value, sizeof(u32));
++ if (data_len_sz == sizeof(u8)) {
++ rc = qmi_decode_basic_elem(&val8, buf_src,
++ 1, data_len_sz);
++ data_len_value = (u32)val8;
++ } else {
++ rc = qmi_decode_basic_elem(&val16, buf_src,
++ 1, data_len_sz);
++ data_len_value = (u32)val16;
++ }
++ val32 = cpu_to_le32(data_len_value);
++ memcpy(buf_dst, &val32, sizeof(u32));
+ temp_ei = temp_ei + 1;
+ buf_dst = out_c_struct + temp_ei->offset;
+ tlv_len -= data_len_sz;
+--
+2.39.5
+
--- /dev/null
+From 4ec31e9fa43c3ae7cc89d5a34dbc39c7af62f40a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 16:08:22 +0530
+Subject: soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS
+
+From: Sumit Gupta <sumitg@nvidia.com>
+
+[ Upstream commit a0647bca8966db04b79af72851ebd04224a4da40 ]
+
+When error is injected with the ERR_FORCE register, then this register
+is not auto cleared on clearing the ERR_STATUS register. This causes
+repeated interrupts on error injection. To fix, set the ERR_FORCE to
+zero along with clearing the ERR_STATUS register after handling error.
+
+Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0")
+Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/cbb/tegra234-cbb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/soc/tegra/cbb/tegra234-cbb.c b/drivers/soc/tegra/cbb/tegra234-cbb.c
+index c74629af9bb5..1da31ead2b5e 100644
+--- a/drivers/soc/tegra/cbb/tegra234-cbb.c
++++ b/drivers/soc/tegra/cbb/tegra234-cbb.c
+@@ -185,6 +185,8 @@ static void tegra234_cbb_error_clear(struct tegra_cbb *cbb)
+ {
+ struct tegra234_cbb *priv = to_tegra234_cbb(cbb);
+
++ writel(0, priv->mon + FABRIC_MN_MASTER_ERR_FORCE_0);
++
+ writel(0x3f, priv->mon + FABRIC_MN_MASTER_ERR_STATUS_0);
+ dsb(sy);
+ }
+--
+2.39.5
+
--- /dev/null
+From 743dca6a5ae4c31d404adb0496d3626f31b19c8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 13:55:07 +0100
+Subject: soundwire: Correct some property names
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit ae6a0f5b8a5b0ca2e4bf1c0380267ad83aca8401 ]
+
+The DisCo properties should be mipi-sdw-paging-supported and
+mipi-sdw-bank-delay-supported, with an 'ed' on the end. Correct the
+property names used in sdw_slave_read_prop().
+
+The internal flag bank_delay_support is currently unimplemented, so that
+being read wrong does not currently affect anything. The two existing
+users for this helper and the paging_support flag rt1320-sdw.c and
+rt721-sdca-sdw.c both manually set the flag in their slave properties,
+thus are not affected by this bug either.
+
+Fixes: 56d4fe31af77 ("soundwire: Add MIPI DisCo property helpers")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20250624125507.2866346-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/mipi_disco.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soundwire/mipi_disco.c b/drivers/soundwire/mipi_disco.c
+index 65afb28ef8fa..c69b78cd0b62 100644
+--- a/drivers/soundwire/mipi_disco.c
++++ b/drivers/soundwire/mipi_disco.c
+@@ -451,10 +451,10 @@ int sdw_slave_read_prop(struct sdw_slave *slave)
+ "mipi-sdw-highPHY-capable");
+
+ prop->paging_support = mipi_device_property_read_bool(dev,
+- "mipi-sdw-paging-support");
++ "mipi-sdw-paging-supported");
+
+ prop->bank_delay_support = mipi_device_property_read_bool(dev,
+- "mipi-sdw-bank-delay-support");
++ "mipi-sdw-bank-delay-supported");
+
+ device_property_read_u32(dev,
+ "mipi-sdw-port15-read-behavior", &prop->p15_behave);
+--
+2.39.5
+
--- /dev/null
+From 63dae2f1ccfeaa4de0cf45111376380fa13b5e59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 18:33:14 -0300
+Subject: soundwire: debugfs: move debug statement outside of error handling
+
+From: Rodrigo Gobbi <rodrigo.gobbi.7@gmail.com>
+
+[ Upstream commit 06f77ff9d852c9f2764659ea81489364d8a69a9c ]
+
+The start_t and finish_t variables are not properly initialized
+if errors happens over request_firmware actions.
+This was also detected by smatch:
+
+drivers/soundwire/debugfs.c:301 cmd_go() error: uninitialized symbol 'finish_t'.
+drivers/soundwire/debugfs.c:301 cmd_go() error: uninitialized symbol 'start_t'.
+
+Move the debug statement outside of firmware error handling.
+
+Signed-off-by: Rodrigo Gobbi <rodrigo.gobbi.7@gmail.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/linux-sound/0db6d0bf-7bac-43a7-b624-a00d3d2bf829@stanley.mountain/
+Fixes: bb5cb09eedce ("soundwire: debugfs: add interface for BPT/BRA transfers")
+Link: https://lore.kernel.org/r/20250626213628.9575-1-rodrigo.gobbi.7@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/debugfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soundwire/debugfs.c b/drivers/soundwire/debugfs.c
+index 3099ea074f10..230a51489486 100644
+--- a/drivers/soundwire/debugfs.c
++++ b/drivers/soundwire/debugfs.c
+@@ -291,6 +291,9 @@ static int cmd_go(void *data, u64 value)
+
+ finish_t = ktime_get();
+
++ dev_dbg(&slave->dev, "command completed, num_byte %zu status %d, time %lld ms\n",
++ num_bytes, ret, div_u64(finish_t - start_t, NSEC_PER_MSEC));
++
+ out:
+ if (fw)
+ release_firmware(fw);
+@@ -298,9 +301,6 @@ static int cmd_go(void *data, u64 value)
+ pm_runtime_mark_last_busy(&slave->dev);
+ pm_runtime_put(&slave->dev);
+
+- dev_dbg(&slave->dev, "command completed, num_byte %zu status %d, time %lld ms\n",
+- num_bytes, ret, div_u64(finish_t - start_t, NSEC_PER_MSEC));
+-
+ return ret;
+ }
+ DEFINE_DEBUGFS_ATTRIBUTE(cmd_go_fops, NULL,
+--
+2.39.5
+
--- /dev/null
+From 9dbdc1d96ff358cc0214d5099ed157dc7770cd64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 14:09:52 +0800
+Subject: soundwire: stream: restore params when prepare ports fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit dba7d9dbfdc4389361ff3a910e767d3cfca22587 ]
+
+The bus->params should be restored if the stream is failed to prepare.
+The issue exists since beginning. The Fixes tag just indicates the
+first commit that the commit can be applied to.
+
+Fixes: 17ed5bef49f4 ("soundwire: add missing newlines in dynamic debug logs")
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Link: https://lore.kernel.org/r/20250626060952.405996-1-yung-chuan.liao@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
+index a4bea742b5d9..38c9dbd35606 100644
+--- a/drivers/soundwire/stream.c
++++ b/drivers/soundwire/stream.c
+@@ -1510,7 +1510,7 @@ static int _sdw_prepare_stream(struct sdw_stream_runtime *stream,
+ if (ret < 0) {
+ dev_err(bus->dev, "Prepare port(s) failed ret = %d\n",
+ ret);
+- return ret;
++ goto restore_params;
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 89eef40d91bb25b0eac8f6efe3c8c60f997120bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 19:08:12 +0200
+Subject: spi: spi-nxp-fspi: Check return value of devm_mutex_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit d24a54e032021cf381af3c3cf119cc5cf6b3c1be ]
+
+devm_mutex_init() can fail. With CONFIG_DEBUG_MUTEXES=y the mutex will
+be marked as unusable and trigger errors on usage.
+
+Add the missed check.
+
+Fixes: 48900813abd2 ("spi: spi-nxp-fspi: remove the goto in probe")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Link: https://lore.kernel.org/r/20250617-must_check-devm_mutex_init-v7-1-d9e449f4d224@weissschuh.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-nxp-fspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-nxp-fspi.c b/drivers/spi/spi-nxp-fspi.c
+index e63c77e41823..f3d576505413 100644
+--- a/drivers/spi/spi-nxp-fspi.c
++++ b/drivers/spi/spi-nxp-fspi.c
+@@ -1273,7 +1273,9 @@ static int nxp_fspi_probe(struct platform_device *pdev)
+ if (ret)
+ return dev_err_probe(dev, ret, "Failed to request irq\n");
+
+- devm_mutex_init(dev, &f->lock);
++ ret = devm_mutex_init(dev, &f->lock);
++ if (ret)
++ return dev_err_probe(dev, ret, "Failed to initialize lock\n");
+
+ ctlr->bus_num = -1;
+ ctlr->num_chipselect = NXP_FSPI_MAX_CHIPSELECT;
+--
+2.39.5
+
--- /dev/null
+From d1337cfdb8b14249f6fe016802fd6b7ad6a5b0a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 11:21:03 +0200
+Subject: spi: stm32: Check for cfg availability in stm32_spi_probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Le Goffic <clement.legoffic@foss.st.com>
+
+[ Upstream commit 21f1c800f6620e43f31dfd76709dbac8ebaa5a16 ]
+
+The stm32_spi_probe function now includes a check to ensure that the
+pointer returned by of_device_get_match_data is not NULL before
+accessing its members. This resolves a warning where a potential NULL
+pointer dereference could occur when accessing cfg->has_device_mode.
+
+Before accessing the 'has_device_mode' member, we verify that 'cfg' is
+not NULL. If 'cfg' is NULL, an error message is logged.
+
+This change ensures that the driver does not attempt to access
+configuration data if it is not available, thus preventing a potential
+system crash due to a NULL pointer dereference.
+
+Signed-off-by: Clément Le Goffic <clement.legoffic@foss.st.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202310191831.MLwx1c6x-lkp@intel.com/
+Fixes: fee681646fc8 ("spi: stm32: disable device mode with st,stm32f4-spi compatible")
+Link: https://patch.msgid.link/20250616-spi-upstream-v1-2-7e8593f3f75d@foss.st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-stm32.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index da3517d7102d..dc22b98bdbcc 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -2069,9 +2069,15 @@ static int stm32_spi_probe(struct platform_device *pdev)
+ struct resource *res;
+ struct reset_control *rst;
+ struct device_node *np = pdev->dev.of_node;
++ const struct stm32_spi_cfg *cfg;
+ bool device_mode;
+ int ret;
+- const struct stm32_spi_cfg *cfg = of_device_get_match_data(&pdev->dev);
++
++ cfg = of_device_get_match_data(&pdev->dev);
++ if (!cfg) {
++ dev_err(&pdev->dev, "Failed to get match data for platform\n");
++ return -ENODEV;
++ }
+
+ device_mode = of_property_read_bool(np, "spi-slave");
+ if (!cfg->has_device_mode && device_mode) {
+--
+2.39.5
+
--- /dev/null
+From 839aab5effbef447316719c847427d95c802bb44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 15:26:04 +0100
+Subject: squashfs: fix incorrect argument to sizeof in kmalloc_array call
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+[ Upstream commit 97103dcec292b8688de142f7a48bd0d46038d3f6 ]
+
+The sizeof(void *) is the incorrect argument in the kmalloc_array call, it
+best to fix this by using sizeof(*cache_folios) instead.
+
+Fortunately the sizes of void* and folio* happen to be the same, so this
+has not shown up as a run time issue.
+
+[akpm@linux-foundation.org: fix build]
+Link: https://lkml.kernel.org/r/20250708142604.1891156-1-colin.i.king@gmail.com
+Fixes: 2e227ff5e272 ("squashfs: add optional full compressed block caching")
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Cc: Phillip Lougher <phillip@squashfs.org.uk>
+Cc: Chanho Min <chanho.min@lge.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
+index 296c5a0fcc40..e7a4649fc85c 100644
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -89,7 +89,7 @@ static int squashfs_bio_read_cached(struct bio *fullbio,
+ int err = 0;
+ #ifdef CONFIG_SQUASHFS_COMP_CACHE_FULL
+ struct folio **cache_folios = kmalloc_array(page_count,
+- sizeof(void *), GFP_KERNEL | __GFP_ZERO);
++ sizeof(*cache_folios), GFP_KERNEL | __GFP_ZERO);
+ #endif
+
+ bio_for_each_folio_all(fi, fullbio) {
+--
+2.39.5
+
--- /dev/null
+From 5069d7966c2d88ed770845233c145583708dbf9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 15:39:01 +0100
+Subject: squashfs: use folios in squashfs_bio_read_cached()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit c9e3fb050e9cb0d3a833b2c62b35ea42cdd81e89 ]
+
+Remove an access to page->mapping and a few calls to the old page-based
+APIs. This doesn't support large folios, but it's still a nice
+improvement.
+
+Link: https://lkml.kernel.org/r/20250612143903.2849289-3-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Phillip Lougher <phillip@squashfs.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 97103dcec292 ("squashfs: fix incorrect argument to sizeof in kmalloc_array call")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/block.c | 45 ++++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+
+diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
+index 3061043e915c..296c5a0fcc40 100644
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -80,23 +80,22 @@ static int squashfs_bio_read_cached(struct bio *fullbio,
+ struct address_space *cache_mapping, u64 index, int length,
+ u64 read_start, u64 read_end, int page_count)
+ {
+- struct page *head_to_cache = NULL, *tail_to_cache = NULL;
++ struct folio *head_to_cache = NULL, *tail_to_cache = NULL;
+ struct block_device *bdev = fullbio->bi_bdev;
+ int start_idx = 0, end_idx = 0;
+- struct bvec_iter_all iter_all;
++ struct folio_iter fi;;
+ struct bio *bio = NULL;
+- struct bio_vec *bv;
+ int idx = 0;
+ int err = 0;
+ #ifdef CONFIG_SQUASHFS_COMP_CACHE_FULL
+- struct page **cache_pages = kmalloc_array(page_count,
++ struct folio **cache_folios = kmalloc_array(page_count,
+ sizeof(void *), GFP_KERNEL | __GFP_ZERO);
+ #endif
+
+- bio_for_each_segment_all(bv, fullbio, iter_all) {
+- struct page *page = bv->bv_page;
++ bio_for_each_folio_all(fi, fullbio) {
++ struct folio *folio = fi.folio;
+
+- if (page->mapping == cache_mapping) {
++ if (folio->mapping == cache_mapping) {
+ idx++;
+ continue;
+ }
+@@ -111,13 +110,13 @@ static int squashfs_bio_read_cached(struct bio *fullbio,
+ * adjacent blocks.
+ */
+ if (idx == 0 && index != read_start)
+- head_to_cache = page;
++ head_to_cache = folio;
+ else if (idx == page_count - 1 && index + length != read_end)
+- tail_to_cache = page;
++ tail_to_cache = folio;
+ #ifdef CONFIG_SQUASHFS_COMP_CACHE_FULL
+ /* Cache all pages in the BIO for repeated reads */
+- else if (cache_pages)
+- cache_pages[idx] = page;
++ else if (cache_folios)
++ cache_folios[idx] = folio;
+ #endif
+
+ if (!bio || idx != end_idx) {
+@@ -150,45 +149,45 @@ static int squashfs_bio_read_cached(struct bio *fullbio,
+ return err;
+
+ if (head_to_cache) {
+- int ret = add_to_page_cache_lru(head_to_cache, cache_mapping,
++ int ret = filemap_add_folio(cache_mapping, head_to_cache,
+ read_start >> PAGE_SHIFT,
+ GFP_NOIO);
+
+ if (!ret) {
+- SetPageUptodate(head_to_cache);
+- unlock_page(head_to_cache);
++ folio_mark_uptodate(head_to_cache);
++ folio_unlock(head_to_cache);
+ }
+
+ }
+
+ if (tail_to_cache) {
+- int ret = add_to_page_cache_lru(tail_to_cache, cache_mapping,
++ int ret = filemap_add_folio(cache_mapping, tail_to_cache,
+ (read_end >> PAGE_SHIFT) - 1,
+ GFP_NOIO);
+
+ if (!ret) {
+- SetPageUptodate(tail_to_cache);
+- unlock_page(tail_to_cache);
++ folio_mark_uptodate(tail_to_cache);
++ folio_unlock(tail_to_cache);
+ }
+ }
+
+ #ifdef CONFIG_SQUASHFS_COMP_CACHE_FULL
+- if (!cache_pages)
++ if (!cache_folios)
+ goto out;
+
+ for (idx = 0; idx < page_count; idx++) {
+- if (!cache_pages[idx])
++ if (!cache_folios[idx])
+ continue;
+- int ret = add_to_page_cache_lru(cache_pages[idx], cache_mapping,
++ int ret = filemap_add_folio(cache_mapping, cache_folios[idx],
+ (read_start >> PAGE_SHIFT) + idx,
+ GFP_NOIO);
+
+ if (!ret) {
+- SetPageUptodate(cache_pages[idx]);
+- unlock_page(cache_pages[idx]);
++ folio_mark_uptodate(cache_folios[idx]);
++ folio_unlock(cache_folios[idx]);
+ }
+ }
+- kfree(cache_pages);
++ kfree(cache_folios);
+ out:
+ #endif
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From ea29b328703f14762ddb80e0dee4491164cb68bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 22:54:10 +0530
+Subject: staging: fbtft: fix potential memory leak in
+ fbtft_framebuffer_alloc()
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit eb2cb7dab60f9be0b435ac4a674255429a36d72c ]
+
+In the error paths after fb_info structure is successfully allocated,
+the memory allocated in fb_deferred_io_init() for info->pagerefs is not
+freed. Fix that by adding the cleanup function on the error path.
+
+Fixes: c296d5f9957c ("staging: fbtft: core support")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250626172412.18355-1-abdun.nihaal@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/fbtft/fbtft-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
+index da9c64152a60..39bced400065 100644
+--- a/drivers/staging/fbtft/fbtft-core.c
++++ b/drivers/staging/fbtft/fbtft-core.c
+@@ -692,6 +692,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
+ return info;
+
+ release_framebuf:
++ fb_deferred_io_cleanup(info);
+ framebuffer_release(info);
+
+ alloc_fail:
+--
+2.39.5
+
--- /dev/null
+From 02cebf55d3d66b473508031b99189272313cf110 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 23:46:20 -0700
+Subject: staging: gpib: Fix error code in board_type_ioctl()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit aa07b790d79226f9bd0731d2c065db2823867cc5 ]
+
+When copy_from_user() fails it return number of bytes it wasn't able to
+copy. So the correct return value when copy_from_user() fails is
+-EFAULT.
+
+Fixes: 9dde4559e939 ("staging: gpib: Add GPIB common core driver")
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20250703064633.1955893-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/gpib/common/gpib_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/gpib/common/gpib_os.c b/drivers/staging/gpib/common/gpib_os.c
+index 93ef5f6ce249..4cb2683caf99 100644
+--- a/drivers/staging/gpib/common/gpib_os.c
++++ b/drivers/staging/gpib/common/gpib_os.c
+@@ -831,7 +831,7 @@ static int board_type_ioctl(struct gpib_file_private *file_priv,
+ retval = copy_from_user(&cmd, (void __user *)arg,
+ sizeof(struct gpib_board_type_ioctl));
+ if (retval)
+- return retval;
++ return -EFAULT;
+
+ for (list_ptr = registered_drivers.next; list_ptr != ®istered_drivers;
+ list_ptr = list_ptr->next) {
+--
+2.39.5
+
--- /dev/null
+From db36f8b8ef15fad84df03343579aabeb4556edb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jul 2025 11:52:33 +0200
+Subject: staging: gpib: Fix error handling paths in cb_gpib_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 1b0ee85ee7967a4d7a68080c3f6a66af69e4e0b4 ]
+
+If cb_gpib_config() fails, 'info' needs to be freed, as already done in the
+remove function.
+
+While at it, remove a pointless comment related to gpib_attach().
+
+Fixes: e9dc69956d4d ("staging: gpib: Add Computer Boards GPIB driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/bf89d6f2f8b8c680720d02061fc4ebdd805deca8.1751709098.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/gpib/cb7210/cb7210.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/gpib/cb7210/cb7210.c b/drivers/staging/gpib/cb7210/cb7210.c
+index 298ed306189d..3e2397898a9b 100644
+--- a/drivers/staging/gpib/cb7210/cb7210.c
++++ b/drivers/staging/gpib/cb7210/cb7210.c
+@@ -1184,8 +1184,7 @@ struct local_info {
+ static int cb_gpib_probe(struct pcmcia_device *link)
+ {
+ struct local_info *info;
+-
+-// int ret, i;
++ int ret;
+
+ /* Allocate space for private device-specific data */
+ info = kzalloc(sizeof(*info), GFP_KERNEL);
+@@ -1211,8 +1210,16 @@ static int cb_gpib_probe(struct pcmcia_device *link)
+
+ /* Register with Card Services */
+ curr_dev = link;
+- return cb_gpib_config(link);
+-} /* gpib_attach */
++ ret = cb_gpib_config(link);
++ if (ret)
++ goto free_info;
++
++ return 0;
++
++free_info:
++ kfree(info);
++ return ret;
++}
+
+ /*
+ * This deletes a driver "instance". The device is de-registered
+--
+2.39.5
+
--- /dev/null
+From e9549ba813bd34efe9bc0d9aeffae03dce63f146 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 23:09:58 +0100
+Subject: staging: gpib: fix unset padding field copy back to userspace
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+[ Upstream commit a739d3b13bff0dfa1aec679d08c7062131a2a425 ]
+
+The introduction of a padding field in the gpib_board_info_ioctl is
+showing up as initialized data on the stack frame being copyied back
+to userspace in function board_info_ioctl. The simplest fix is to
+initialize the entire struct to zero to ensure all unassigned padding
+fields are zero'd before being copied back to userspace.
+
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Fixes: 9dde4559e939 ("staging: gpib: Add GPIB common core driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250623220958.280424-1-colin.i.king@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/gpib/common/gpib_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/gpib/common/gpib_os.c b/drivers/staging/gpib/common/gpib_os.c
+index a193d64db033..93ef5f6ce249 100644
+--- a/drivers/staging/gpib/common/gpib_os.c
++++ b/drivers/staging/gpib/common/gpib_os.c
+@@ -1774,7 +1774,7 @@ static int query_board_rsv_ioctl(struct gpib_board *board, unsigned long arg)
+
+ static int board_info_ioctl(const struct gpib_board *board, unsigned long arg)
+ {
+- struct gpib_board_info_ioctl info;
++ struct gpib_board_info_ioctl info = { };
+ int retval;
+
+ info.pad = board->pad;
+--
+2.39.5
+
--- /dev/null
+From 3f820f7e83b66e80e6c8b8dcde0a09de5b946051 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 13:06:16 +0200
+Subject: staging: greybus: gbphy: fix up const issue with the match callback
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit ce32eff1cf3ae8ac2596171dd0af1657634c83eb ]
+
+gbphy_dev_match_id() should be taking a const pointer, as the pointer
+passed to it from the container_of() call was const to start with (it
+was accidentally cast away with the call.) Fix this all up by correctly
+marking the pointer types.
+
+Cc: Alex Elder <elder@kernel.org>
+Cc: greybus-dev@lists.linaro.org
+Fixes: d69d80484598 ("driver core: have match() callback in struct bus_type take a const *")
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/2025070115-reoccupy-showy-e2ad@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/gbphy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/greybus/gbphy.c b/drivers/staging/greybus/gbphy.c
+index 6adcad286633..60cf09a302a7 100644
+--- a/drivers/staging/greybus/gbphy.c
++++ b/drivers/staging/greybus/gbphy.c
+@@ -102,8 +102,8 @@ static int gbphy_dev_uevent(const struct device *dev, struct kobj_uevent_env *en
+ }
+
+ static const struct gbphy_device_id *
+-gbphy_dev_match_id(struct gbphy_device *gbphy_dev,
+- struct gbphy_driver *gbphy_drv)
++gbphy_dev_match_id(const struct gbphy_device *gbphy_dev,
++ const struct gbphy_driver *gbphy_drv)
+ {
+ const struct gbphy_device_id *id = gbphy_drv->id_table;
+
+@@ -119,7 +119,7 @@ gbphy_dev_match_id(struct gbphy_device *gbphy_dev,
+
+ static int gbphy_dev_match(struct device *dev, const struct device_driver *drv)
+ {
+- struct gbphy_driver *gbphy_drv = to_gbphy_driver(drv);
++ const struct gbphy_driver *gbphy_drv = to_gbphy_driver(drv);
+ struct gbphy_device *gbphy_dev = to_gbphy_dev(dev);
+ const struct gbphy_device_id *id;
+
+--
+2.39.5
+
--- /dev/null
+From 2839a69c569549236be3c2b473f97a37e24aacce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 01:08:05 -0700
+Subject: staging: media: atomisp: Fix stack buffer overflow in
+ gmin_get_var_int()
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit ee4cf798202d285dcbe85e4467a094c44f5ed8e6 ]
+
+When gmin_get_config_var() calls efi.get_variable() and the EFI variable
+is larger than the expected buffer size, two behaviors combine to create
+a stack buffer overflow:
+
+1. gmin_get_config_var() does not return the proper error code when
+ efi.get_variable() fails. It returns the stale 'ret' value from
+ earlier operations instead of indicating the EFI failure.
+
+2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates
+ *out_len to the required buffer size but writes no data to the output
+ buffer. However, due to bug #1, gmin_get_var_int() believes the call
+ succeeded.
+
+The caller gmin_get_var_int() then performs:
+- Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack
+- Calls gmin_get_config_var(dev, is_gmin, var, val, &len) with len=64
+- If EFI variable is >64 bytes, efi.get_variable() sets len=required_size
+- Due to bug #1, thinks call succeeded with len=required_size
+- Executes val[len] = 0, writing past end of 65-byte stack buffer
+
+This creates a stack buffer overflow when EFI variables are larger than
+64 bytes. Since EFI variables can be controlled by firmware or system
+configuration, this could potentially be exploited for code execution.
+
+Fix the bug by returning proper error codes from gmin_get_config_var()
+based on EFI status instead of stale 'ret' value.
+
+The gmin_get_var_int() function is called during device initialization
+for camera sensor configuration on Intel Bay Trail and Cherry Trail
+platforms using the atomisp camera stack.
+
+Reported-by: zepta <z3ptaa@gmail.com>
+Closes: https://lore.kernel.org/all/CAPBS6KoQyM7FMdPwOuXteXsOe44X4H3F8Fw+y_qWq6E+OdmxQA@mail.gmail.com
+Fixes: 38d4f74bc148 ("media: atomisp_gmin_platform: stop abusing efivar API")
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250724080756.work.741-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../staging/media/atomisp/pci/atomisp_gmin_platform.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
+index 5f59519ac8e2..964cc3bcc0ac 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
+@@ -1272,14 +1272,15 @@ static int gmin_get_config_var(struct device *maindev,
+ if (efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
+ status = efi.get_variable(var16, &GMIN_CFG_VAR_EFI_GUID, NULL,
+ (unsigned long *)out_len, out);
+- if (status == EFI_SUCCESS)
++ if (status == EFI_SUCCESS) {
+ dev_info(maindev, "found EFI entry for '%s'\n", var8);
+- else if (is_gmin)
++ return 0;
++ }
++ if (is_gmin)
+ dev_info(maindev, "Failed to find EFI gmin variable %s\n", var8);
+ else
+ dev_info(maindev, "Failed to find EFI variable %s\n", var8);
+-
+- return ret;
++ return -ENOENT;
+ }
+
+ int gmin_get_var_int(struct device *dev, bool is_gmin, const char *var, int def)
+--
+2.39.5
+
--- /dev/null
+From 61c3304cded0c4c714d049bae0eaa306073895c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jul 2025 01:07:42 -0700
+Subject: staging: nvec: Fix incorrect null termination of battery manufacturer
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit a8934352ba01081c51d2df428e9d540aae0e88b5 ]
+
+The battery manufacturer string was incorrectly null terminated using
+bat_model instead of bat_manu. This could result in an unintended
+write to the wrong field and potentially incorrect behavior.
+
+fixe the issue by correctly null terminating the bat_manu string.
+
+Fixes: 32890b983086 ("Staging: initial version of the nvec driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250719080755.3954373-1-alok.a.tiwari@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/nvec/nvec_power.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/nvec/nvec_power.c b/drivers/staging/nvec/nvec_power.c
+index e0e67a3eb722..2faab9fdedef 100644
+--- a/drivers/staging/nvec/nvec_power.c
++++ b/drivers/staging/nvec/nvec_power.c
+@@ -194,7 +194,7 @@ static int nvec_power_bat_notifier(struct notifier_block *nb,
+ break;
+ case MANUFACTURER:
+ memcpy(power->bat_manu, &res->plc, res->length - 2);
+- power->bat_model[res->length - 2] = '\0';
++ power->bat_manu[res->length - 2] = '\0';
+ break;
+ case MODEL:
+ memcpy(power->bat_model, &res->plc, res->length - 2);
+--
+2.39.5
+
--- /dev/null
+From 7f9eac7f686eddda104ac9dceb05170314071d0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 22:23:26 +0800
+Subject: stmmac: xsk: fix negative overflow of budget in zerocopy mode
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 2764ab51d5f0e8c7d3b7043af426b1883e3bde1d ]
+
+A negative overflow can happen when the budget number of descs are
+consumed. as long as the budget is decreased to zero, it will again go
+into while (budget-- > 0) statement and get decreased by one, so the
+overflow issue can happen. It will lead to returning true whereas the
+expected value should be false.
+
+In this case where all the budget is used up, it means zc function
+should return false to let the poll run again because normally we
+might have more data to process. Without this patch, zc function would
+return true instead.
+
+Fixes: 132c32ee5bc0 ("net: stmmac: Add TX via XDP zero-copy socket")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Link: https://patch.msgid.link/20250723142327.85187-2-kerneljasonxing@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index b948df1bff9a..e0fb06af1f94 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2596,7 +2596,7 @@ static bool stmmac_xdp_xmit_zc(struct stmmac_priv *priv, u32 queue, u32 budget)
+
+ budget = min(budget, stmmac_tx_avail(priv, queue));
+
+- while (budget-- > 0) {
++ for (; budget > 0; budget--) {
+ struct stmmac_metadata_request meta_req;
+ struct xsk_tx_metadata *meta = NULL;
+ dma_addr_t dma_addr;
+--
+2.39.5
+
--- /dev/null
+From ce927a6bd79399e509591529909b5e4075ef3afc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 11:40:02 +0000
+Subject: tcp: call tcp_measure_rcv_mss() for ooo packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 38d7e444336567bae1c7b21fc18b7ceaaa5643a0 ]
+
+tcp_measure_rcv_mss() is used to update icsk->icsk_ack.rcv_mss
+(tcpi_rcv_mss in tcp_info) and tp->scaling_ratio.
+
+Calling it from tcp_data_queue_ofo() makes sure these
+fields are updated, and permits a better tuning
+of sk->sk_rcvbuf, in the case a new flow receives many ooo
+packets.
+
+Fixes: dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250711114006.480026-5-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 76b01df70e56..94391f32a5d8 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5055,6 +5055,7 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
+ return;
+ }
+
++ tcp_measure_rcv_mss(sk, skb);
+ /* Disable header prediction. */
+ tp->pred_flags = 0;
+ inet_csk_schedule_ack(sk);
+--
+2.39.5
+
--- /dev/null
+From 7848170bf6dacd92fee6407b807b285b2386c5e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 12:34:19 +0000
+Subject: tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range
+
+From: xin.guo <guoxin0309@gmail.com>
+
+[ Upstream commit a041f70e573e185d5d5fdbba53f0db2fbe7257ad ]
+
+If the new coming segment covers more than one skbs in the ofo queue,
+and which seq is equal to rcv_nxt, then the sequence range
+that is duplicated will be sent as DUP SACK, the detail as below,
+in step6, the {501,2001} range is clearly including too much
+DUP SACK range, in violation of RFC 2883 rules.
+
+1. client > server: Flags [.], seq 501:1001, ack 1325288529, win 20000, length 500
+2. server > client: Flags [.], ack 1, [nop,nop,sack 1 {501:1001}], length 0
+3. client > server: Flags [.], seq 1501:2001, ack 1325288529, win 20000, length 500
+4. server > client: Flags [.], ack 1, [nop,nop,sack 2 {1501:2001} {501:1001}], length 0
+5. client > server: Flags [.], seq 1:2001, ack 1325288529, win 20000, length 2000
+6. server > client: Flags [.], ack 2001, [nop,nop,sack 1 {501:2001}], length 0
+
+After this fix, the final ACK is as below:
+
+6. server > client: Flags [.], ack 2001, options [nop,nop,sack 1 {501:1001}], length 0
+
+[edumazet] added a new packetdrill test in the following patch.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: xin.guo <guoxin0309@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250626123420.1933835-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 68bc79eb9019..76b01df70e56 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4985,8 +4985,9 @@ static void tcp_ofo_queue(struct sock *sk)
+
+ if (before(TCP_SKB_CB(skb)->seq, dsack_high)) {
+ __u32 dsack = dsack_high;
++
+ if (before(TCP_SKB_CB(skb)->end_seq, dsack_high))
+- dsack_high = TCP_SKB_CB(skb)->end_seq;
++ dsack = TCP_SKB_CB(skb)->end_seq;
+ tcp_dsack_extend(sk, TCP_SKB_CB(skb)->seq, dsack);
+ }
+ p = rb_next(p);
+--
+2.39.5
+
--- /dev/null
+From ad1a13a22bab99aec6cedd5e35f8dfdfc5f324c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 08:31:47 -0700
+Subject: team: replace team lock with rtnl lock
+
+From: Stanislav Fomichev <sdf@fomichev.me>
+
+[ Upstream commit bfb4fb77f9a8ce33ce357224569eae5564eec573 ]
+
+syszbot reports various ordering issues for lower instance locks and
+team lock. Switch to using rtnl lock for protecting team device,
+similar to bonding. Based on the patch by Tetsuo Handa.
+
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot+705c61d60b091ef42c04@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=705c61d60b091ef42c04
+Reported-by: syzbot+71fd22ae4b81631e22fd@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=71fd22ae4b81631e22fd
+Fixes: 6b1d3c5f675c ("team: grab team lock during team_change_rx_flags")
+Link: https://lkml.kernel.org/r/ZoZ2RH9BcahEB9Sb@nanopsycho.orion
+Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://patch.msgid.link/20250623153147.3413631-1-sdf@fomichev.me
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team_core.c | 96 +++++++++++------------
+ drivers/net/team/team_mode_activebackup.c | 3 +-
+ drivers/net/team/team_mode_loadbalance.c | 13 ++-
+ include/linux/if_team.h | 3 -
+ 4 files changed, 50 insertions(+), 65 deletions(-)
+
+diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
+index 8bc56186b2a3..17f07eb0ee52 100644
+--- a/drivers/net/team/team_core.c
++++ b/drivers/net/team/team_core.c
+@@ -933,7 +933,7 @@ static bool team_port_find(const struct team *team,
+ * Enable/disable port by adding to enabled port hashlist and setting
+ * port->index (Might be racy so reader could see incorrect ifindex when
+ * processing a flying packet, but that is not a problem). Write guarded
+- * by team->lock.
