--- /dev/null
+From 39cb59f1aa4512f33431242e6226df7c910a8699 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 12:54:38 -0700
+Subject: apparmor: ensure WB_HISTORY_SIZE value is a power of 2
+
+From: Ryan Lee <ryan.lee@canonical.com>
+
+[ Upstream commit 6c055e62560b958354625604293652753d82bcae ]
+
+WB_HISTORY_SIZE was defined to be a value not a power of 2, despite a
+comment in the declaration of struct match_workbuf stating it is and a
+modular arithmetic usage in the inc_wb_pos macro assuming that it is. Bump
+WB_HISTORY_SIZE's value up to 32 and add a BUILD_BUG_ON_NOT_POWER_OF_2
+line to ensure that any future changes to the value of WB_HISTORY_SIZE
+respect this requirement.
+
+Fixes: 136db994852a ("apparmor: increase left match history buffer size")
+
+Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/include/match.h | 3 ++-
+ security/apparmor/match.c | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
+index 58fbf67139b9..5b6f16242e60 100644
+--- a/security/apparmor/include/match.h
++++ b/security/apparmor/include/match.h
+@@ -141,7 +141,8 @@ aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
+
+ void aa_dfa_free_kref(struct kref *kref);
+
+-#define WB_HISTORY_SIZE 24
++/* This needs to be a power of 2 */
++#define WB_HISTORY_SIZE 32
+ struct match_workbuf {
+ unsigned int count;
+ unsigned int pos;
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index b97ef5e1db73..76709b7c6519 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -670,6 +670,7 @@ aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
+
+ #define inc_wb_pos(wb) \
+ do { \
++ BUILD_BUG_ON_NOT_POWER_OF_2(WB_HISTORY_SIZE); \
+ wb->pos = (wb->pos + 1) & (WB_HISTORY_SIZE - 1); \
+ wb->len = (wb->len + 1) & (WB_HISTORY_SIZE - 1); \
+ } while (0)
+--
+2.39.5
+
--- /dev/null
+From 8e2303a6544406584be9059ffe6b913c7f080ccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 12:54:39 -0700
+Subject: apparmor: fix loop detection used in conflicting attachment
+ resolution
+
+From: Ryan Lee <ryan.lee@canonical.com>
+
+[ Upstream commit a88db916b8c77552f49f7d9f8744095ea01a268f ]
+
+Conflicting attachment resolution is based on the number of states
+traversed to reach an accepting state in the attachment DFA, accounting
+for DFA loops traversed during the matching process. However, the loop
+counting logic had multiple bugs:
+
+ - The inc_wb_pos macro increments both position and length, but length
+ is supposed to saturate upon hitting buffer capacity, instead of
+ wrapping around.
+ - If no revisited state is found when traversing the history, is_loop
+ would still return true, as if there was a loop found the length of
+ the history buffer, instead of returning false and signalling that
+ no loop was found. As a result, the adjustment step of
+ aa_dfa_leftmatch would sometimes produce negative counts with loop-
+ free DFAs that traversed enough states.
+ - The iteration in the is_loop for loop is supposed to stop before
+ i = wb->len, so the conditional should be < instead of <=.
+
+This patch fixes the above bugs as well as the following nits:
+ - The count and size fields in struct match_workbuf were not used,
+ so they can be removed.
+ - The history buffer in match_workbuf semantically stores aa_state_t
+ and not unsigned ints, even if aa_state_t is currently unsigned int.
+ - The local variables in is_loop are counters, and thus should be
+ unsigned ints instead of aa_state_t's.
+
+Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution")
+
+Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
+Co-developed-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/include/match.h | 5 +----
+ security/apparmor/match.c | 22 +++++++++++-----------
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
+index 5b6f16242e60..e59305abb85a 100644
+--- a/security/apparmor/include/match.h
++++ b/security/apparmor/include/match.h
+@@ -144,15 +144,12 @@ void aa_dfa_free_kref(struct kref *kref);
+ /* This needs to be a power of 2 */
+ #define WB_HISTORY_SIZE 32
+ struct match_workbuf {
+- unsigned int count;
+ unsigned int pos;
+ unsigned int len;
+- unsigned int size; /* power of 2, same as history size */
+- unsigned int history[WB_HISTORY_SIZE];
++ aa_state_t history[WB_HISTORY_SIZE];
+ };
+ #define DEFINE_MATCH_WB(N) \
+ struct match_workbuf N = { \
+- .count = 0, \
+ .pos = 0, \
+ .len = 0, \
+ }
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 76709b7c6519..3667b79e9366 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -668,35 +668,35 @@ aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
+ return state;
+ }
+
+-#define inc_wb_pos(wb) \
+-do { \
++#define inc_wb_pos(wb) \
++do { \
+ BUILD_BUG_ON_NOT_POWER_OF_2(WB_HISTORY_SIZE); \
+ wb->pos = (wb->pos + 1) & (WB_HISTORY_SIZE - 1); \
+- wb->len = (wb->len + 1) & (WB_HISTORY_SIZE - 1); \
++ wb->len = (wb->len + 1) > WB_HISTORY_SIZE ? WB_HISTORY_SIZE : \
++ wb->len + 1; \
+ } while (0)
+
+ /* For DFAs that don't support extended tagging of states */
++/* adjust is only set if is_loop returns true */
+ static bool is_loop(struct match_workbuf *wb, aa_state_t state,
+ unsigned int *adjust)
+ {
+- aa_state_t pos = wb->pos;
+- aa_state_t i;
++ int pos = wb->pos;
++ int i;
+
+ if (wb->history[pos] < state)
+ return false;
+
+- for (i = 0; i <= wb->len; i++) {
++ for (i = 0; i < wb->len; i++) {
+ if (wb->history[pos] == state) {
+ *adjust = i;
+ return true;
+ }
+- if (pos == 0)
+- pos = WB_HISTORY_SIZE;
+- pos--;
++ /* -1 wraps to WB_HISTORY_SIZE - 1 */
++ pos = (pos - 1) & (WB_HISTORY_SIZE - 1);
+ }
+
+- *adjust = i;
+- return true;
++ return false;
+ }
+
+ static aa_state_t leftmatch_fb(struct aa_dfa *dfa, aa_state_t start,
+--
+2.39.5
+
--- /dev/null
+From a5243aee1c6107a4cb8310e1c56ef20cd6c296d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Mar 2025 20:11:16 +0100
+Subject: arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX
+
+From: Johan Korsnes <johan.korsnes@gmail.com>
+
+[ Upstream commit 75cd37c5f28b85979fd5a65174013010f6b78f27 ]
+
+This option was removed from the Kconfig in commit
+8c710f75256b ("net/sched: Retire tcindex classifier") but it was not
+removed from the defconfigs.