++ * by RTNL.
+ */
+ static void team_port_enable(struct team *team,
+ struct team_port *port)
+@@ -1660,8 +1660,6 @@ static int team_init(struct net_device *dev)
+ goto err_options_register;
+ netif_carrier_off(dev);
+
+- lockdep_register_key(&team->team_lock_key);
+- __mutex_init(&team->lock, "team->team_lock_key", &team->team_lock_key);
+ netdev_lockdep_set_classes(dev);
+
+ return 0;
+@@ -1682,7 +1680,8 @@ static void team_uninit(struct net_device *dev)
+ struct team_port *port;
+ struct team_port *tmp;
+
+- mutex_lock(&team->lock);
++ ASSERT_RTNL();
++
+ list_for_each_entry_safe(port, tmp, &team->port_list, list)
+ team_port_del(team, port->dev);
+
+@@ -1691,9 +1690,7 @@ static void team_uninit(struct net_device *dev)
+ team_mcast_rejoin_fini(team);
+ team_notify_peers_fini(team);
+ team_queue_override_fini(team);
+- mutex_unlock(&team->lock);
+ netdev_change_features(dev);
+- lockdep_unregister_key(&team->team_lock_key);
+ }
+
+ static void team_destructor(struct net_device *dev)
+@@ -1778,7 +1775,8 @@ static void team_change_rx_flags(struct net_device *dev, int change)
+ struct team_port *port;
+ int inc;
+
+- mutex_lock(&team->lock);
++ ASSERT_RTNL();
++
+ list_for_each_entry(port, &team->port_list, list) {
+ if (change & IFF_PROMISC) {
+ inc = dev->flags & IFF_PROMISC ? 1 : -1;
+@@ -1789,7 +1787,6 @@ static void team_change_rx_flags(struct net_device *dev, int change)
+ dev_set_allmulti(port->dev, inc);
+ }
+ }
+- mutex_unlock(&team->lock);
+ }
+
+ static void team_set_rx_mode(struct net_device *dev)
+@@ -1811,14 +1808,14 @@ static int team_set_mac_address(struct net_device *dev, void *p)
+ struct team *team = netdev_priv(dev);
+ struct team_port *port;
+
++ ASSERT_RTNL();
++
+ if (dev->type == ARPHRD_ETHER && !is_valid_ether_addr(addr->sa_data))
+ return -EADDRNOTAVAIL;
+ dev_addr_set(dev, addr->sa_data);
+- mutex_lock(&team->lock);
+ list_for_each_entry(port, &team->port_list, list)
+ if (team->ops.port_change_dev_addr)
+ team->ops.port_change_dev_addr(team, port);
+- mutex_unlock(&team->lock);
+ return 0;
+ }
+
+@@ -1828,11 +1825,8 @@ static int team_change_mtu(struct net_device *dev, int new_mtu)
+ struct team_port *port;
+ int err;
+
+- /*
+- * Alhough this is reader, it's guarded by team lock. It's not possible
+- * to traverse list in reverse under rcu_read_lock
+- */
+- mutex_lock(&team->lock);
++ ASSERT_RTNL();
++
+ team->port_mtu_change_allowed = true;
+ list_for_each_entry(port, &team->port_list, list) {
+ err = dev_set_mtu(port->dev, new_mtu);
+@@ -1843,7 +1837,6 @@ static int team_change_mtu(struct net_device *dev, int new_mtu)
+ }
+ }
+ team->port_mtu_change_allowed = false;
+- mutex_unlock(&team->lock);
+
+ WRITE_ONCE(dev->mtu, new_mtu);
+
+@@ -1853,7 +1846,6 @@ static int team_change_mtu(struct net_device *dev, int new_mtu)
+ list_for_each_entry_continue_reverse(port, &team->port_list, list)
+ dev_set_mtu(port->dev, dev->mtu);
+ team->port_mtu_change_allowed = false;
+- mutex_unlock(&team->lock);
+
+ return err;
+ }
+@@ -1903,24 +1895,19 @@ static int team_vlan_rx_add_vid(struct net_device *dev, __be16 proto, u16 vid)
+ struct team_port *port;
+ int err;
+
+- /*
+- * Alhough this is reader, it's guarded by team lock. It's not possible
+- * to traverse list in reverse under rcu_read_lock
+- */
+- mutex_lock(&team->lock);
++ ASSERT_RTNL();
++
+ list_for_each_entry(port, &team->port_list, list) {
+ err = vlan_vid_add(port->dev, proto, vid);
+ if (err)
+ goto unwind;
+ }
+- mutex_unlock(&team->lock);
+
+ return 0;
+
+ unwind:
+ list_for_each_entry_continue_reverse(port, &team->port_list, list)
+ vlan_vid_del(port->dev, proto, vid);
+- mutex_unlock(&team->lock);
+
+ return err;
+ }
+@@ -1930,10 +1917,10 @@ static int team_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, u16 vid)
+ struct team *team = netdev_priv(dev);
+ struct team_port *port;
+
+- mutex_lock(&team->lock);
++ ASSERT_RTNL();
++
+ list_for_each_entry(port, &team->port_list, list)
+ vlan_vid_del(port->dev, proto, vid);
+- mutex_unlock(&team->lock);
+
+ return 0;
+ }
+@@ -1955,9 +1942,9 @@ static void team_netpoll_cleanup(struct net_device *dev)
+ {
+ struct team *team = netdev_priv(dev);
+
+- mutex_lock(&team->lock);
++ ASSERT_RTNL();
++
+ __team_netpoll_cleanup(team);
+- mutex_unlock(&team->lock);
+ }
+
+ static int team_netpoll_setup(struct net_device *dev)
+@@ -1966,7 +1953,8 @@ static int team_netpoll_setup(struct net_device *dev)
+ struct team_port *port;
+ int err = 0;
+
+- mutex_lock(&team->lock);
++ ASSERT_RTNL();
++
+ list_for_each_entry(port, &team->port_list, list) {
+ err = __team_port_enable_netpoll(port);
+ if (err) {
+@@ -1974,7 +1962,6 @@ static int team_netpoll_setup(struct net_device *dev)
+ break;
+ }
+ }
+- mutex_unlock(&team->lock);
+ return err;
+ }
+ #endif
+@@ -1985,9 +1972,9 @@ static int team_add_slave(struct net_device *dev, struct net_device *port_dev,
+ struct team *team = netdev_priv(dev);
+ int err;
+
+- mutex_lock(&team->lock);
++ ASSERT_RTNL();
++
+ err = team_port_add(team, port_dev, extack);
+- mutex_unlock(&team->lock);
+
+ if (!err)
+ netdev_change_features(dev);
+@@ -2000,18 +1987,13 @@ static int team_del_slave(struct net_device *dev, struct net_device *port_dev)
+ struct team *team = netdev_priv(dev);
+ int err;
+
+- mutex_lock(&team->lock);
++ ASSERT_RTNL();
++
+ err = team_port_del(team, port_dev);
+- mutex_unlock(&team->lock);
+
+ if (err)
+ return err;
+
+- if (netif_is_team_master(port_dev)) {
+- lockdep_unregister_key(&team->team_lock_key);
+- lockdep_register_key(&team->team_lock_key);
+- lockdep_set_class(&team->lock, &team->team_lock_key);
+- }
+ netdev_change_features(dev);
+
+ return err;
+@@ -2304,9 +2286,10 @@ int team_nl_noop_doit(struct sk_buff *skb, struct genl_info *info)
+ static struct team *team_nl_team_get(struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+- int ifindex;
+ struct net_device *dev;
+- struct team *team;
++ int ifindex;
++
++ ASSERT_RTNL();
+
+ if (!info->attrs[TEAM_ATTR_TEAM_IFINDEX])
+ return NULL;
+@@ -2318,14 +2301,11 @@ static struct team *team_nl_team_get(struct genl_info *info)
+ return NULL;
+ }
+
+- team = netdev_priv(dev);
+- mutex_lock(&team->lock);
+- return team;
++ return netdev_priv(dev);
+ }
+
+ static void team_nl_team_put(struct team *team)
+ {
+- mutex_unlock(&team->lock);
+ dev_put(team->dev);
+ }
+
+@@ -2515,9 +2495,13 @@ int team_nl_options_get_doit(struct sk_buff *skb, struct genl_info *info)
+ int err;
+ LIST_HEAD(sel_opt_inst_list);
+
++ rtnl_lock();
++
+ team = team_nl_team_get(info);
+- if (!team)
+- return -EINVAL;
++ if (!team) {
++ err = -EINVAL;
++ goto rtnl_unlock;
++ }
+
+ list_for_each_entry(opt_inst, &team->option_inst_list, list)
+ list_add_tail(&opt_inst->tmp_list, &sel_opt_inst_list);
+@@ -2527,6 +2511,9 @@ int team_nl_options_get_doit(struct sk_buff *skb, struct genl_info *info)
+
+ team_nl_team_put(team);
+
++rtnl_unlock:
++ rtnl_unlock();
++
+ return err;
+ }
+
+@@ -2805,15 +2792,22 @@ int team_nl_port_list_get_doit(struct sk_buff *skb,
+ struct team *team;
+ int err;
+
++ rtnl_lock();
++
+ team = team_nl_team_get(info);
+- if (!team)
+- return -EINVAL;
++ if (!team) {
++ err = -EINVAL;
++ goto rtnl_unlock;
++ }
+
+ err = team_nl_send_port_list_get(team, info->snd_portid, info->snd_seq,
+ NLM_F_ACK, team_nl_send_unicast, NULL);
+
+ team_nl_team_put(team);
+
++rtnl_unlock:
++ rtnl_unlock();
++
+ return err;
+ }
+
+@@ -2961,11 +2955,9 @@ static void __team_port_change_port_removed(struct team_port *port)
+
+ static void team_port_change_check(struct team_port *port, bool linkup)
+ {
+- struct team *team = port->team;
++ ASSERT_RTNL();
+
+- mutex_lock(&team->lock);
+ __team_port_change_check(port, linkup);
+- mutex_unlock(&team->lock);
+ }
+
+
+diff --git a/drivers/net/team/team_mode_activebackup.c b/drivers/net/team/team_mode_activebackup.c
+index e0f599e2a51d..1c3336c7a1b2 100644
+--- a/drivers/net/team/team_mode_activebackup.c
++++ b/drivers/net/team/team_mode_activebackup.c
+@@ -67,8 +67,7 @@ static void ab_active_port_get(struct team *team, struct team_gsetter_ctx *ctx)
+ {
+ struct team_port *active_port;
+
+- active_port = rcu_dereference_protected(ab_priv(team)->active_port,
+- lockdep_is_held(&team->lock));
++ active_port = rtnl_dereference(ab_priv(team)->active_port);
+ if (active_port)
+ ctx->data.u32_val = active_port->dev->ifindex;
+ else
+diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
+index 00f8989c29c0..b14538bde2f8 100644
+--- a/drivers/net/team/team_mode_loadbalance.c
++++ b/drivers/net/team/team_mode_loadbalance.c
+@@ -301,8 +301,7 @@ static int lb_bpf_func_set(struct team *team, struct team_gsetter_ctx *ctx)
+ if (lb_priv->ex->orig_fprog) {
+ /* Clear old filter data */
+ __fprog_destroy(lb_priv->ex->orig_fprog);
+- orig_fp = rcu_dereference_protected(lb_priv->fp,
+- lockdep_is_held(&team->lock));
++ orig_fp = rtnl_dereference(lb_priv->fp);
+ }
+
+ rcu_assign_pointer(lb_priv->fp, fp);
+@@ -324,8 +323,7 @@ static void lb_bpf_func_free(struct team *team)
+ return;
+
+ __fprog_destroy(lb_priv->ex->orig_fprog);
+- fp = rcu_dereference_protected(lb_priv->fp,
+- lockdep_is_held(&team->lock));
++ fp = rtnl_dereference(lb_priv->fp);
+ bpf_prog_destroy(fp);
+ }
+
+@@ -335,8 +333,7 @@ static void lb_tx_method_get(struct team *team, struct team_gsetter_ctx *ctx)
+ lb_select_tx_port_func_t *func;
+ char *name;
+
+- func = rcu_dereference_protected(lb_priv->select_tx_port_func,
+- lockdep_is_held(&team->lock));
++ func = rtnl_dereference(lb_priv->select_tx_port_func);
+ name = lb_select_tx_port_get_name(func);
+ BUG_ON(!name);
+ ctx->data.str_val = name;
+@@ -478,7 +475,7 @@ static void lb_stats_refresh(struct work_struct *work)
+ team = lb_priv_ex->team;
+ lb_priv = get_lb_priv(team);
+
+- if (!mutex_trylock(&team->lock)) {
++ if (!rtnl_trylock()) {
+ schedule_delayed_work(&lb_priv_ex->stats.refresh_dw, 0);
+ return;
+ }
+@@ -515,7 +512,7 @@ static void lb_stats_refresh(struct work_struct *work)
+ schedule_delayed_work(&lb_priv_ex->stats.refresh_dw,
+ (lb_priv_ex->stats.refresh_interval * HZ) / 10);
+
+- mutex_unlock(&team->lock);
++ rtnl_unlock();
+ }
+
+ static void lb_stats_refresh_interval_get(struct team *team,
+diff --git a/include/linux/if_team.h b/include/linux/if_team.h
+index cdc684e04a2f..ce97d891cf72 100644
+--- a/include/linux/if_team.h
++++ b/include/linux/if_team.h
+@@ -191,8 +191,6 @@ struct team {
+
+ const struct header_ops *header_ops_cache;
+
+- struct mutex lock; /* used for overall locking, e.g. port lists write */
+-
+ /*
+ * List of enabled ports and their count
+ */
+@@ -223,7 +221,6 @@ struct team {
+ atomic_t count_pending;
+ struct delayed_work dw;
+ } mcast_rejoin;
+- struct lock_class_key team_lock_key;
+ long mode_priv[TEAM_MODE_PRIV_LONGS];
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 518be497a654b520d9d574618ecd2bdeb211fbfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 14:58:11 +0200
+Subject: tools/nolibc: avoid false-positive -Wmaybe-uninitialized through
+ waitpid()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 31db7b6a78b7651973c66b7cf479209b20c55290 ]
+
+The compiler does not know that waitid() will only ever return 0 or -1.
+If waitid() would return a positive value than waitpid() would return that
+same value and *status would not be initialized.
+However users calling waitpid() know that the only possible return values
+of it are 0 or -1. They therefore might check for errors with
+'ret == -1' or 'ret < 0' and use *status otherwise. The compiler will then
+warn about the usage of a potentially uninitialized variable.
+
+Example:
+
+ $ cat test.c
+ #include <stdio.h>
+ #include <unistd.h>
+
+ int main(void)
+ {
+ int ret, status;
+
+ ret = waitpid(0, &status, 0);
+ if (ret == -1)
+ return 0;
+
+ printf("status %x\n", status);
+
+ return 0;
+ }
+
+ $ gcc --version
+ gcc (GCC) 15.1.1 20250425
+
+ $ gcc -Wall -Os -Werror -nostdlib -nostdinc -static -Iusr/include -Itools/include/nolibc/ -o /dev/null test.c
+ test.c: In function ‘main’:
+ test.c:12:9: error: ‘status’ may be used uninitialized [-Werror=maybe-uninitialized]
+ 12 | printf("status %x\n", status);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ test.c:6:18: note: ‘status’ was declared here
+ 6 | int ret, status;
+ | ^~~~~~
+ cc1: all warnings being treated as errors
+
+Avoid the warning by normalizing waitid() errors to '-1' in waitpid().
+
+Fixes: 0c89abf5ab3f ("tools/nolibc: implement waitpid() in terms of waitid()")
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Acked-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20250707-nolibc-waitpid-uninitialized-v1-1-dcd4e70bcd8f@linutronix.de
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/nolibc/sys/wait.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/include/nolibc/sys/wait.h b/tools/include/nolibc/sys/wait.h
+index 4d44e3da0ba8..56ddb806da7f 100644
+--- a/tools/include/nolibc/sys/wait.h
++++ b/tools/include/nolibc/sys/wait.h
+@@ -78,7 +78,7 @@ pid_t waitpid(pid_t pid, int *status, int options)
+
+ ret = waitid(idtype, id, &info, options);
+ if (ret)
+- return ret;
++ return -1;
+
+ switch (info.si_code) {
+ case 0:
+--
+2.39.5
+
--- /dev/null
+From 05a18b05c6baaf75de0407afb28e7b8e745a8427 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 18:12:36 +0200
+Subject: tools/rv: Do not skip idle in trace
+
+From: Gabriele Monaco <gmonaco@redhat.com>
+
+[ Upstream commit f60227f3448911b682c45041c3fbd94f6d3b15a2 ]
+
+Currently, the userspace RV tool skips trace events triggered by the RV
+tool itself, this can be changed by passing the parameter -s, which sets
+the variable config_my_pid to 0 (instead of the tool's PID).
+This has the side effect of skipping events generated by idle (PID 0).
+
+Set config_my_pid to -1 (an invalid pid) to avoid skipping idle.
+
+Cc: Nam Cao <namcao@linutronix.de>
+Cc: Tomas Glozar <tglozar@redhat.com>
+Cc: Juri Lelli <jlelli@redhat.com>
+Cc: Clark Williams <williams@redhat.com>
+Cc: John Kacur <jkacur@redhat.com>
+Link: https://lore.kernel.org/20250723161240.194860-2-gmonaco@redhat.com
+Fixes: 6d60f89691fc ("tools/rv: Add in-kernel monitor interface")
+Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/verification/rv/src/in_kernel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/verification/rv/src/in_kernel.c b/tools/verification/rv/src/in_kernel.c
+index c0dcee795c0d..4bb746ea6e17 100644
+--- a/tools/verification/rv/src/in_kernel.c
++++ b/tools/verification/rv/src/in_kernel.c
+@@ -431,7 +431,7 @@ ikm_event_handler(struct trace_seq *s, struct tep_record *record,
+
+ if (config_has_id && (config_my_pid == id))
+ return 0;
+- else if (config_my_pid && (config_my_pid == pid))
++ else if (config_my_pid == pid)
+ return 0;
+
+ tep_print_event(trace_event->tep, s, record, "%16s-%-8d [%.3d] ",
+@@ -734,7 +734,7 @@ static int parse_arguments(char *monitor_name, int argc, char **argv)
+ config_reactor = optarg;
+ break;
+ case 's':
+- config_my_pid = 0;
++ config_my_pid = -1;
+ break;
+ case 't':
+ config_trace = 1;
+--
+2.39.5
+
--- /dev/null
+From 3f895e8b639f73ffcd0b861aff63bc305691052e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 08:08:53 -0700
+Subject: tools subcmd: Tighten the filename size in check_if_command_finished
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 478272d1cdd9959a6d638e9d81f70642f04290c9 ]
+
+FILENAME_MAX is often PATH_MAX (4kb), far more than needed for the
+/proc path. Make the buffer size sufficient for the maximum integer
+plus "/proc/" and "/status" with a '\0' terminator.
+
+Fixes: 5ce42b5de461 ("tools subcmd: Add non-waitpid check_if_command_finished()")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250717150855.1032526-1-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/subcmd/run-command.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/subcmd/run-command.c b/tools/lib/subcmd/run-command.c
+index 0a764c25c384..b7510f83209a 100644
+--- a/tools/lib/subcmd/run-command.c
++++ b/tools/lib/subcmd/run-command.c
+@@ -5,6 +5,7 @@
+ #include <ctype.h>
+ #include <fcntl.h>
+ #include <string.h>
++#include <linux/compiler.h>
+ #include <linux/string.h>
+ #include <errno.h>
+ #include <sys/wait.h>
+@@ -216,10 +217,20 @@ static int wait_or_whine(struct child_process *cmd, bool block)
+ return result;
+ }
+
++/*
++ * Conservative estimate of number of characaters needed to hold an a decoded
++ * integer, assume each 3 bits needs a character byte and plus a possible sign
++ * character.
++ */
++#ifndef is_signed_type
++#define is_signed_type(type) (((type)(-1)) < (type)1)
++#endif
++#define MAX_STRLEN_TYPE(type) (sizeof(type) * 8 / 3 + (is_signed_type(type) ? 1 : 0))
++
+ int check_if_command_finished(struct child_process *cmd)
+ {
+ #ifdef __linux__
+- char filename[FILENAME_MAX + 12];
++ char filename[6 + MAX_STRLEN_TYPE(typeof(cmd->pid)) + 7 + 1];
+ char status_line[256];
+ FILE *status_file;
+
+@@ -227,7 +238,7 @@ int check_if_command_finished(struct child_process *cmd)
+ * Check by reading /proc/<pid>/status as calling waitpid causes
+ * stdout/stderr to be closed and data lost.
+ */
+- sprintf(filename, "/proc/%d/status", cmd->pid);
++ sprintf(filename, "/proc/%u/status", cmd->pid);
+ status_file = fopen(filename, "r");
+ if (status_file == NULL) {
+ /* Open failed assume finish_command was called. */
+--
+2.39.5
+
--- /dev/null
+From 1fa8b605137466a7e57cf864053b615ac40c1e6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 13:17:32 -0400
+Subject: tracing: Use queue_rcu_work() to free filters
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 3aceaa539cfe3a2e62bd92e6697d9fae1c20c0be ]
+
+Freeing of filters requires to wait for both an RCU grace period as well as
+a RCU task trace wait period after they have been detached from their
+lists. The trace task period can be quite large so the freeing of the
+filters was moved to use the call_rcu*() routines. The problem with that is
+that the callback functions of call_rcu*() is done from a soft irq and can
+cause latencies if the callback takes a bit of time.
+
+The filters are freed per event in a system and the syscalls system
+contains an event per system call, which can be over 700 events. Freeing 700
+filters in a bottom half is undesirable.
+
+Instead, move the freeing to use queue_rcu_work() which is done in task
+context.
+
+Link: https://lore.kernel.org/all/9a2f0cd0-1561-4206-8966-f93ccd25927f@paulmck-laptop/
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://lore.kernel.org/20250609131732.04fd303b@gandalf.local.home
+Fixes: a9d0aab5eb33 ("tracing: Fix regression of filter waiting a long time on RCU synchronization")
+Suggested-by: "Paul E. McKenney" <paulmck@kernel.org>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_filter.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
+index 3885aadc434d..196c8bf34970 100644
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1344,13 +1344,14 @@ struct filter_list {
+
+ struct filter_head {
+ struct list_head list;
+- struct rcu_head rcu;
++ union {
++ struct rcu_head rcu;
++ struct rcu_work rwork;
++ };
+ };
+
+-
+-static void free_filter_list(struct rcu_head *rhp)
++static void free_filter_list(struct filter_head *filter_list)
+ {
+- struct filter_head *filter_list = container_of(rhp, struct filter_head, rcu);
+ struct filter_list *filter_item, *tmp;
+
+ list_for_each_entry_safe(filter_item, tmp, &filter_list->list, list) {
+@@ -1361,9 +1362,20 @@ static void free_filter_list(struct rcu_head *rhp)
+ kfree(filter_list);
+ }
+
++static void free_filter_list_work(struct work_struct *work)
++{
++ struct filter_head *filter_list;
++
++ filter_list = container_of(to_rcu_work(work), struct filter_head, rwork);
++ free_filter_list(filter_list);
++}
++
+ static void free_filter_list_tasks(struct rcu_head *rhp)
+ {
+- call_rcu(rhp, free_filter_list);
++ struct filter_head *filter_list = container_of(rhp, struct filter_head, rcu);
++
++ INIT_RCU_WORK(&filter_list->rwork, free_filter_list_work);
++ queue_rcu_work(system_wq, &filter_list->rwork);
+ }
+
+ /*
+@@ -1460,7 +1472,7 @@ static void filter_free_subsystem_filters(struct trace_subsystem_dir *dir,
+ tracepoint_synchronize_unregister();
+
+ if (head)
+- free_filter_list(&head->rcu);
++ free_filter_list(head);
+
+ list_for_each_entry(file, &tr->events, list) {
+ if (file->system != dir || !file->filter)
+@@ -2305,7 +2317,7 @@ static int process_system_preds(struct trace_subsystem_dir *dir,
+ return 0;
+ fail:
+ /* No call succeeded */
+- free_filter_list(&filter_list->rcu);
++ free_filter_list(filter_list);
+ parse_error(pe, FILT_ERR_BAD_SUBSYS_FILTER, 0);
+ return -EINVAL;
+ fail_mem:
+@@ -2315,7 +2327,7 @@ static int process_system_preds(struct trace_subsystem_dir *dir,
+ if (!fail)
+ delay_free_filter(filter_list);
+ else
+- free_filter_list(&filter_list->rcu);
++ free_filter_list(filter_list);
+
+ return -ENOMEM;
+ }
+--
+2.39.5
+
--- /dev/null
+From 0cbc6796821c7a8ef1f688a79ce3ac7dd816df8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 23:41:07 -0600
+Subject: ublk: speed up ublk server exit handling
+
+From: Uday Shankar <ushankar@purestorage.com>
+
+[ Upstream commit 2fa9c93035e17380cafa897ee1a4d503881a3770 ]
+
+Recently, we've observed a few cases where a ublk server is able to
+complete restart more quickly than the driver can process the exit of
+the previous ublk server. The new ublk server comes up, attempts
+recovery of the preexisting ublk devices, and observes them still in
+state UBLK_S_DEV_LIVE. While this is possible due to the asynchronous
+nature of io_uring cleanup and should therefore be handled properly in
+the ublk server, it is still preferable to make ublk server exit
+handling faster if possible, as we should strive for it to not be a
+limiting factor in how fast a ublk server can restart and provide
+service again.
+
+Analysis of the issue showed that the vast majority of the time spent in
+handling the ublk server exit was in calls to blk_mq_quiesce_queue,
+which is essentially just a (relatively expensive) call to
+synchronize_rcu. The ublk server exit path currently issues an
+unnecessarily large number of calls to blk_mq_quiesce_queue, for two
+reasons:
+
+1. It tries to call blk_mq_quiesce_queue once per ublk_queue. However,
+ blk_mq_quiesce_queue targets the request_queue of the underlying ublk
+ device, of which there is only one. So the number of calls is larger
+ than necessary by a factor of nr_hw_queues.
+2. In practice, it calls blk_mq_quiesce_queue _more_ than once per
+ ublk_queue. This is because of a data race where we read
+ ubq->canceling without any locking when deciding if we should call
+ ublk_start_cancel. It is thus possible for two calls to
+ ublk_uring_cmd_cancel_fn against the same ublk_queue to both call
+ ublk_start_cancel against the same ublk_queue.
+
+Fix this by making the "canceling" flag a per-device state. This
+actually matches the existing code better, as there are several places
+where the flag is set or cleared for all queues simultaneously, and
+there is the general expectation that cancellation corresponds with ublk
+server exit. This per-device canceling flag is then checked under a
+(new) lock (addressing the data race (2) above), and the queue is only
+quiesced if it is cleared (addressing (1) above). The result is just one
+call to blk_mq_quiesce_queue per ublk device.
+
+To minimize the number of cache lines that are accessed in the hot path,
+the per-queue canceling flag is kept. The values of the per-device
+canceling flag and all per-queue canceling flags should always match.
+
+In our setup, where one ublk server handles I/O for 128 ublk devices,
+each having 24 hardware queues of depth 4096, here are the results
+before and after this patch, where teardown time is measured from the
+first call to io_ring_ctx_wait_and_kill to the return from the last
+ublk_ch_release:
+
+ before after
+number of calls to blk_mq_quiesce_queue: 6469 256
+teardown time: 11.14s 2.44s
+
+There are still some potential optimizations here, but this takes care
+of a big chunk of the ublk server exit handling delay.
+
+Signed-off-by: Uday Shankar <ushankar@purestorage.com>
+Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20250703-ublk_too_many_quiesce-v2-1-3527b5339eeb@purestorage.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: c2c8089f325e ("ublk: validate ublk server pid")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 36 +++++++++++++++++++++---------------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 8ded49f3b68b..2492c11defcc 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -216,6 +216,8 @@ struct ublk_device {
+ struct completion completion;
+ unsigned int nr_queues_ready;
+ unsigned int nr_privileged_daemon;
++ struct mutex cancel_mutex;
++ bool canceling;
+ };
+
+ /* header of ublk_params */
+@@ -1578,6 +1580,7 @@ static int ublk_ch_release(struct inode *inode, struct file *filp)
+ * All requests may be inflight, so ->canceling may not be set, set
+ * it now.
+ */
++ ub->canceling = true;
+ for (i = 0; i < ub->dev_info.nr_hw_queues; i++) {
+ struct ublk_queue *ubq = ublk_get_queue(ub, i);
+
+@@ -1706,23 +1709,18 @@ static void ublk_abort_queue(struct ublk_device *ub, struct ublk_queue *ubq)
+ }
+ }
+
+-/* Must be called when queue is frozen */
+-static void ublk_mark_queue_canceling(struct ublk_queue *ubq)
+-{
+- spin_lock(&ubq->cancel_lock);
+- if (!ubq->canceling)
+- ubq->canceling = true;
+- spin_unlock(&ubq->cancel_lock);
+-}
+-
+-static void ublk_start_cancel(struct ublk_queue *ubq)
++static void ublk_start_cancel(struct ublk_device *ub)
+ {
+- struct ublk_device *ub = ubq->dev;
+ struct gendisk *disk = ublk_get_disk(ub);
++ int i;
+
+ /* Our disk has been dead */
+ if (!disk)
+ return;
++
++ mutex_lock(&ub->cancel_mutex);
++ if (ub->canceling)
++ goto out;
+ /*
+ * Now we are serialized with ublk_queue_rq()
+ *
+@@ -1731,8 +1729,12 @@ static void ublk_start_cancel(struct ublk_queue *ubq)
+ * touch completed uring_cmd
+ */
+ blk_mq_quiesce_queue(disk->queue);
+- ublk_mark_queue_canceling(ubq);
++ ub->canceling = true;
++ for (i = 0; i < ub->dev_info.nr_hw_queues; i++)
++ ublk_get_queue(ub, i)->canceling = true;
+ blk_mq_unquiesce_queue(disk->queue);
++out:
++ mutex_unlock(&ub->cancel_mutex);
+ ublk_put_disk(disk);
+ }
+
+@@ -1805,8 +1807,7 @@ static void ublk_uring_cmd_cancel_fn(struct io_uring_cmd *cmd,
+ if (WARN_ON_ONCE(task && task != io->task))
+ return;
+
+- if (!ubq->canceling)
+- ublk_start_cancel(ubq);
++ ublk_start_cancel(ubq->dev);
+
+ WARN_ON_ONCE(io->cmd != cmd);
+ ublk_cancel_cmd(ubq, pdu->tag, issue_flags);
+@@ -1933,6 +1934,7 @@ static void ublk_reset_io_flags(struct ublk_device *ub)
+ ubq->canceling = false;
+ ubq->fail_io = false;
+ }
++ ub->canceling = false;
+ }
+
+ /* device can only be started after all IOs are ready */
+@@ -2580,6 +2582,7 @@ static void ublk_cdev_rel(struct device *dev)
+ ublk_deinit_queues(ub);
+ ublk_free_dev_number(ub);
+ mutex_destroy(&ub->mutex);
++ mutex_destroy(&ub->cancel_mutex);
+ kfree(ub);
+ }
+
+@@ -2933,6 +2936,7 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header)
+ goto out_unlock;
+ mutex_init(&ub->mutex);
+ spin_lock_init(&ub->lock);
++ mutex_init(&ub->cancel_mutex);
+
+ ret = ublk_alloc_dev_number(ub, header->dev_id);
+ if (ret < 0)
+@@ -3003,6 +3007,7 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header)
+ ublk_free_dev_number(ub);
+ out_free_ub:
+ mutex_destroy(&ub->mutex);
++ mutex_destroy(&ub->cancel_mutex);
+ kfree(ub);
+ out_unlock:
+ mutex_unlock(&ublk_ctl_mutex);
+@@ -3357,8 +3362,9 @@ static int ublk_ctrl_quiesce_dev(struct ublk_device *ub,
+ if (ub->dev_info.state != UBLK_S_DEV_LIVE)
+ goto put_disk;
+
+- /* Mark all queues as canceling */
++ /* Mark the device as canceling */
+ blk_mq_quiesce_queue(disk->queue);
++ ub->canceling = true;
+ for (i = 0; i < ub->dev_info.nr_hw_queues; i++) {
+ struct ublk_queue *ubq = ublk_get_queue(ub, i);
+
+--
+2.39.5
+
--- /dev/null
+From 77edd0f77393a049b1196fc8a479e7a69f2e16d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:09:55 -0600
+Subject: ublk: use vmalloc for ublk_device's __queues
+
+From: Caleb Sander Mateos <csander@purestorage.com>
+
+[ Upstream commit c2f48453b7806d41f5a3270f206a5cd5640ed207 ]
+
+struct ublk_device's __queues points to an allocation with up to
+UBLK_MAX_NR_QUEUES (4096) queues, each of which have:
+- struct ublk_queue (48 bytes)
+- Tail array of up to UBLK_MAX_QUEUE_DEPTH (4096) struct ublk_io's,
+ 32 bytes each
+This means the full allocation can exceed 512 MB, which may well be
+impossible to service with contiguous physical pages. Switch to
+kvcalloc() and kvfree(), since there is no need for physically
+contiguous memory.
+
+Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
+Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20250620151008.3976463-2-csander@purestorage.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 9fd284fa76dc..8ded49f3b68b 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -2513,7 +2513,7 @@ static void ublk_deinit_queues(struct ublk_device *ub)
+
+ for (i = 0; i < nr_queues; i++)
+ ublk_deinit_queue(ub, i);
+- kfree(ub->__queues);
++ kvfree(ub->__queues);
+ }
+
+ static int ublk_init_queues(struct ublk_device *ub)
+@@ -2524,7 +2524,7 @@ static int ublk_init_queues(struct ublk_device *ub)
+ int i, ret = -ENOMEM;
+
+ ub->queue_size = ubq_size;
+- ub->__queues = kcalloc(nr_queues, ubq_size, GFP_KERNEL);
++ ub->__queues = kvcalloc(nr_queues, ubq_size, GFP_KERNEL);
+ if (!ub->__queues)
+ return ret;
+
+--
+2.39.5
+
--- /dev/null
+From 871036d9b22c43307888ed9d7b58353babeffafc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jul 2025 22:33:56 +0800
+Subject: ublk: validate ublk server pid
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit c2c8089f325ed703fd5123b39e2dece1dd605904 ]
+
+ublk server pid(the `tgid` of the process opening the ublk device) is stored
+in `ublk_device->ublksrv_tgid`. This `tgid` is then checked against the
+`ublksrv_pid` in `ublk_ctrl_start_dev` and `ublk_ctrl_end_recovery`.
+
+This ensures that correct ublk server pid is stored in device info.