+
+Fixes: 8c710f75256b ("net/sched: Retire tcindex classifier")
+Signed-off-by: Johan Korsnes <johan.korsnes@gmail.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250323191116.113482-1-johan.korsnes@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/configs/ppc6xx_defconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig
+index eaf3273372a9..80989e3f6780 100644
+--- a/arch/powerpc/configs/ppc6xx_defconfig
++++ b/arch/powerpc/configs/ppc6xx_defconfig
+@@ -254,7 +254,6 @@ CONFIG_NET_SCH_DSMARK=m
+ CONFIG_NET_SCH_NETEM=m
+ CONFIG_NET_SCH_INGRESS=m
+ CONFIG_NET_CLS_BASIC=m
+-CONFIG_NET_CLS_TCINDEX=m
+ CONFIG_NET_CLS_ROUTE4=m
+ CONFIG_NET_CLS_FW=m
+ CONFIG_NET_CLS_U32=m
+--
+2.39.5
+
--- /dev/null
+From deeb00d7ae7e0613823485fcb4636daf552f938c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 14:24:41 +0200
+Subject: ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485
+ interface
+
+From: Annette Kobou <annette.kobou@kontron.de>
+
+[ Upstream commit 47ef5256124fb939d8157b13ca048c902435cf23 ]
+
+The polarity of the DE signal of the transceiver is active-high for
+sending. Therefore rs485-rts-active-low is wrong and needs to be
+removed to make RS485 transmissions work.
+
+Signed-off-by: Annette Kobou <annette.kobou@kontron.de>
+Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Fixes: 1ea4b76cdfde ("ARM: dts: imx6ul-kontron-n6310: Add Kontron i.MX6UL N6310 SoM and boards")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi b/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi
+index 33d5f27285a4..9ece280d163a 100644
+--- a/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi
++++ b/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi
+@@ -169,7 +169,6 @@ &uart2 {
+ pinctrl-0 = <&pinctrl_uart2>;
+ linux,rs485-enabled-at-boot-time;
+ rs485-rx-during-tx;
+- rs485-rts-active-low;
+ uart-has-rtscts;
+ status = "okay";
+ };
+--
+2.39.5
+
--- /dev/null
+From cd6a87c4edd8dc933dc9745e2b56c9f1bb12ed78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 13:48:39 +0200
+Subject: arm: dts: ti: omap: Fixup pinheader typo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Albin Törnqvist <albin.tornqvist@codiax.se>
+
+[ Upstream commit a3a4be32b69c99fc20a66e0de83b91f8c882bf4c ]
+
+This commit fixes a typo introduced in commit
+ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names").
+gpio0_7 is located on the P9 header on the BBB.
+This was verified with a BeagleBone Black by toggling the pin and
+checking with a multimeter that it corresponds to pin 42 on the P9
+header.
+
+Signed-off-by: Albin Törnqvist <albin.tornqvist@codiax.se>
+Link: https://lore.kernel.org/r/20250624114839.1465115-2-albin.tornqvist@codiax.se
+Fixes: ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names")
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/ti/omap/am335x-boneblack.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts b/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts
+index 16b567e3cb47..b4fdcf9c02b5 100644
+--- a/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts
++++ b/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts
+@@ -35,7 +35,7 @@ &gpio0 {
+ "P9_18 [spi0_d1]",
+ "P9_17 [spi0_cs0]",
+ "[mmc0_cd]",
+- "P8_42A [ecappwm0]",
++ "P9_42A [ecappwm0]",
+ "P8_35 [lcd d12]",
+ "P8_33 [lcd d13]",
+ "P8_31 [lcd d14]",
+--
+2.39.5
+
--- /dev/null
+From 023afedd5660533a7d49147713cee3d670658a97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 09:19:22 +0200
+Subject: ARM: dts: vfxxx: Correctly use two tuples for timer address
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit f3440dcf8b994197c968fbafe047ce27eed226e8 ]
+
+Address and size-cells are 1 and the ftm timer node takes two address
+spaces in "reg" property, so this should be in two <> tuples. Change
+has no functional impact, but original code is confusing/less readable.
+
+Fixes: 07513e1330a9 ("ARM: dts: vf610: Add Freescale FlexTimer Module timer node.")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/nxp/vf/vfxxx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi b/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi
+index d1095b700c56..d96148abf5bb 100644
+--- a/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi
++++ b/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi
+@@ -612,7 +612,7 @@ usbmisc1: usb@400b4800 {
+
+ ftm: ftm@400b8000 {
+ compatible = "fsl,ftm-timer";
+- reg = <0x400b8000 0x1000 0x400b9000 0x1000>;
++ reg = <0x400b8000 0x1000>, <0x400b9000 0x1000>;
+ interrupts = <44 IRQ_TYPE_LEVEL_HIGH>;
+ clock-names = "ftm-evt", "ftm-src",
+ "ftm-evt-counter-en", "ftm-src-counter-en";
+--
+2.39.5
+
--- /dev/null
+From eb1add0dec5450a5e217ab619c28e06c8b33ce6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 16:34:45 -0500
+Subject: arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit f83f69097a302ed2a2775975ddcf12e6a5ac6ec3 ]
+
+The reference manual for the i.MX8MM states the clock rate in
+MMC mode is 1/2 of the input clock, therefore to properly run
+at HS400 rates, the input clock must be 400MHz to operate at
+200MHz. Currently the clock is set to 200MHz which is half the
+rate it should be, so the throughput is half of what it should be
+for HS400 operation.
+
+Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+index 8ab0e45f2ad3..f93c2b604c57 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+@@ -284,6 +284,8 @@ &usdhc3 {
+ pinctrl-0 = <&pinctrl_usdhc3>;
+ pinctrl-1 = <&pinctrl_usdhc3_100mhz>;
+ pinctrl-2 = <&pinctrl_usdhc3_200mhz>;
++ assigned-clocks = <&clk IMX8MM_CLK_USDHC3>;
++ assigned-clock-rates = <400000000>;
+ bus-width = <8>;
+ non-removable;
+ status = "okay";
+--
+2.39.5
+
--- /dev/null
+From c3650ef003c1e932ad86e71368f8b42df85ec713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 16:34:46 -0500
+Subject: arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit e16ad6c79906bba5e2ac499492b6a5b29ab19d6c ]
+
+The reference manual for the i.MX8MN states the clock rate in
+MMC mode is 1/2 of the input clock, therefore to properly run
+at HS400 rates, the input clock must be 400MHz to operate at
+200MHz. Currently the clock is set to 200MHz which is half the
+rate it should be, so the throughput is half of what it should be
+for HS400 operation.
+
+Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+index 1760062e6ffc..f5f87b389123 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+@@ -295,6 +295,8 @@ &usdhc3 {
+ pinctrl-0 = <&pinctrl_usdhc3>;
+ pinctrl-1 = <&pinctrl_usdhc3_100mhz>;
+ pinctrl-2 = <&pinctrl_usdhc3_200mhz>;
++ assigned-clocks = <&clk IMX8MN_CLK_USDHC3>;
++ assigned-clock-rates = <400000000>;
+ bus-width = <8>;
+ non-removable;
+ status = "okay";
+--
+2.39.5
+
--- /dev/null
+From 72eaae8af04b346f5c73df9b0c52f1fd4960447a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jun 2025 22:35:03 +0200
+Subject: arm64: dts: qcom: msm8976: Make blsp_dma controlled-remotely
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: André Apitzsch <git@apitzsch.eu>
+
+[ Upstream commit 76270a18dbdf0bb50615f1b29d2cae8d683da01e ]
+
+The blsp_dma controller is shared between the different subsystems,
+which is why it is already initialized by the firmware. We should not
+reinitialize it from Linux to avoid potential other users of the DMA
+engine to misbehave.
+
+In mainline this can be described using the "qcom,controlled-remotely"
+property. In the downstream/vendor kernel from Qualcomm there is an
+opposite "qcom,managed-locally" property. This property is *not* set
+for the qcom,sps-dma@7884000 and qcom,sps-dma@7ac4000 [1] so adding
+"qcom,controlled-remotely" upstream matches the behavior of the
+downstream/vendor kernel.
+
+Adding this fixes booting Longcheer L9360.
+
+[1]: https://git.codelinaro.org/clo/la/kernel/msm-3.10/-/blob/LA.BR.1.3.7.c26/arch/arm/boot/dts/qcom/msm8976.dtsi#L1149-1163
+
+Fixes: 0484d3ce0902 ("arm64: dts: qcom: Add DTS for MSM8976 and MSM8956 SoCs")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Signed-off-by: André Apitzsch <git@apitzsch.eu>
+Link: https://lore.kernel.org/r/20250615-bqx5plus-v2-1-72b45c84237d@apitzsch.eu
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8976.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8976.dtsi b/arch/arm64/boot/dts/qcom/msm8976.dtsi
+index 4c5be22b47fe..e01f6e8a17f2 100644
+--- a/arch/arm64/boot/dts/qcom/msm8976.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8976.dtsi
+@@ -862,6 +862,7 @@ blsp1_dma: dma-controller@7884000 {
+ clock-names = "bam_clk";
+ #dma-cells = <1>;
+ qcom,ee = <0>;
++ qcom,controlled-remotely;
+ };
+
+ blsp1_uart1: serial@78af000 {
+@@ -982,6 +983,7 @@ blsp2_dma: dma-controller@7ac4000 {
+ clock-names = "bam_clk";
+ #dma-cells = <1>;
+ qcom,ee = <0>;
++ qcom,controlled-remotely;
+ };
+
+ blsp2_uart2: serial@7af0000 {
+--
+2.39.5
+
--- /dev/null
+From 7a45680523faec153f07fdf3f5abcaab883b98f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 01:18:18 +0200
+Subject: arm64: dts: qcom: sc7180: Expand IMEM region
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 965e28cad4739b11f1bc58c0a9935e025938bb1f ]
+
+We need more than what is currently described, expand the region to its
+actual boundaries.
+
+Fixes: ede638c42c82 ("arm64: dts: qcom: sc7180: Add IMEM and pil info regions")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250523-topic-ipa_mem_dts-v1-3-f7aa94fac1ab@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7180.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7180.dtsi b/arch/arm64/boot/dts/qcom/sc7180.dtsi
+index 7758136d71d6..9dc00f759f19 100644
+--- a/arch/arm64/boot/dts/qcom/sc7180.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7180.dtsi
+@@ -3435,18 +3435,18 @@ spmi_bus: spmi@c440000 {
+ #interrupt-cells = <4>;
+ };
+
+- sram@146aa000 {
++ sram@14680000 {
+ compatible = "qcom,sc7180-imem", "syscon", "simple-mfd";
+- reg = <0 0x146aa000 0 0x2000>;
++ reg = <0 0x14680000 0 0x2e000>;
+
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+- ranges = <0 0 0x146aa000 0x2000>;
++ ranges = <0 0 0x14680000 0x2e000>;
+
+- pil-reloc@94c {
++ pil-reloc@2a94c {
+ compatible = "qcom,pil-reloc-info";
+- reg = <0x94c 0xc8>;
++ reg = <0x2a94c 0xc8>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 15337b17c8cb54954dffb83bab2a906c19f05f56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 01:18:17 +0200
+Subject: arm64: dts: qcom: sdm845: Expand IMEM region
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 81a4a7de3d4031e77b5796479ef21aefb0862807 ]
+
+We need more than what is currently described, expand the region to its
+actual boundaries.
+
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Fixes: 948f6161c6ab ("arm64: dts: qcom: sdm845: Add IMEM and PIL info region")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250523-topic-ipa_mem_dts-v1-2-f7aa94fac1ab@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+index 4ea693a07585..64ea9d73d970 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+@@ -4989,18 +4989,18 @@ spmi_bus: spmi@c440000 {
+ #interrupt-cells = <4>;
+ };
+
+- sram@146bf000 {
++ sram@14680000 {
+ compatible = "qcom,sdm845-imem", "syscon", "simple-mfd";
+- reg = <0 0x146bf000 0 0x1000>;
++ reg = <0 0x14680000 0 0x40000>;
+
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+- ranges = <0 0 0x146bf000 0x1000>;
++ ranges = <0 0 0x14680000 0x40000>;
+
+- pil-reloc@94c {
++ pil-reloc@3f94c {
+ compatible = "qcom,pil-reloc-info";
+- reg = <0x94c 0xc8>;
++ reg = <0x3f94c 0xc8>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 6868e973364ac2abdceb3a864356cd38ca7f114f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:04:04 +0800
+Subject: ASoC: fsl_xcvr: get channel status data when PHY is not exists
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit ca592e20659e0304ebd8f4dabb273da4f9385848 ]
+
+There is no PHY for the XCVR module on i.MX93, the channel status needs
+to be obtained from FSL_XCVR_RX_CS_DATA_* registers. And channel status
+acknowledge (CSA) bit should be set once channel status is processed.