+
+Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20250713143415.2857561-2-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 2492c11defcc..3e60558bf525 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -218,6 +218,7 @@ struct ublk_device {
+ unsigned int nr_privileged_daemon;
+ struct mutex cancel_mutex;
+ bool canceling;
++ pid_t ublksrv_tgid;
+ };
+
+ /* header of ublk_params */
+@@ -1517,6 +1518,7 @@ static int ublk_ch_open(struct inode *inode, struct file *filp)
+ if (test_and_set_bit(UB_STATE_OPEN, &ub->state))
+ return -EBUSY;
+ filp->private_data = ub;
++ ub->ublksrv_tgid = current->tgid;
+ return 0;
+ }
+
+@@ -1531,6 +1533,7 @@ static void ublk_reset_ch_dev(struct ublk_device *ub)
+ ub->mm = NULL;
+ ub->nr_queues_ready = 0;
+ ub->nr_privileged_daemon = 0;
++ ub->ublksrv_tgid = -1;
+ }
+
+ static struct gendisk *ublk_get_disk(struct ublk_device *ub)
+@@ -2732,6 +2735,9 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub,
+ if (wait_for_completion_interruptible(&ub->completion) != 0)
+ return -EINTR;
+
++ if (ub->ublksrv_tgid != ublksrv_pid)
++ return -EINVAL;
++
+ mutex_lock(&ub->mutex);
+ if (ub->dev_info.state == UBLK_S_DEV_LIVE ||
+ test_bit(UB_STATE_USED, &ub->state)) {
+@@ -3232,6 +3238,9 @@ static int ublk_ctrl_end_recovery(struct ublk_device *ub,
+ pr_devel("%s: All FETCH_REQs received, dev id %d\n", __func__,
+ header->dev_id);
+
++ if (ub->ublksrv_tgid != ublksrv_pid)
++ return -EINVAL;
++
+ mutex_lock(&ub->mutex);
+ if (ublk_nosrv_should_stop_dev(ub))
+ goto out_unlock;
+--
+2.39.5
+
--- /dev/null
+From 4925c0a1a4f9216a8bcbad6bfc91222743c61cfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 19:45:57 +0200
+Subject: ucount: fix atomic_long_inc_below() argument type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit f8cd9193b62e92ad25def5370ca8ea2bc7585381 ]
+
+The type of u argument of atomic_long_inc_below() should be long to avoid
+unwanted truncation to int.
+
+The patch fixes the wrong argument type of an internal function to
+prevent unwanted argument truncation. It fixes an internal locking
+primitive; it should not have any direct effect on userspace.
+
+Mark said
+
+: AFAICT there's no problem in practice because atomic_long_inc_below()
+: is only used by inc_ucount(), and it looks like the value is
+: constrained between 0 and INT_MAX.
+:
+: In inc_ucount() the limit value is taken from
+: user_namespace::ucount_max[], and AFAICT that's only written by
+: sysctls, to the table setup by setup_userns_sysctls(), where
+: UCOUNT_ENTRY() limits the value between 0 and INT_MAX.
+:
+: This is certainly a cleanup, but there might be no functional issue in
+: practice as above.
+
+Link: https://lkml.kernel.org/r/20250721174610.28361-1-ubizjak@gmail.com
+Fixes: f9c82a4ea89c ("Increase size of ucounts to atomic_long_t")
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: "Paul E. McKenney" <paulmck@kernel.org>
+Cc: Alexey Gladkov <legion@kernel.org>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: MengEn Sun <mengensun@tencent.com>
+Cc: "Thomas Weißschuh" <linux@weissschuh.net>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/ucount.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/ucount.c b/kernel/ucount.c
+index 8686e329b8f2..f629db485a07 100644
+--- a/kernel/ucount.c
++++ b/kernel/ucount.c
+@@ -199,7 +199,7 @@ void put_ucounts(struct ucounts *ucounts)
+ }
+ }
+
+-static inline bool atomic_long_inc_below(atomic_long_t *v, int u)
++static inline bool atomic_long_inc_below(atomic_long_t *v, long u)
+ {
+ long c, old;
+ c = atomic_long_read(v);
+--
+2.39.5
+
--- /dev/null
+From d42c829792bff73f1154236e42452021d3489062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Apr 2025 15:38:30 +0800
+Subject: udmabuf: fix vmap missed offset page
+
+From: Huan Yang <link@vivo.com>
+
+[ Upstream commit a26fd92b7223160ad31c3e2971b63178faed9cf5 ]
+
+Before invoke vmap, we need offer a pages pointer array which each page
+need to map in vmalloc area.
+
+But currently vmap_udmabuf only set each folio's head page into pages,
+missed each offset pages when iter.
+
+This patch set the correctly offset page in each folio into array.
+
+Signed-off-by: Huan Yang <link@vivo.com>
+Fixes: 5e72b2b41a21 ("udmabuf: convert udmabuf driver to use folios")
+Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Link: https://lore.kernel.org/r/20250428073831.19942-3-link@vivo.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma-buf/udmabuf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
+index 4cc342fb28f4..40399c26e6be 100644
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -120,7 +120,8 @@ static int vmap_udmabuf(struct dma_buf *buf, struct iosys_map *map)
+ return -ENOMEM;
+
+ for (pg = 0; pg < ubuf->pagecount; pg++)
+- pages[pg] = &ubuf->folios[pg]->page;
++ pages[pg] = folio_page(ubuf->folios[pg],
++ ubuf->offsets[pg] >> PAGE_SHIFT);
+
+ vaddr = vm_map_ram(pages, ubuf->pagecount, -1);
+ kvfree(pages);
+--
+2.39.5
+
--- /dev/null
+From f889719695779aa2a98e43999519c7637156c492 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 17:04:03 +0800
+Subject: um: rtc: Avoid shadowing err in uml_rtc_start()
+
+From: Tiwei Bie <tiwei.btw@antgroup.com>
+
+[ Upstream commit 4c916e3b224a02019b3cc3983a15f32bfd9a22df ]
+
+Remove the declaration of 'err' inside the 'if (timetravel)' block,
+as it would otherwise be unavailable outside that block, potentially
+leading to uml_rtc_start() returning an uninitialized value.
+
+Fixes: dde8b58d5127 ("um: add a pseudo RTC")
+Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
+Link: https://patch.msgid.link/20250708090403.1067440-5-tiwei.bie@linux.dev
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/rtc_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/um/drivers/rtc_user.c b/arch/um/drivers/rtc_user.c
+index 51e79f3148cd..67912fcf7b28 100644
+--- a/arch/um/drivers/rtc_user.c
++++ b/arch/um/drivers/rtc_user.c
+@@ -28,7 +28,7 @@ int uml_rtc_start(bool timetravel)
+ int err;
+
+ if (timetravel) {
+- int err = os_pipe(uml_rtc_irq_fds, 1, 1);
++ err = os_pipe(uml_rtc_irq_fds, 1, 1);
+ if (err)
+ goto fail;
+ } else {
+--
+2.39.5
+
--- /dev/null
+From 020f6d65f05b0ca2a8720877ef94c5e580318b55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 12:18:09 +0200
+Subject: uprobes: revert ref_ctr_offset in uprobe_unregister error path
+
+From: Jiri Olsa <olsajiri@gmail.com>
+
+[ Upstream commit aa644c405291a419e92b112e2279c01c410e9a26 ]
+
+There's error path that could lead to inactive uprobe:
+
+ 1) uprobe_register succeeds - updates instruction to int3 and
+ changes ref_ctr from 0 to 1
+ 2) uprobe_unregister fails - int3 stays in place, but ref_ctr
+ is changed to 0 (it's not restored to 1 in the fail path)
+ uprobe is leaked
+ 3) another uprobe_register comes and re-uses the leaked uprobe
+ and succeds - but int3 is already in place, so ref_ctr update
+ is skipped and it stays 0 - uprobe CAN NOT be triggered now
+ 4) uprobe_unregister fails because ref_ctr value is unexpected
+
+Fix this by reverting the updated ref_ctr value back to 1 in step 2),
+which is the case when uprobe_unregister fails (int3 stays in place), but
+we have already updated refctr.
+
+The new scenario will go as follows:
+
+ 1) uprobe_register succeeds - updates instruction to int3 and
+ changes ref_ctr from 0 to 1
+ 2) uprobe_unregister fails - int3 stays in place and ref_ctr
+ is reverted to 1.. uprobe is leaked
+ 3) another uprobe_register comes and re-uses the leaked uprobe
+ and succeds - but int3 is already in place, so ref_ctr update
+ is skipped and it stays 1 - uprobe CAN be triggered now
+ 4) uprobe_unregister succeeds
+
+Link: https://lkml.kernel.org/r/20250514101809.2010193-1-jolsa@kernel.org
+Fixes: 1cc33161a83d ("uprobes: Support SDT markers having reference count (semaphore)")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Suggested-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Andrii Nakryiko <andrii@kernel.org>
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/uprobes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
+index 4c965ba77f9f..84ee7b590861 100644
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -581,8 +581,8 @@ int uprobe_write_opcode(struct arch_uprobe *auprobe, struct vm_area_struct *vma,
+
+ out:
+ /* Revert back reference counter if instruction update failed. */
+- if (ret < 0 && is_register && ref_ctr_updated)
+- update_ref_ctr(uprobe, mm, -1);
++ if (ret < 0 && ref_ctr_updated)
++ update_ref_ctr(uprobe, mm, is_register ? -1 : 1);
+
+ /* try collapse pmd for compound page */
+ if (ret > 0)
+--
+2.39.5
+
--- /dev/null
+From 160e39e85f7ea6660bd828cef5dcfe678eefc222 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 14:47:47 -0700
+Subject: usb: early: xhci-dbc: Fix early_ioremap leak
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+[ Upstream commit 2b7eec2ec3015f52fc74cf45d0408925e984ecd1 ]
+
+Using the kernel param earlyprintk=xdbc,keep without proper hardware
+setup leads to this:
+
+ [ ] xhci_dbc:early_xdbc_parse_parameter: dbgp_num: 0
+ ...
+ [ ] xhci_dbc:early_xdbc_setup_hardware: failed to setup the connection to host
+ ...
+ [ ] calling kmemleak_late_init+0x0/0xa0 @ 1
+ [ ] kmemleak: Kernel memory leak detector initialized (mem pool available: 14919)
+ [ ] kmemleak: Automatic memory scanning thread started
+ [ ] initcall kmemleak_late_init+0x0/0xa0 returned 0 after 417 usecs
+ [ ] calling check_early_ioremap_leak+0x0/0x70 @ 1
+ [ ] ------------[ cut here ]------------
+ [ ] Debug warning: early ioremap leak of 1 areas detected.
+ please boot with early_ioremap_debug and report the dmesg.
+ [ ] WARNING: CPU: 11 PID: 1 at mm/early_ioremap.c:90 check_early_ioremap_leak+0x4e/0x70
+
+When early_xdbc_setup_hardware() fails, make sure to call
+early_iounmap() since xdbc_init() won't handle it.
+
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Fixes: aeb9dd1de98c ("usb/early: Add driver for xhci debug capability")
+Link: https://lore.kernel.org/r/20250627-xdbc-v1-1-43cc8c317b1b@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/early/xhci-dbc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c
+index 341408410ed9..41118bba9197 100644
+--- a/drivers/usb/early/xhci-dbc.c
++++ b/drivers/usb/early/xhci-dbc.c
+@@ -681,6 +681,10 @@ int __init early_xdbc_setup_hardware(void)
+
+ xdbc.table_base = NULL;
+ xdbc.out_buf = NULL;
++
++ early_iounmap(xdbc.xhci_base, xdbc.xhci_length);
++ xdbc.xhci_base = NULL;
++ xdbc.xhci_length = 0;
+ }
+
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From ce1c35ec6c27d42ea94b51e9316eaa50eb769abe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 01:57:47 -0400
+Subject: usb: host: xhci-plat: fix incorrect type for of_match variable in
+ xhci_plat_probe()
+
+From: Seungjin Bae <eeodqql09@gmail.com>
+
+[ Upstream commit d9e496a9fb4021a9e6b11e7ba221a41a2597ac27 ]
+
+The variable `of_match` was incorrectly declared as a `bool`.
+It is assigned the return value of of_match_device(), which is a pointer of
+type `const struct of_device_id *`.
+
+Fixes: 16b7e0cccb243 ("USB: xhci-plat: fix legacy PHY double init")
+Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
+Link: https://lore.kernel.org/r/20250619055746.176112-2-eeodqql09@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-plat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index c79d5ed48a08..5eb51797de32 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -152,7 +152,7 @@ int xhci_plat_probe(struct platform_device *pdev, struct device *sysdev, const s
+ int ret;
+ int irq;
+ struct xhci_plat_priv *priv = NULL;
+- bool of_match;
++ const struct of_device_id *of_match;
+
+ if (usb_disabled())
+ return -ENODEV;
+--
+2.39.5
+
--- /dev/null
+From 06f9399ab88909781bdaf4def925f0f3293a21c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 18:26:17 +0000
+Subject: usb: misc: apple-mfi-fastcharge: Make power supply names unique
+
+From: Charalampos Mitrodimas <charmitro@posteo.net>
+
+[ Upstream commit 43007b89fb2de746443fbbb84aedd1089afdf582 ]
+
+When multiple Apple devices are connected concurrently, the
+apple-mfi-fastcharge driver fails to probe the subsequent devices with
+the following error:
+
+ sysfs: cannot create duplicate filename '/class/power_supply/apple_mfi_fastcharge'
+ apple-mfi-fastcharge 5-2.4.3.3: probe of 5-2.4.3.3 failed with error -17
+
+This happens because the driver uses a fixed power supply name
+("apple_mfi_fastcharge") for all devices, causing a sysfs name
+conflict when a second device is connected.
+
+Fix this by generating unique names using the USB bus and device
+number (e.g., "apple_mfi_fastcharge_5-12"). This ensures each
+connected device gets a unique power supply entry in sysfs.
+
+The change requires storing a copy of the power_supply_desc structure
+in the per-device mfi_device struct, since the name pointer needs to
+remain valid for the lifetime of the power supply registration.
+
+Fixes: 249fa8217b84 ("USB: Add driver to control USB fast charge for iOS devices")
+Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
+Link: https://lore.kernel.org/r/20250602-apple-mfi-fastcharge-duplicate-sysfs-v1-1-5d84de34fac6@posteo.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/apple-mfi-fastcharge.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/misc/apple-mfi-fastcharge.c b/drivers/usb/misc/apple-mfi-fastcharge.c
+index ac8695195c13..8e852f4b8262 100644
+--- a/drivers/usb/misc/apple-mfi-fastcharge.c
++++ b/drivers/usb/misc/apple-mfi-fastcharge.c
+@@ -44,6 +44,7 @@ MODULE_DEVICE_TABLE(usb, mfi_fc_id_table);
+ struct mfi_device {
+ struct usb_device *udev;
+ struct power_supply *battery;
++ struct power_supply_desc battery_desc;
+ int charge_type;
+ };
+
+@@ -178,6 +179,7 @@ static int mfi_fc_probe(struct usb_device *udev)
+ {
+ struct power_supply_config battery_cfg = {};
+ struct mfi_device *mfi = NULL;
++ char *battery_name;
+ int err;
+
+ if (!mfi_fc_match(udev))
+@@ -187,23 +189,38 @@ static int mfi_fc_probe(struct usb_device *udev)
+ if (!mfi)
+ return -ENOMEM;
+
++ battery_name = kasprintf(GFP_KERNEL, "apple_mfi_fastcharge_%d-%d",
++ udev->bus->busnum, udev->devnum);
++ if (!battery_name) {
++ err = -ENOMEM;
++ goto err_free_mfi;
++ }
++
++ mfi->battery_desc = apple_mfi_fc_desc;
++ mfi->battery_desc.name = battery_name;
++
+ battery_cfg.drv_data = mfi;
+
+ mfi->charge_type = POWER_SUPPLY_CHARGE_TYPE_TRICKLE;
+ mfi->battery = power_supply_register(&udev->dev,
+- &apple_mfi_fc_desc,
++ &mfi->battery_desc,
+ &battery_cfg);
+ if (IS_ERR(mfi->battery)) {
+ dev_err(&udev->dev, "Can't register battery\n");
+ err = PTR_ERR(mfi->battery);
+- kfree(mfi);
+- return err;
++ goto err_free_name;
+ }
+
+ mfi->udev = usb_get_dev(udev);
+ dev_set_drvdata(&udev->dev, mfi);
+
+ return 0;
++
++err_free_name:
++ kfree(battery_name);
++err_free_mfi:
++ kfree(mfi);
++ return err;
+ }
+
+ static void mfi_fc_disconnect(struct usb_device *udev)
+@@ -213,6 +230,7 @@ static void mfi_fc_disconnect(struct usb_device *udev)
+ mfi = dev_get_drvdata(&udev->dev);
+ if (mfi->battery)
+ power_supply_unregister(mfi->battery);
++ kfree(mfi->battery_desc.name);
+ dev_set_drvdata(&udev->dev, NULL);
+ usb_put_dev(mfi->udev);
+ kfree(mfi);
+--
+2.39.5
+
--- /dev/null
+From f0851a7c525cccc85118b4d4f7bd350ab54b8d64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jun 2025 21:12:56 +0300
+Subject: usb: typec: ucsi: yoga-c630: fix error and remove paths
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 168c3896f32e78e7b87f6aa9e85af36e47a9f96c ]
+
+Fix memory leak and call ucsi_destroy() from the driver's remove
+function and probe's error path in order to remove debugfs files and
+free the memory. Also call yoga_c630_ec_unregister_notify() in the
+probe's error path.
+
+Fixes: 2ea6d07efe53 ("usb: typec: ucsi: add Lenovo Yoga C630 glue driver")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250621-c630-ucsi-v1-1-a86de5e11361@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/ucsi/ucsi_yoga_c630.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/typec/ucsi/ucsi_yoga_c630.c b/drivers/usb/typec/ucsi/ucsi_yoga_c630.c
+index d33e3f2dd1d8..47e8dd5b255b 100644
+--- a/drivers/usb/typec/ucsi/ucsi_yoga_c630.c
++++ b/drivers/usb/typec/ucsi/ucsi_yoga_c630.c
+@@ -133,17 +133,30 @@ static int yoga_c630_ucsi_probe(struct auxiliary_device *adev,
+
+ ret = yoga_c630_ec_register_notify(ec, &uec->nb);
+ if (ret)
+- return ret;
++ goto err_destroy;
++
++ ret = ucsi_register(uec->ucsi);
++ if (ret)
++ goto err_unregister;
++
++ return 0;
+
+- return ucsi_register(uec->ucsi);
++err_unregister:
++ yoga_c630_ec_unregister_notify(uec->ec, &uec->nb);
++
++err_destroy:
++ ucsi_destroy(uec->ucsi);
++
++ return ret;
+ }
+
+ static void yoga_c630_ucsi_remove(struct auxiliary_device *adev)
+ {
+ struct yoga_c630_ucsi *uec = auxiliary_get_drvdata(adev);
+
+- yoga_c630_ec_unregister_notify(uec->ec, &uec->nb);
+ ucsi_unregister(uec->ucsi);
++ yoga_c630_ec_unregister_notify(uec->ec, &uec->nb);
++ ucsi_destroy(uec->ucsi);
+ }
+
+ static const struct auxiliary_device_id yoga_c630_ucsi_id_table[] = {
+--
+2.39.5
+
--- /dev/null
+From 4c3f3643ac500bd20d51727cd2a35684539a019b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 14:53:35 +0200
+Subject: vdpa: Fix IDR memory leak in VDUSE module exit
+
+From: Anders Roxell <anders.roxell@linaro.org>
+
+[ Upstream commit d9ea58b5dc6b4b50fbb6a10c73f840e8b10442b7 ]
+
+Add missing idr_destroy() call in vduse_exit() to properly free the
+vduse_idr radix tree nodes. Without this, module load/unload cycles leak
+576-byte radix tree node allocations, detectable by kmemleak as:
+
+unreferenced object (size 576):
+ backtrace:
+ [<ffffffff81234567>] radix_tree_node_alloc+0xa0/0xf0
+ [<ffffffff81234568>] idr_get_free+0x128/0x280
+
+The vduse_idr is initialized via DEFINE_IDR() at line 136 and used throughout
+the VDUSE (vDPA Device in Userspace) driver for device ID management. The fix
+follows the documented pattern in lib/idr.c and matches the cleanup approach
+used by other drivers.
+
+This leak was discovered through comprehensive module testing with cumulative
+kmemleak detection across 10 load/unload iterations per module.
+
+Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Message-Id: <20250704125335.1084649-1-anders.roxell@linaro.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/vdpa_user/vduse_dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
+index 6a9a37351310..04620bb77203 100644
+--- a/drivers/vdpa/vdpa_user/vduse_dev.c
++++ b/drivers/vdpa/vdpa_user/vduse_dev.c
+@@ -2216,6 +2216,7 @@ static void vduse_exit(void)
+ cdev_del(&vduse_ctrl_cdev);
+ unregister_chrdev_region(vduse_major, VDUSE_DEV_MAX);
+ class_unregister(&vduse_class);
++ idr_destroy(&vduse_idr);
+ }
+ module_exit(vduse_exit);
+
+--
+2.39.5
+
--- /dev/null
+From 30b51bed819fd119c4c68bb47ca40d107835ae75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 21:48:01 +0300
+Subject: vdpa/mlx5: Fix needs_teardown flag calculation
+
+From: Dragos Tatulea <dtatulea@nvidia.com>
+
+[ Upstream commit 6f0f3d7fc4e05797b801ded4910a64d16db230e9 ]
+
+needs_teardown is a device flag that indicates when virtual queues need
+to be recreated. This happens for certain configuration changes: queue
+size and some specific features.
+
+Currently, the needs_teardown state can be incorrectly reset by
+subsequent .set_vq_num() calls. For example, for 1 rx VQ with size 512
+and 1 tx VQ with size 256:
+
+.set_vq_num(0, 512) -> sets needs_teardown to true (rx queue has a
+ non-default size)
+.set_vq_num(1, 256) -> sets needs_teardown to false (tx queue has a
+ default size)
+
+This change takes into account the previous value of the needs_teardown
+flag when re-calculating it during VQ size configuration.
+
+Fixes: 0fe963d6fc16 ("vdpa/mlx5: Re-create HW VQs under certain conditions")
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Tested-by: Si-Wei Liu<si-wei.liu@oracle.com>
+Message-Id: <20250604184802.2625300-1-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+index cccc49a08a1a..efb5fa694f1e 100644
+--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+@@ -2491,7 +2491,7 @@ static void mlx5_vdpa_set_vq_num(struct vdpa_device *vdev, u16 idx, u32 num)
+ }
+
+ mvq = &ndev->vqs[idx];
+- ndev->needs_teardown = num != mvq->num_ent;
++ ndev->needs_teardown |= num != mvq->num_ent;
+ mvq->num_ent = num;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 7fff6abc67a1f42fef3a939e478fd94e0c8096f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 12:04:24 +0000
+Subject: vdpa/mlx5: Fix release of uninitialized resources on error path
+
+From: Dragos Tatulea <dtatulea@nvidia.com>
+
+[ Upstream commit cc51a66815999afb7e9cd845968de4fdf07567b7 ]
+
+The commit in the fixes tag made sure that mlx5_vdpa_free()
+is the single entrypoint for removing the vdpa device resources
+added in mlx5_vdpa_dev_add(), even in the cleanup path of
+mlx5_vdpa_dev_add().
+
+This means that all functions from mlx5_vdpa_free() should be able to
+handle uninitialized resources. This was not the case though:
+mlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx()
+were not able to do so. This caused the splat below when adding
+a vdpa device without a MAC address.
+
+This patch fixes these remaining issues:
+
+- Makes mlx5_vdpa_destroy_mr_resources() return early if called on
+ uninitialized resources.
+
+- Moves mlx5_cmd_init_async_ctx() early on during device addition
+ because it can't fail. This means that mlx5_cmd_cleanup_async_ctx()
+ also can't fail. To mirror this, move the call site of
+ mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free().
+
+An additional comment was added in mlx5_vdpa_free() to document
+the expectations of functions called from this context.
+
+Splat:
+
+ mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned?
+ ------------[ cut here ]------------
+ WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0
+ [...]
+ Call Trace:
+ <TASK>
+ ? __try_to_del_timer_sync+0x61/0x90
+ ? __timer_delete_sync+0x2b/0x40
+ mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa]
+ mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa]
+ vdpa_release_dev+0x1e/0x50 [vdpa]
+ device_release+0x31/0x90
+ kobject_cleanup+0x37/0x130
+ mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa]
+ vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa]
+ genl_family_rcv_msg_doit+0xd8/0x130
+ genl_family_rcv_msg+0x14b/0x220
+ ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]
+ genl_rcv_msg+0x47/0xa0
+ ? __pfx_genl_rcv_msg+0x10/0x10
+ netlink_rcv_skb+0x53/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x27b/0x3b0
+ netlink_sendmsg+0x1f7/0x430
+ __sys_sendto+0x1fa/0x210
+ ? ___pte_offset_map+0x17/0x160
+ ? next_uptodate_folio+0x85/0x2b0
+ ? percpu_counter_add_batch+0x51/0x90
+ ? filemap_map_pages+0x515/0x660
+ __x64_sys_sendto+0x20/0x30
+ do_syscall_64+0x7b/0x2c0
+ ? do_read_fault+0x108/0x220
+ ? do_pte_missing+0x14a/0x3e0
+ ? __handle_mm_fault+0x321/0x730
+ ? count_memcg_events+0x13f/0x180
+ ? handle_mm_fault+0x1fb/0x2d0
+ ? do_user_addr_fault+0x20c/0x700
+ ? syscall_exit_work+0x104/0x140
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f0c25b0feca
+ [...]
+ ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Fixes: 83e445e64f48 ("vdpa/mlx5: Fix error path during device add")
+Reported-by: Wenli Quan <wquan@redhat.com>
+Closes: https://lore.kernel.org/virtualization/CADZSLS0r78HhZAStBaN1evCSoPqRJU95Lt8AqZNJ6+wwYQ6vPQ@mail.gmail.com/
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Message-Id: <20250708120424.2363354-2-dtatulea@nvidia.com>
+Tested-by: Wenli Quan <wquan@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/mlx5/core/mr.c | 3 +++
+ drivers/vdpa/mlx5/net/mlx5_vnet.c | 10 ++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vdpa/mlx5/core/mr.c b/drivers/vdpa/mlx5/core/mr.c
+index 61424342c096..c7a20278bc3c 100644
+--- a/drivers/vdpa/mlx5/core/mr.c
++++ b/drivers/vdpa/mlx5/core/mr.c
+@@ -908,6 +908,9 @@ void mlx5_vdpa_destroy_mr_resources(struct mlx5_vdpa_dev *mvdev)
+ {
+ struct mlx5_vdpa_mr_resources *mres = &mvdev->mres;
+
++ if (!mres->wq_gc)
++ return;
++
+ atomic_set(&mres->shutdown, 1);
+
+ flush_delayed_work(&mres->gc_dwork_ent);
+diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+index efb5fa694f1e..0ed2fc28e1ce 100644
+--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+@@ -3432,15 +3432,17 @@ static void mlx5_vdpa_free(struct vdpa_device *vdev)
+
+ ndev = to_mlx5_vdpa_ndev(mvdev);
+
++ /* Functions called here should be able to work with
++ * uninitialized resources.
++ */
+ free_fixed_resources(ndev);
+ mlx5_vdpa_clean_mrs(mvdev);
+ mlx5_vdpa_destroy_mr_resources(&ndev->mvdev);
+- mlx5_cmd_cleanup_async_ctx(&mvdev->async_ctx);
+-
+ if (!is_zero_ether_addr(ndev->config.mac)) {
+ pfmdev = pci_get_drvdata(pci_physfn(mvdev->mdev->pdev));
+ mlx5_mpfs_del_mac(pfmdev, ndev->config.mac);
+ }
++ mlx5_cmd_cleanup_async_ctx(&mvdev->async_ctx);
+ mlx5_vdpa_free_resources(&ndev->mvdev);
+ free_irqs(ndev);
+ kfree(ndev->event_cbs);
+@@ -3888,6 +3890,8 @@ static int mlx5_vdpa_dev_add(struct vdpa_mgmt_dev *v_mdev, const char *name,
+ mvdev->actual_features =
+ (device_features & BIT_ULL(VIRTIO_F_VERSION_1));
+
++ mlx5_cmd_init_async_ctx(mdev, &mvdev->async_ctx);
++
+ ndev->vqs = kcalloc(max_vqs, sizeof(*ndev->vqs), GFP_KERNEL);
+ ndev->event_cbs = kcalloc(max_vqs + 1, sizeof(*ndev->event_cbs), GFP_KERNEL);
+ if (!ndev->vqs || !ndev->event_cbs) {
+@@ -3960,8 +3964,6 @@ static int mlx5_vdpa_dev_add(struct vdpa_mgmt_dev *v_mdev, const char *name,
+ ndev->rqt_size = 1;
+ }
+
+- mlx5_cmd_init_async_ctx(mdev, &mvdev->async_ctx);
+-
+ ndev->mvdev.mlx_features = device_features;
+ mvdev->vdev.dma_dev = &mdev->pdev->dev;
+ err = mlx5_vdpa_alloc_resources(&ndev->mvdev);
+--
+2.39.5
+
--- /dev/null
+From 6cda6b06d450f429ca1ff545ffba9f0a2a96f499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 16:46:17 -0700
+Subject: vfio: Fix unbalanced vfio_df_close call in no-iommu mode
+
+From: Jacob Pan <jacob.pan@linux.microsoft.com>
+
+[ Upstream commit b25e271b377999191b12f0afbe1861edcf57e3fe ]
+
+For devices with no-iommu enabled in IOMMUFD VFIO compat mode, the group open
+path skips vfio_df_open(), leaving open_count at 0. This causes a warning in
+vfio_assert_device_open(device) when vfio_df_close() is called during group
+close.
+
+The correct behavior is to skip only the IOMMUFD bind in the device open path
+for no-iommu devices. Commit 6086efe73498 omitted vfio_df_open(), which was
+too broad. This patch restores the previous behavior, ensuring
+the vfio_df_open is called in the group open path.
+
+Fixes: 6086efe73498 ("vfio-iommufd: Move noiommu compat validation out of vfio_iommufd_bind()")
+Suggested-by: Alex Williamson <alex.williamson@redhat.com>
+Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/20250618234618.1910456-1-jacob.pan@linux.microsoft.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/group.c | 7 +++----
+ drivers/vfio/iommufd.c | 4 ++++
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
+index c321d442f0da..c376a6279de0 100644
+--- a/drivers/vfio/group.c
++++ b/drivers/vfio/group.c
+@@ -192,11 +192,10 @@ static int vfio_df_group_open(struct vfio_device_file *df)
+ * implies they expected translation to exist
+ */
+ if (!capable(CAP_SYS_RAWIO) ||
+- vfio_iommufd_device_has_compat_ioas(device, df->iommufd))
++ vfio_iommufd_device_has_compat_ioas(device, df->iommufd)) {
+ ret = -EPERM;
+- else
+- ret = 0;
+- goto out_put_kvm;
++ goto out_put_kvm;
++ }
+ }
+
+ ret = vfio_df_open(df);
+diff --git a/drivers/vfio/iommufd.c b/drivers/vfio/iommufd.c
+index c8c3a2d53f86..a38d262c6028 100644
+--- a/drivers/vfio/iommufd.c
++++ b/drivers/vfio/iommufd.c
+@@ -25,6 +25,10 @@ int vfio_df_iommufd_bind(struct vfio_device_file *df)
+
+ lockdep_assert_held(&vdev->dev_set->lock);
+
++ /* Returns 0 to permit device opening under noiommu mode */
++ if (vfio_device_is_noiommu(vdev))
++ return 0;
++
+ return vdev->ops->bind_iommufd(vdev, ictx, &df->devid);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b4185595f5d50b0914f50e3038802b8500d7586a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 13:08:25 -0300
+Subject: vfio/pci: Do vf_token checks for VFIO_DEVICE_BIND_IOMMUFD
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 86624ba3b522b6512def25534341da93356c8da4 ]
+
+This was missed during the initial implementation. The VFIO PCI encodes
+the vf_token inside the device name when opening the device from the group
+FD, something like:
+
+ "0000:04:10.0 vf_token=bd8d9d2b-5a5f-4f5a-a211-f591514ba1f3"
+
+This is used to control access to a VF unless there is co-ordination with
+the owner of the PF.
+
+Since we no longer have a device name in the cdev path, pass the token
+directly through VFIO_DEVICE_BIND_IOMMUFD using an optional field
+indicated by VFIO_DEVICE_BIND_FLAG_TOKEN.