+
+Fixes: e240b9329a30 ("ASoC: fsl_xcvr: Add support for i.MX93 platform")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://patch.msgid.link/20250710030405.3370671-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_xcvr.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
+index c46f64557a7f..1d7791c7fb4e 100644
+--- a/sound/soc/fsl/fsl_xcvr.c
++++ b/sound/soc/fsl/fsl_xcvr.c
+@@ -1197,6 +1197,26 @@ static irqreturn_t irq0_isr(int irq, void *devid)
+ /* clear CS control register */
+ memset_io(reg_ctrl, 0, sizeof(val));
+ }
++ } else {
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_0,
++ (u32 *)&xcvr->rx_iec958.status[0]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_1,
++ (u32 *)&xcvr->rx_iec958.status[4]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_2,
++ (u32 *)&xcvr->rx_iec958.status[8]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_3,
++ (u32 *)&xcvr->rx_iec958.status[12]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_4,
++ (u32 *)&xcvr->rx_iec958.status[16]);
++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_5,
++ (u32 *)&xcvr->rx_iec958.status[20]);
++ for (i = 0; i < 6; i++) {
++ val = *(u32 *)(xcvr->rx_iec958.status + i * 4);
++ *(u32 *)(xcvr->rx_iec958.status + i * 4) =
++ bitrev32(val);
++ }
++ regmap_set_bits(xcvr->regmap, FSL_XCVR_RX_DPTH_CTRL,
++ FSL_XCVR_RX_DPTH_CTRL_CSA);
+ }
+ }
+ if (isr & FSL_XCVR_IRQ_NEW_UD) {
+--
+2.39.5
+
--- /dev/null
+From 3c3f6651b6fe68dc388c0a87c06b087d4ac14d44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 15:48:57 +0800
+Subject: ASoC: mediatek: use reserved memory or enable buffer pre-allocation
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit ec4a10ca4a68ec97f12f4d17d7abb74db34987db ]
+
+In commit 32c9c06adb5b ("ASoC: mediatek: disable buffer pre-allocation")
+buffer pre-allocation was disabled to accommodate newer platforms that
+have a limited reserved memory region for the audio frontend.
+
+Turns out disabling pre-allocation across the board impacts platforms
+that don't have this reserved memory region. Buffer allocation failures
+have been observed on MT8173 and MT8183 based Chromebooks under low
+memory conditions, which results in no audio playback for the user.
+
+Since some MediaTek platforms already have dedicated reserved memory
+pools for the audio frontend, the plan is to enable this for all of
+them. This requires device tree changes. As a fallback, reinstate the
+original policy of pre-allocating audio buffers at probe time of the
+reserved memory pool cannot be found or used.
+
+This patch covers the MT8173, MT8183, MT8186 and MT8192 platforms for
+now, the reason being that existing MediaTek platform drivers that
+supported reserved memory were all platforms that mainly supported
+ChromeOS, and is also the set of devices that I can verify.
+
+Fixes: 32c9c06adb5b ("ASoC: mediatek: disable buffer pre-allocation")
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://patch.msgid.link/20250612074901.4023253-7-wenst@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 +++-
+ sound/soc/mediatek/common/mtk-base-afe.h | 1 +
+ sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 7 +++++++
+ sound/soc/mediatek/mt8183/mt8183-afe-pcm.c | 7 +++++++
+ sound/soc/mediatek/mt8186/mt8186-afe-pcm.c | 7 +++++++
+ sound/soc/mediatek/mt8192/mt8192-afe-pcm.c | 7 +++++++
+ 6 files changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/mediatek/common/mtk-afe-platform-driver.c b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
+index 52495c930ca3..56a704ec2ea9 100644
+--- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c
++++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
+@@ -120,7 +120,9 @@ int mtk_afe_pcm_new(struct snd_soc_component *component,
+ struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component);
+
+ size = afe->mtk_afe_hardware->buffer_bytes_max;
+- snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, 0, size);
++ snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev,
++ afe->preallocate_buffers ? size : 0,
++ size);
+
+ return 0;
+ }
+diff --git a/sound/soc/mediatek/common/mtk-base-afe.h b/sound/soc/mediatek/common/mtk-base-afe.h
+index f51578b6c50a..a406f2e3e7a8 100644
+--- a/sound/soc/mediatek/common/mtk-base-afe.h
++++ b/sound/soc/mediatek/common/mtk-base-afe.h
+@@ -117,6 +117,7 @@ struct mtk_base_afe {
+ struct mtk_base_afe_irq *irqs;
+ int irqs_size;
+ int memif_32bit_supported;
++ bool preallocate_buffers;
+
+ struct list_head sub_dais;
+ struct snd_soc_dai_driver *dai_drivers;
+diff --git a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+index 06269f7e3756..240b2f041a3f 100644
+--- a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
++++ b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+@@ -13,6 +13,7 @@
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <linux/of_reserved_mem.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/pm_runtime.h>
+ #include <sound/soc.h>
+@@ -1070,6 +1071,12 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev)
+
+ afe->dev = &pdev->dev;
+
++ ret = of_reserved_mem_device_init(&pdev->dev);
++ if (ret) {
++ dev_info(&pdev->dev, "no reserved memory found, pre-allocating buffers instead\n");
++ afe->preallocate_buffers = true;
++ }
++
+ irq_id = platform_get_irq(pdev, 0);
+ if (irq_id <= 0)
+ return irq_id < 0 ? irq_id : -ENXIO;
+diff --git a/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c b/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c
+index 90422ed2bbcc..cbee5a8764c3 100644
+--- a/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c
++++ b/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c
+@@ -10,6 +10,7 @@
+ #include <linux/mfd/syscon.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <linux/of_reserved_mem.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+
+@@ -1106,6 +1107,12 @@ static int mt8183_afe_pcm_dev_probe(struct platform_device *pdev)
+ afe->dev = &pdev->dev;
+ dev = afe->dev;
+
++ ret = of_reserved_mem_device_init(dev);
++ if (ret) {
++ dev_info(dev, "no reserved memory found, pre-allocating buffers instead\n");
++ afe->preallocate_buffers = true;
++ }
++
+ /* initial audio related clock */
+ ret = mt8183_init_clock(afe);
+ if (ret) {
+diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c
+index b86159f70a33..9ee431304a43 100644
+--- a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c
++++ b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c
+@@ -10,6 +10,7 @@
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <linux/of_reserved_mem.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+ #include <sound/soc.h>
+@@ -2835,6 +2836,12 @@ static int mt8186_afe_pcm_dev_probe(struct platform_device *pdev)
+ afe_priv = afe->platform_priv;
+ afe->dev = &pdev->dev;
+
++ ret = of_reserved_mem_device_init(dev);
++ if (ret) {
++ dev_info(dev, "no reserved memory found, pre-allocating buffers instead\n");
++ afe->preallocate_buffers = true;
++ }
++
+ afe->base_addr = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(afe->base_addr))
+ return PTR_ERR(afe->base_addr);
+diff --git a/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c b/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c
+index d0520e7e1d79..364e43da0e24 100644
+--- a/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c
++++ b/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c
+@@ -12,6 +12,7 @@
+ #include <linux/mfd/syscon.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <linux/of_reserved_mem.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+ #include <sound/soc.h>
+@@ -2196,6 +2197,12 @@ static int mt8192_afe_pcm_dev_probe(struct platform_device *pdev)
+ afe->dev = &pdev->dev;
+ dev = afe->dev;
+
++ ret = of_reserved_mem_device_init(dev);
++ if (ret) {
++ dev_info(dev, "no reserved memory found, pre-allocating buffers instead\n");
++ afe->preallocate_buffers = true;
++ }
++
+ /* init audio related clock */
+ ret = mt8192_init_clock(afe);
+ if (ret) {
+--
+2.39.5
+
--- /dev/null
+From 45308f7a3a6d822d38183afd049b098dd9bb36ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 11:30:53 +0200
+Subject: ASoC: ops: dynamically allocate struct snd_ctl_elem_value
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7e10d7242ea8a5947878880b912ffa5806520705 ]
+
+This structure is really too larget to be allocated on the stack:
+
+sound/soc/soc-ops.c:435:5: error: stack frame size (1296) exceeds limit (1280) in 'snd_soc_limit_volume' [-Werror,-Wframe-larger-than]
+
+Change the function to dynamically allocate it instead.
+
+There is probably a better way to do it since only two integer fields
+inside of that structure are actually used, but this is the simplest
+rework for the moment.
+
+Fixes: 783db6851c18 ("ASoC: ops: Enforce platform maximum on initial value")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250610093057.2643233-1-arnd@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-ops.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index eff1355cc3df..5be32c37bb8a 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -641,28 +641,32 @@ EXPORT_SYMBOL_GPL(snd_soc_get_volsw_range);
+ static int snd_soc_clip_to_platform_max(struct snd_kcontrol *kctl)
+ {
+ struct soc_mixer_control *mc = (struct soc_mixer_control *)kctl->private_value;
+- struct snd_ctl_elem_value uctl;
++ struct snd_ctl_elem_value *uctl;
+ int ret;
+
+ if (!mc->platform_max)
+ return 0;
+
+- ret = kctl->get(kctl, &uctl);
++ uctl = kzalloc(sizeof(*uctl), GFP_KERNEL);
++ if (!uctl)
++ return -ENOMEM;
++
++ ret = kctl->get(kctl, uctl);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+- if (uctl.value.integer.value[0] > mc->platform_max)
+- uctl.value.integer.value[0] = mc->platform_max;
++ if (uctl->value.integer.value[0] > mc->platform_max)
++ uctl->value.integer.value[0] = mc->platform_max;
+
+ if (snd_soc_volsw_is_stereo(mc) &&
+- uctl.value.integer.value[1] > mc->platform_max)
+- uctl.value.integer.value[1] = mc->platform_max;
++ uctl->value.integer.value[1] > mc->platform_max)
++ uctl->value.integer.value[1] = mc->platform_max;
+
+- ret = kctl->put(kctl, &uctl);
+- if (ret < 0)
+- return ret;
++ ret = kctl->put(kctl, uctl);
+
+- return 0;
++out:
++ kfree(uctl);
++ return ret;
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 6130befb30e8ba5bec10211384c19fbbe5268266 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 01:59:15 +0000
+Subject: ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit f4c77d5af0a9cd0ee22617baa8b49d0e151fbda7 ]
+
+commit 7f1186a8d738661 ("ASoC: soc-dai: check return value at
+snd_soc_dai_set_tdm_slot()") checks return value of
+xlate_tdm_slot_mask() (A1)(A2).
+
+ /*
+ * ...
+(Y) * TDM mode can be disabled by passing 0 for @slots. In this case @tx_mask,
+ * @rx_mask and @slot_width will be ignored.
+ * ...
+ */
+ int snd_soc_dai_set_tdm_slot(...)
+ {
+ ...
+ if (...)
+(A1) ret = dai->driver->ops->xlate_tdm_slot_mask(...);
+ else
+(A2) ret = snd_soc_xlate_tdm_slot_mask(...);
+ if (ret)
+ goto err;
+ ...
+ }
+
+snd_soc_xlate_tdm_slot_mask() (A2) will return -EINVAL if slots was 0 (X),
+but snd_soc_dai_set_tdm_slot() allow to use it (Y).
+
+(A) static int snd_soc_xlate_tdm_slot_mask(...)
+ {
+ ...
+ if (!slots)
+(X) return -EINVAL;
+ ...
+ }
+
+Call xlate_tdm_slot_mask() only if slots was non zero.
+
+Reported-by: Giedrius Trainavičius <giedrius@blokas.io>
+Closes: https://lore.kernel.org/r/CAMONXLtSL7iKyvH6w=CzPTxQdBECf++hn8RKL6Y4=M_ou2YHow@mail.gmail.com
+Fixes: 7f1186a8d738661 ("ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()")
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/8734cdfx59.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-dai.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c
+index 507743c87e40..5a0fa8d1f38b 100644
+--- a/sound/soc/soc-dai.c
++++ b/sound/soc/soc-dai.c
+@@ -273,13 +273,15 @@ int snd_soc_dai_set_tdm_slot(struct snd_soc_dai *dai,
+ &rx_mask,
+ };
+
+- if (dai->driver->ops &&
+- dai->driver->ops->xlate_tdm_slot_mask)
+- ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
+- else
+- ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
+- if (ret)
+- goto err;
++ if (slots) {
++ if (dai->driver->ops &&
++ dai->driver->ops->xlate_tdm_slot_mask)
++ ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
++ else
++ ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
++ if (ret)
++ goto err;
++ }
+
+ for_each_pcm_streams(stream)
+ snd_soc_dai_tdm_mask_set(dai, stream, *tdm_mask[stream]);
+--
+2.39.5
+
--- /dev/null
+From cfa93a4c1fe9b92737b872b3b776db8cf4dc39fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 15:58:00 -0400
+Subject: audit,module: restore audit logging in load failure case
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+[ Upstream commit ae1ae11fb277f1335d6bcd4935ba0ea985af3c32 ]
+
+The move of the module sanity check to earlier skipped the audit logging
+call in the case of failure and to a place where the previously used
+context is unavailable.
+
+Add an audit logging call for the module loading failure case and get
+the module name when possible.