+
+Fixes: 5fcc26969a16 ("vfio: Add VFIO_DEVICE_BIND_IOMMUFD")
+Tested-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Link: https://lore.kernel.org/r/0-v3-bdd8716e85fe+3978a-vfio_token_jgg@nvidia.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/device_cdev.c | 38 +++++++++++++++++--
+ .../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 1 +
+ drivers/vfio/pci/mlx5/main.c | 1 +
+ drivers/vfio/pci/nvgrace-gpu/main.c | 2 +
+ drivers/vfio/pci/pds/vfio_dev.c | 1 +
+ drivers/vfio/pci/qat/main.c | 1 +
+ drivers/vfio/pci/vfio_pci.c | 1 +
+ drivers/vfio/pci/vfio_pci_core.c | 22 +++++++----
+ drivers/vfio/pci/virtio/main.c | 3 ++
+ include/linux/vfio.h | 4 ++
+ include/linux/vfio_pci_core.h | 2 +
+ include/uapi/linux/vfio.h | 12 +++++-
+ 12 files changed, 76 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/vfio/device_cdev.c b/drivers/vfio/device_cdev.c
+index 281a8dc3ed49..480cac3a0c27 100644
+--- a/drivers/vfio/device_cdev.c
++++ b/drivers/vfio/device_cdev.c
+@@ -60,22 +60,50 @@ static void vfio_df_get_kvm_safe(struct vfio_device_file *df)
+ spin_unlock(&df->kvm_ref_lock);
+ }
+
++static int vfio_df_check_token(struct vfio_device *device,
++ const struct vfio_device_bind_iommufd *bind)
++{
++ uuid_t uuid;
++
++ if (!device->ops->match_token_uuid) {
++ if (bind->flags & VFIO_DEVICE_BIND_FLAG_TOKEN)
++ return -EINVAL;
++ return 0;
++ }
++
++ if (!(bind->flags & VFIO_DEVICE_BIND_FLAG_TOKEN))
++ return device->ops->match_token_uuid(device, NULL);
++
++ if (copy_from_user(&uuid, u64_to_user_ptr(bind->token_uuid_ptr),
++ sizeof(uuid)))
++ return -EFAULT;
++ return device->ops->match_token_uuid(device, &uuid);
++}
++
+ long vfio_df_ioctl_bind_iommufd(struct vfio_device_file *df,
+ struct vfio_device_bind_iommufd __user *arg)
+ {
++ const u32 VALID_FLAGS = VFIO_DEVICE_BIND_FLAG_TOKEN;
+ struct vfio_device *device = df->device;
+ struct vfio_device_bind_iommufd bind;
+ unsigned long minsz;
++ u32 user_size;
+ int ret;
+
+ static_assert(__same_type(arg->out_devid, df->devid));
+
+ minsz = offsetofend(struct vfio_device_bind_iommufd, out_devid);
+
+- if (copy_from_user(&bind, arg, minsz))
+- return -EFAULT;
++ ret = get_user(user_size, &arg->argsz);
++ if (ret)
++ return ret;
++ if (user_size < minsz)
++ return -EINVAL;
++ ret = copy_struct_from_user(&bind, minsz, arg, user_size);
++ if (ret)
++ return ret;
+
+- if (bind.argsz < minsz || bind.flags || bind.iommufd < 0)
++ if (bind.iommufd < 0 || bind.flags & ~VALID_FLAGS)
+ return -EINVAL;
+
+ /* BIND_IOMMUFD only allowed for cdev fds */
+@@ -93,6 +121,10 @@ long vfio_df_ioctl_bind_iommufd(struct vfio_device_file *df,
+ goto out_unlock;
+ }
+
++ ret = vfio_df_check_token(device, &bind);
++ if (ret)
++ goto out_unlock;
++
+ df->iommufd = iommufd_ctx_from_fd(bind.iommufd);
+ if (IS_ERR(df->iommufd)) {
+ ret = PTR_ERR(df->iommufd);
+diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+index 2149f49aeec7..397f5e445136 100644
+--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+@@ -1583,6 +1583,7 @@ static const struct vfio_device_ops hisi_acc_vfio_pci_ops = {
+ .mmap = vfio_pci_core_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+diff --git a/drivers/vfio/pci/mlx5/main.c b/drivers/vfio/pci/mlx5/main.c
+index 93f894fe60d2..7ec47e736a8e 100644
+--- a/drivers/vfio/pci/mlx5/main.c
++++ b/drivers/vfio/pci/mlx5/main.c
+@@ -1372,6 +1372,7 @@ static const struct vfio_device_ops mlx5vf_pci_ops = {
+ .mmap = vfio_pci_core_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+diff --git a/drivers/vfio/pci/nvgrace-gpu/main.c b/drivers/vfio/pci/nvgrace-gpu/main.c
+index e5ac39c4cc6b..d95761dcdd58 100644
+--- a/drivers/vfio/pci/nvgrace-gpu/main.c
++++ b/drivers/vfio/pci/nvgrace-gpu/main.c
+@@ -696,6 +696,7 @@ static const struct vfio_device_ops nvgrace_gpu_pci_ops = {
+ .mmap = nvgrace_gpu_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+@@ -715,6 +716,7 @@ static const struct vfio_device_ops nvgrace_gpu_pci_core_ops = {
+ .mmap = vfio_pci_core_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+diff --git a/drivers/vfio/pci/pds/vfio_dev.c b/drivers/vfio/pci/pds/vfio_dev.c
+index f6e0253a8a14..f3ccb0008f67 100644
+--- a/drivers/vfio/pci/pds/vfio_dev.c
++++ b/drivers/vfio/pci/pds/vfio_dev.c
+@@ -201,6 +201,7 @@ static const struct vfio_device_ops pds_vfio_ops = {
+ .mmap = vfio_pci_core_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+diff --git a/drivers/vfio/pci/qat/main.c b/drivers/vfio/pci/qat/main.c
+index 845ed15b6771..5cce6b0b8d2f 100644
+--- a/drivers/vfio/pci/qat/main.c
++++ b/drivers/vfio/pci/qat/main.c
+@@ -614,6 +614,7 @@ static const struct vfio_device_ops qat_vf_pci_ops = {
+ .mmap = vfio_pci_core_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
+index 5ba39f7623bb..ac10f14417f2 100644
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -138,6 +138,7 @@ static const struct vfio_device_ops vfio_pci_ops = {
+ .mmap = vfio_pci_core_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
+index 261a6dc5a5fc..fad410cf91bc 100644
+--- a/drivers/vfio/pci/vfio_pci_core.c
++++ b/drivers/vfio/pci/vfio_pci_core.c
+@@ -1821,9 +1821,13 @@ void vfio_pci_core_request(struct vfio_device *core_vdev, unsigned int count)
+ }
+ EXPORT_SYMBOL_GPL(vfio_pci_core_request);
+
+-static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev,
+- bool vf_token, uuid_t *uuid)
++int vfio_pci_core_match_token_uuid(struct vfio_device *core_vdev,
++ const uuid_t *uuid)
++
+ {
++ struct vfio_pci_core_device *vdev =
++ container_of(core_vdev, struct vfio_pci_core_device, vdev);
++
+ /*
+ * There's always some degree of trust or collaboration between SR-IOV
+ * PF and VFs, even if just that the PF hosts the SR-IOV capability and
+@@ -1854,7 +1858,7 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev,
+ bool match;
+
+ if (!pf_vdev) {
+- if (!vf_token)
++ if (!uuid)
+ return 0; /* PF is not vfio-pci, no VF token */
+
+ pci_info_ratelimited(vdev->pdev,
+@@ -1862,7 +1866,7 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev,
+ return -EINVAL;
+ }
+
+- if (!vf_token) {
++ if (!uuid) {
+ pci_info_ratelimited(vdev->pdev,
+ "VF token required to access device\n");
+ return -EACCES;
+@@ -1880,7 +1884,7 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev,
+ } else if (vdev->vf_token) {
+ mutex_lock(&vdev->vf_token->lock);
+ if (vdev->vf_token->users) {
+- if (!vf_token) {
++ if (!uuid) {
+ mutex_unlock(&vdev->vf_token->lock);
+ pci_info_ratelimited(vdev->pdev,
+ "VF token required to access device\n");
+@@ -1893,12 +1897,12 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev,
+ "Incorrect VF token provided for device\n");
+ return -EACCES;
+ }
+- } else if (vf_token) {
++ } else if (uuid) {
+ uuid_copy(&vdev->vf_token->uuid, uuid);
+ }
+
+ mutex_unlock(&vdev->vf_token->lock);
+- } else if (vf_token) {
++ } else if (uuid) {
+ pci_info_ratelimited(vdev->pdev,
+ "VF token incorrectly provided, not a PF or VF\n");
+ return -EINVAL;
+@@ -1906,6 +1910,7 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev,
+
+ return 0;
+ }
++EXPORT_SYMBOL_GPL(vfio_pci_core_match_token_uuid);
+
+ #define VF_TOKEN_ARG "vf_token="
+
+@@ -1952,7 +1957,8 @@ int vfio_pci_core_match(struct vfio_device *core_vdev, char *buf)
+ }
+ }
+
+- ret = vfio_pci_validate_vf_token(vdev, vf_token, &uuid);
++ ret = core_vdev->ops->match_token_uuid(core_vdev,
++ vf_token ? &uuid : NULL);
+ if (ret)
+ return ret;
+
+diff --git a/drivers/vfio/pci/virtio/main.c b/drivers/vfio/pci/virtio/main.c
+index 515fe1b9f94d..8084f3e36a9f 100644
+--- a/drivers/vfio/pci/virtio/main.c
++++ b/drivers/vfio/pci/virtio/main.c
+@@ -94,6 +94,7 @@ static const struct vfio_device_ops virtiovf_vfio_pci_lm_ops = {
+ .mmap = vfio_pci_core_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+@@ -114,6 +115,7 @@ static const struct vfio_device_ops virtiovf_vfio_pci_tran_lm_ops = {
+ .mmap = vfio_pci_core_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+@@ -134,6 +136,7 @@ static const struct vfio_device_ops virtiovf_vfio_pci_ops = {
+ .mmap = vfio_pci_core_mmap,
+ .request = vfio_pci_core_request,
+ .match = vfio_pci_core_match,
++ .match_token_uuid = vfio_pci_core_match_token_uuid,
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
+diff --git a/include/linux/vfio.h b/include/linux/vfio.h
+index 707b00772ce1..eb563f538dee 100644
+--- a/include/linux/vfio.h
++++ b/include/linux/vfio.h
+@@ -105,6 +105,9 @@ struct vfio_device {
+ * @match: Optional device name match callback (return: 0 for no-match, >0 for
+ * match, -errno for abort (ex. match with insufficient or incorrect
+ * additional args)
++ * @match_token_uuid: Optional device token match/validation. Return 0
++ * if the uuid is valid for the device, -errno otherwise. uuid is NULL
++ * if none was provided.
+ * @dma_unmap: Called when userspace unmaps IOVA from the container
+ * this device is attached to.
+ * @device_feature: Optional, fill in the VFIO_DEVICE_FEATURE ioctl
+@@ -132,6 +135,7 @@ struct vfio_device_ops {
+ int (*mmap)(struct vfio_device *vdev, struct vm_area_struct *vma);
+ void (*request)(struct vfio_device *vdev, unsigned int count);
+ int (*match)(struct vfio_device *vdev, char *buf);
++ int (*match_token_uuid)(struct vfio_device *vdev, const uuid_t *uuid);
+ void (*dma_unmap)(struct vfio_device *vdev, u64 iova, u64 length);
+ int (*device_feature)(struct vfio_device *device, u32 flags,
+ void __user *arg, size_t argsz);
+diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h
+index fbb472dd99b3..f541044e42a2 100644
+--- a/include/linux/vfio_pci_core.h
++++ b/include/linux/vfio_pci_core.h
+@@ -122,6 +122,8 @@ ssize_t vfio_pci_core_write(struct vfio_device *core_vdev, const char __user *bu
+ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma);
+ void vfio_pci_core_request(struct vfio_device *core_vdev, unsigned int count);
+ int vfio_pci_core_match(struct vfio_device *core_vdev, char *buf);
++int vfio_pci_core_match_token_uuid(struct vfio_device *core_vdev,
++ const uuid_t *uuid);
+ int vfio_pci_core_enable(struct vfio_pci_core_device *vdev);
+ void vfio_pci_core_disable(struct vfio_pci_core_device *vdev);
+ void vfio_pci_core_finish_enable(struct vfio_pci_core_device *vdev);
+diff --git a/include/uapi/linux/vfio.h b/include/uapi/linux/vfio.h
+index 5764f315137f..75100bf009ba 100644
+--- a/include/uapi/linux/vfio.h
++++ b/include/uapi/linux/vfio.h
+@@ -905,10 +905,12 @@ struct vfio_device_feature {
+ * VFIO_DEVICE_BIND_IOMMUFD - _IOR(VFIO_TYPE, VFIO_BASE + 18,
+ * struct vfio_device_bind_iommufd)
+ * @argsz: User filled size of this data.
+- * @flags: Must be 0.
++ * @flags: Must be 0 or a bit flags of VFIO_DEVICE_BIND_*
+ * @iommufd: iommufd to bind.
+ * @out_devid: The device id generated by this bind. devid is a handle for
+ * this device/iommufd bond and can be used in IOMMUFD commands.
++ * @token_uuid_ptr: Valid if VFIO_DEVICE_BIND_FLAG_TOKEN. Points to a 16 byte
++ * UUID in the same format as VFIO_DEVICE_FEATURE_PCI_VF_TOKEN.
+ *
+ * Bind a vfio_device to the specified iommufd.
+ *
+@@ -917,13 +919,21 @@ struct vfio_device_feature {
+ *
+ * Unbind is automatically conducted when device fd is closed.
+ *
++ * A token is sometimes required to open the device, unless this is known to be
++ * needed VFIO_DEVICE_BIND_FLAG_TOKEN should not be set and token_uuid_ptr is
++ * ignored. The only case today is a PF/VF relationship where the VF bind must
++ * be provided the same token as VFIO_DEVICE_FEATURE_PCI_VF_TOKEN provided to
++ * the PF.
++ *
+ * Return: 0 on success, -errno on failure.
+ */
+ struct vfio_device_bind_iommufd {
+ __u32 argsz;
+ __u32 flags;
++#define VFIO_DEVICE_BIND_FLAG_TOKEN (1 << 0)
+ __s32 iommufd;
+ __u32 out_devid;
++ __aligned_u64 token_uuid_ptr;
+ };
+
+ #define VFIO_DEVICE_BIND_IOMMUFD _IO(VFIO_TYPE, VFIO_BASE + 18)
+--
+2.39.5
+
--- /dev/null
+From da2722527096ef7ae53ce003e7ea65640687ae5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 16:56:18 -0600
+Subject: vfio/pci: Separate SR-IOV VF dev_set
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit e908f58b6beb337cbe4481d52c3f5c78167b1aab ]
+
+In the below noted Fixes commit we introduced a reflck mutex to allow
+better scaling between devices for open and close. The reflck was
+based on the hot reset granularity, device level for root bus devices
+which cannot support hot reset or bus/slot reset otherwise. Overlooked
+in this were SR-IOV VFs, where there's also no bus reset option, but
+the default for a non-root-bus, non-slot-based device is bus level
+reflck granularity.
+
+The reflck mutex has since become the dev_set mutex (via commit
+2cd8b14aaa66 ("vfio/pci: Move to the device set infrastructure")) and
+is our defacto serialization for various operations and ioctls. It
+still seems to be the case though that sets of vfio-pci devices really
+only need serialization relative to hot resets affecting the entire
+set, which is not relevant to SR-IOV VFs. As described in the Closes
+link below, this serialization contributes to startup latency when
+multiple VFs sharing the same "bus" are opened concurrently.
+
+Mark the device itself as the basis of the dev_set for SR-IOV VFs.
+
+Reported-by: Aaron Lewis <aaronlewis@google.com>
+Closes: https://lore.kernel.org/all/20250626180424.632628-1-aaronlewis@google.com
+Tested-by: Aaron Lewis <aaronlewis@google.com>
+Fixes: e309df5b0c9e ("vfio/pci: Parallelize device open and release")
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/20250626225623.1180952-1-alex.williamson@redhat.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
+index 6328c3a05bcd..261a6dc5a5fc 100644
+--- a/drivers/vfio/pci/vfio_pci_core.c
++++ b/drivers/vfio/pci/vfio_pci_core.c
+@@ -2149,7 +2149,7 @@ int vfio_pci_core_register_device(struct vfio_pci_core_device *vdev)
+ return -EBUSY;
+ }
+
+- if (pci_is_root_bus(pdev->bus)) {
++ if (pci_is_root_bus(pdev->bus) || pdev->is_virtfn) {
+ ret = vfio_assign_device_set(&vdev->vdev, vdev);
+ } else if (!pci_probe_reset_slot(pdev->slot)) {
+ ret = vfio_assign_device_set(&vdev->vdev, pdev->slot);
+--
+2.39.5
+
--- /dev/null
+From 93ea0209716ccf65f7474dbea381166c9f1f8449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 09:37:44 -0700
+Subject: vfio/pds: Fix missing detach_ioas op
+
+From: Brett Creeley <brett.creeley@amd.com>
+
+[ Upstream commit fe24d5bc635e103a517ec201c3cb571eeab8be2f ]
+
+When CONFIG_IOMMUFD is enabled and a device is bound to the pds_vfio_pci
+driver, the following WARN_ON() trace is seen and probe fails:
+
+WARNING: CPU: 0 PID: 5040 at drivers/vfio/vfio_main.c:317 __vfio_register_dev+0x130/0x140 [vfio]
+<...>
+pds_vfio_pci 0000:08:00.1: probe with driver pds_vfio_pci failed with error -22
+
+This is because the driver's vfio_device_ops.detach_ioas isn't set.
+
+Fix this by using the generic vfio_iommufd_physical_detach_ioas
+function.
+
+Fixes: 38fe3975b4c2 ("vfio/pds: Initial support for pds VFIO driver")
+Signed-off-by: Brett Creeley <brett.creeley@amd.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Link: https://lore.kernel.org/r/20250702163744.69767-1-brett.creeley@amd.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/pds/vfio_dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vfio/pci/pds/vfio_dev.c b/drivers/vfio/pci/pds/vfio_dev.c
+index 76a80ae7087b..f6e0253a8a14 100644
+--- a/drivers/vfio/pci/pds/vfio_dev.c
++++ b/drivers/vfio/pci/pds/vfio_dev.c
+@@ -204,6 +204,7 @@ static const struct vfio_device_ops pds_vfio_ops = {
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
++ .detach_ioas = vfio_iommufd_physical_detach_ioas,
+ };
+
+ const struct vfio_device_ops *pds_vfio_ops_info(void)
+--
+2.39.5
+
--- /dev/null
+From 2d00ae26ec49ebce95c5ecc58a4389c98a64f817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 16:46:18 -0700
+Subject: vfio: Prevent open_count decrement to negative
+
+From: Jacob Pan <jacob.pan@linux.microsoft.com>
+
+[ Upstream commit 982ddd59ed97dc7e63efd97ed50273ffb817bd41 ]
+
+When vfio_df_close() is called with open_count=0, it triggers a warning in
+vfio_assert_device_open() but still decrements open_count to -1. This allows
+a subsequent open to incorrectly pass the open_count == 0 check, leading to
+unintended behavior, such as setting df->access_granted = true.
+
+For example, running an IOMMUFD compat no-IOMMU device with VFIO tests
+(https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c)
+results in a warning and a failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first
+run, but the second run succeeds incorrectly.
+
+Add checks to avoid decrementing open_count below zero.
+
+Fixes: 05f37e1c03b6 ("vfio: Pass struct vfio_device_file * to vfio_device_open/close()")
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
+Link: https://lore.kernel.org/r/20250618234618.1910456-2-jacob.pan@linux.microsoft.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
+index 1fd261efc582..5046cae05222 100644
+--- a/drivers/vfio/vfio_main.c
++++ b/drivers/vfio/vfio_main.c
+@@ -583,7 +583,8 @@ void vfio_df_close(struct vfio_device_file *df)
+
+ lockdep_assert_held(&device->dev_set->lock);
+
+- vfio_assert_device_open(device);
++ if (!vfio_assert_device_open(device))
++ return;
+ if (device->open_count == 1)
+ vfio_df_device_last_close(df);
+ device->open_count--;
+--
+2.39.5
+
--- /dev/null
+From 3cea4404cda29e02dbf02d59c7c96d766bff9df7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 15:12:32 +0800
+Subject: vhost: Reintroduce kthread API and add mode selection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cindy Lu <lulu@redhat.com>
+
+[ Upstream commit 7d9896e9f6d02d8aa85e63f736871f96c59a5263 ]
+
+Since commit 6e890c5d5021 ("vhost: use vhost_tasks for worker threads"),
+the vhost uses vhost_task and operates as a child of the
+owner thread. This is required for correct CPU usage accounting,
+especially when using containers.
+
+However, this change has caused confusion for some legacy
+userspace applications, and we didn't notice until it's too late.
+
+Unfortunately, it's too late to revert - we now have userspace
+depending both on old and new behaviour :(
+
+To address the issue, reintroduce kthread mode for vhost workers and
+provide a configuration to select between kthread and task worker.
+
+- Add 'fork_owner' parameter to vhost_dev to let users select kthread
+ or task mode. Default mode is task mode(VHOST_FORK_OWNER_TASK).
+
+- Reintroduce kthread mode support:
+ * Bring back the original vhost_worker() implementation,
+ and renamed to vhost_run_work_kthread_list().
+ * Add cgroup support for the kthread
+ * Introduce struct vhost_worker_ops:
+ - Encapsulates create / stop / wake‑up callbacks.
+ - vhost_worker_create() selects the proper ops according to
+ inherit_owner.
+
+- Userspace configuration interface:
+ * New IOCTLs:
+ - VHOST_SET_FORK_FROM_OWNER lets userspace select task mode
+ (VHOST_FORK_OWNER_TASK) or kthread mode (VHOST_FORK_OWNER_KTHREAD)
+ - VHOST_GET_FORK_FROM_OWNER reads the current worker mode
+ * Expose module parameter 'fork_from_owner_default' to allow system
+ administrators to configure the default mode for vhost workers
+ * Kconfig option CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL controls whether
+ these IOCTLs and the parameter are available
+
+- The VHOST_NEW_WORKER functionality requires fork_owner to be set
+ to true, with validation added to ensure proper configuration
+
+This partially reverts or improves upon:
+ commit 6e890c5d5021 ("vhost: use vhost_tasks for worker threads")
+ commit 1cdaafa1b8b4 ("vhost: replace single worker pointer with xarray")
+
+Fixes: 6e890c5d5021 ("vhost: use vhost_tasks for worker threads"),
+Signed-off-by: Cindy Lu <lulu@redhat.com>
+Message-Id: <20250714071333.59794-2-lulu@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Tested-by: Lei Yang <leiyang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/Kconfig | 18 +++
+ drivers/vhost/vhost.c | 244 ++++++++++++++++++++++++++++++++++---
+ drivers/vhost/vhost.h | 22 ++++
+ include/uapi/linux/vhost.h | 29 +++++
+ 4 files changed, 295 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/vhost/Kconfig b/drivers/vhost/Kconfig
+index 020d4fbb947c..bc0f38574497 100644
+--- a/drivers/vhost/Kconfig
++++ b/drivers/vhost/Kconfig
+@@ -95,4 +95,22 @@ config VHOST_CROSS_ENDIAN_LEGACY
+
+ If unsure, say "N".
+
++config VHOST_ENABLE_FORK_OWNER_CONTROL
++ bool "Enable VHOST_ENABLE_FORK_OWNER_CONTROL"
++ default y
++ help
++ This option enables two IOCTLs: VHOST_SET_FORK_FROM_OWNER and
++ VHOST_GET_FORK_FROM_OWNER. These allow userspace applications
++ to modify the vhost worker mode for vhost devices.
++
++ Also expose module parameter 'fork_from_owner_default' to allow users
++ to configure the default mode for vhost workers.
++
++ By default, `VHOST_ENABLE_FORK_OWNER_CONTROL` is set to `y`,
++ users can change the worker thread mode as needed.
++ If this config is disabled (n),the related IOCTLs and parameters will
++ be unavailable.
++
++ If unsure, say "Y".
++
+ endif
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 3a5ebb973dba..84c9bdf9aedd 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -22,6 +22,7 @@
+ #include <linux/slab.h>
+ #include <linux/vmalloc.h>
+ #include <linux/kthread.h>
++#include <linux/cgroup.h>
+ #include <linux/module.h>
+ #include <linux/sort.h>
+ #include <linux/sched/mm.h>
+@@ -41,6 +42,13 @@ static int max_iotlb_entries = 2048;
+ module_param(max_iotlb_entries, int, 0444);
+ MODULE_PARM_DESC(max_iotlb_entries,
+ "Maximum number of iotlb entries. (default: 2048)");
++static bool fork_from_owner_default = VHOST_FORK_OWNER_TASK;
++
++#ifdef CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL
++module_param(fork_from_owner_default, bool, 0444);
++MODULE_PARM_DESC(fork_from_owner_default,
++ "Set task mode as the default(default: Y)");
++#endif
+
+ enum {
+ VHOST_MEMORY_F_LOG = 0x1,
+@@ -242,7 +250,7 @@ static void vhost_worker_queue(struct vhost_worker *worker,
+ * test_and_set_bit() implies a memory barrier.
+ */
+ llist_add(&work->node, &worker->work_list);
+- vhost_task_wake(worker->vtsk);
++ worker->ops->wakeup(worker);
+ }
+ }
+
+@@ -388,6 +396,44 @@ static void vhost_vq_reset(struct vhost_dev *dev,
+ __vhost_vq_meta_reset(vq);
+ }
+
++static int vhost_run_work_kthread_list(void *data)
++{
++ struct vhost_worker *worker = data;
++ struct vhost_work *work, *work_next;
++ struct vhost_dev *dev = worker->dev;
++ struct llist_node *node;
++
++ kthread_use_mm(dev->mm);
++
++ for (;;) {
++ /* mb paired w/ kthread_stop */
++ set_current_state(TASK_INTERRUPTIBLE);
++
++ if (kthread_should_stop()) {
++ __set_current_state(TASK_RUNNING);
++ break;
++ }
++ node = llist_del_all(&worker->work_list);
++ if (!node)
++ schedule();
++
++ node = llist_reverse_order(node);
++ /* make sure flag is seen after deletion */
++ smp_wmb();
++ llist_for_each_entry_safe(work, work_next, node, node) {
++ clear_bit(VHOST_WORK_QUEUED, &work->flags);
++ __set_current_state(TASK_RUNNING);
++ kcov_remote_start_common(worker->kcov_handle);
++ work->fn(work);
++ kcov_remote_stop();
++ cond_resched();
++ }
++ }
++ kthread_unuse_mm(dev->mm);
++
++ return 0;
++}
++
+ static bool vhost_run_work_list(void *data)
+ {
+ struct vhost_worker *worker = data;
+@@ -552,6 +598,7 @@ void vhost_dev_init(struct vhost_dev *dev,
+ dev->byte_weight = byte_weight;
+ dev->use_worker = use_worker;
+ dev->msg_handler = msg_handler;
++ dev->fork_owner = fork_from_owner_default;
+ init_waitqueue_head(&dev->wait);
+ INIT_LIST_HEAD(&dev->read_list);
+ INIT_LIST_HEAD(&dev->pending_list);
+@@ -581,6 +628,46 @@ long vhost_dev_check_owner(struct vhost_dev *dev)
+ }
+ EXPORT_SYMBOL_GPL(vhost_dev_check_owner);
+
++struct vhost_attach_cgroups_struct {
++ struct vhost_work work;
++ struct task_struct *owner;
++ int ret;
++};
++
++static void vhost_attach_cgroups_work(struct vhost_work *work)
++{
++ struct vhost_attach_cgroups_struct *s;
++
++ s = container_of(work, struct vhost_attach_cgroups_struct, work);
++ s->ret = cgroup_attach_task_all(s->owner, current);
++}
++
++static int vhost_attach_task_to_cgroups(struct vhost_worker *worker)
++{
++ struct vhost_attach_cgroups_struct attach;
++ int saved_cnt;
++
++ attach.owner = current;
++
++ vhost_work_init(&attach.work, vhost_attach_cgroups_work);
++ vhost_worker_queue(worker, &attach.work);
++
++ mutex_lock(&worker->mutex);
++
++ /*
++ * Bypass attachment_cnt check in __vhost_worker_flush:
++ * Temporarily change it to INT_MAX to bypass the check
++ */
++ saved_cnt = worker->attachment_cnt;
++ worker->attachment_cnt = INT_MAX;
++ __vhost_worker_flush(worker);
++ worker->attachment_cnt = saved_cnt;
++
++ mutex_unlock(&worker->mutex);
++
++ return attach.ret;
++}
++
+ /* Caller should have device mutex */
+ bool vhost_dev_has_owner(struct vhost_dev *dev)
+ {
+@@ -626,7 +713,7 @@ static void vhost_worker_destroy(struct vhost_dev *dev,
+
+ WARN_ON(!llist_empty(&worker->work_list));
+ xa_erase(&dev->worker_xa, worker->id);
+- vhost_task_stop(worker->vtsk);
++ worker->ops->stop(worker);
+ kfree(worker);
+ }
+
+@@ -649,42 +736,115 @@ static void vhost_workers_free(struct vhost_dev *dev)
+ xa_destroy(&dev->worker_xa);
+ }
+
++static void vhost_task_wakeup(struct vhost_worker *worker)
++{
++ return vhost_task_wake(worker->vtsk);
++}
++
++static void vhost_kthread_wakeup(struct vhost_worker *worker)
++{
++ wake_up_process(worker->kthread_task);
++}
++
++static void vhost_task_do_stop(struct vhost_worker *worker)
++{
++ return vhost_task_stop(worker->vtsk);
++}
++
++static void vhost_kthread_do_stop(struct vhost_worker *worker)
++{
++ kthread_stop(worker->kthread_task);
++}
++
++static int vhost_task_worker_create(struct vhost_worker *worker,
++ struct vhost_dev *dev, const char *name)
++{
++ struct vhost_task *vtsk;
++ u32 id;
++ int ret;
++
++ vtsk = vhost_task_create(vhost_run_work_list, vhost_worker_killed,
++ worker, name);
++ if (IS_ERR(vtsk))
++ return PTR_ERR(vtsk);
++
++ worker->vtsk = vtsk;
++ vhost_task_start(vtsk);
++ ret = xa_alloc(&dev->worker_xa, &id, worker, xa_limit_32b, GFP_KERNEL);
++ if (ret < 0) {
++ vhost_task_do_stop(worker);
++ return ret;
++ }
++ worker->id = id;
++ return 0;
++}
++
++static int vhost_kthread_worker_create(struct vhost_worker *worker,
++ struct vhost_dev *dev, const char *name)
++{
++ struct task_struct *task;
++ u32 id;
++ int ret;
++
++ task = kthread_create(vhost_run_work_kthread_list, worker, "%s", name);
++ if (IS_ERR(task))
++ return PTR_ERR(task);
++
++ worker->kthread_task = task;
++ wake_up_process(task);
++ ret = xa_alloc(&dev->worker_xa, &id, worker, xa_limit_32b, GFP_KERNEL);
++ if (ret < 0)
++ goto stop_worker;
++
++ ret = vhost_attach_task_to_cgroups(worker);
++ if (ret)
++ goto stop_worker;
++
++ worker->id = id;
++ return 0;
++
++stop_worker:
++ vhost_kthread_do_stop(worker);
++ return ret;
++}
++
++static const struct vhost_worker_ops kthread_ops = {
++ .create = vhost_kthread_worker_create,
++ .stop = vhost_kthread_do_stop,
++ .wakeup = vhost_kthread_wakeup,
++};
++
++static const struct vhost_worker_ops vhost_task_ops = {
++ .create = vhost_task_worker_create,
++ .stop = vhost_task_do_stop,
++ .wakeup = vhost_task_wakeup,
++};
++
+ static struct vhost_worker *vhost_worker_create(struct vhost_dev *dev)
+ {
+ struct vhost_worker *worker;
+- struct vhost_task *vtsk;
+ char name[TASK_COMM_LEN];
+ int ret;
+- u32 id;
++ const struct vhost_worker_ops *ops = dev->fork_owner ? &vhost_task_ops :
++ &kthread_ops;
+
+ worker = kzalloc(sizeof(*worker), GFP_KERNEL_ACCOUNT);
+ if (!worker)
+ return NULL;
+
+ worker->dev = dev;
++ worker->ops = ops;
+ snprintf(name, sizeof(name), "vhost-%d", current->pid);
+
+- vtsk = vhost_task_create(vhost_run_work_list, vhost_worker_killed,
+- worker, name);
+- if (IS_ERR(vtsk))
+- goto free_worker;
+-
+ mutex_init(&worker->mutex);
+ init_llist_head(&worker->work_list);
+ worker->kcov_handle = kcov_common_handle();
+- worker->vtsk = vtsk;
+-
+- vhost_task_start(vtsk);
+-
+- ret = xa_alloc(&dev->worker_xa, &id, worker, xa_limit_32b, GFP_KERNEL);
++ ret = ops->create(worker, dev, name);
+ if (ret < 0)
+- goto stop_worker;
+- worker->id = id;
++ goto free_worker;
+
+ return worker;
+
+-stop_worker:
+- vhost_task_stop(vtsk);
+ free_worker:
+ kfree(worker);
+ return NULL;
+@@ -865,6 +1025,14 @@ long vhost_worker_ioctl(struct vhost_dev *dev, unsigned int ioctl,
+ switch (ioctl) {
+ /* dev worker ioctls */
+ case VHOST_NEW_WORKER:
++ /*
++ * vhost_tasks will account for worker threads under the parent's
++ * NPROC value but kthreads do not. To avoid userspace overflowing
++ * the system with worker threads fork_owner must be true.
++ */
++ if (!dev->fork_owner)
++ return -EFAULT;
++
+ ret = vhost_new_worker(dev, &state);
+ if (!ret && copy_to_user(argp, &state, sizeof(state)))
+ ret = -EFAULT;
+@@ -982,6 +1150,7 @@ void vhost_dev_reset_owner(struct vhost_dev *dev, struct vhost_iotlb *umem)
+
+ vhost_dev_cleanup(dev);
+
++ dev->fork_owner = fork_from_owner_default;
+ dev->umem = umem;
+ /* We don't need VQ locks below since vhost_dev_cleanup makes sure
+ * VQs aren't running.
+@@ -2135,6 +2304,45 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
+ goto done;
+ }
+
++#ifdef CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL
++ if (ioctl == VHOST_SET_FORK_FROM_OWNER) {
++ /* Only allow modification before owner is set */
++ if (vhost_dev_has_owner(d)) {
++ r = -EBUSY;
++ goto done;
++ }
++ u8 fork_owner_val;
++
++ if (get_user(fork_owner_val, (u8 __user *)argp)) {
++ r = -EFAULT;
++ goto done;
++ }
++ if (fork_owner_val != VHOST_FORK_OWNER_TASK &&
++ fork_owner_val != VHOST_FORK_OWNER_KTHREAD) {
++ r = -EINVAL;
++ goto done;
++ }
++ d->fork_owner = !!fork_owner_val;
++ r = 0;
++ goto done;
++ }
++ if (ioctl == VHOST_GET_FORK_FROM_OWNER) {
++ u8 fork_owner_val = d->fork_owner;
++
++ if (fork_owner_val != VHOST_FORK_OWNER_TASK &&
++ fork_owner_val != VHOST_FORK_OWNER_KTHREAD) {
++ r = -EINVAL;
++ goto done;
++ }
++ if (put_user(fork_owner_val, (u8 __user *)argp)) {
++ r = -EFAULT;
++ goto done;
++ }
++ r = 0;
++ goto done;
++ }
++#endif
++
+ /* You must be the owner to do anything else */
+ r = vhost_dev_check_owner(d);
+ if (r)
+diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
+index bb75a292d50c..ab704d84fb34 100644
+--- a/drivers/vhost/vhost.h
++++ b/drivers/vhost/vhost.h
+@@ -26,7 +26,18 @@ struct vhost_work {
+ unsigned long flags;
+ };
+
++struct vhost_worker;
++struct vhost_dev;
++
++struct vhost_worker_ops {
++ int (*create)(struct vhost_worker *worker, struct vhost_dev *dev,
++ const char *name);
++ void (*stop)(struct vhost_worker *worker);
++ void (*wakeup)(struct vhost_worker *worker);
++};
++
+ struct vhost_worker {
++ struct task_struct *kthread_task;
+ struct vhost_task *vtsk;
+ struct vhost_dev *dev;
+ /* Used to serialize device wide flushing with worker swapping. */
+@@ -36,6 +47,7 @@ struct vhost_worker {
+ u32 id;
+ int attachment_cnt;
+ bool killed;
++ const struct vhost_worker_ops *ops;
+ };
+
+ /* Poll a file (eventfd or socket) */
+@@ -176,6 +188,16 @@ struct vhost_dev {
+ int byte_weight;
+ struct xarray worker_xa;
+ bool use_worker;
++ /*
++ * If fork_owner is true we use vhost_tasks to create
++ * the worker so all settings/limits like cgroups, NPROC,
++ * scheduler, etc are inherited from the owner. If false,
++ * we use kthreads and only attach to the same cgroups
++ * as the owner for compat with older kernels.
++ * here we use true as default value.