+
+Link: https://issues.redhat.com/browse/RHEL-52839
+Fixes: 02da2cbab452 ("module: move check_modinfo() early to early_mod_check()")
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/audit.h | 9 ++++-----
+ kernel/audit.h | 2 +-
+ kernel/auditsc.c | 2 +-
+ kernel/module/main.c | 6 ++++--
+ 4 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/audit.h b/include/linux/audit.h
+index 51b1b7054a23..335e1ba5a232 100644
+--- a/include/linux/audit.h
++++ b/include/linux/audit.h
+@@ -416,7 +416,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
+ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
+ extern void __audit_mmap_fd(int fd, int flags);
+ extern void __audit_openat2_how(struct open_how *how);
+-extern void __audit_log_kern_module(char *name);
++extern void __audit_log_kern_module(const char *name);
+ extern void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar);
+ extern void __audit_tk_injoffset(struct timespec64 offset);
+ extern void __audit_ntp_log(const struct audit_ntp_data *ad);
+@@ -518,7 +518,7 @@ static inline void audit_openat2_how(struct open_how *how)
+ __audit_openat2_how(how);
+ }
+
+-static inline void audit_log_kern_module(char *name)
++static inline void audit_log_kern_module(const char *name)
+ {
+ if (!audit_dummy_context())
+ __audit_log_kern_module(name);
+@@ -676,9 +676,8 @@ static inline void audit_mmap_fd(int fd, int flags)
+ static inline void audit_openat2_how(struct open_how *how)
+ { }
+
+-static inline void audit_log_kern_module(char *name)
+-{
+-}
++static inline void audit_log_kern_module(const char *name)
++{ }
+
+ static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
+ { }
+diff --git a/kernel/audit.h b/kernel/audit.h
+index a60d2840559e..5156ecd35457 100644
+--- a/kernel/audit.h
++++ b/kernel/audit.h
+@@ -199,7 +199,7 @@ struct audit_context {
+ int argc;
+ } execve;
+ struct {
+- char *name;
++ const char *name;
+ } module;
+ struct {
+ struct audit_ntp_data ntp_data;
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index 6f0d6fb6523f..d48830c7e4be 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -2870,7 +2870,7 @@ void __audit_openat2_how(struct open_how *how)
+ context->type = AUDIT_OPENAT2;
+ }
+
+-void __audit_log_kern_module(char *name)
++void __audit_log_kern_module(const char *name)
+ {
+ struct audit_context *context = audit_context();
+
+diff --git a/kernel/module/main.c b/kernel/module/main.c
+index b00e31721a73..9711ad14825b 100644
+--- a/kernel/module/main.c
++++ b/kernel/module/main.c
+@@ -2876,7 +2876,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
+
+ module_allocated = true;
+
+- audit_log_kern_module(mod->name);
++ audit_log_kern_module(info->name);
+
+ /* Reserve our place in the list. */
+ err = add_unformed_module(mod);
+@@ -3034,8 +3034,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
+ * failures once the proper module was allocated and
+ * before that.
+ */
+- if (!module_allocated)
++ if (!module_allocated) {
++ audit_log_kern_module(info->name ? info->name : "?");
+ mod_stat_bump_becoming(info, flags);
++ }
+ free_copy(info, flags);
+ return err;
+ }
+--
+2.39.5
+
--- /dev/null
+From 6b7a725a72a7a94a3e0d46bb509e0034526d15fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 16:30:23 +0100
+Subject: Bluetooth: hci_event: Mask data status from LE ext adv reports
+
+From: Chris Down <chris@chrisdown.name>
+
+[ Upstream commit 0cadf8534f2a727bc3a01e8c583b085d25963ee0 ]
+
+The Event_Type field in an LE Extended Advertising Report uses bits 5
+and 6 for data status (e.g. truncation or fragmentation), not the PDU
+type itself.
+
+The ext_evt_type_to_legacy() function fails to mask these status bits
+before evaluation. This causes valid advertisements with status bits set
+(e.g. a truncated non-connectable advertisement, which ends up showing
+as PDU type 0x40) to be misclassified as unknown and subsequently
+dropped. This is okay for most checks which use bitwise AND on the
+relevant event type bits, but it doesn't work for non-connectable types,
+which are checked with '== LE_EXT_ADV_NON_CONN_IND' (that is, zero).
+
+In terms of behaviour, first the device sends a truncated report:
+
+> HCI Event: LE Meta Event (0x3e) plen 26
+ LE Extended Advertising Report (0x0d)
+ Entry 0
+ Event type: 0x0040
+ Data status: Incomplete, data truncated, no more to come
+ Address type: Random (0x01)
+ Address: 1D:12:46:FA:F8:6E (Non-Resolvable)
+ SID: 0x03
+ RSSI: -98 dBm (0x9e)
+ Data length: 0x00
+
+Then, a few seconds later, it sends the subsequent complete report:
+
+> HCI Event: LE Meta Event (0x3e) plen 122
+ LE Extended Advertising Report (0x0d)
+ Entry 0
+ Event type: 0x0000
+ Data status: Complete
+ Address type: Random (0x01)
+ Address: 1D:12:46:FA:F8:6E (Non-Resolvable)
+ SID: 0x03
+ RSSI: -97 dBm (0x9f)
+ Data length: 0x60
+ Service Data: Google (0xfef3)
+ Data[92]: ...
+
+These devices often send multiple truncated reports per second.
+
+This patch introduces a PDU type mask to ensure only the relevant bits
+are evaluated, allowing for the correct translation of all valid
+extended advertising packets.
+
+Fixes: b2cc9761f144 ("Bluetooth: Handle extended ADV PDU types")
+Signed-off-by: Chris Down <chris@chrisdown.name>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_event.c | 8 ++++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index e4a97b2d0998..4c084a03d6bb 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -2577,6 +2577,7 @@ struct hci_ev_le_conn_complete {
+ #define LE_EXT_ADV_DIRECT_IND 0x0004
+ #define LE_EXT_ADV_SCAN_RSP 0x0008
+ #define LE_EXT_ADV_LEGACY_PDU 0x0010
++#define LE_EXT_ADV_DATA_STATUS_MASK 0x0060
+ #define LE_EXT_ADV_EVT_TYPE_MASK 0x007f
+
+ #define ADDR_LE_DEV_PUBLIC 0x00
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 8516ba62c545..3b22ce3aa95b 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6216,6 +6216,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
+
+ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
+ {
++ u16 pdu_type = evt_type & ~LE_EXT_ADV_DATA_STATUS_MASK;
++
++ if (!pdu_type)
++ return LE_ADV_NONCONN_IND;
++
+ if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
+ switch (evt_type) {
+ case LE_LEGACY_ADV_IND:
+@@ -6247,8 +6252,7 @@ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
+ if (evt_type & LE_EXT_ADV_SCAN_IND)
+ return LE_ADV_SCAN_IND;
+
+- if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
+- evt_type & LE_EXT_ADV_DIRECT_IND)
++ if (evt_type & LE_EXT_ADV_DIRECT_IND)
+ return LE_ADV_NONCONN_IND;
+
+ invalid:
+--
+2.39.5
+
--- /dev/null
+From 62b4c47da83c9de7ce3c0aa69220310467bea1f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 11:47:23 +0200
+Subject: bpf: Check flow_dissector ctx accesses are aligned
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit ead3d7b2b6afa5ee7958620c4329982a7d9c2b78 ]
+
+flow_dissector_is_valid_access doesn't check that the context access is
+aligned. As a consequence, an unaligned access within one of the exposed
+field is considered valid and later rejected by
+flow_dissector_convert_ctx_access when we try to convert it.