++ * The default value is set by fork_from_owner_default
++ */
++ bool fork_owner;
+ int (*msg_handler)(struct vhost_dev *dev, u32 asid,
+ struct vhost_iotlb_msg *msg);
+ };
+diff --git a/include/uapi/linux/vhost.h b/include/uapi/linux/vhost.h
+index d4b3e2ae1314..e72f2655459e 100644
+--- a/include/uapi/linux/vhost.h
++++ b/include/uapi/linux/vhost.h
+@@ -235,4 +235,33 @@
+ */
+ #define VHOST_VDPA_GET_VRING_SIZE _IOWR(VHOST_VIRTIO, 0x82, \
+ struct vhost_vring_state)
++
++/* fork_owner values for vhost */
++#define VHOST_FORK_OWNER_KTHREAD 0
++#define VHOST_FORK_OWNER_TASK 1
++
++/**
++ * VHOST_SET_FORK_FROM_OWNER - Set the fork_owner flag for the vhost device,
++ * This ioctl must called before VHOST_SET_OWNER.
++ * Only available when CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL=y
++ *
++ * @param fork_owner: An 8-bit value that determines the vhost thread mode
++ *
++ * When fork_owner is set to VHOST_FORK_OWNER_TASK(default value):
++ * - Vhost will create vhost worker as tasks forked from the owner,
++ * inheriting all of the owner's attributes.
++ *
++ * When fork_owner is set to VHOST_FORK_OWNER_KTHREAD:
++ * - Vhost will create vhost workers as kernel threads.
++ */
++#define VHOST_SET_FORK_FROM_OWNER _IOW(VHOST_VIRTIO, 0x83, __u8)
++
++/**
++ * VHOST_GET_FORK_OWNER - Get the current fork_owner flag for the vhost device.
++ * Only available when CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL=y
++ *
++ * @return: An 8-bit value indicating the current thread mode.
++ */
++#define VHOST_GET_FORK_FROM_OWNER _IOR(VHOST_VIRTIO, 0x84, __u8)
++
+ #endif
+--
+2.39.5
+
--- /dev/null
+From 5308e0b7e8b6573573e0b35b1f9363022b925da3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 11:33:53 -0700
+Subject: vhost-scsi: Fix check for inline_sg_cnt exceeding preallocated limit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 400cad513c78f9af72c5a20f3611c1f1dc71d465 ]
+
+The condition comparing ret to VHOST_SCSI_PREALLOC_SGLS was incorrect,
+as ret holds the result of kstrtouint() (typically 0 on success),
+not the parsed value. Update the check to use cnt, which contains the
+actual user-provided value.
+
+prevents silently accepting values exceeding the maximum inline_sg_cnt.
+
+Fixes: bca939d5bcd0 ("vhost-scsi: Dynamically allocate scatterlists")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20250628183405.3979538-1-alok.a.tiwari@oracle.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/scsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
+index c9f418a4571a..63b0829391eb 100644
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -71,7 +71,7 @@ static int vhost_scsi_set_inline_sg_cnt(const char *buf,
+ if (ret)
+ return ret;
+
+- if (ret > VHOST_SCSI_PREALLOC_SGLS) {
++ if (cnt > VHOST_SCSI_PREALLOC_SGLS) {
+ pr_err("Max inline_sg_cnt is %u\n", VHOST_SCSI_PREALLOC_SGLS);
+ return -EINVAL;
+ }
+--
+2.39.5
+
--- /dev/null
+From 511e43a2d520750c7143fde4d42f81bf68de661e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 16:01:13 -0500
+Subject: vhost-scsi: Fix log flooding with target does not exist errors
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit 69cd720a8a5e9ef0f05ce5dd8c9ea6e018245c82 ]
+
+As part of the normal initiator side scanning the guest's scsi layer
+will loop over all possible targets and send an inquiry. Since the
+max number of targets for virtio-scsi is 256, this can result in 255
+error messages about targets not existing if you only have a single
+target. When there's more than 1 vhost-scsi device each with a single
+target, then you get N * 255 log messages.
+
+It looks like the log message was added by accident in:
+
+commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from
+control queue handler")
+
+when we added common helpers. Then in:
+
+commit 09d7583294aa ("vhost/scsi: Use common handling code in request
+queue handler")
+
+we converted the scsi command processing path to use the new
+helpers so we started to see the extra log messages during scanning.
+
+The patches were just making some code common but added the vq_err
+call and I'm guessing the patch author forgot to enable the vq_err
+call (vq_err is implemented by pr_debug which defaults to off). So
+this patch removes the call since it's expected to hit this path
+during device discovery.
+
+Fixes: 09d7583294aa ("vhost/scsi: Use common handling code in request queue handler")
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20250611210113.10912-1-michael.christie@oracle.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/scsi.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
+index c12a0d4e6386..c9f418a4571a 100644
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -1226,10 +1226,8 @@ vhost_scsi_get_req(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc,
+ /* validated at handler entry */
+ vs_tpg = vhost_vq_get_backend(vq);
+ tpg = READ_ONCE(vs_tpg[*vc->target]);
+- if (unlikely(!tpg)) {
+- vq_err(vq, "Target 0x%x does not exist\n", *vc->target);
++ if (unlikely(!tpg))
+ goto out;
+- }
+ }
+
+ if (tpgp)
+--
+2.39.5
+
--- /dev/null
+From ddf48f2cd01b812149f25047abc61ffa74f293fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:52:14 +0800
+Subject: vmci: Prevent the dispatching of uninitialized payloads
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031 ]
+
+The reproducer executes the host's unlocked_ioctl call in two different
+tasks. When init_context fails, the struct vmci_event_ctx is not fully
+initialized when executing vmci_datagram_dispatch() to send events to all
+vm contexts. This affects the datagram taken from the datagram queue of
+its context by another task, because the datagram payload is not initialized
+according to the size payload_size, which causes the kernel data to leak
+to the user space.
+
+Before dispatching the datagram, and before setting the payload content,
+explicitly set the payload content to 0 to avoid data leakage caused by
+incomplete payload initialization.
+
+Fixes: 28d6692cd8fb ("VMCI: context implementation.")
+Reported-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9b9124ae9b12d5af5d95
+Tested-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://lore.kernel.org/r/20250627055214.2967129-1-lizhi.xu@windriver.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c
+index f22b44827e92..d566103caa27 100644
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -251,6 +251,8 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags)
+ ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID,
+ VMCI_CONTEXT_RESOURCE_ID);
+ ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr);
++ memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0,
++ ev.msg.hdr.payload_size);
+ ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED;
+ ev.payload.context_id = context_id;
+
+--
+2.39.5
+
--- /dev/null
+From 201136b9cec56df017abf8badd563bfeb1b35ad6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 09:00:43 -0700
+Subject: vrf: Drop existing dst reference in vrf_ip6_input_dst
+
+From: Stanislav Fomichev <sdf@fomichev.me>
+
+[ Upstream commit f388f807eca1de9e6e70f9ffb1a573c3811c4215 ]
+
+Commit ff3fbcdd4724 ("selftests: tc: Add generic erspan_opts matching support
+for tc-flower") started triggering the following kmemleak warning:
+
+unreferenced object 0xffff888015fb0e00 (size 512):
+ comm "softirq", pid 0, jiffies 4294679065
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 40 d2 85 9e ff ff ff ff ........@.......
+ 41 69 59 9d ff ff ff ff 00 00 00 00 00 00 00 00 AiY.............
+ backtrace (crc 30b71e8b):
+ __kmalloc_noprof+0x359/0x460
+ metadata_dst_alloc+0x28/0x490
+ erspan_rcv+0x4f1/0x1160 [ip_gre]
+ gre_rcv+0x217/0x240 [ip_gre]
+ gre_rcv+0x1b8/0x400 [gre]
+ ip_protocol_deliver_rcu+0x31d/0x3a0
+ ip_local_deliver_finish+0x37d/0x620
+ ip_local_deliver+0x174/0x460
+ ip_rcv+0x52b/0x6b0
+ __netif_receive_skb_one_core+0x149/0x1a0
+ process_backlog+0x3c8/0x1390
+ __napi_poll.constprop.0+0xa1/0x390
+ net_rx_action+0x59b/0xe00
+ handle_softirqs+0x22b/0x630
+ do_softirq+0xb1/0xf0
+ __local_bh_enable_ip+0x115/0x150
+
+vrf_ip6_input_dst unconditionally sets skb dst entry, add a call to
+skb_dst_drop to drop any existing entry.
+
+Cc: David Ahern <dsahern@kernel.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Fixes: 9ff74384600a ("net: vrf: Handle ipv6 multicast and link-local addresses")
+Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://patch.msgid.link/20250725160043.350725-1-sdf@fomichev.me
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vrf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
+index 9a4beea6ee0c..3ccd649913b5 100644
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -1302,6 +1302,8 @@ static void vrf_ip6_input_dst(struct sk_buff *skb, struct net_device *vrf_dev,
+ struct net *net = dev_net(vrf_dev);
+ struct rt6_info *rt6;
+
++ skb_dst_drop(skb);
++
+ rt6 = vrf_ip6_route_lookup(net, vrf_dev, &fl6, ifindex, skb,
+ RT6_LOOKUP_F_HAS_SADDR | RT6_LOOKUP_F_IFACE);
+ if (unlikely(!rt6))
+--
+2.39.5
+
--- /dev/null
+From c28b6409cb66f3b10b59a4634ced609893b00981 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 23:22:19 +0300
+Subject: watchdog: ziirave_wdt: check record length in ziirave_firm_verify()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 8b61d8ca751bc15875b50e0ff6ac3ba0cf95a529 ]
+
+The "rec->len" value comes from the firmware. We generally do
+trust firmware, but it's always better to double check. If
+the length value is too large it would lead to memory corruption
+when we set "data[i] = ret;"
+
+Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/ziirave_wdt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c
+index fcc1ba02e75b..5c6e3fa001d8 100644
+--- a/drivers/watchdog/ziirave_wdt.c
++++ b/drivers/watchdog/ziirave_wdt.c
+@@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd,
+ const u16 len = be16_to_cpu(rec->len);
+ const u32 addr = be32_to_cpu(rec->addr);
+
++ if (len > sizeof(data))
++ return -EINVAL;
++
+ if (ziirave_firm_addr_readonly(addr))
+ continue;
+
+--
+2.39.5
+
--- /dev/null
+From 5f5e74249e4f977fef123296e76dd56809849fca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 17:45:06 +0900
+Subject: wifi: ath11k: clear initialized flag for deinit-ed srng lists
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+[ Upstream commit a5b46aa7cf5f05c213316a018e49a8e086efd98e ]
+
+In a number of cases we see kernel panics on resume due
+to ath11k kernel page fault, which happens under the
+following circumstances:
+
+1) First ath11k_hal_dump_srng_stats() call
+
+ Last interrupt received for each group:
+ ath11k_pci 0000:01:00.0: group_id 0 22511ms before
+ ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
+ [..]
+ ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
+ ath11k_pci 0000:01:00.0: Service connect timeout
+ ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
+ ath11k_pci 0000:01:00.0: failed to start core: -110
+ ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
+ ath11k_pci 0000:01:00.0: already resetting count 2
+ ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
+ ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
+ ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
+ [..]
+
+2) At this point reconfiguration fails (we have 2 resets) and
+ ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()
+ which destroys srng lists. However, it does not reset per-list
+ ->initialized flag.
+
+3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized
+ flag and attempts to dump srng stats:
+
+ Last interrupt received for each group:
+ ath11k_pci 0000:01:00.0: group_id 0 66785ms before
+ ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
+ ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
+ ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 7 66814ms before
+ ath11k_pci 0000:01:00.0: group_id 8 68997ms before
+ ath11k_pci 0000:01:00.0: group_id 9 67588ms before
+ ath11k_pci 0000:01:00.0: group_id 10 69511ms before
+ BUG: unable to handle page fault for address: ffffa007404eb010
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
+ Call Trace:
+ <TASK>
+ ? __die_body+0xae/0xb0
+ ? page_fault_oops+0x381/0x3e0
+ ? exc_page_fault+0x69/0xa0
+ ? asm_exc_page_fault+0x22/0x30
+ ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
+ ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
+ worker_thread+0x389/0x930
+ kthread+0x149/0x170
+
+Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
+
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Fixes: 5118935b1bc2 ("ath11k: dump SRNG stats during FW assert")
+Link: https://patch.msgid.link/20250612084551.702803-1-senozhatsky@chromium.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/hal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c
+index 8cb1505a5a0c..cab11a35f911 100644
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -1346,6 +1346,10 @@ EXPORT_SYMBOL(ath11k_hal_srng_init);
+ void ath11k_hal_srng_deinit(struct ath11k_base *ab)
+ {
+ struct ath11k_hal *hal = &ab->hal;
++ int i;
++
++ for (i = 0; i < HAL_SRNG_RING_ID_MAX; i++)
++ ab->hal.srng_list[i].initialized = 0;
+
+ ath11k_hal_unregister_srng_key(ab);
+ ath11k_hal_free_cont_rdp(ab);
+--
+2.39.5
+
--- /dev/null
+From 04560cef37963747372ecceedc4f17792ff1dd87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 10:25:28 +0800
+Subject: wifi: ath11k: fix sleeping-in-atomic in
+ ath11k_mac_op_set_bitrate_mask()
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit 65c12b104cb942d588a1a093acc4537fb3d3b129 ]
+
+ath11k_mac_disable_peer_fixed_rate() is passed as the iterator to
+ieee80211_iterate_stations_atomic(). Note in this case the iterator is
+required to be atomic, however ath11k_mac_disable_peer_fixed_rate() does
+not follow it as it might sleep. Consequently below warning is seen:
+
+BUG: sleeping function called from invalid context at wmi.c:304
+Call Trace:
+ <TASK>
+ dump_stack_lvl
+ __might_resched.cold
+ ath11k_wmi_cmd_send
+ ath11k_wmi_set_peer_param
+ ath11k_mac_disable_peer_fixed_rate
+ ieee80211_iterate_stations_atomic
+ ath11k_mac_op_set_bitrate_mask.cold
+
+Change to ieee80211_iterate_stations_mtx() to fix this issue.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Link: https://patch.msgid.link/20250603-ath11k-use-non-atomic-iterator-v1-1-d75762068d56@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 13301ca317a5..977f370fd6de 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -8740,9 +8740,9 @@ ath11k_mac_op_set_bitrate_mask(struct ieee80211_hw *hw,
+ arvif->vdev_id, ret);
+ return ret;
+ }
+- ieee80211_iterate_stations_atomic(ar->hw,
+- ath11k_mac_disable_peer_fixed_rate,
+- arvif);
++ ieee80211_iterate_stations_mtx(ar->hw,
++ ath11k_mac_disable_peer_fixed_rate,
++ arvif);
+ } else if (ath11k_mac_bitrate_mask_get_single_nss(ar, arvif, band, mask,
+ &single_nss)) {
+ rate = WMI_FIXED_RATE_NONE;
+@@ -8809,9 +8809,9 @@ ath11k_mac_op_set_bitrate_mask(struct ieee80211_hw *hw,
+ }
+
+ mutex_lock(&ar->conf_mutex);
+- ieee80211_iterate_stations_atomic(ar->hw,
+- ath11k_mac_disable_peer_fixed_rate,
+- arvif);
++ ieee80211_iterate_stations_mtx(ar->hw,
++ ath11k_mac_disable_peer_fixed_rate,
++ arvif);
+
+ arvif->bitrate_mask = *mask;
+ ieee80211_iterate_stations_atomic(ar->hw,
+--
+2.39.5
+
--- /dev/null
+From fee35c2ffabc99607fda2ee72ea1c6891a36d0d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 00:26:35 +0530
+Subject: wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon
+ miss
+
+From: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+
+[ Upstream commit 36670b67de18f1e5d34900c5d2ac60a8970c293c ]
+
+During beacon miss handling, ath12k driver iterates over active virtual
+interfaces (vifs) and attempts to access the radio object (ar) via
+arvif->deflink->ar.
+
+However, after commit aa80f12f3bed ("wifi: ath12k: defer vdev creation for
+MLO"), arvif is linked to a radio only after vdev creation, typically when
+a channel is assigned or a scan is requested.
+For P2P capable devices, a default P2P interface is created by
+wpa_supplicant along with regular station interfaces, these serve as dummy
+interfaces for P2P-capable stations, lack an associated netdev and initiate
+frequent scans to discover neighbor p2p devices. When a scan is initiated
+on such P2P vifs, driver selects destination radio (ar) based on scan
+frequency, creates a scan vdev, and attaches arvif to the radio. Once the
+scan completes or is aborted, the scan vdev is deleted, detaching arvif
+from the radio and leaving arvif->ar uninitialized.
+
+While handling beacon miss for station interfaces, P2P interface is also
+encountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter()
+tries to dereference the uninitialized arvif->deflink->ar.
+
+Fix this by verifying that vdev is created for the arvif before accessing
+its ar during beacon miss handling and similar vif iterator callbacks.
+
+==========================================================================
+ wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+
+ CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full)
+ RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k]
+ Call Trace:
+ __iterate_interfaces+0x11a/0x410 [mac80211]
+ ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211]
+ ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k]
+ ath12k_roam_event+0x393/0x560 [ath12k]
+ ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k]
+ ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k]
+ ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k]
+ ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k]
+ ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]
+ ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]
+ process_one_work+0xe3a/0x1430
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: aa80f12f3bed ("wifi: ath12k: defer vdev creation for MLO")
+Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250618185635.750470-1-rameshkumar.sundaram@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 15 +++++++++------
+ drivers/net/wireless/ath/ath12k/p2p.c | 3 ++-
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index 59ec422992d3..5be7b79db341 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -693,6 +693,9 @@ static void ath12k_get_arvif_iter(void *data, u8 *mac,
+ if (WARN_ON(!arvif))
+ continue;
+
++ if (!arvif->is_created)
++ continue;
++
+ if (arvif->vdev_id == arvif_iter->vdev_id &&
+ arvif->ar == arvif_iter->ar) {
+ arvif_iter->arvif = arvif;
+@@ -1755,7 +1758,7 @@ static void ath12k_mac_handle_beacon_iter(void *data, u8 *mac,
+ struct ath12k_vif *ahvif = ath12k_vif_to_ahvif(vif);
+ struct ath12k_link_vif *arvif = &ahvif->deflink;
+
+- if (vif->type != NL80211_IFTYPE_STATION)
++ if (vif->type != NL80211_IFTYPE_STATION || !arvif->is_created)
+ return;
+
+ if (!ether_addr_equal(mgmt->bssid, vif->bss_conf.bssid))
+@@ -1778,16 +1781,16 @@ static void ath12k_mac_handle_beacon_miss_iter(void *data, u8 *mac,
+ u32 *vdev_id = data;
+ struct ath12k_vif *ahvif = ath12k_vif_to_ahvif(vif);
+ struct ath12k_link_vif *arvif = &ahvif->deflink;
+- struct ath12k *ar = arvif->ar;
+- struct ieee80211_hw *hw = ath12k_ar_to_hw(ar);
++ struct ieee80211_hw *hw;
+
+- if (arvif->vdev_id != *vdev_id)
++ if (!arvif->is_created || arvif->vdev_id != *vdev_id)
+ return;
+
+ if (!arvif->is_up)
+ return;
+
+ ieee80211_beacon_loss(vif);
++ hw = ath12k_ar_to_hw(arvif->ar);
+
+ /* Firmware doesn't report beacon loss events repeatedly. If AP probe
+ * (done by mac80211) succeeds but beacons do not resume then it
+@@ -9818,7 +9821,7 @@ ath12k_mac_change_chanctx_cnt_iter(void *data, u8 *mac,
+ if (WARN_ON(!arvif))
+ continue;
+
+- if (arvif->ar != arg->ar)
++ if (!arvif->is_created || arvif->ar != arg->ar)
+ continue;
+
+ link_conf = wiphy_dereference(ahvif->ah->hw->wiphy,
+@@ -9853,7 +9856,7 @@ ath12k_mac_change_chanctx_fill_iter(void *data, u8 *mac,
+ if (WARN_ON(!arvif))
+ continue;
+
+- if (arvif->ar != arg->ar)
++ if (!arvif->is_created || arvif->ar != arg->ar)
+ continue;
+
+ link_conf = wiphy_dereference(ahvif->ah->hw->wiphy,
+diff --git a/drivers/net/wireless/ath/ath12k/p2p.c b/drivers/net/wireless/ath/ath12k/p2p.c
+index 84cccf7d91e7..59589748f1a8 100644
+--- a/drivers/net/wireless/ath/ath12k/p2p.c
++++ b/drivers/net/wireless/ath/ath12k/p2p.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: BSD-3-Clause-Clear
+ /*
+ * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+ */
+
+ #include <net/mac80211.h>
+@@ -124,7 +125,7 @@ static void ath12k_p2p_noa_update_vdev_iter(void *data, u8 *mac,
+
+ WARN_ON(!rcu_read_lock_any_held());
+ arvif = &ahvif->deflink;
+- if (arvif->ar != arg->ar || arvif->vdev_id != arg->vdev_id)
++ if (!arvif->is_created || arvif->ar != arg->ar || arvif->vdev_id != arg->vdev_id)
+ return;
+
+ ath12k_p2p_noa_update(arvif, arg->noa);
+--
+2.39.5
+
--- /dev/null
+From c61bf46fe780aa2908f59c5692c45f74aeee8b13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 08:45:02 +0530
+Subject: wifi: ath12k: Block radio bring-up in FTM mode
+
+From: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
+
+[ Upstream commit 80570587e418f361e7ce3f9200477f728b38c94b ]
+
+Ensure that all radios remain down when the driver operates in Factory
+Test Mode (FTM). Reject any userspace attempts to bring up an
+interface in this mode.
+
+Currently, the driver allows userspace to bring up the interface even
+though it operates in FTM mode, which violates FTM constraints and
+leads to FTM command failures.
+
+Hence, block the radio start when the driver is in FTM mode. Also,
+remove ath12k_ftm_mode check from ath12k_drain_tx() because FTM mode
+check is already handled in the caller function
+(ath12k_mac_op_start()).
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: 3bc374cbc49e ("wifi: ath12k: add factory test mode support")
+Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250630031502.8902-1-aaradhana.sahu@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index 0feb800a4921..43464853a01d 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -8167,14 +8167,9 @@ static int ath12k_mac_start(struct ath12k *ar)
+
+ static void ath12k_drain_tx(struct ath12k_hw *ah)
+ {
+- struct ath12k *ar = ah->radio;
++ struct ath12k *ar;
+ int i;
+
+- if (ath12k_ftm_mode) {
+- ath12k_err(ar->ab, "fail to start mac operations in ftm mode\n");
+- return;
+- }
+-
+ lockdep_assert_wiphy(ah->hw->wiphy);
+
+ for_each_ar(ah, ar, i)
+@@ -8187,6 +8182,9 @@ static int ath12k_mac_op_start(struct ieee80211_hw *hw)
+ struct ath12k *ar;
+ int ret, i;
+
++ if (ath12k_ftm_mode)
++ return -EPERM;
++
+ lockdep_assert_wiphy(hw->wiphy);
+
+ ath12k_drain_tx(ah);
+--
+2.39.5
+
--- /dev/null
+From 702582e3753a87e7c37f6c8999b3020364ef734b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 20:26:51 +0530
+Subject: wifi: ath12k: Clear auth flag only for actual association in security
+ mode
+
+From: Thiraviyam Mariyappan <thiraviyam.mariyappan@oss.qualcomm.com>
+
+[ Upstream commit c27bb624b3d789a337df3bbcc020a575680555cc ]
+
+When setting a new bitrate, WMI peer association command is sent from
+the host without the peer authentication bit set in peer_flags for
+security mode, which causes ping failure.
+
+The firmware handles peer_flags when the client is associating, as the
+peer authentication bit in peer_flags is set after the key exchange.
+When the WMI peer association command is sent from the host to update
+the new bitrate for an associated STA, the firmware expects the WMI
+peer authentication bit to be set in peer_flags.
+
+Fix this issue by ensuring that the WMI peer auth bit is set in
+peer_flags in WMI peer association command when updating the new
+bitrate.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Thiraviyam Mariyappan <thiraviyam.mariyappan@oss.qualcomm.com>
+Signed-off-by: Ramasamy Kaliappan <ramasamy.kaliappan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250608145651.1735236-1-ramasamy.kaliappan@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 4 ++++
+ drivers/net/wireless/ath/ath12k/wmi.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index 3616269538e6..0feb800a4921 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -3235,6 +3235,7 @@ static void ath12k_bss_assoc(struct ath12k *ar,
+
+ rcu_read_unlock();
+
++ peer_arg->is_assoc = true;
+ ret = ath12k_wmi_send_peer_assoc_cmd(ar, peer_arg);
+ if (ret) {
+ ath12k_warn(ar->ab, "failed to run peer assoc for %pM vdev %i: %d\n",
+@@ -5165,6 +5166,8 @@ static int ath12k_mac_station_assoc(struct ath12k *ar,
+ "invalid peer NSS %d\n", peer_arg->peer_nss);
+ return -EINVAL;
+ }
++
++ peer_arg->is_assoc = true;
+ ret = ath12k_wmi_send_peer_assoc_cmd(ar, peer_arg);
+ if (ret) {
+ ath12k_warn(ar->ab, "failed to run peer assoc for STA %pM vdev %i: %d\n",
+@@ -5411,6 +5414,7 @@ static void ath12k_sta_rc_update_wk(struct wiphy *wiphy, struct wiphy_work *wk)
+ ath12k_peer_assoc_prepare(ar, arvif, arsta,
+ peer_arg, true);
+
++ peer_arg->is_assoc = false;
+ err = ath12k_wmi_send_peer_assoc_cmd(ar, peer_arg);
+ if (err)
+ ath12k_warn(ar->ab, "failed to run peer assoc for STA %pM vdev %i: %d\n",
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index 465f877fc0fb..e19803bfba75 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -2152,7 +2152,7 @@ static void ath12k_wmi_copy_peer_flags(struct wmi_peer_assoc_complete_cmd *cmd,
+ cmd->peer_flags |= cpu_to_le32(WMI_PEER_AUTH);
+ if (arg->need_ptk_4_way) {
+ cmd->peer_flags |= cpu_to_le32(WMI_PEER_NEED_PTK_4_WAY);
+- if (!hw_crypto_disabled)
++ if (!hw_crypto_disabled && arg->is_assoc)
+ cmd->peer_flags &= cpu_to_le32(~WMI_PEER_AUTH);
+ }
+ if (arg->need_gtk_2_way)
+--
+2.39.5
+
--- /dev/null
+From 5a5f8d38920a1e92a81a34054ec91ef1fbd928da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 16:05:42 +0530
+Subject: wifi: ath12k: Fix double budget decrement while reaping monitor ring
+
+From: P Praneesh <praneesh.p@oss.qualcomm.com>
+
+[ Upstream commit 54c350055b1da2767f18a49c11e4fcc42cf33ff8 ]
+
+Currently, the budget for monitor ring is reduced during each ring entry
+reaping and again when the end reason is HAL_MON_END_OF_PPDU, leading to
+inefficient budget use. The below mentioned commit intended to decrement
+the budget only for HAL_MON_END_OF_PPDU but did not remove the other
+decrement. Fix this by eliminating the budget decrement for each ring entry
+reaping, ensuring the driver always reaps one full PPDU worth of entries
+from the monitor destination ring.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: 394a3fa7c538 ("wifi: ath12k: Optimize NAPI budget by adjusting PPDU processing")
+Signed-off-by: P Praneesh <praneesh.p@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250603103542.1164713-1-praneesh.p@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/dp_mon.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c
+index 28cadc4167f7..91f4e3aff74c 100644
+--- a/drivers/net/wireless/ath/ath12k/dp_mon.c
++++ b/drivers/net/wireless/ath/ath12k/dp_mon.c
+@@ -3761,7 +3761,6 @@ int ath12k_dp_mon_srng_process(struct ath12k *ar, int *budget,
+ ath12k_hal_srng_access_begin(ab, srng);
+
+ while (likely(*budget)) {
+- *budget -= 1;
+ mon_dst_desc = ath12k_hal_srng_dst_peek(ab, srng);
+ if (unlikely(!mon_dst_desc))
+ break;
+--
+2.39.5
+
--- /dev/null
+From e2a3b8cc1254e2ae522789e5b34edba6c1d5db88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 23:05:38 +0530
+Subject: wifi: ath12k: fix endianness handling while accessing wmi service bit
+
+From: Tamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
+
+[ Upstream commit 8f1a078842d4af4877fb686f3907788024d0d1b7 ]
+
+Currently there is no endian conversion in ath12k_wmi_tlv_services_parser()
+so the service bit parsing will be incorrect on a big endian platform and
+to fix this by using appropriate endian conversion.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00217-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: 342527f35338 ("wifi: ath12k: Add support to parse new WMI event for 6 GHz regulatory")
+Signed-off-by: Tamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250717173539.2523396-2-tamizh.raja@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index e19803bfba75..745d017c5aa8 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -7491,7 +7491,7 @@ static int ath12k_wmi_tlv_services_parser(struct ath12k_base *ab,
+ void *data)
+ {
+ const struct wmi_service_available_event *ev;
+- u32 *wmi_ext2_service_bitmap;
++ __le32 *wmi_ext2_service_bitmap;
+ int i, j;
+ u16 expected_len;
+
+@@ -7523,12 +7523,12 @@ static int ath12k_wmi_tlv_services_parser(struct ath12k_base *ab,
+ ev->wmi_service_segment_bitmap[3]);
+ break;
+ case WMI_TAG_ARRAY_UINT32:
+- wmi_ext2_service_bitmap = (u32 *)ptr;
++ wmi_ext2_service_bitmap = (__le32 *)ptr;
+ for (i = 0, j = WMI_MAX_EXT_SERVICE;
+ i < WMI_SERVICE_SEGMENT_BM_SIZE32 && j < WMI_MAX_EXT2_SERVICE;
+ i++) {
+ do {
+- if (wmi_ext2_service_bitmap[i] &
++ if (__le32_to_cpu(wmi_ext2_service_bitmap[i]) &
+ BIT(j % WMI_AVAIL_SERVICE_BITS_IN_SIZE32))
+ set_bit(j, ab->wmi_ab.svc_map);
+ } while (++j % WMI_AVAIL_SERVICE_BITS_IN_SIZE32);
+@@ -7536,8 +7536,10 @@ static int ath12k_wmi_tlv_services_parser(struct ath12k_base *ab,
+
+ ath12k_dbg(ab, ATH12K_DBG_WMI,
+ "wmi_ext2_service_bitmap 0x%04x 0x%04x 0x%04x 0x%04x",
+- wmi_ext2_service_bitmap[0], wmi_ext2_service_bitmap[1],
+- wmi_ext2_service_bitmap[2], wmi_ext2_service_bitmap[3]);
++ __le32_to_cpu(wmi_ext2_service_bitmap[0]),
++ __le32_to_cpu(wmi_ext2_service_bitmap[1]),
++ __le32_to_cpu(wmi_ext2_service_bitmap[2]),
++ __le32_to_cpu(wmi_ext2_service_bitmap[3]));
+ break;
+ }
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From f65b7d42b47becaddd6e32dd5f2e8b1aa21767d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 14:29:12 -0700
+Subject: wifi: ath12k: pack HTT pdev rate stats structs
+
+From: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+
+[ Upstream commit fee9b1f6691120182136edacf590f52d62d9de7f ]
+
+In order to ensure the HTT DebugFS structs shared with firmware have
+matching alignment, the structs should be packed. Most of the structs
+are correctly packed, however the following are not:
+
+ath12k_htt_tx_pdev_rate_stats_tlv
+ath12k_htt_rx_pdev_rate_stats_tlv
+ath12k_htt_rx_pdev_rate_ext_stats_tlv
+
+So pack those structs.
+
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: ba42b22aa336 ("wifi: ath12k: Dump PDEV transmit rate HTT stats")
+Fixes: a24cd7583003 ("wifi: ath12k: Dump PDEV receive rate HTT stats")
+Fixes: 7a3e8eec8d18 ("wifi: ath12k: Dump additional PDEV receive rate HTT stats")
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250702-debugfs_htt_packed-v1-1-07bd18b31e79@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/debugfs_htt_stats.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.h b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.h
+index c2a02cf8a38b..db9532c39cbf 100644
+--- a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.h
++++ b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.h
+@@ -470,7 +470,7 @@ struct ath12k_htt_tx_pdev_rate_stats_tlv {
+ [ATH12K_HTT_TX_PDEV_STATS_NUM_EXTRA_MCS_COUNTERS];
+ __le32 tx_mcs_ext_2[ATH12K_HTT_TX_PDEV_STATS_NUM_EXTRA2_MCS_COUNTERS];
+ __le32 tx_bw_320mhz;
+-};
++} __packed;
+
+ #define ATH12K_HTT_RX_PDEV_STATS_NUM_LEGACY_CCK_STATS 4
+ #define ATH12K_HTT_RX_PDEV_STATS_NUM_LEGACY_OFDM_STATS 8
+@@ -550,7 +550,7 @@ struct ath12k_htt_rx_pdev_rate_stats_tlv {
+ __le32 rx_ulofdma_non_data_nusers[ATH12K_HTT_RX_PDEV_MAX_OFDMA_NUM_USER];
+ __le32 rx_ulofdma_data_nusers[ATH12K_HTT_RX_PDEV_MAX_OFDMA_NUM_USER];
+ __le32 rx_mcs_ext[ATH12K_HTT_RX_PDEV_STATS_NUM_EXTRA_MCS_COUNTERS];
+-};
++} __packed;
+
+ #define ATH12K_HTT_RX_PDEV_STATS_NUM_BW_EXT_COUNTERS 4
+ #define ATH12K_HTT_RX_PDEV_STATS_NUM_MCS_COUNTERS_EXT 14
+@@ -580,7 +580,7 @@ struct ath12k_htt_rx_pdev_rate_ext_stats_tlv {
+ __le32 rx_gi_ext_2[ATH12K_HTT_RX_PDEV_STATS_NUM_GI_COUNTERS]
+ [ATH12K_HTT_RX_PDEV_STATS_NUM_EXTRA2_MCS_COUNTERS];
+ __le32 rx_su_punctured_mode[ATH12K_HTT_RX_PDEV_STATS_NUM_PUNCTURED_MODE_COUNTERS];
+-};
++} __packed;
+
+ #define ATH12K_HTT_TX_PDEV_STATS_SCHED_PER_TXQ_MAC_ID GENMASK(7, 0)
+ #define ATH12K_HTT_TX_PDEV_STATS_SCHED_PER_TXQ_ID GENMASK(15, 8)
+--
+2.39.5
+
--- /dev/null
+From 0fc117f324e762db5d7ff9cb802644e99b62507c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 10:19:36 +0530
+Subject: wifi: ath12k: Pass ab pointer directly to
+ ath12k_dp_tx_get_encap_type()
+
+From: Tamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
+
+[ Upstream commit 05062834350f0bf7ad1abcebc2807220e90220eb ]
+
+In ath12k_dp_tx_get_encap_type(), the arvif parameter is only used to
+retrieve the ab pointer. In vdev delete sequence the arvif->ar could
+become NULL and that would trigger kernel panic.
+Since the caller ath12k_dp_tx() already has a valid ab pointer, pass it
+directly to avoid panic and unnecessary dereferencing.
+
+PC points to "ath12k_dp_tx+0x228/0x988 [ath12k]"
+LR points to "ath12k_dp_tx+0xc8/0x988 [ath12k]".
+The Backtrace obtained is as follows:
+ath12k_dp_tx+0x228/0x988 [ath12k]
+ath12k_mac_tx_check_max_limit+0x608/0x920 [ath12k]
+ieee80211_process_measurement_req+0x320/0x348 [mac80211]
+ieee80211_tx_dequeue+0x9ac/0x1518 [mac80211]
+ieee80211_tx_dequeue+0xb14/0x1518 [mac80211]
+ieee80211_tx_prepare_skb+0x224/0x254 [mac80211]
+ieee80211_xmit+0xec/0x100 [mac80211]
+__ieee80211_subif_start_xmit+0xc50/0xf40 [mac80211]
+ieee80211_subif_start_xmit+0x2e8/0x308 [mac80211]
+netdev_start_xmit+0x150/0x18c
+dev_hard_start_xmit+0x74/0xc0
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
+
+Fixes: e93bbd65547e ("wifi: ath12k: fix packets are sent in native wifi mode while we set raw mode")
+Signed-off-by: Tamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250606044936.3989400-1-tamizh.raja@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/dp_tx.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/dp_tx.c b/drivers/net/wireless/ath/ath12k/dp_tx.c
+index b6816b6c2c04..075912eacfaa 100644
+--- a/drivers/net/wireless/ath/ath12k/dp_tx.c
++++ b/drivers/net/wireless/ath/ath12k/dp_tx.c
+@@ -13,10 +13,9 @@
+ #include "mac.h"
+
+ static enum hal_tcl_encap_type
+-ath12k_dp_tx_get_encap_type(struct ath12k_link_vif *arvif, struct sk_buff *skb)
++ath12k_dp_tx_get_encap_type(struct ath12k_base *ab, struct sk_buff *skb)
+ {
+ struct ieee80211_tx_info *tx_info = IEEE80211_SKB_CB(skb);
+- struct ath12k_base *ab = arvif->ar->ab;
+
+ if (test_bit(ATH12K_FLAG_RAW_MODE, &ab->dev_flags))
+ return HAL_TCL_ENCAP_TYPE_RAW;
+@@ -305,7 +304,7 @@ int ath12k_dp_tx(struct ath12k *ar, struct ath12k_link_vif *arvif,
+ u32_encode_bits(mcbc_gsn, HTT_TCL_META_DATA_GLOBAL_SEQ_NUM);
+ }
+
+- ti.encap_type = ath12k_dp_tx_get_encap_type(arvif, skb);
++ ti.encap_type = ath12k_dp_tx_get_encap_type(ab, skb);
+ ti.addr_search_flags = arvif->hal_addr_search_flags;
+ ti.search_type = arvif->search_type;
+ ti.type = HAL_TCL_DESC_TYPE_BUFFER;
+--
+2.39.5
+
--- /dev/null
+From 0d4686ce1127a5e533ee1173de66080b63503bf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 16:25:28 +0800
+Subject: wifi: ath12k: update channel list in worker when wait flag is set
+
+From: Kang Yang <kang.yang@oss.qualcomm.com>
+
+[ Upstream commit 437c7a2db6a34db2a9048920694a2bf9b0169726 ]
+
+With previous patch [1], ath12k_reg_update_chan_list() will be called
+during reg_process_self_managed_hint().
+
+reg_process_self_managed_hint() will hold rtnl_lock all the time.
+But ath12k_reg_update_chan_list() may increase the occupation time of
+rtnl_lock, because when wait flag is set, wait_for_completion_timeout()
+will be called during 11d/hw scan.
+
+Should minimize the occupation time of rtnl_lock as much as possible
+to avoid interfering with rest of the system. So move the update channel
+list operation to a new worker, so that wait_for_completion_timeout()
+won't be called with the rtnl_lock held.
+
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: f335295aa29c ("wifi: ath12k: avoid deadlock during regulatory update in ath12k_regd_update()") #[1]
+Signed-off-by: Kang Yang <kang.yang@oss.qualcomm.com>
+Reviewed-by: Aditya Kumar Singh <aditya.kumar.singh@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250605082528.701-1-kang.yang@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/core.c | 1 +
+ drivers/net/wireless/ath/ath12k/core.h | 4 +-
+ drivers/net/wireless/ath/ath12k/mac.c | 13 ++++
+ drivers/net/wireless/ath/ath12k/reg.c | 85 ++++++++++++++++++--------
+ drivers/net/wireless/ath/ath12k/reg.h | 1 +
+ drivers/net/wireless/ath/ath12k/wmi.h | 1 +
+ 6 files changed, 78 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
+index 89ae80934b30..cd58ab9c2322 100644
+--- a/drivers/net/wireless/ath/ath12k/core.c
++++ b/drivers/net/wireless/ath/ath12k/core.c
+@@ -1409,6 +1409,7 @@ void ath12k_core_halt(struct ath12k *ar)
+ ath12k_mac_peer_cleanup_all(ar);
+ cancel_delayed_work_sync(&ar->scan.timeout);
+ cancel_work_sync(&ar->regd_update_work);
++ cancel_work_sync(&ar->regd_channel_update_work);
+ cancel_work_sync(&ab->rfkill_work);
+ cancel_work_sync(&ab->update_11d_work);
+
+diff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h
+index 7bcd9c70309f..289998585fcb 100644
+--- a/drivers/net/wireless/ath/ath12k/core.h
++++ b/drivers/net/wireless/ath/ath12k/core.h
+@@ -719,7 +719,7 @@ struct ath12k {
+
+ /* protects the radio specific data like debug stats, ppdu_stats_info stats,
+ * vdev_stop_status info, scan data, ath12k_sta info, ath12k_link_vif info,
+- * channel context data, survey info, test mode data.
++ * channel context data, survey info, test mode data, regd_channel_update_queue.
+ */
+ spinlock_t data_lock;
+
+@@ -778,6 +778,8 @@ struct ath12k {
+ struct completion bss_survey_done;
+
+ struct work_struct regd_update_work;
++ struct work_struct regd_channel_update_work;
++ struct list_head regd_channel_update_queue;
+
+ struct wiphy_work wmi_mgmt_tx_work;
+ struct sk_buff_head wmi_mgmt_tx_queue;
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index 5be7b79db341..3616269538e6 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -8289,6 +8289,7 @@ static void ath12k_mac_stop(struct ath12k *ar)
+ {
+ struct ath12k_hw *ah = ar->ah;
+ struct htt_ppdu_stats_info *ppdu_stats, *tmp;
++ struct ath12k_wmi_scan_chan_list_arg *arg;
+ int ret;
+
+ lockdep_assert_held(&ah->hw_mutex);
+@@ -8303,6 +8304,7 @@ static void ath12k_mac_stop(struct ath12k *ar)
+
+ cancel_delayed_work_sync(&ar->scan.timeout);
+ wiphy_work_cancel(ath12k_ar_to_hw(ar)->wiphy, &ar->scan.vdev_clean_wk);
++ cancel_work_sync(&ar->regd_channel_update_work);
+ cancel_work_sync(&ar->regd_update_work);
+ cancel_work_sync(&ar->ab->rfkill_work);
+ cancel_work_sync(&ar->ab->update_11d_work);
+@@ -8310,10 +8312,18 @@ static void ath12k_mac_stop(struct ath12k *ar)
+ complete(&ar->completed_11d_scan);
+
+ spin_lock_bh(&ar->data_lock);
++
+ list_for_each_entry_safe(ppdu_stats, tmp, &ar->ppdu_stats_info, list) {
+ list_del(&ppdu_stats->list);
+ kfree(ppdu_stats);
+ }
++
++ while ((arg = list_first_entry_or_null(&ar->regd_channel_update_queue,
++ struct ath12k_wmi_scan_chan_list_arg,
++ list))) {
++ list_del(&arg->list);
++ kfree(arg);
++ }
+ spin_unlock_bh(&ar->data_lock);
+
+ rcu_assign_pointer(ar->ab->pdevs_active[ar->pdev_idx], NULL);
+@@ -12207,6 +12217,7 @@ static void ath12k_mac_hw_unregister(struct ath12k_hw *ah)
+ int i;
+
+ for_each_ar(ah, ar, i) {
++ cancel_work_sync(&ar->regd_channel_update_work);
+ cancel_work_sync(&ar->regd_update_work);
+ ath12k_debugfs_unregister(ar);
+ ath12k_fw_stats_reset(ar);
+@@ -12567,6 +12578,8 @@ static void ath12k_mac_setup(struct ath12k *ar)
+
+ INIT_DELAYED_WORK(&ar->scan.timeout, ath12k_scan_timeout_work);
+ wiphy_work_init(&ar->scan.vdev_clean_wk, ath12k_scan_vdev_clean_work);
++ INIT_WORK(&ar->regd_channel_update_work, ath12k_regd_update_chan_list_work);
++ INIT_LIST_HEAD(&ar->regd_channel_update_queue);
+ INIT_WORK(&ar->regd_update_work, ath12k_regd_update_work);
+
+ wiphy_work_init(&ar->wmi_mgmt_tx_work, ath12k_mgmt_over_wmi_tx_work);
+diff --git a/drivers/net/wireless/ath/ath12k/reg.c b/drivers/net/wireless/ath/ath12k/reg.c
+index 2598b39d5d7e..0fc7f209956d 100644
+--- a/drivers/net/wireless/ath/ath12k/reg.c
++++ b/drivers/net/wireless/ath/ath12k/reg.c
+@@ -137,32 +137,7 @@ int ath12k_reg_update_chan_list(struct ath12k *ar, bool wait)
+ struct ath12k_wmi_channel_arg *ch;
+ enum nl80211_band band;
+ int num_channels = 0;
+- int i, ret, left;
+-
+- if (wait && ar->state_11d == ATH12K_11D_RUNNING) {
+- left = wait_for_completion_timeout(&ar->completed_11d_scan,
+- ATH12K_SCAN_TIMEOUT_HZ);
+- if (!left) {
+- ath12k_dbg(ar->ab, ATH12K_DBG_REG,
+- "failed to receive 11d scan complete: timed out\n");
+- ar->state_11d = ATH12K_11D_IDLE;
+- }
+- ath12k_dbg(ar->ab, ATH12K_DBG_REG,
+- "reg 11d scan wait left time %d\n", left);
+- }
+-
+- if (wait &&
+- (ar->scan.state == ATH12K_SCAN_STARTING ||
+- ar->scan.state == ATH12K_SCAN_RUNNING)) {
+- left = wait_for_completion_timeout(&ar->scan.completed,
+- ATH12K_SCAN_TIMEOUT_HZ);
+- if (!left)
+- ath12k_dbg(ar->ab, ATH12K_DBG_REG,
+- "failed to receive hw scan complete: timed out\n");
+-
+- ath12k_dbg(ar->ab, ATH12K_DBG_REG,
+- "reg hw scan wait left time %d\n", left);
+- }
++ int i, ret = 0;
+
+ if (ar->ah->state == ATH12K_HW_STATE_RESTARTING)
+ return 0;
+@@ -244,6 +219,16 @@ int ath12k_reg_update_chan_list(struct ath12k *ar, bool wait)
+ }
+ }
+
++ if (wait) {
++ spin_lock_bh(&ar->data_lock);
++ list_add_tail(&arg->list, &ar->regd_channel_update_queue);
++ spin_unlock_bh(&ar->data_lock);
++
++ queue_work(ar->ab->workqueue, &ar->regd_channel_update_work);
++
++ return 0;
++ }
++
+ ret = ath12k_wmi_send_scan_chan_list_cmd(ar, arg);
+ kfree(arg);
+
+@@ -764,6 +749,54 @@ ath12k_reg_build_regd(struct ath12k_base *ab,
+ return new_regd;
+ }
+
++void ath12k_regd_update_chan_list_work(struct work_struct *work)
++{
++ struct ath12k *ar = container_of(work, struct ath12k,
++ regd_channel_update_work);
++ struct ath12k_wmi_scan_chan_list_arg *arg;
++ struct list_head local_update_list;
++ int left;
++
++ INIT_LIST_HEAD(&local_update_list);
++
++ spin_lock_bh(&ar->data_lock);
++ list_splice_tail_init(&ar->regd_channel_update_queue, &local_update_list);
++ spin_unlock_bh(&ar->data_lock);
++
++ while ((arg = list_first_entry_or_null(&local_update_list,
++ struct ath12k_wmi_scan_chan_list_arg,
++ list))) {
++ if (ar->state_11d != ATH12K_11D_IDLE) {
++ left = wait_for_completion_timeout(&ar->completed_11d_scan,
++ ATH12K_SCAN_TIMEOUT_HZ);
++ if (!left) {
++ ath12k_dbg(ar->ab, ATH12K_DBG_REG,
++ "failed to receive 11d scan complete: timed out\n");
++ ar->state_11d = ATH12K_11D_IDLE;
++ }
++
++ ath12k_dbg(ar->ab, ATH12K_DBG_REG,
++ "reg 11d scan wait left time %d\n", left);
++ }
++
++ if ((ar->scan.state == ATH12K_SCAN_STARTING ||
++ ar->scan.state == ATH12K_SCAN_RUNNING)) {
++ left = wait_for_completion_timeout(&ar->scan.completed,
++ ATH12K_SCAN_TIMEOUT_HZ);
++ if (!left)
++ ath12k_dbg(ar->ab, ATH12K_DBG_REG,
++ "failed to receive hw scan complete: timed out\n");
++
++ ath12k_dbg(ar->ab, ATH12K_DBG_REG,
++ "reg hw scan wait left time %d\n", left);
++ }
++
++ ath12k_wmi_send_scan_chan_list_cmd(ar, arg);
++ list_del(&arg->list);
++ kfree(arg);
++ }
++}
++
+ void ath12k_regd_update_work(struct work_struct *work)
+ {
+ struct ath12k *ar = container_of(work, struct ath12k,
+diff --git a/drivers/net/wireless/ath/ath12k/reg.h b/drivers/net/wireless/ath/ath12k/reg.h
+index 8af8e9ba462e..0aeba06182c5 100644
+--- a/drivers/net/wireless/ath/ath12k/reg.h
++++ b/drivers/net/wireless/ath/ath12k/reg.h
+@@ -113,6 +113,7 @@ int ath12k_reg_handle_chan_list(struct ath12k_base *ab,
+ struct ath12k_reg_info *reg_info,
+ enum wmi_vdev_type vdev_type,
+ enum ieee80211_ap_reg_power power_type);
++void ath12k_regd_update_chan_list_work(struct work_struct *work);
+ enum wmi_reg_6g_ap_type
+ ath12k_reg_ap_pwr_convert(enum ieee80211_ap_reg_power power_type);
+ enum ath12k_reg_status ath12k_reg_validate_reg_info(struct ath12k_base *ab,
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.h b/drivers/net/wireless/ath/ath12k/wmi.h
+index c640ffa180c8..117150220b99 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.h
++++ b/drivers/net/wireless/ath/ath12k/wmi.h
+@@ -3948,6 +3948,7 @@ struct wmi_stop_scan_cmd {
+ } __packed;
+
+ struct ath12k_wmi_scan_chan_list_arg {
++ struct list_head list;
+ u32 pdev_id;
+ u16 nallchans;
+ struct ath12k_wmi_channel_arg channel[];
+--
+2.39.5
+
--- /dev/null
+From c894ff9984b7957f20a3a5cc04669c03ba00dbfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 19:29:02 +0530
+Subject: wifi: ath12k: update unsupported bandwidth flags in reg rules
+
+From: Harshitha Prem <quic_hprem@quicinc.com>
+
+[ Upstream commit 2109e98503bc1c01c399feac68cc8b7faf6d0a4a ]
+
+The maximum bandwidth an interface can operate in is defined by the
+configured country. However, currently, it is able to operate in
+bandwidths greater than the allowed bandwidth. For example,
+the Central African Republic (CF) supports a maximum bandwidth of 40 MHz
+in both the 2 GHz and 5 GHz bands, but an interface is still able to
+operate in bandwidths higher than 40 MHz. This issue arises because the
+regulatory rules in the regd are not updated with these restrictions
+received from firmware on the maximum bandwidth.
+
+Hence, update the regulatory rules with unsupported bandwidth flags based
+on the maximum bandwidth to ensure compliance with country-specific
+regulations.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
+Signed-off-by: Amith A <quic_amitajit@quicinc.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250701135902.722851-1-quic_amitajit@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/reg.c | 31 ++++++++++++++++++++++++---
+ 1 file changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/reg.c b/drivers/net/wireless/ath/ath12k/reg.c
+index 0fc7f209956d..743552abf149 100644
+--- a/drivers/net/wireless/ath/ath12k/reg.c
++++ b/drivers/net/wireless/ath/ath12k/reg.c
+@@ -398,6 +398,29 @@ ath12k_map_fw_dfs_region(enum ath12k_dfs_region dfs_region)
+ }
+ }
+
++static u32 ath12k_get_bw_reg_flags(u16 max_bw)
++{
++ switch (max_bw) {
++ case 20:
++ return NL80211_RRF_NO_HT40 |
++ NL80211_RRF_NO_80MHZ |
++ NL80211_RRF_NO_160MHZ |
++ NL80211_RRF_NO_320MHZ;
++ case 40:
++ return NL80211_RRF_NO_80MHZ |
++ NL80211_RRF_NO_160MHZ |
++ NL80211_RRF_NO_320MHZ;
++ case 80:
++ return NL80211_RRF_NO_160MHZ |
++ NL80211_RRF_NO_320MHZ;
++ case 160:
++ return NL80211_RRF_NO_320MHZ;
++ case 320:
++ default:
++ return 0;
++ }
++}
++
+ static u32 ath12k_map_fw_reg_flags(u16 reg_flags)
+ {
+ u32 flags = 0;
+@@ -676,7 +699,7 @@ ath12k_reg_build_regd(struct ath12k_base *ab,
+ reg_rule = reg_info->reg_rules_2g_ptr + i;
+ max_bw = min_t(u16, reg_rule->max_bw,
+ reg_info->max_bw_2g);
+- flags = 0;
++ flags = ath12k_get_bw_reg_flags(reg_info->max_bw_2g);
+ ath12k_reg_update_freq_range(&ab->reg_freq_2ghz, reg_rule);
+ } else if (reg_info->num_5g_reg_rules &&
+ (j < reg_info->num_5g_reg_rules)) {
+@@ -690,13 +713,15 @@ ath12k_reg_build_regd(struct ath12k_base *ab,
+ * BW correction if required and applies flags as
+ * per other BW rule flags we pass from here
+ */
+- flags = NL80211_RRF_AUTO_BW;
++ flags = NL80211_RRF_AUTO_BW |
++ ath12k_get_bw_reg_flags(reg_info->max_bw_5g);
+ ath12k_reg_update_freq_range(&ab->reg_freq_5ghz, reg_rule);
+ } else if (reg_info->is_ext_reg_event && reg_6ghz_number &&
+ (k < reg_6ghz_number)) {
+ reg_rule = reg_rule_6ghz + k++;
+ max_bw = min_t(u16, reg_rule->max_bw, max_bw_6ghz);
+- flags = NL80211_RRF_AUTO_BW;
++ flags = NL80211_RRF_AUTO_BW |
++ ath12k_get_bw_reg_flags(max_bw_6ghz);
+ if (reg_rule->psd_flag)
+ flags |= NL80211_RRF_PSD;
+ ath12k_reg_update_freq_range(&ab->reg_freq_6ghz, reg_rule);
+--
+2.39.5
+
--- /dev/null
+From 2fb778b0677e4b55e970eacb00df008a5d17f2d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 09:24:20 +0530
+Subject: wifi: ath12k: Use HTT_TCL_METADATA_VER_V1 in FTM mode
+
+From: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
+
+[ Upstream commit 66b3ebc77d23d6574a965bdbfe41de8aeb7f384e ]
+
+Currently host sends HTT_TCL_METADATA_VER_V2 to the firmware
+regardless of the operating mode (Mission or FTM).
+
+Firmware expects additional software information (like peer ID, vdev
+ID, and link ID) in Tx packets when HTT_TCL_METADATA_VER_V2 is set.
+However, in FTM (Factory Test Mode) mode, no vdev is created on the
+host side (this is expected). As a result, the firmware fails to find
+the expected vdev during packet processing and ends up dropping
+packets.
+
+To fix this, send HTT_TCL_METADATA_VER_V1 in FTM mode because FTM
+mode doesn't support HTT_TCL_METADATA_VER_V2.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1
+
+Fixes: 5d964966bd3f ("wifi: ath12k: Update HTT_TCL_METADATA version and bit mask definitions")
+Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250711035420.1509029-1-aaradhana.sahu@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/dp.h | 1 +
+ drivers/net/wireless/ath/ath12k/dp_tx.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/dp.h b/drivers/net/wireless/ath/ath12k/dp.h
+index a353333f83b6..2f0718edabd2 100644
+--- a/drivers/net/wireless/ath/ath12k/dp.h
++++ b/drivers/net/wireless/ath/ath12k/dp.h
+@@ -469,6 +469,7 @@ enum htt_h2t_msg_type {
+ };
+
+ #define HTT_VER_REQ_INFO_MSG_ID GENMASK(7, 0)
++#define HTT_OPTION_TCL_METADATA_VER_V1 1
+ #define HTT_OPTION_TCL_METADATA_VER_V2 2
+ #define HTT_OPTION_TAG GENMASK(7, 0)
+ #define HTT_OPTION_LEN GENMASK(15, 8)
+diff --git a/drivers/net/wireless/ath/ath12k/dp_tx.c b/drivers/net/wireless/ath/ath12k/dp_tx.c
+index 075912eacfaa..7470731eb830 100644
+--- a/drivers/net/wireless/ath/ath12k/dp_tx.c
++++ b/drivers/net/wireless/ath/ath12k/dp_tx.c
+@@ -1182,6 +1182,7 @@ int ath12k_dp_tx_htt_h2t_ver_req_msg(struct ath12k_base *ab)
+ struct sk_buff *skb;
+ struct htt_ver_req_cmd *cmd;
+ int len = sizeof(*cmd);
++ u32 metadata_version;
+ int ret;
+
+ init_completion(&dp->htt_tgt_version_received);
+@@ -1194,12 +1195,14 @@ int ath12k_dp_tx_htt_h2t_ver_req_msg(struct ath12k_base *ab)
+ cmd = (struct htt_ver_req_cmd *)skb->data;
+ cmd->ver_reg_info = le32_encode_bits(HTT_H2T_MSG_TYPE_VERSION_REQ,
+ HTT_OPTION_TAG);
++ metadata_version = ath12k_ftm_mode ? HTT_OPTION_TCL_METADATA_VER_V1 :
++ HTT_OPTION_TCL_METADATA_VER_V2;
+
+ cmd->tcl_metadata_version = le32_encode_bits(HTT_TAG_TCL_METADATA_VERSION,
+ HTT_OPTION_TAG) |
+ le32_encode_bits(HTT_TCL_METADATA_VER_SZ,
+ HTT_OPTION_LEN) |
+- le32_encode_bits(HTT_OPTION_TCL_METADATA_VER_V2,
++ le32_encode_bits(metadata_version,
+ HTT_OPTION_VALUE);
+
+ ret = ath12k_htc_send(&ab->htc, dp->eid, skb);
+--
+2.39.5
+
--- /dev/null
+From c64a425aabf6d3b05916cadccc54cd0b98b91f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 11:18:14 -0700
+Subject: wifi: brcmfmac: cyw: Fix __counted_by to be LE variant
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 204bb852863bf14f343a0801b15bc2173bc318f9 ]
+
+In brcmf_cyw_mgmt_tx() the "len" counter of the struct
+brcmf_mf_params_le::data flexible array is stored as little-endian via
+cpu_to_le16() so the __counted_by_le() variant must be used:
+
+ struct brcmf_mf_params_le *mf_params;
+ ...
+ mf_params_len = offsetof(struct brcmf_mf_params_le, data) +
+ (len - DOT11_MGMT_HDR_LEN);
+ mf_params = kzalloc(mf_params_len, GFP_KERNEL);
+ ...
+ mf_params->len = cpu_to_le16(len - DOT11_MGMT_HDR_LEN);
+
+Fixes: 66f909308a7c ("wifi: brcmfmac: cyw: support external SAE authentication in station mode")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>>
+Link: https://patch.msgid.link/20250721181810.work.575-kees@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/cyw/fwil_types.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cyw/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cyw/fwil_types.h
+index 08c69142495a..669564382e32 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cyw/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cyw/fwil_types.h
+@@ -80,7 +80,7 @@ struct brcmf_mf_params_le {
+ u8 da[ETH_ALEN];
+ u8 bssid[ETH_ALEN];
+ __le32 packet_id;
+- u8 data[] __counted_by(len);
++ u8 data[] __counted_by_le(len);
+ };
+
+ #endif /* CYW_FWIL_TYPES_H_ */
+--
+2.39.5
+
--- /dev/null
+From a305b9eaad7c7e0200f81af702af28a8b88e9611 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 16:29:17 +0530
+Subject: wifi: brcmfmac: fix EXTSAE WPA3 connection failure due to AUTH TX
+ failure
+
+From: Ting-Ying Li <tingying.li@cypress.com>
+
+[ Upstream commit f2d7c3c380bf0c38c395d50de3a7c1a6275983cb ]
+
+For WPA3-SAE Connection in EXTSAE mode, the userspace daemon is allowed to
+generate the SAE Auth frames. The driver uses the "mgmt_frame" FW IOVAR to
+transmit this MGMT frame.
+
+Before sending the IOVAR, the Driver is incorrectly treating the channel
+number read from the FW as a frequency value and again attempts to convert
+this into a channel number using ieee80211_frequency_to_channel().
+
+This added an invalid channel number as part of the IOVAR request to the FW
+And some FW which strictly expects a valid channel would return BAD_CHAN
+error, while failing to transmit the driver requested SAE Auth MGMT frame.
+
+Fix this in the CYW vendor specific MGMT TX cfg80211 ops handler, by not
+treating the channel number read from the FW as frequency value and skip
+the attempt to convert it again into a channel number.
+
+Also fix this in the generic MGMT TX cfg80211 ops handler.
+
+Fixes: c2ff8cad6423 ("brcm80211: make mgmt_tx in brcmfmac accept a NULL channel")
+Fixes: 66f909308a7c ("wifi: brcmfmac: cyw: support external SAE authentication in station mode")
+Signed-off-by: Ting-Ying Li <tingying.li@cypress.com>
+Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>>
+Link: https://patch.msgid.link/20250723105918.5229-1-gokulkumar.sivakumar@infineon.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../broadcom/brcm80211/brcmfmac/cfg80211.c | 30 ++++++++++++-------
+ .../broadcom/brcm80211/brcmfmac/cyw/core.c | 26 +++++++++-------
+ 2 files changed, 35 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 086b9157292a..70e8ddd3851f 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5527,8 +5527,7 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ struct brcmf_fil_action_frame_le *action_frame;
+ struct brcmf_fil_af_params_le *af_params;
+ bool ack;
+- s32 chan_nr;
+- u32 freq;
++ __le32 hw_ch;
+
+ brcmf_dbg(TRACE, "Enter\n");
+
+@@ -5589,25 +5588,34 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ /* Add the channel. Use the one specified as parameter if any or
+ * the current one (got from the firmware) otherwise
+ */
+- if (chan)
+- freq = chan->center_freq;
+- else
+- brcmf_fil_cmd_int_get(vif->ifp, BRCMF_C_GET_CHANNEL,
+- &freq);
+- chan_nr = ieee80211_frequency_to_channel(freq);
+- af_params->channel = cpu_to_le32(chan_nr);
++ if (chan) {
++ hw_ch = cpu_to_le32(chan->hw_value);
++ } else {
++ err = brcmf_fil_cmd_data_get(vif->ifp,
++ BRCMF_C_GET_CHANNEL,
++ &hw_ch, sizeof(hw_ch));
++ if (err) {
++ bphy_err(drvr,
++ "unable to get current hw channel\n");
++ goto free;
++ }
++ }
++ af_params->channel = hw_ch;
++
+ af_params->dwell_time = cpu_to_le32(params->wait);
+ memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
+ le16_to_cpu(action_frame->len));
+
+- brcmf_dbg(TRACE, "Action frame, cookie=%lld, len=%d, freq=%d\n",
+- *cookie, le16_to_cpu(action_frame->len), freq);
++ brcmf_dbg(TRACE, "Action frame, cookie=%lld, len=%d, channel=%d\n",
++ *cookie, le16_to_cpu(action_frame->len),
++ le32_to_cpu(af_params->channel));
+
+ ack = brcmf_p2p_send_action_frame(cfg, cfg_to_ndev(cfg),
+ af_params);
+
+ cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, ack,
+ GFP_KERNEL);
++free:
+ kfree(af_params);
+ } else {
+ brcmf_dbg(TRACE, "Unhandled, fc=%04x!!\n", mgmt->frame_control);
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cyw/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cyw/core.c
+index c9537fb597ce..4f0ea4347840 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cyw/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cyw/core.c
+@@ -112,8 +112,7 @@ int brcmf_cyw_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ struct brcmf_cfg80211_vif *vif;
+ s32 err = 0;
+ bool ack = false;
+- s32 chan_nr;
+- u32 freq;
++ __le16 hw_ch;
+ struct brcmf_mf_params_le *mf_params;
+ u32 mf_params_len;
+ s32 ready;
+@@ -143,13 +142,18 @@ int brcmf_cyw_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ mf_params->len = cpu_to_le16(len - DOT11_MGMT_HDR_LEN);
+ mf_params->frame_control = mgmt->frame_control;
+
+- if (chan)
+- freq = chan->center_freq;
+- else
+- brcmf_fil_cmd_int_get(vif->ifp, BRCMF_C_GET_CHANNEL,
+- &freq);
+- chan_nr = ieee80211_frequency_to_channel(freq);
+- mf_params->channel = cpu_to_le16(chan_nr);
++ if (chan) {
++ hw_ch = cpu_to_le16(chan->hw_value);
++ } else {
++ err = brcmf_fil_cmd_data_get(vif->ifp, BRCMF_C_GET_CHANNEL,
++ &hw_ch, sizeof(hw_ch));
++ if (err) {
++ bphy_err(drvr, "unable to get current hw channel\n");
++ goto free;
++ }
++ }
++ mf_params->channel = hw_ch;
++
+ memcpy(&mf_params->da[0], &mgmt->da[0], ETH_ALEN);
+ memcpy(&mf_params->bssid[0], &mgmt->bssid[0], ETH_ALEN);
+ mf_params->packet_id = cpu_to_le32(*cookie);
+@@ -159,7 +163,8 @@ int brcmf_cyw_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ brcmf_dbg(TRACE, "Auth frame, cookie=%d, fc=%04x, len=%d, channel=%d\n",
+ le32_to_cpu(mf_params->packet_id),
+ le16_to_cpu(mf_params->frame_control),
+- le16_to_cpu(mf_params->len), chan_nr);
++ le16_to_cpu(mf_params->len),
++ le16_to_cpu(mf_params->channel));
+
+ vif->mgmt_tx_id = le32_to_cpu(mf_params->packet_id);
+ set_bit(BRCMF_MGMT_TX_SEND_FRAME, &vif->mgmt_tx_status);
+@@ -185,6 +190,7 @@ int brcmf_cyw_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ tx_status:
+ cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, ack,
+ GFP_KERNEL);
++free:
+ kfree(mf_params);
+ return err;
+ }
+--
+2.39.5
+
--- /dev/null
+From 6b979484b56d1381e85e2afcaafed003286e35f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 10:37:02 +0530
+Subject: wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing
+ P2P IE
+
+From: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+
+[ Upstream commit 579bf8037b70b644a674c126a32bbb2212cf5c21 ]
+
+After commit bd99a3013bdc ("brcmfmac: move configuration of probe request
+IEs"), the probe request MGMT IE addition operation brcmf_vif_set_mgmt_ie()
+got moved from the brcmf_p2p_scan_prep() to the brcmf_cfg80211_scan().
+
+Because of this, as part of the scan request handler for the P2P Discovery,
+vif struct used for adding the Probe Request P2P IE in firmware got changed
+from the P2PAPI_BSSCFG_DEVICE vif to P2PAPI_BSSCFG_PRIMARY vif incorrectly.
+So the firmware stopped adding P2P IE to the outgoing P2P Discovery probe
+requests frames and the other P2P peers were unable to discover this device
+causing a regression on the P2P feature.
+
+To fix this, while setting the P2P IE in firmware, properly use the vif of
+the P2P discovery wdev on which the driver received the P2P scan request.
+This is done by not changing the vif pointer, until brcmf_vif_set_mgmt_ie()
+is completed.
+
+Fixes: bd99a3013bdc ("brcmfmac: move configuration of probe request IEs")
+Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20250626050706.7271-1-gokulkumar.sivakumar@infineon.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index b94c3619526c..086b9157292a 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -1544,10 +1544,6 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request)
+ return -EAGAIN;
+ }
+
+- /* If scan req comes for p2p0, send it over primary I/F */
+- if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif)
+- vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif;
+-
+ brcmf_dbg(SCAN, "START ESCAN\n");
+
+ cfg->scan_request = request;
+@@ -1563,6 +1559,10 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request)
+ if (err)
+ goto scan_out;
+
++ /* If scan req comes for p2p0, send it over primary I/F */
++ if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif)
++ vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif;
++
+ err = brcmf_do_escan(vif->ifp, request);
+ if (err)
+ goto scan_out;
+--
+2.39.5
+
--- /dev/null
+From 9a87c961884fa47d5ec5178702ed6812293ac4d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 18:25:45 +0200
+Subject: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
+
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+
+[ Upstream commit 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 ]
+
+Callers of wdev_chandef() must hold the wiphy mutex.