+
+The later rejection is problematic because it's reported as a verifier
+bug with a kernel warning and doesn't point to the right instruction in
+verifier logs.
+
+Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
+Reported-by: syzbot+ccac90e482b2a81d74aa@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ccac90e482b2a81d74aa
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/cc1b036be484c99be45eddf48bd78cc6f72839b1.1754039605.git.paul.chaignon@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 3e10b4c8338f..7afb7658c388 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -9330,6 +9330,9 @@ static bool flow_dissector_is_valid_access(int off, int size,
+ if (off < 0 || off >= sizeof(struct __sk_buff))
+ return false;
+
++ if (off % size != 0)
++ return false;
++
+ if (type == BPF_WRITE)
+ return false;
+
+--
+2.39.5
+
--- /dev/null
+From de44047027e1f773e67ad8ce6bb5037c28d4986e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 11:48:15 +0200
+Subject: bpf: Check netfilter ctx accesses are aligned
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit 9e6448f7b1efb27f8d508b067ecd33ed664a4246 ]
+
+Similarly to the previous patch fixing the flow_dissector ctx accesses,
+nf_is_valid_access also doesn't check that ctx accesses are aligned.
+Contrary to flow_dissector programs, netfilter programs don't have
+context conversion. The unaligned ctx accesses are therefore allowed by
+the verifier.
+
+Fixes: fd9c663b9ad6 ("bpf: minimal support for programs hooked into netfilter framework")
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/853ae9ed5edaa5196e8472ff0f1bb1cc24059214.1754039605.git.paul.chaignon@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index a851553fbbb0..658e401b7937 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -295,6 +295,9 @@ static bool nf_is_valid_access(int off, int size, enum bpf_access_type type,
+ if (off < 0 || off >= sizeof(struct bpf_nf_ctx))
+ return false;
+
++ if (off % size != 0)
++ return false;
++
+ if (type == BPF_WRITE)
+ return false;
+
+--
+2.39.5
+
--- /dev/null
+From d45714fb13310b9807eb90921dbafb37fb291cae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 22:40:37 +0000
+Subject: bpf: Disable migration in nf_hook_run_bpf().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 17ce3e5949bc37557305ad46316f41c7875d6366 ]
+
+syzbot reported that the netfilter bpf prog can be called without
+migration disabled in xmit path.
+
+Then the assertion in __bpf_prog_run() fails, triggering the splat
+below. [0]
+
+Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf().
+
+[0]:
+BUG: assuming non migratable context at ./include/linux/filter.h:703
+in_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session
+3 locks held by sshd-session/5829:
+ #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline]
+ #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395
+ #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
+ #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
+ #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470
+ #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
+ #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
+ #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241
+CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
+ __cant_migrate kernel/sched/core.c:8860 [inline]
+ __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834
+ __bpf_prog_run include/linux/filter.h:703 [inline]
+ bpf_prog_run include/linux/filter.h:725 [inline]
+ nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20
+ nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
+ nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623
+ nf_hook+0x370/0x680 include/linux/netfilter.h:272
+ NF_HOOK_COND include/linux/netfilter.h:305 [inline]
+ ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433
+ dst_output include/net/dst.h:459 [inline]
+ ip_local_out net/ipv4/ip_output.c:129 [inline]
+ __ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527
+ __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479
+ tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline]
+ tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838
+ __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021
+ tcp_push+0x225/0x700 net/ipv4/tcp.c:759
+ tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359
+ tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396
+ inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851
+ sock_sendmsg_nosec net/socket.c:712 [inline]
+ __sock_sendmsg net/socket.c:727 [inline]
+ sock_write_iter+0x4aa/0x5b0 net/socket.c:1131
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x6c7/0x1150 fs/read_write.c:686
+ ksys_write+0x1f8/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fe7d365d407
+Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
+RSP:
+
+Fixes: fd9c663b9ad67 ("bpf: minimal support for programs hooked into netfilter framework")
+Reported-by: syzbot+40f772d37250b6d10efc@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6879466d.a00a0220.3af5df.0022.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Tested-by: syzbot+40f772d37250b6d10efc@syzkaller.appspotmail.com
+Acked-by: Florian Westphal <fw@strlen.de>
+Link: https://patch.msgid.link/20250722224041.112292-1-kuniyu@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index 2aad0562a413..a851553fbbb0 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -17,7 +17,7 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
+ .skb = skb,
+ };
+
+- return bpf_prog_run(prog, &ctx);
++ return bpf_prog_run_pin_on_cpu(prog, &ctx);
+ }
+
+ struct bpf_nf_link {
+--
+2.39.5
+
--- /dev/null
+From 20ba23a62e937fd3b2c3993dfaa708b1e0ace49a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 10:08:52 +0800
+Subject: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 178f6a5c8cb3b6be1602de0964cd440243f493c9 ]
+
+When sending plaintext data, we initially calculated the corresponding
+ciphertext length. However, if we later reduced the plaintext data length
+via socket policy, we failed to recalculate the ciphertext length.
+
+This results in transmitting buffers containing uninitialized data during
+ciphertext transmission.
+
+This causes uninitialized bytes to be appended after a complete
+"Application Data" packet, leading to errors on the receiving end when
+parsing TLS record.
+
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/bpf/20250609020910.397930-2-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 4a9a3aed5d6d..4905a81c4ac1 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -872,6 +872,19 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ delta = msg->sg.size;
+ psock->eval = sk_psock_msg_verdict(sk, psock, msg);
+ delta -= msg->sg.size;
++
++ if ((s32)delta > 0) {
++ /* It indicates that we executed bpf_msg_pop_data(),
++ * causing the plaintext data size to decrease.
++ * Therefore the encrypted data size also needs to
++ * correspondingly decrease. We only need to subtract
++ * delta to calculate the new ciphertext length since
++ * ktls does not support block encryption.