+
+But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
+Which triggers the warning below with the mesh_peer_connected_dfs
+test from hostapd and not (yet) released mac80211 code changes:
+
+WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
+Modules linked in:
+CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
+Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
+Stack:
+ 00000000 00000001 ffffff00 6093267c
+ 00000000 6002ec30 6d577c50 60037608
+ 00000000 67e8d108 6063717b 00000000
+Call Trace:
+ [<6002ec30>] ? _printk+0x0/0x98
+ [<6003c2b3>] show_stack+0x10e/0x11a
+ [<6002ec30>] ? _printk+0x0/0x98
+ [<60037608>] dump_stack_lvl+0x71/0xb8
+ [<6063717b>] ? wdev_chandef+0x60/0x165
+ [<6003766d>] dump_stack+0x1e/0x20
+ [<6005d1b7>] __warn+0x101/0x20f
+ [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
+ [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
+ [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
+ [<600b11a2>] ? mark_held_locks+0x5a/0x6e
+ [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
+ [<60052e53>] ? unblock_signals+0x3a/0xe7
+ [<60052f2d>] ? um_set_signals+0x2d/0x43
+ [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
+ [<607508b2>] ? lock_is_held_type+0x207/0x21f
+ [<6063717b>] wdev_chandef+0x60/0x165
+ [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
+ [<60052f00>] ? um_set_signals+0x0/0x43
+ [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
+ [<6007e460>] process_scheduled_works+0x3bc/0x60e
+ [<6007d0ec>] ? move_linked_works+0x4d/0x81
+ [<6007d120>] ? assign_work+0x0/0xaa
+ [<6007f81f>] worker_thread+0x220/0x2dc
+ [<600786ef>] ? set_pf_worker+0x0/0x57
+ [<60087c96>] ? to_kthread+0x0/0x43
+ [<6008ab3c>] kthread+0x2d3/0x2e2
+ [<6007f5ff>] ? worker_thread+0x0/0x2dc
+ [<6006c05b>] ? calculate_sigpending+0x0/0x56
+ [<6003b37d>] new_thread_handler+0x4a/0x64
+irq event stamp: 614611
+hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
+hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
+softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
+softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
+
+Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC")
+Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
+Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index c1752b31734f..92e04370fa63 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -4229,6 +4229,8 @@ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
+ struct wireless_dev *wdev;
+ unsigned int link_id;
+
++ guard(wiphy)(&rdev->wiphy);
++
+ /* If we finished CAC or received radar, we should end any
+ * CAC running on the same channels.
+ * the check !cfg80211_chandef_dfs_usable contain 2 options:
+--
+2.39.5
+
--- /dev/null
+From 140eceb3db50fdd584e65df6aef61f4cfbc03c6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 13:08:42 -0500
+Subject: wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit cf80c02a9fdb6c5bc8508beb6a0f6a1294fc32f6 ]
+
+Preserve the error code if iwl_setup_deferred_work() fails. The current
+code returns ERR_PTR(0) (which is NULL) on this path. I believe the
+missing error code potentially leads to a use after free involving
+debugfs.
+
+Fixes: 90a0d9f33996 ("iwlwifi: Add missing check for alloc_ordered_workqueue")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/a7a1cd2c-ce01-461a-9afd-dbe535f8df01@sabinyo.mountain
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index e015b83bb6e9..2b4dbebc71c2 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1467,7 +1467,8 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ /********************
+ * 6. Setup services
+ ********************/
+- if (iwl_setup_deferred_work(priv))
++ err = iwl_setup_deferred_work(priv);
++ if (err)
+ goto out_uninit_drv;
+
+ iwl_setup_rx_handlers(priv);
+--
+2.39.5
+
--- /dev/null
+From d648c6445986d5bec4ab31f001c5dd374eb193cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 11:52:13 +0800
+Subject: wifi: iwlwifi: Fix memory leak in iwl_mvm_init()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit ed2e916c890944633d6826dce267579334f63ea5 ]
+
+When iwl_opmode_register() fails, it does not unregster rate control,
+which will cause a memory leak issue, this patch fixes it.
+
+Fixes: 9f66a397c877 ("iwlwifi: mvm: rs: add ops for the new rate scaling in the FW")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Link: https://patch.msgid.link/20221109035213.570-1-xiujianfeng@huawei.com
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index a2dc5c3b0596..1c05a3d8e424 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -61,8 +61,10 @@ static int __init iwl_mvm_init(void)
+ }
+
+ ret = iwl_opmode_register("iwlmvm", &iwl_mvm_ops);
+- if (ret)
++ if (ret) {
+ pr_err("Unable to register MVM op_mode: %d\n", ret);
++ iwl_mvm_rate_control_unregister();
++ }
+
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From ee6b26e33329476483893ee98abc6776d33b6de8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 09:45:11 +0300
+Subject: wifi: iwlwifi: mld: decode EOF bit for AMPDUs
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit bc404dfddbf6817cae9b170c34556dc72ea975e5 ]
+
+Only the EOF bit handling for single frames was ported to the MLD
+driver. The code to handle AMPDUs correctly was forgotten. Add it back
+so that the bit is reported in the radiotap headers again.
+
+Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Reviewed-by: Daniel Gabay <daniel.gabay@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250723094230.195be86372d5.I4db4abf348f7b6dfc75f869770dd77655a204bc7@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mld/rx.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mld/rx.c b/drivers/net/wireless/intel/iwlwifi/mld/rx.c
+index ce0093d5c638..185c1a0cb47f 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mld/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mld/rx.c
+@@ -1039,6 +1039,15 @@ static void iwl_mld_rx_eht(struct iwl_mld *mld, struct sk_buff *skb,
+ rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT;
+ }
+
++ /* update aggregation data for monitor sake on default queue */
++ if (!queue && (phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD) &&
++ (phy_info & IWL_RX_MPDU_PHY_AMPDU) && phy_data->first_subframe) {
++ rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT_KNOWN;
++ if (phy_data->data0 &
++ cpu_to_le32(IWL_RX_PHY_DATA0_EHT_DELIM_EOF))
++ rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT;
++ }
++
+ if (phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD)
+ iwl_mld_decode_eht_phy_data(mld, phy_data, rx_status, eht, usig);
+
+--
+2.39.5
+
--- /dev/null
+From fd97376f110696de50a953df97e5ec0a74fbf9a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 17:45:28 +0200
+Subject: wifi: mac80211: Check 802.11 encaps offloading in
+ ieee80211_tx_h_select_key()
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 4037c468d1b3c508d69e6df0ef47fdee3d440e39 ]
+
+With 802.11 encapsulation offloading, ieee80211_tx_h_select_key() is
+called on 802.3 frames. In that case do not try to use skb data as
+valid 802.11 headers.
+
+Reported-by: Bert Karwatzki <spasswolf@web.de>
+Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/1af4b5b903a5fca5ebe67333d5854f93b2be5abe.1752765971.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 04f4d574401f..73304a5cf6fc 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -612,6 +612,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
+ else
+ tx->key = NULL;
+
++ if (info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) {
++ if (tx->key && tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
++ info->control.hw_key = &tx->key->conf;
++ return TX_CONTINUE;
++ }
++
+ if (tx->key) {
+ bool skip_hw = false;
+
+--
+2.39.5
+
--- /dev/null
+From 8210aa3062a05cc49dc9f918a5e7661c5cf34dbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 18:25:46 +0200
+Subject: wifi: mac80211: Do not schedule stopped TXQs
+
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+
+[ Upstream commit 11e3e22fa533f5d7cf04e32343b05a27eda3c7a5 ]
+
+Ignore TXQs with the flag IEEE80211_TXQ_STOP when scheduling a queue.
+
+The flag is only set after all fragments have been dequeued and won't
+allow dequeueing other frames as long as the flag is set.
+
+For drivers using ieee80211_txq_schedule_start() this prevents an
+loop trying to push the queued frames while IEEE80211_TXQ_STOP is set:
+
+After setting IEEE80211_TXQ_STOP the driver will call
+ieee80211_return_txq(). Which calls __ieee80211_schedule_txq(), detects
+that there sill are frames in the queue and immediately restarts the
+stopped TXQ. Which can't dequeue any frame and thus starts over the loop.
+
+Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
+Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
+Link: https://patch.msgid.link/20250717162547.94582-2-Alexander@wetzel-home.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index d58b80813bdd..4a9b258300fe 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -4098,7 +4098,9 @@ void __ieee80211_schedule_txq(struct ieee80211_hw *hw,
+
+ spin_lock_bh(&local->active_txq_lock[txq->ac]);
+
+- has_queue = force || txq_has_queue(txq);
++ has_queue = force ||
++ (!test_bit(IEEE80211_TXQ_STOP, &txqi->flags) &&
++ txq_has_queue(txq));
+ if (list_empty(&txqi->schedule_order) &&
+ (has_queue || ieee80211_txq_keep_active(txqi))) {
+ /* If airtime accounting is active, always enqueue STAs at the
+--
+2.39.5
+
--- /dev/null
+From 8fd9e64fae1e46a73811f248df5ce72d2d318177 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 18:25:47 +0200
+Subject: wifi: mac80211: Don't call fq_flow_idx() for management frames
+
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+
+[ Upstream commit cb3bb3d88dfcd177a1050c0a009a3ee147b2e5b9 ]
+
+skb_get_hash() can only be used when the skb is linked to a netdev
+device.
+
+Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
+Fixes: 73bc9e0af594 ("mac80211: don't apply flow control on management frames")
+Link: https://patch.msgid.link/20250717162547.94582-3-Alexander@wetzel-home.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 4a9b258300fe..04f4d574401f 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1428,7 +1428,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local,
+ {
+ struct fq *fq = &local->fq;
+ struct fq_tin *tin = &txqi->tin;
+- u32 flow_idx = fq_flow_idx(fq, skb);
++ u32 flow_idx;
+
+ ieee80211_set_skb_enqueue_time(skb);
+
+@@ -1444,6 +1444,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local,
+ IEEE80211_TX_INTCFL_NEED_TXPROCESSING;
+ __skb_queue_tail(&txqi->frags, skb);
+ } else {
++ flow_idx = fq_flow_idx(fq, skb);
+ fq_tin_enqueue(fq, tin, flow_idx, skb,
+ fq_skb_free_func);
+ }
+--
+2.39.5
+
--- /dev/null
+From a0e24ae6d8ffab8a07f869dfa5fb27da6e95b59b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 09:39:40 +0530
+Subject: wifi: mac80211: Fix bssid_indicator for MBSSID in AP mode
+
+From: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+
+[ Upstream commit 2eb7c1baf46aea134e908cd6d37907d92f823251 ]
+
+Currently, in ieee80211_assign_beacon() mbssid count is updated as link's
+bssid_indicator. mbssid count is the total number of MBSSID elements in
+the beacon instead of Max BSSID indicator of the Multiple BSS set.
+This will result in drivers obtaining an invalid bssid_indicator for BSSes
+in a Multiple BSS set.
+Fix this by updating link's bssid_indicator from MBSSID element for
+Transmitting BSS and update the same for all of its Non-Transmitting BSSes.
+
+Fixes: dde78aa52015 ("mac80211: update bssid_indicator in ieee80211_assign_beacon")
+Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250530040940.3188537-1-rameshkumar.sundaram@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 954795b0fe48..bc64c1b83a6e 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -178,6 +178,7 @@ static int ieee80211_set_ap_mbssid_options(struct ieee80211_sub_if_data *sdata,
+
+ link_conf->nontransmitted = true;
+ link_conf->bssid_index = params->index;
++ link_conf->bssid_indicator = tx_bss_conf->bssid_indicator;
+ }
+ if (params->ema)
+ link_conf->ema_ap = true;
+@@ -1218,8 +1219,11 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+ ieee80211_copy_rnr_beacon(pos, new->rnr_ies, rnr);
+ }
+ /* update bssid_indicator */
+- link_conf->bssid_indicator =
+- ilog2(__roundup_pow_of_two(mbssid->cnt + 1));
++ if (new->mbssid_ies->cnt && new->mbssid_ies->elem[0].len > 2)
++ link_conf->bssid_indicator =
++ *(new->mbssid_ies->elem[0].data + 2);
++ else
++ link_conf->bssid_indicator = 0;
+ }
+
+ if (csa) {
+--
+2.39.5
+
--- /dev/null
+From be6e498218b213ae79ebe285f77c06dc7fb1357f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 09:14:19 +0200
+Subject: wifi: mac80211: fix WARN_ON for monitor mode on some devices
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit c57e5b9819dfd16d709bcd6cb633301ed0829a66 ]
+
+On devices without WANT_MONITOR_VIF (and probably without
+channel context support) we get a WARN_ON for changing the
+per-link setting of a monitor interface.
+
+Since we already skip AP_VLAN interfaces and MONITOR with
+WANT_MONITOR_VIF and/or NO_VIRTUAL_MONITOR should update
+the settings, catch this in the link change code instead
+of the warning.
+
+Reported-by: Martin Kaistra <martin.kaistra@linutronix.de>
+Link: https://lore.kernel.org/r/a9de62a0-28f1-4981-84df-253489da74ed@linutronix.de/
+Fixes: c4382d5ca1af ("wifi: mac80211: update the right link for tx power")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/main.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/main.c b/net/mac80211/main.c
+index 6b6de43d9420..1bad353d8a77 100644
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -407,9 +407,20 @@ void ieee80211_link_info_change_notify(struct ieee80211_sub_if_data *sdata,
+
+ WARN_ON_ONCE(changed & BSS_CHANGED_VIF_CFG_FLAGS);
+
+- if (!changed || sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
++ if (!changed)
+ return;
+
++ switch (sdata->vif.type) {
++ case NL80211_IFTYPE_AP_VLAN:
++ return;
++ case NL80211_IFTYPE_MONITOR:
++ if (!ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF))
++ return;
++ break;
++ default:
++ break;
++ }
++
+ if (!check_sdata_in_driver(sdata))
+ return;
+
+--
+2.39.5
+
--- /dev/null
+From 1ebafe3797ebc2eed55bff421e3c9a737e30db7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:09:05 -0700
+Subject: wifi: mac80211: reject TDLS operations when station is not associated
+
+From: Moon Hee Lee <moonhee.lee.ca@gmail.com>
+
+[ Upstream commit 16ecdab5446f15a61ec88eb0d23d25d009821db0 ]
+
+syzbot triggered a WARN in ieee80211_tdls_oper() by sending
+NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,
+before association completed and without prior TDLS setup.
+
+This left internal state like sdata->u.mgd.tdls_peer uninitialized,
+leading to a WARN_ON() in code paths that assumed it was valid.
+
+Reject the operation early if not in station mode or not associated.
+
+Reported-by: syzbot+f73f203f8c9b19037380@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f73f203f8c9b19037380
+Fixes: 81dd2b882241 ("mac80211: move TDLS data to mgd private part")
+Tested-by: syzbot+f73f203f8c9b19037380@syzkaller.appspotmail.com
+Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com>
+Link: https://patch.msgid.link/20250715230904.661092-2-moonhee.lee.ca@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tdls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index 94714f8ffd22..ba5fbacbeeda 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -1422,7 +1422,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
+ if (!(wiphy->flags & WIPHY_FLAG_SUPPORTS_TDLS))
+ return -EOPNOTSUPP;
+
+- if (sdata->vif.type != NL80211_IFTYPE_STATION)
++ if (sdata->vif.type != NL80211_IFTYPE_STATION || !sdata->vif.cfg.assoc)
+ return -EINVAL;
+
+ switch (oper) {
+--
+2.39.5
+
--- /dev/null
+From 066a01829253715eb9db59d0a75e28c39481fc0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 09:08:46 +0530
+Subject: wifi: mac80211: use RCU-safe iteration in ieee80211_csa_finish
+
+From: Maharaja Kennadyrajan <maharaja.kennadyrajan@oss.qualcomm.com>
+
+[ Upstream commit 9975aeebe2908cdd552ee59607754755459fad52 ]
+
+The ieee80211_csa_finish() function currently uses for_each_sdata_link()
+to iterate over links of sdata. However, this macro internally uses
+wiphy_dereference(), which expects the wiphy->mtx lock to be held.
+When ieee80211_csa_finish() is invoked under an RCU read-side critical
+section (e.g., under rcu_read_lock()), this leads to a warning from the
+RCU debugging framework.
+
+ WARNING: suspicious RCU usage
+ net/mac80211/cfg.c:3830 suspicious rcu_dereference_protected() usage!
+
+This warning is triggered because wiphy_dereference() is not safe to use
+without holding the wiphy mutex, and it is being used in an RCU context
+without the required locking.
+
+Fix this by introducing and using a new macro, for_each_sdata_link_rcu(),
+which performs RCU-safe iteration over sdata links using
+list_for_each_entry_rcu() and rcu_dereference(). This ensures that the
+link pointers are accessed safely under RCU and eliminates the warning.
+
+Fixes: f600832794c9 ("wifi: mac80211: restructure tx profile retrieval for MLO MBSSID")
+Signed-off-by: Maharaja Kennadyrajan <maharaja.kennadyrajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250711033846.40455-1-maharaja.kennadyrajan@oss.qualcomm.com
+[unindent like the non-RCU macro]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/ieee80211_i.h | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index bc64c1b83a6e..18ad7ab1bb8c 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -3760,7 +3760,7 @@ void ieee80211_csa_finish(struct ieee80211_vif *vif, unsigned int link_id)
+ */
+ struct ieee80211_link_data *iter;
+
+- for_each_sdata_link(local, iter) {
++ for_each_sdata_link_rcu(local, iter) {
+ if (iter->sdata == sdata ||
+ rcu_access_pointer(iter->conf->tx_bss_conf) != tx_bss_conf)
+ continue;
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 30809f0b35f7..f71d9eeb8abc 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1226,6 +1226,21 @@ struct ieee80211_sub_if_data *vif_to_sdata(struct ieee80211_vif *p)
+ if ((_link = wiphy_dereference((_local)->hw.wiphy, \
+ ___sdata->link[___link_id])))
+
++/*
++ * for_each_sdata_link_rcu() must be used under RCU read lock.
++ */
++#define for_each_sdata_link_rcu(_local, _link) \
++ /* outer loop just to define the variables ... */ \
++ for (struct ieee80211_sub_if_data *___sdata = NULL; \
++ !___sdata; \
++ ___sdata = (void *)~0 /* always stop */) \
++ list_for_each_entry_rcu(___sdata, &(_local)->interfaces, list) \
++ if (ieee80211_sdata_running(___sdata)) \
++ for (int ___link_id = 0; \
++ ___link_id < ARRAY_SIZE((___sdata)->link); \
++ ___link_id++) \
++ if ((_link = rcu_dereference((___sdata)->link[___link_id])))
++
+ #define for_each_link_data(sdata, __link) \
+ struct ieee80211_sub_if_data *__sdata = sdata; \
+ for (int __link_id = 0; \
+--
+2.39.5
+
--- /dev/null
+From 40cfd540a33999218d8a77066b68f316b48a85dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 11:25:22 -0700
+Subject: wifi: mac80211: Write cnt before copying in
+ ieee80211_copy_rnr_beacon()
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit a37192c432adaec9e8ef29e4ddb319ea2f443aa6 ]
+
+While I caught the need for setting cnt early in nl80211_parse_rnr_elems()
+in the original annotation of struct cfg80211_rnr_elems with __counted_by,
+I missed a similar pattern in ieee80211_copy_rnr_beacon(). Fix this by
+moving the cnt assignment to before the loop.
+
+Fixes: 7b6d7087031b ("wifi: cfg80211: Annotate struct cfg80211_rnr_elems with __counted_by")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://patch.msgid.link/20250721182521.work.540-kees@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 18ad7ab1bb8c..7b17591a8610 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1122,13 +1122,13 @@ ieee80211_copy_rnr_beacon(u8 *pos, struct cfg80211_rnr_elems *dst,
+ {
+ int i, offset = 0;
+
++ dst->cnt = src->cnt;
+ for (i = 0; i < src->cnt; i++) {
+ memcpy(pos + offset, src->elem[i].data, src->elem[i].len);
+ dst->elem[i].len = src->elem[i].len;
+ dst->elem[i].data = pos + offset;
+ offset += dst->elem[i].len;
+ }
+- dst->cnt = src->cnt;
+
+ return offset;
+ }
+--
+2.39.5
+
--- /dev/null
+From 0764267577b876ea5b8b2112457624bb2e93fdbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 08:55:38 +0300
+Subject: wifi: mt76: mt7925: fix off by one in mt7925_mcu_hw_scan()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit b3a431fe2e399b2e0cc5f43f7e9d63d63d3710ee ]
+
+The ssid->ssids[] and sreq->ssids[] arrays have MT7925_RNR_SCAN_MAX_BSSIDS
+elements so this >= needs to be > to prevent an out of bounds access.
+
+Fixes: 8284815ca161 ("wifi: mt76: mt7925: add RNR scan support for 6GHz")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/aDVT2tPhG_8T0Qla@stanley.mountain
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+index 8ac6fbb736ab..300c863f0e3e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+@@ -2916,7 +2916,7 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif,
+ for (i = 0; i < sreq->n_ssids; i++) {
+ if (!sreq->ssids[i].ssid_len)
+ continue;
+- if (i > MT7925_RNR_SCAN_MAX_BSSIDS)
++ if (i >= MT7925_RNR_SCAN_MAX_BSSIDS)
+ break;
+
+ ssid->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len);
+@@ -2933,7 +2933,7 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif,
+ mt76_connac_mcu_build_rnr_scan_param(mdev, sreq);
+
+ for (j = 0; j < mdev->rnr.bssid_num; j++) {
+- if (j > MT7925_RNR_SCAN_MAX_BSSIDS)
++ if (j >= MT7925_RNR_SCAN_MAX_BSSIDS)
+ break;
+
+ tlv = mt76_connac_mcu_add_tlv(skb, UNI_SCAN_BSSID,
+--
+2.39.5
+
--- /dev/null
+From b2a3cbbc5d8da8e2a071971b36add97f1d0b4374 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 15:08:10 +0200
+Subject: wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 64cbf0d7ce9afe20666da90ec6ecaec6ba5ac64b ]
+
+Fis possible Out-Of-Boundary access in mt7996_tx routine if link_id is
+set to IEEE80211_LINK_UNSPECIFIED
+
+Fixes: 3ce8acb86b661 ("wifi: mt76: mt7996: Update mt7996_tx to MLO support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20250704-mt7996-mlo-fixes-v1-6-356456c73f43@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7996/main.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+index 07dd75ce94a5..44b4e48e499d 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+@@ -1216,10 +1216,17 @@ static void mt7996_tx(struct ieee80211_hw *hw,
+
+ if (vif) {
+ struct mt7996_vif *mvif = (void *)vif->drv_priv;
+- struct mt76_vif_link *mlink;
++ struct mt76_vif_link *mlink = &mvif->deflink.mt76;
+
+- mlink = rcu_dereference(mvif->mt76.link[link_id]);
+- if (mlink && mlink->wcid)
++ if (link_id < IEEE80211_LINK_UNSPECIFIED)
++ mlink = rcu_dereference(mvif->mt76.link[link_id]);
++
++ if (!mlink) {
++ ieee80211_free_txskb(hw, skb);
++ goto unlock;
++ }
++
++ if (mlink->wcid)
+ wcid = mlink->wcid;
+
+ if (mvif->mt76.roc_phy &&
+@@ -1228,7 +1235,7 @@ static void mt7996_tx(struct ieee80211_hw *hw,
+ if (mphy->roc_link)
+ wcid = mphy->roc_link->wcid;
+ } else {
+- mphy = mt76_vif_link_phy(&mvif->deflink.mt76);
++ mphy = mt76_vif_link_phy(mlink);
+ }
+ }
+
+@@ -1237,7 +1244,7 @@ static void mt7996_tx(struct ieee80211_hw *hw,
+ goto unlock;
+ }
+
+- if (control->sta) {
++ if (control->sta && link_id < IEEE80211_LINK_UNSPECIFIED) {
+ struct mt7996_sta *msta = (void *)control->sta->drv_priv;
+ struct mt7996_sta_link *msta_link;
+
+--
+2.39.5
+
--- /dev/null
+From c68fb1425c4330b65fe83145196805ede3748a8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 15:08:06 +0200
+Subject: wifi: mt76: mt7996: Fix secondary link lookup in
+ mt7996_mcu_sta_mld_setup_tlv()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit e8d7eef07199887161cd6f3c062406628781f8b6 ]
+
+Use proper link_id value for secondary link lookup in
+mt7996_mcu_sta_mld_setup_tlv routine.
+
+Fixes: 00cef41d9d8f5 ("wifi: mt76: mt7996: Add mt7996_mcu_sta_mld_setup_tlv() and mt7996_mcu_sta_eht_mld_tlv()")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20250704-mt7996-mlo-fixes-v1-2-356456c73f43@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index 994526c65bfc..dd4b7b8c34ea 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -2326,8 +2326,7 @@ mt7996_mcu_sta_mld_setup_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
+
+ if (nlinks > 1) {
+ link_id = __ffs(links & ~BIT(msta->deflink_id));
+- msta_link = mt76_dereference(msta->link[msta->deflink_id],
+- &dev->mt76);
++ msta_link = mt76_dereference(msta->link[link_id], &dev->mt76);
+ if (!msta_link)
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From 81507fc025745a8dffbcc2f03ce9a43e2ccb1a84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 15:08:11 +0200
+Subject: wifi: mt76: mt7996: Fix valid_links bitmask in
+ mt7996_mac_sta_{add,remove}
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit a59650a2270190905fdab79431140371feb35251 ]
+
+sta->valid_links bitmask can be set even for non-MLO client.
+
+Fixes: dd82a9e02c054 ("wifi: mt76: mt7996: Rely on mt7996_sta_link in sta_add/sta_remove callbacks")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20250704-mt7996-mlo-fixes-v1-7-356456c73f43@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+index 44b4e48e499d..f41b2c98bc45 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+@@ -1061,7 +1061,7 @@ mt7996_mac_sta_add(struct mt76_phy *mphy, struct ieee80211_vif *vif,
+ struct mt7996_dev *dev = container_of(mdev, struct mt7996_dev, mt76);
+ struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv;
+ struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
+- unsigned long links = sta->mlo ? sta->valid_links : BIT(0);
++ unsigned long links = sta->valid_links ? sta->valid_links : BIT(0);
+ int err;
+
+ mutex_lock(&mdev->mutex);
+@@ -1155,7 +1155,7 @@ mt7996_mac_sta_remove(struct mt76_phy *mphy, struct ieee80211_vif *vif,
+ {
+ struct mt76_dev *mdev = mphy->dev;
+ struct mt7996_dev *dev = container_of(mdev, struct mt7996_dev, mt76);
+- unsigned long links = sta->mlo ? sta->valid_links : BIT(0);
++ unsigned long links = sta->valid_links ? sta->valid_links : BIT(0);
+
+ mutex_lock(&mdev->mutex);
+
+--
+2.39.5
+
--- /dev/null
+From 94a053218018c54773b489bb7263072ebf375889 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 11:31:29 -0700
+Subject: wifi: nl80211: Set num_sub_specs before looping through sub_specs
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 2ed9a9fc9976262109d04f1a3c75c46de8ce4f22 ]
+
+The processing of the struct cfg80211_sar_specs::sub_specs flexible
+array requires its counter, num_sub_specs, to be assigned before the
+loop in nl80211_set_sar_specs(). Leave the final assignment after the
+loop in place in case fewer ended up in the array.
+
+Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://patch.msgid.link/20250721183125.work.183-kees@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 50202d170f3a..bcdccd7dea06 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -16932,6 +16932,7 @@ static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
+ if (!sar_spec)
+ return -ENOMEM;
+
++ sar_spec->num_sub_specs = specs;
+ sar_spec->type = type;
+ specs = 0;
+ nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
+--
+2.39.5
+
--- /dev/null
+From 56be322a09904611bae6ba6b3e7b60683cd76dff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Mar 2025 21:52:26 +0300
+Subject: wifi: plfxlc: Fix error handling in usb driver probe
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit 3fe79a25c3cd54d25d30bc235c0c57f8a123d9d5 ]
+
+If probe fails before ieee80211_register_hw() is successfully done,
+ieee80211_unregister_hw() will be called anyway. This may lead to various
+bugs as the implementation of ieee80211_unregister_hw() assumes that
+ieee80211_register_hw() has been called.
+
+Divide error handling section into relevant subsections, so that
+ieee80211_unregister_hw() is called only when it is appropriate. Correct
+the order of the calls: ieee80211_unregister_hw() should go before
+plfxlc_mac_release(). Also move ieee80211_free_hw() to plfxlc_mac_release()
+as it supposed to be the opposite to plfxlc_mac_alloc_hw() that calls
+ieee80211_alloc_hw().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 68d57a07bfe5 ("wireless: add plfxlc driver for pureLiFi X, XL, XC devices")
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Link: https://patch.msgid.link/20250321185226.71-3-m.masimov@mt-integration.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/purelifi/plfxlc/mac.c | 11 ++++----
+ drivers/net/wireless/purelifi/plfxlc/mac.h | 2 +-
+ drivers/net/wireless/purelifi/plfxlc/usb.c | 29 +++++++++++-----------
+ 3 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/wireless/purelifi/plfxlc/mac.c b/drivers/net/wireless/purelifi/plfxlc/mac.c
+index 82d1bf7edba2..a7f5d287e369 100644
+--- a/drivers/net/wireless/purelifi/plfxlc/mac.c
++++ b/drivers/net/wireless/purelifi/plfxlc/mac.c
+@@ -99,11 +99,6 @@ int plfxlc_mac_init_hw(struct ieee80211_hw *hw)
+ return r;
+ }
+
+-void plfxlc_mac_release(struct plfxlc_mac *mac)
+-{
+- plfxlc_chip_release(&mac->chip);
+-}
+-
+ int plfxlc_op_start(struct ieee80211_hw *hw)
+ {
+ plfxlc_hw_mac(hw)->chip.usb.initialized = 1;
+@@ -755,3 +750,9 @@ struct ieee80211_hw *plfxlc_mac_alloc_hw(struct usb_interface *intf)
+ SET_IEEE80211_DEV(hw, &intf->dev);
+ return hw;
+ }
++
++void plfxlc_mac_release_hw(struct ieee80211_hw *hw)
++{
++ plfxlc_chip_release(&plfxlc_hw_mac(hw)->chip);
++ ieee80211_free_hw(hw);
++}
+diff --git a/drivers/net/wireless/purelifi/plfxlc/mac.h b/drivers/net/wireless/purelifi/plfxlc/mac.h
+index 9384acddcf26..56da502999c1 100644
+--- a/drivers/net/wireless/purelifi/plfxlc/mac.h
++++ b/drivers/net/wireless/purelifi/plfxlc/mac.h
+@@ -168,7 +168,7 @@ static inline u8 *plfxlc_mac_get_perm_addr(struct plfxlc_mac *mac)
+ }
+
+ struct ieee80211_hw *plfxlc_mac_alloc_hw(struct usb_interface *intf);
+-void plfxlc_mac_release(struct plfxlc_mac *mac);
++void plfxlc_mac_release_hw(struct ieee80211_hw *hw);
+
+ int plfxlc_mac_preinit_hw(struct ieee80211_hw *hw, const u8 *hw_address);
+ int plfxlc_mac_init_hw(struct ieee80211_hw *hw);
+diff --git a/drivers/net/wireless/purelifi/plfxlc/usb.c b/drivers/net/wireless/purelifi/plfxlc/usb.c
+index d8b0b79dea1a..711902a809db 100644
+--- a/drivers/net/wireless/purelifi/plfxlc/usb.c
++++ b/drivers/net/wireless/purelifi/plfxlc/usb.c
+@@ -604,7 +604,7 @@ static int probe(struct usb_interface *intf,
+ r = plfxlc_upload_mac_and_serial(intf, hw_address, serial_number);
+ if (r) {
+ dev_err(&intf->dev, "MAC and Serial upload failed (%d)\n", r);
+- goto error;
++ goto error_free_hw;
+ }
+
+ chip->unit_type = STA;
+@@ -613,13 +613,13 @@ static int probe(struct usb_interface *intf,
+ r = plfxlc_mac_preinit_hw(hw, hw_address);
+ if (r) {
+ dev_err(&intf->dev, "Init mac failed (%d)\n", r);
+- goto error;
++ goto error_free_hw;
+ }
+
+ r = ieee80211_register_hw(hw);
+ if (r) {
+ dev_err(&intf->dev, "Register device failed (%d)\n", r);
+- goto error;
++ goto error_free_hw;
+ }
+
+ if ((le16_to_cpu(interface_to_usbdev(intf)->descriptor.idVendor) ==
+@@ -632,7 +632,7 @@ static int probe(struct usb_interface *intf,
+ }
+ if (r != 0) {
+ dev_err(&intf->dev, "FPGA download failed (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ tx->mac_fifo_full = 0;
+@@ -642,21 +642,21 @@ static int probe(struct usb_interface *intf,
+ r = plfxlc_usb_init_hw(usb);
+ if (r < 0) {
+ dev_err(&intf->dev, "usb_init_hw failed (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ msleep(PLF_MSLEEP_TIME);
+ r = plfxlc_chip_switch_radio(chip, PLFXLC_RADIO_ON);
+ if (r < 0) {
+ dev_dbg(&intf->dev, "chip_switch_radio_on failed (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ msleep(PLF_MSLEEP_TIME);
+ r = plfxlc_chip_set_rate(chip, 8);
+ if (r < 0) {
+ dev_dbg(&intf->dev, "chip_set_rate failed (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ msleep(PLF_MSLEEP_TIME);
+@@ -664,7 +664,7 @@ static int probe(struct usb_interface *intf,
+ hw_address, ETH_ALEN, USB_REQ_MAC_WR);
+ if (r < 0) {
+ dev_dbg(&intf->dev, "MAC_WR failure (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ plfxlc_chip_enable_rxtx(chip);
+@@ -691,12 +691,12 @@ static int probe(struct usb_interface *intf,
+ plfxlc_mac_init_hw(hw);
+ usb->initialized = true;
+ return 0;
++
++error_unreg_hw:
++ ieee80211_unregister_hw(hw);
++error_free_hw:
++ plfxlc_mac_release_hw(hw);
+ error:
+- if (hw) {
+- plfxlc_mac_release(plfxlc_hw_mac(hw));
+- ieee80211_unregister_hw(hw);
+- ieee80211_free_hw(hw);
+- }
+ dev_err(&intf->dev, "pureLifi:Device error");
+ return r;
+ }
+@@ -730,8 +730,7 @@ static void disconnect(struct usb_interface *intf)
+ */
+ usb_reset_device(interface_to_usbdev(intf));
+
+- plfxlc_mac_release(mac);
+- ieee80211_free_hw(hw);
++ plfxlc_mac_release_hw(hw);
+ }
+
+ static void plfxlc_usb_resume(struct plfxlc_usb *usb)
+--
+2.39.5
+
--- /dev/null
+From ce7b56ba06633af049f02130be91010c4255281c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 16:56:34 +0300
+Subject: wifi: rtl818x: Kill URBs before clearing tx status queue
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+[ Upstream commit 16d8fd74dbfca0ea58645cd2fca13be10cae3cdd ]
+
+In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing
+b_tx_status.queue. This change prevents callbacks from using already freed
+skb due to anchor was not killed before freeing such skb.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000080
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
+ RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]
+ Call Trace:
+ <IRQ>
+ rtl8187_tx_cb+0x116/0x150 [rtl8187]
+ __usb_hcd_giveback_urb+0x9d/0x120
+ usb_giveback_urb_bh+0xbb/0x140
+ process_one_work+0x19b/0x3c0
+ bh_worker+0x1a7/0x210
+ tasklet_action+0x10/0x30
+ handle_softirqs+0xf0/0x340
+ __irq_exit_rcu+0xcd/0xf0
+ common_interrupt+0x85/0xa0
+ </IRQ>
+
+Tested on RTL8187BvE device.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: c1db52b9d27e ("rtl8187: Use usb anchor facilities to manage urbs")
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250617135634.21760-1-d.dulov@aladdin.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+index 220ac5bdf279..8a57d6c72335 100644
+--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+@@ -1041,10 +1041,11 @@ static void rtl8187_stop(struct ieee80211_hw *dev, bool suspend)
+ rtl818x_iowrite8(priv, &priv->map->CONFIG4, reg | RTL818X_CONFIG4_VCOOFF);
+ rtl818x_iowrite8(priv, &priv->map->EEPROM_CMD, RTL818X_EEPROM_CMD_NORMAL);
+
++ usb_kill_anchored_urbs(&priv->anchored);
++
+ while ((skb = skb_dequeue(&priv->b_tx_status.queue)))
+ dev_kfree_skb_any(skb);
+
+- usb_kill_anchored_urbs(&priv->anchored);
+ mutex_unlock(&priv->conf_mutex);
+
+ if (!priv->is_rtl8187b)
+--
+2.39.5
+
--- /dev/null
+From b7fe190555922556bf990685de49a4619f671d94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 14:15:22 +0200
+Subject: wifi: rtl8xxxu: Fix RX skb size for aggregation disabled
+
+From: Martin Kaistra <martin.kaistra@linutronix.de>
+
+[ Upstream commit d76a1abcf57734d2bcd4a7ec051617edd4513d7f ]
+
+Commit 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for
+phystats") increased the skb size when aggregation is enabled but decreased
+it for the aggregation disabled case.
+
+As a result, if a frame near the maximum size is received,
+rtl8xxxu_rx_complete() is called with status -EOVERFLOW and then the
+driver starts to malfunction and no further communication is possible.
+
+Restore the skb size in the aggregation disabled case.
+
+Fixes: 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for phystats")
+Signed-off-by: Martin Kaistra <martin.kaistra@linutronix.de>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250709121522.1992366-1-martin.kaistra@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/core.c b/drivers/net/wireless/realtek/rtl8xxxu/core.c
+index 569856ca677f..c6f69d87c38d 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c
+@@ -6617,7 +6617,7 @@ static int rtl8xxxu_submit_rx_urb(struct rtl8xxxu_priv *priv,
+ skb_size = fops->rx_agg_buf_size;
+ skb_size += (rx_desc_sz + sizeof(struct rtl8723au_phy_stats));
+ } else {
+- skb_size = IEEE80211_MAX_FRAME_LEN;
++ skb_size = IEEE80211_MAX_FRAME_LEN + rx_desc_sz;
+ }
+
+ skb = __netdev_alloc_skb(NULL, skb_size, GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From d3fe6a4f703a4e9527226144a308d055cac9ba7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jul 2025 22:27:32 +0300
+Subject: wifi: rtw88: Fix macid assigned to TDLS station
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit 526b000991b557c40ea53e64ba24bb9e0fff0071 ]
+
+When working in station mode, TDLS peers are assigned macid 0, even
+though 0 was already assigned to the AP. This causes the connection
+with the AP to stop working after the TDLS connection is torn down.
+
+Assign the next available macid to TDLS peers, same as client stations
+in AP mode.
+
+Fixes: 902cb7b11f9a ("wifi: rtw88: assign mac_id for vif/sta and update to TX desc")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/58648c09-8553-4bcc-a977-9dc9afd63780@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
+index c4de5d114eda..8be6e70d92d1 100644
+--- a/drivers/net/wireless/realtek/rtw88/main.c
++++ b/drivers/net/wireless/realtek/rtw88/main.c
+@@ -349,7 +349,7 @@ int rtw_sta_add(struct rtw_dev *rtwdev, struct ieee80211_sta *sta,
+ struct rtw_vif *rtwvif = (struct rtw_vif *)vif->drv_priv;
+ int i;
+
+- if (vif->type == NL80211_IFTYPE_STATION) {
++ if (vif->type == NL80211_IFTYPE_STATION && !sta->tdls) {
+ si->mac_id = rtwvif->mac_id;
+ } else {
+ si->mac_id = rtw_acquire_macid(rtwdev);
+@@ -386,7 +386,7 @@ void rtw_sta_remove(struct rtw_dev *rtwdev, struct ieee80211_sta *sta,
+
+ cancel_work_sync(&si->rc_work);
+
+- if (vif->type != NL80211_IFTYPE_STATION)
++ if (vif->type != NL80211_IFTYPE_STATION || sta->tdls)
+ rtw_release_macid(rtwdev, si->mac_id);
+ if (fw_exist)
+ rtw_fw_media_status_report(rtwdev, si->mac_id, false);
+--
+2.39.5
+
--- /dev/null
+From 7294928f7abcd55d591f273c036524694f42ce0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 20:46:47 +0800
+Subject: wifi: rtw89: avoid NULL dereference when RX problematic packet on
+ unsupported 6 GHz band
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit 7e04f01bb94fe61c73cc59f0495c3b6c16a83231 ]
+
+With a quite rare chance, RX report might be problematic to make SW think
+a packet is received on 6 GHz band even if the chip does not support 6 GHz
+band actually. Since SW won't initialize stuffs for unsupported bands, NULL
+dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() ->
+rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it.
+
+The following is a crash log for this case.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000032
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4)
+ Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024
+ RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core]
+ Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11
+ 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45
+ 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85
+ RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246
+ RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011
+ RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6
+ RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000
+ R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4
+ R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000
+ FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0
+ PKRU: 55555554
+ Call Trace:
+ <IRQ>
+ ? __die_body+0x68/0xb0
+ ? page_fault_oops+0x379/0x3e0
+ ? exc_page_fault+0x4f/0xa0
+ ? asm_exc_page_fault+0x22/0x30
+ ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]
+ ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)]
+ __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)]
+ ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]
+ ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]
+ ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)]
+ rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)]
+ rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)]
+
+Fixes: c6aa9a9c4725 ("wifi: rtw89: add RNR support for 6 GHz scan")
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250618124649.11436-5-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
+index 3604a8e15df0..c886dd2a73b4 100644
+--- a/drivers/net/wireless/realtek/rtw89/core.c
++++ b/drivers/net/wireless/realtek/rtw89/core.c
+@@ -2158,6 +2158,11 @@ static void rtw89_core_cancel_6ghz_probe_tx(struct rtw89_dev *rtwdev,
+ if (rx_status->band != NL80211_BAND_6GHZ)
+ return;
+
++ if (unlikely(!(rtwdev->chip->support_bands & BIT(NL80211_BAND_6GHZ)))) {
++ rtw89_debug(rtwdev, RTW89_DBG_UNEXP, "invalid rx on unsupported 6 GHz\n");
++ return;
++ }
++
+ ssid_ie = cfg80211_find_ie(WLAN_EID_SSID, ies, skb->len);
+
+ list_for_each_entry(info, &pkt_list[NL80211_BAND_6GHZ], list) {
+--
+2.39.5
+
--- /dev/null
+From ff46a24c9d431065feba90466b2701ae77a24eb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 19:42:07 +0800
+Subject: wifi: rtw89: fix EHT 20MHz TX rate for non-AP STA
+
+From: Kuan-Chung Chen <damon.chen@realtek.com>
+
+[ Upstream commit fe30a8ae853bade282fce63e740b5f34bdc55f6e ]
+
+The 4-octet EHT MCS/NSS subfield is only used for 20 MHz-only
+non-AP STA. Correct the interpretation of this subfield to
+prevent improper rate limitations.
+
+Fixes: f1dfcee2eae9 ("wifi: rtw89: Correct EHT TX rate on 20MHz connection")
+Signed-off-by: Kuan-Chung Chen <damon.chen@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250605114207.12381-6-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/phy.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c
+index 76a2e26d4a10..e45e5dd5ca0a 100644
+--- a/drivers/net/wireless/realtek/rtw89/phy.c
++++ b/drivers/net/wireless/realtek/rtw89/phy.c
+@@ -119,10 +119,12 @@ static u64 get_eht_mcs_ra_mask(u8 *max_nss, u8 start_mcs, u8 n_nss)
+ return mask;
+ }
+
+-static u64 get_eht_ra_mask(struct ieee80211_link_sta *link_sta)
++static u64 get_eht_ra_mask(struct rtw89_vif_link *rtwvif_link,
++ struct ieee80211_link_sta *link_sta)
+ {
+- struct ieee80211_sta_eht_cap *eht_cap = &link_sta->eht_cap;
++ struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link);
+ struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs_nss_20mhz;
++ struct ieee80211_sta_eht_cap *eht_cap = &link_sta->eht_cap;
+ struct ieee80211_eht_mcs_nss_supp_bw *mcs_nss;
+ u8 *he_phy_cap = link_sta->he_cap.he_cap_elem.phy_cap_info;
+
+@@ -136,8 +138,8 @@ static u64 get_eht_ra_mask(struct ieee80211_link_sta *link_sta)
+ /* MCS 9, 11, 13 */
+ return get_eht_mcs_ra_mask(mcs_nss->rx_tx_max_nss, 9, 3);
+ case IEEE80211_STA_RX_BW_20:
+- if (!(he_phy_cap[0] &
+- IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK_ALL)) {
++ if (vif->type == NL80211_IFTYPE_AP &&
++ !(he_phy_cap[0] & IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK_ALL)) {
+ mcs_nss_20mhz = &eht_cap->eht_mcs_nss_supp.only_20mhz;
+ /* MCS 7, 9, 11, 13 */
+ return get_eht_mcs_ra_mask(mcs_nss_20mhz->rx_tx_max_nss, 7, 4);
+@@ -332,7 +334,7 @@ static void rtw89_phy_ra_sta_update(struct rtw89_dev *rtwdev,
+ /* Set the ra mask from sta's capability */
+ if (link_sta->eht_cap.has_eht) {
+ mode |= RTW89_RA_MODE_EHT;
+- ra_mask |= get_eht_ra_mask(link_sta);
++ ra_mask |= get_eht_ra_mask(rtwvif_link, link_sta);
+
+ if (rtwdev->hal.no_mcs_12_13)
+ high_rate_masks = rtw89_ra_mask_eht_mcs0_11;
+--
+2.39.5
+
--- /dev/null
+From 7bbef6fea106bfe2e807b380d963ff1898b119b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 11:11:02 +0300
+Subject: wifi: rtw89: mcc: prevent shift wrapping in rtw89_core_mlsr_switch()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 53cf488927a0f79968f9c03c4d1e00d2a79731c3 ]
+
+The "link_id" value comes from the user via debugfs. If it's larger
+than BITS_PER_LONG then that would result in shift wrapping and
+potentially an out of bounds access later. In fact, we can limit it
+to IEEE80211_MLD_MAX_NUM_LINKS (15).
+
+Fortunately, only root can write to debugfs files so the security
+impact is minimal.
+
+Fixes: 9dd85e739ce0 ("wifi: rtw89: debug: add mlo_mode dbgfs")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/aDbFFkX09K7FrL9h@stanley.mountain
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
+index 49447668cbf3..3604a8e15df0 100644
+--- a/drivers/net/wireless/realtek/rtw89/core.c
++++ b/drivers/net/wireless/realtek/rtw89/core.c
+@@ -5239,7 +5239,8 @@ int rtw89_core_mlsr_switch(struct rtw89_dev *rtwdev, struct rtw89_vif *rtwvif,
+ if (unlikely(!ieee80211_vif_is_mld(vif)))
+ return -EOPNOTSUPP;
+
+- if (unlikely(!(usable_links & BIT(link_id)))) {
++ if (unlikely(link_id >= IEEE80211_MLD_MAX_NUM_LINKS ||
++ !(usable_links & BIT(link_id)))) {
+ rtw89_warn(rtwdev, "%s: link id %u is not usable\n", __func__,
+ link_id);
+ return -ENOLINK;
+--
+2.39.5
+
--- /dev/null
+From 1f7971a3dc5e3d0f5850fbe503407f0c2a635f44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 19:13:33 +0300
+Subject: wifi: rtw89: sar: do not assert wiphy lock held until probing is done
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit dad7aafa5216e307b357b801668451a3b8945810 ]
+
+rtw89_sar_set_src() may be called at driver early init phase when
+applying SAR configuration via ACPI. wiphy lock is not held there.
+
+Since the assertion was initially added for rtw89_apply_sar_common() call
+path and may be helpful for other places in future changes, keep it but
+move it under RTW89_FLAG_PROBE_DONE test.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: 88ca3107d2ce ("wifi: rtw89: sar: add skeleton for SAR configuration via ACPI")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250604161339.119954-2-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/sar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/sar.c b/drivers/net/wireless/realtek/rtw89/sar.c
+index 33a4b5c23fe7..7f568ffb3766 100644
+--- a/drivers/net/wireless/realtek/rtw89/sar.c
++++ b/drivers/net/wireless/realtek/rtw89/sar.c
+@@ -199,7 +199,8 @@ struct rtw89_sar_handler rtw89_sar_handlers[RTW89_SAR_SOURCE_NR] = {
+ typeof(_dev) _d = (_dev); \
+ BUILD_BUG_ON(!rtw89_sar_handlers[_s].descr_sar_source); \
+ BUILD_BUG_ON(!rtw89_sar_handlers[_s].query_sar_config); \
+- lockdep_assert_wiphy(_d->hw->wiphy); \
++ if (test_bit(RTW89_FLAG_PROBE_DONE, _d->flags)) \
++ lockdep_assert_wiphy(_d->hw->wiphy); \
+ _d->sar._cfg_name = *(_cfg_data); \
+ _d->sar.src = _s; \
+ } while (0)
+--
+2.39.5
+
--- /dev/null
+From 1efed953b0e1174d8a6da62f795fb7114ece38b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 19:13:32 +0300
+Subject: wifi: rtw89: sar: drop lockdep assertion in rtw89_set_sar_from_acpi
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 6fe21445f7e801de5527d420f8e25e97b0cdd7e2 ]
+
+The following assertion is triggered on the rtw89 driver startup. It
+looks meaningless to hold wiphy lock on the early init stage so drop the
+assertion.
+
+ WARNING: CPU: 7 PID: 629 at drivers/net/wireless/realtek/rtw89/sar.c:502 rtw89_set_sar_from_acpi+0x365/0x4d0 [rtw89_core]
+ CPU: 7 UID: 0 PID: 629 Comm: (udev-worker) Not tainted 6.15.0+ #29 PREEMPT(lazy)
+ Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN50WW 09/27/2024
+ RIP: 0010:rtw89_set_sar_from_acpi+0x365/0x4d0 [rtw89_core]
+ Call Trace:
+ <TASK>
+ rtw89_sar_init+0x68/0x2c0 [rtw89_core]
+ rtw89_core_init+0x188e/0x1e50 [rtw89_core]
+ rtw89_pci_probe+0x530/0xb50 [rtw89_pci]
+ local_pci_probe+0xd9/0x190
+ pci_call_probe+0x183/0x540
+ pci_device_probe+0x171/0x2c0
+ really_probe+0x1e1/0x890
+ __driver_probe_device+0x18c/0x390
+ driver_probe_device+0x4a/0x120
+ __driver_attach+0x1a0/0x530
+ bus_for_each_dev+0x10b/0x190
+ bus_add_driver+0x2eb/0x540
+ driver_register+0x1a3/0x3a0
+ do_one_initcall+0xd5/0x450
+ do_init_module+0x2cc/0x8f0
+ init_module_from_file+0xe1/0x150
+ idempotent_init_module+0x226/0x760
+ __x64_sys_finit_module+0xcd/0x150
+ do_syscall_64+0x94/0x380
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: 88ca3107d2ce ("wifi: rtw89: sar: add skeleton for SAR configuration via ACPI")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250604161339.119954-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/sar.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/sar.c b/drivers/net/wireless/realtek/rtw89/sar.c
+index 517b66022f18..33a4b5c23fe7 100644
+--- a/drivers/net/wireless/realtek/rtw89/sar.c
++++ b/drivers/net/wireless/realtek/rtw89/sar.c
+@@ -499,8 +499,6 @@ static void rtw89_set_sar_from_acpi(struct rtw89_dev *rtwdev)
+ struct rtw89_sar_cfg_acpi *cfg;
+ int ret;
+
+- lockdep_assert_wiphy(rtwdev->hw->wiphy);
+-
+ cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
+ if (!cfg)
+ return;
+--
+2.39.5
+
--- /dev/null
+From f04ed967c0a46c0422e66c14d51ac10aa083572f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 10:30:33 -0700
+Subject: x86/bugs: Allow ITS stuffing in eIBRS+retpoline mode also
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+[ Upstream commit ab9f2388e0b99cd164ddbd74a6133d3070e2788d ]
+
+After a recent restructuring of the ITS mitigation, RSB stuffing can no longer
+be enabled in eIBRS+Retpoline mode. Before ITS, retbleed mitigation only
+allowed stuffing when eIBRS was not enabled. This was perfectly fine since
+eIBRS mitigates retbleed.
+
+However, RSB stuffing mitigation for ITS is still needed with eIBRS. The
+restructuring solely relies on retbleed to deploy stuffing, and does not allow
+it when eIBRS is enabled. This behavior is different from what was before the
+restructuring. Fix it by allowing stuffing in eIBRS+retpoline mode also.
+
+Fixes: 61ab72c2c6bf ("x86/bugs: Restructure ITS mitigation")
+Closes: https://lore.kernel.org/lkml/20250519235101.2vm6sc5txyoykb2r@desk/
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250611-eibrs-fix-v4-7-5ff86cac6c61@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 0426500307f0..f2721801d8d4 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1131,7 +1131,8 @@ static inline bool cdt_possible(enum spectre_v2_mitigation mode)
+ !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE))
+ return false;
+
+- if (mode == SPECTRE_V2_RETPOLINE)
++ if (mode == SPECTRE_V2_RETPOLINE ||
++ mode == SPECTRE_V2_EIBRS_RETPOLINE)
+ return true;
+
+ return false;
+@@ -1286,7 +1287,7 @@ static void __init retbleed_update_mitigation(void)
+
+ if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
+ !cdt_possible(spectre_v2_enabled)) {
+- pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
++ pr_err("WARNING: retbleed=stuff depends on retpoline\n");
+ retbleed_mitigation = RETBLEED_MITIGATION_NONE;
+ }
+
+@@ -1459,6 +1460,7 @@ static void __init its_update_mitigation(void)
+ its_mitigation = ITS_MITIGATION_OFF;
+ break;
+ case SPECTRE_V2_RETPOLINE:
++ case SPECTRE_V2_EIBRS_RETPOLINE:
+ /* Retpoline+CDT mitigates ITS */
+ if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF)
+ its_mitigation = ITS_MITIGATION_RETPOLINE_STUFF;
+--
+2.39.5
+
--- /dev/null
+From 7937f41854badc149294bba15ebc42ea59978654 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 10:29:00 -0700
+Subject: x86/bugs: Avoid AUTO after the select step in the retbleed mitigation
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+[ Upstream commit 98ff5c071d1cde9426b0bfa449c43d49ec58f1c4 ]
+
+The retbleed select function leaves the mitigation to AUTO in some cases.
+Moreover, the update function can also set the mitigation to AUTO. This
+is inconsistent with other mitigations and requires explicit handling of
+AUTO at the end of update step.
+
+Make sure a mitigation gets selected in the select step, and do not change
+it to AUTO in the update step. When no mitigation can be selected leave it
+to NONE, which is what AUTO was getting changed to in the end.
+
+Suggested-by: Borislav Petkov <bp@alien8.de>
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250611-eibrs-fix-v4-1-5ff86cac6c61@linux.intel.com
+Stable-dep-of: ab9f2388e0b9 ("x86/bugs: Allow ITS stuffing in eIBRS+retpoline mode also")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index f4d3abb12317..0bf2566d21b6 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1251,6 +1251,14 @@ static void __init retbleed_select_mitigation(void)
+ retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
+ else
+ retbleed_mitigation = RETBLEED_MITIGATION_NONE;
++ } else if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
++ /* Final mitigation depends on spectre-v2 selection */
++ if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED))
++ retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;
++ else if (boot_cpu_has(X86_FEATURE_IBRS))
++ retbleed_mitigation = RETBLEED_MITIGATION_IBRS;
++ else
++ retbleed_mitigation = RETBLEED_MITIGATION_NONE;
+ }
+ }
+
+@@ -1259,9 +1267,6 @@ static void __init retbleed_update_mitigation(void)
+ if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
+ return;
+
+- if (retbleed_mitigation == RETBLEED_MITIGATION_NONE)
+- goto out;
+-
+ /*
+ * retbleed=stuff is only allowed on Intel. If stuffing can't be used
+ * then a different mitigation will be selected below.
+@@ -1272,7 +1277,7 @@ static void __init retbleed_update_mitigation(void)
+ its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF) {
+ if (spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
+ pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
+- retbleed_mitigation = RETBLEED_MITIGATION_AUTO;
++ retbleed_mitigation = RETBLEED_MITIGATION_NONE;
+ } else {
+ if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
+ pr_info("Retbleed mitigation updated to stuffing\n");
+@@ -1298,15 +1303,11 @@ static void __init retbleed_update_mitigation(void)
+ if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
+ pr_err(RETBLEED_INTEL_MSG);
+ }
+- /* If nothing has set the mitigation yet, default to NONE. */
+- if (retbleed_mitigation == RETBLEED_MITIGATION_AUTO)
+- retbleed_mitigation = RETBLEED_MITIGATION_NONE;
+ }
+-out:
++
+ pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
+ }
+
+-
+ static void __init retbleed_apply_mitigation(void)
+ {
+ bool mitigate_smt = false;
+--
+2.39.5
+
--- /dev/null
+From 9fac79150b89921ed91dea0f94606ba3d2418ca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 10:30:03 -0700
+Subject: x86/bugs: Introduce cdt_possible()
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+[ Upstream commit 8374a2719df2a00781e6821e373d7de71390d1b4 ]
+
+In preparation to allow ITS to also enable stuffing aka Call Depth
+Tracking (CDT) independently of retbleed, introduce a helper
+cdt_possible().
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250611-eibrs-fix-v4-5-5ff86cac6c61@linux.intel.com
+Stable-dep-of: ab9f2388e0b9 ("x86/bugs: Allow ITS stuffing in eIBRS+retpoline mode also")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 937971fde749..0426500307f0 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1124,6 +1124,19 @@ early_param("nospectre_v1", nospectre_v1_cmdline);
+
+ enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = SPECTRE_V2_NONE;
+
++/* Depends on spectre_v2 mitigation selected already */
++static inline bool cdt_possible(enum spectre_v2_mitigation mode)
++{
++ if (!IS_ENABLED(CONFIG_MITIGATION_CALL_DEPTH_TRACKING) ||
++ !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE))
++ return false;
++
++ if (mode == SPECTRE_V2_RETPOLINE)
++ return true;
++
++ return false;
++}
++
+ #undef pr_fmt
+ #define pr_fmt(fmt) "RETBleed: " fmt
+
+@@ -1272,7 +1285,7 @@ static void __init retbleed_update_mitigation(void)
+ retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
+
+ if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
+- spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
++ !cdt_possible(spectre_v2_enabled)) {
+ pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
+ retbleed_mitigation = RETBLEED_MITIGATION_NONE;
+ }
+--
+2.39.5
+
--- /dev/null
+From 47b352de1dc892a3b08e7c85bdcc9718dce10219 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 10:29:15 -0700
+Subject: x86/bugs: Simplify the retbleed=stuff checks
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+[ Upstream commit 530e80648bff083e1d19ad7248c0540812a9a35f ]
+
+Simplify the nested checks, remove redundant print and comment.
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250611-eibrs-fix-v4-2-5ff86cac6c61@linux.intel.com
+Stable-dep-of: ab9f2388e0b9 ("x86/bugs: Allow ITS stuffing in eIBRS+retpoline mode also")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 0bf2566d21b6..937971fde749 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1267,24 +1267,16 @@ static void __init retbleed_update_mitigation(void)
+ if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
+ return;
+
+- /*
+- * retbleed=stuff is only allowed on Intel. If stuffing can't be used
+- * then a different mitigation will be selected below.
+- *
+- * its=stuff will also attempt to enable stuffing.
+- */
+- if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF ||
+- its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF) {
+- if (spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
+- pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
+- retbleed_mitigation = RETBLEED_MITIGATION_NONE;
+- } else {
+- if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
+- pr_info("Retbleed mitigation updated to stuffing\n");
++ /* ITS can also enable stuffing */
++ if (its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF)
++ retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
+
+- retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
+- }
++ if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
++ spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
++ pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
++ retbleed_mitigation = RETBLEED_MITIGATION_NONE;
+ }
++
+ /*
+ * Let IBRS trump all on Intel without affecting the effects of the
+ * retbleed= cmdline option except for call depth based stuffing
+--
+2.39.5
+
--- /dev/null
+From 82a28c3243b56d7bb50fc69d7aab6ed7e4b0d1c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jul 2025 06:09:16 +0100
+Subject: xen: fix UAF in dmabuf_exp_from_pages()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 532c8b51b3a8676cbf533a291f8156774f30ea87 ]
+
+[dma_buf_fd() fixes; no preferences regarding the tree it goes through -
+up to xen folks]
+
+As soon as we'd inserted a file reference into descriptor table, another
+thread could close it. That's fine for the case when all we are doing is
+returning that descriptor to userland (it's a race, but it's a userland
+race and there's nothing the kernel can do about it). However, if we
+follow fd_install() with any kind of access to objects that would be
+destroyed on close (be it the struct file itself or anything destroyed
+by its ->release()), we have a UAF.
+
+dma_buf_fd() is a combination of reserving a descriptor and fd_install().
+gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the
+objects destroyed on close - starting with gntdev_dmabuf itself.
+
+Fix that by doing reserving descriptor before anything else and do
+fd_install() only when everything had been set up.
+
+Fixes: a240d6e42e28 ("xen/gntdev: Implement dma-buf export functionality")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250712050916.GY1880847@ZenIV>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/gntdev-dmabuf.c | 28 ++++++++++------------------
+ 1 file changed, 10 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c
+index 5453d86324f6..82855105ab85 100644
+--- a/drivers/xen/gntdev-dmabuf.c
++++ b/drivers/xen/gntdev-dmabuf.c
+@@ -357,8 +357,11 @@ struct gntdev_dmabuf_export_args {
+ static int dmabuf_exp_from_pages(struct gntdev_dmabuf_export_args *args)
+ {
+ DEFINE_DMA_BUF_EXPORT_INFO(exp_info);
+- struct gntdev_dmabuf *gntdev_dmabuf;
+- int ret;
++ struct gntdev_dmabuf *gntdev_dmabuf __free(kfree) = NULL;
++ CLASS(get_unused_fd, ret)(O_CLOEXEC);
++
++ if (ret < 0)
++ return ret;
+
+ gntdev_dmabuf = kzalloc(sizeof(*gntdev_dmabuf), GFP_KERNEL);
+ if (!gntdev_dmabuf)
+@@ -383,32 +386,21 @@ static int dmabuf_exp_from_pages(struct gntdev_dmabuf_export_args *args)
+ exp_info.priv = gntdev_dmabuf;
+
+ gntdev_dmabuf->dmabuf = dma_buf_export(&exp_info);
+- if (IS_ERR(gntdev_dmabuf->dmabuf)) {
+- ret = PTR_ERR(gntdev_dmabuf->dmabuf);
+- gntdev_dmabuf->dmabuf = NULL;
+- goto fail;
+- }
+-
+- ret = dma_buf_fd(gntdev_dmabuf->dmabuf, O_CLOEXEC);
+- if (ret < 0)
+- goto fail;
++ if (IS_ERR(gntdev_dmabuf->dmabuf))
++ return PTR_ERR(gntdev_dmabuf->dmabuf);
+
+ gntdev_dmabuf->fd = ret;
+ args->fd = ret;
+
+ pr_debug("Exporting DMA buffer with fd %d\n", ret);
+
++ get_file(gntdev_dmabuf->priv->filp);
+ mutex_lock(&args->dmabuf_priv->lock);
+ list_add(&gntdev_dmabuf->next, &args->dmabuf_priv->exp_list);
+ mutex_unlock(&args->dmabuf_priv->lock);
+- get_file(gntdev_dmabuf->priv->filp);
+- return 0;
+
+-fail:
+- if (gntdev_dmabuf->dmabuf)
+- dma_buf_put(gntdev_dmabuf->dmabuf);
+- kfree(gntdev_dmabuf);
+- return ret;
++ fd_install(take_fd(ret), no_free_ptr(gntdev_dmabuf)->dmabuf->file);
++ return 0;
+ }
+
+ static struct gntdev_grant_map *
+--
+2.39.5
+
--- /dev/null
+From 42186fd221cf83665df172a7429b10c8fc475265 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 09:32:59 +0200
+Subject: xen/gntdev: remove struct gntdev_copy_batch from stack
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 70045cf6593cbf0740956ea9b7b4269142c6ee38 ]
+
+When compiling the kernel with LLVM, the following warning was issued:
+
+ drivers/xen/gntdev.c:991: warning: stack frame size (1160) exceeds
+ limit (1024) in function 'gntdev_ioctl'
+
+The main reason is struct gntdev_copy_batch which is located on the
+stack and has a size of nearly 1kb.
+
+For performance reasons it shouldn't by just dynamically allocated
+instead, so allocate a new instance when needed and instead of freeing
+it put it into a list of free structs anchored in struct gntdev_priv.
+
+Fixes: a4cdb556cae0 ("xen/gntdev: add ioctl for grant copy")
+Reported-by: Abinash Singh <abinashsinghlalotra@gmail.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250703073259.17356-1-jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/gntdev-common.h | 4 +++
+ drivers/xen/gntdev.c | 71 ++++++++++++++++++++++++++-----------
+ 2 files changed, 54 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/xen/gntdev-common.h b/drivers/xen/gntdev-common.h
+index 9c286b2a1900..ac8ce3179ba2 100644
+--- a/drivers/xen/gntdev-common.h
++++ b/drivers/xen/gntdev-common.h
+@@ -26,6 +26,10 @@ struct gntdev_priv {
+ /* lock protects maps and freeable_maps. */
+ struct mutex lock;
+
++ /* Free instances of struct gntdev_copy_batch. */
++ struct gntdev_copy_batch *batch;
++ struct mutex batch_lock;
++
+ #ifdef CONFIG_XEN_GRANT_DMA_ALLOC
+ /* Device for which DMA memory is allocated. */
+ struct device *dma_dev;
+diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
+index 61faea1f0663..1f2160765618 100644
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -56,6 +56,18 @@ MODULE_AUTHOR("Derek G. Murray <Derek.Murray@cl.cam.ac.uk>, "
+ "Gerd Hoffmann <kraxel@redhat.com>");
+ MODULE_DESCRIPTION("User-space granted page access driver");
+
++#define GNTDEV_COPY_BATCH 16
++
++struct gntdev_copy_batch {
++ struct gnttab_copy ops[GNTDEV_COPY_BATCH];
++ struct page *pages[GNTDEV_COPY_BATCH];
++ s16 __user *status[GNTDEV_COPY_BATCH];
++ unsigned int nr_ops;
++ unsigned int nr_pages;
++ bool writeable;
++ struct gntdev_copy_batch *next;
++};
++
+ static unsigned int limit = 64*1024;
+ module_param(limit, uint, 0644);
+ MODULE_PARM_DESC(limit,
+@@ -584,6 +596,8 @@ static int gntdev_open(struct inode *inode, struct file *flip)
+ INIT_LIST_HEAD(&priv->maps);
+ mutex_init(&priv->lock);
+
++ mutex_init(&priv->batch_lock);
++
+ #ifdef CONFIG_XEN_GNTDEV_DMABUF
+ priv->dmabuf_priv = gntdev_dmabuf_init(flip);
+ if (IS_ERR(priv->dmabuf_priv)) {
+@@ -608,6 +622,7 @@ static int gntdev_release(struct inode *inode, struct file *flip)
+ {
+ struct gntdev_priv *priv = flip->private_data;
+ struct gntdev_grant_map *map;
++ struct gntdev_copy_batch *batch;
+
+ pr_debug("priv %p\n", priv);
+
+@@ -620,6 +635,14 @@ static int gntdev_release(struct inode *inode, struct file *flip)
+ }
+ mutex_unlock(&priv->lock);
+
++ mutex_lock(&priv->batch_lock);
++ while (priv->batch) {
++ batch = priv->batch;
++ priv->batch = batch->next;
++ kfree(batch);
++ }
++ mutex_unlock(&priv->batch_lock);
++
+ #ifdef CONFIG_XEN_GNTDEV_DMABUF
+ gntdev_dmabuf_fini(priv->dmabuf_priv);
+ #endif
+@@ -785,17 +808,6 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
+ return rc;
+ }
+
+-#define GNTDEV_COPY_BATCH 16
+-
+-struct gntdev_copy_batch {
+- struct gnttab_copy ops[GNTDEV_COPY_BATCH];
+- struct page *pages[GNTDEV_COPY_BATCH];
+- s16 __user *status[GNTDEV_COPY_BATCH];
+- unsigned int nr_ops;
+- unsigned int nr_pages;
+- bool writeable;
+-};
+-
+ static int gntdev_get_page(struct gntdev_copy_batch *batch, void __user *virt,
+ unsigned long *gfn)
+ {
+@@ -953,36 +965,53 @@ static int gntdev_grant_copy_seg(struct gntdev_copy_batch *batch,
+ static long gntdev_ioctl_grant_copy(struct gntdev_priv *priv, void __user *u)
+ {
+ struct ioctl_gntdev_grant_copy copy;
+- struct gntdev_copy_batch batch;
++ struct gntdev_copy_batch *batch;
+ unsigned int i;
+ int ret = 0;
+
+ if (copy_from_user(©, u, sizeof(copy)))
+ return -EFAULT;
+
+- batch.nr_ops = 0;
+- batch.nr_pages = 0;
++ mutex_lock(&priv->batch_lock);
++ if (!priv->batch) {
++ batch = kmalloc(sizeof(*batch), GFP_KERNEL);
++ } else {
++ batch = priv->batch;
++ priv->batch = batch->next;
++ }
++ mutex_unlock(&priv->batch_lock);
++ if (!batch)
++ return -ENOMEM;
++
++ batch->nr_ops = 0;
++ batch->nr_pages = 0;
+
+ for (i = 0; i < copy.count; i++) {
+ struct gntdev_grant_copy_segment seg;
+
+ if (copy_from_user(&seg, ©.segments[i], sizeof(seg))) {
+ ret = -EFAULT;
++ gntdev_put_pages(batch);
+ goto out;
+ }
+
+- ret = gntdev_grant_copy_seg(&batch, &seg, ©.segments[i].status);
+- if (ret < 0)
++ ret = gntdev_grant_copy_seg(batch, &seg, ©.segments[i].status);
++ if (ret < 0) {
++ gntdev_put_pages(batch);
+ goto out;
++ }
+
+ cond_resched();
+ }
+- if (batch.nr_ops)
+- ret = gntdev_copy(&batch);
+- return ret;
++ if (batch->nr_ops)
++ ret = gntdev_copy(batch);
++
++ out:
++ mutex_lock(&priv->batch_lock);
++ batch->next = priv->batch;
++ priv->batch = batch;
++ mutex_unlock(&priv->batch_lock);
+
+- out:
+- gntdev_put_pages(&batch);
+ return ret;
+ }
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