++ */
++ struct sk_msg *enc = &ctx->open_rec->msg_encrypted;
++
++ sk_msg_trim(sk, enc, enc->sg.size - delta);
++ }
+ }
+ if (msg->cork_bytes && msg->cork_bytes > msg->sg.size &&
+ !enospc && !full_record) {
+--
+2.39.5
+
--- /dev/null
+From 8f73c26e3cc6bf749b2d08133c6c3061a89096c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 11:04:41 +0200
+Subject: bpf/preload: Don't select USERMODE_DRIVER
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 2b03164eee20eac7ce0fe3aa4fbda7efc1e5427a ]
+
+The usermode driver framework is not used anymore by the BPF
+preload code.
+
+Fixes: cb80ddc67152 ("bpf: Convert bpf_preload.ko to use light skeleton.")
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/bpf/20250721-remove-usermode-driver-v1-1-0d0083334382@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/preload/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/kernel/bpf/preload/Kconfig b/kernel/bpf/preload/Kconfig
+index c9d45c9d6918..f9b11d01c3b5 100644
+--- a/kernel/bpf/preload/Kconfig
++++ b/kernel/bpf/preload/Kconfig
+@@ -10,7 +10,6 @@ menuconfig BPF_PRELOAD
+ # The dependency on !COMPILE_TEST prevents it from being enabled
+ # in allmodconfig or allyesconfig configurations
+ depends on !COMPILE_TEST
+- select USERMODE_DRIVER
+ help
+ This builds kernel module with several embedded BPF programs that are
+ pinned into BPF FS mount point as human readable files that are
+--
+2.39.5
+
--- /dev/null
+From c978d113403e3a72bc230bf97b2527c0b22dc3cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 10:59:08 +0800
+Subject: bpf, sockmap: Fix psock incorrectly pointing to sk
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 76be5fae32febb1fdb848ba09f78c4b2c76cb337 ]
+
+We observed an issue from the latest selftest: sockmap_redir where
+sk_psock(psock->sk) != psock in the backlog. The root cause is the special
+behavior in sockmap_redir - it frequently performs map_update() and
+map_delete() on the same socket. During map_update(), we create a new
+psock and during map_delete(), we eventually free the psock via rcu_work
+in sk_psock_drop(). However, pending workqueues might still exist and not
+be processed yet. If users immediately perform another map_update(), a new
+psock will be allocated for the same sk, resulting in two psocks pointing
+to the same sk.
+
+When the pending workqueue is later triggered, it uses the old psock to
+access sk for I/O operations, which is incorrect.
+
+Timing Diagram:
+
+cpu0 cpu1
+
+map_update(sk):
+ sk->psock = psock1
+ psock1->sk = sk
+map_delete(sk):
+ rcu_work_free(psock1)
+
+map_update(sk):
+ sk->psock = psock2
+ psock2->sk = sk
+ workqueue:
+ wakeup with psock1, but the sk of psock1
+ doesn't belong to psock1
+rcu_handler:
+ clean psock1
+ free(psock1)
+
+Previously, we used reference counting to address the concurrency issue
+between backlog and sock_map_close(). This logic remains necessary as it
+prevents the sk from being freed while processing the backlog. But this
+patch prevents pending backlogs from using a psock after it has been
+stopped.
+
+Note: We cannot call cancel_delayed_work_sync() in map_delete() since this
+might be invoked in BPF context by BPF helper, and the function may sleep.
+
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20250609025908.79331-1-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index c3169e1e6352..6225547808a6 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -655,6 +655,13 @@ static void sk_psock_backlog(struct work_struct *work)
+ bool ingress;
+ int ret;
+
++ /* If sk is quickly removed from the map and then added back, the old
++ * psock should not be scheduled, because there are now two psocks
++ * pointing to the same sk.
++ */
++ if (!sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))
++ return;
++
+ /* Increment the psock refcnt to synchronize with close(fd) path in
+ * sock_map_close(), ensuring we wait for backlog thread completion
+ * before sk_socket freed. If refcnt increment fails, it indicates
+--
+2.39.5
+
--- /dev/null
+From 241a05972e8384b46f2c15b19b79c8eff176b8a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:21:33 +0800
+Subject: bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit 99fe8af069a9fa5b09140518b1364e35713a642e ]
+
+In function dump_xx_nlmsg(), when realloc() fails to allocate memory,
+the original pointer to the buffer is overwritten with NULL. This causes
+a memory leak because the previously allocated buffer becomes unreachable
+without being freed.
+
+Fixes: 7900efc19214 ("tools/bpf: bpftool: improve output format for bpftool net")
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Reviewed-by: Quentin Monnet <qmo@kernel.org>
+Link: https://lore.kernel.org/r/20250620012133.14819-1-chenyuan_fl@163.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/net.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
+index 28e9417a5c2e..c2ca82fc21e2 100644
+--- a/tools/bpf/bpftool/net.c
++++ b/tools/bpf/bpftool/net.c
+@@ -360,17 +360,18 @@ static int dump_link_nlmsg(void *cookie, void *msg, struct nlattr **tb)
+ {
+ struct bpf_netdev_t *netinfo = cookie;
+ struct ifinfomsg *ifinfo = msg;
++ struct ip_devname_ifindex *tmp;
+
+ if (netinfo->filter_idx > 0 && netinfo->filter_idx != ifinfo->ifi_index)
+ return 0;
+
+ if (netinfo->used_len == netinfo->array_len) {
+- netinfo->devices = realloc(netinfo->devices,
+- (netinfo->array_len + 16) *
+- sizeof(struct ip_devname_ifindex));
+- if (!netinfo->devices)
++ tmp = realloc(netinfo->devices,
++ (netinfo->array_len + 16) * sizeof(struct ip_devname_ifindex));
++ if (!tmp)
+ return -ENOMEM;
+
++ netinfo->devices = tmp;
+ netinfo->array_len += 16;
+ }
+ netinfo->devices[netinfo->used_len].ifindex = ifinfo->ifi_index;
+@@ -389,6 +390,7 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
+ {
+ struct bpf_tcinfo_t *tcinfo = cookie;
+ struct tcmsg *info = msg;
++ struct tc_kind_handle *tmp;
+
+ if (tcinfo->is_qdisc) {
+ /* skip clsact qdisc */
+@@ -400,11 +402,12 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
+ }
+
+ if (tcinfo->used_len == tcinfo->array_len) {
+- tcinfo->handle_array = realloc(tcinfo->handle_array,
++ tmp = realloc(tcinfo->handle_array,
+ (tcinfo->array_len + 16) * sizeof(struct tc_kind_handle));
+- if (!tcinfo->handle_array)
++ if (!tmp)
+ return -ENOMEM;
+
++ tcinfo->handle_array = tmp;
+ tcinfo->array_len += 16;
+ }
+ tcinfo->handle_array[tcinfo->used_len].handle = info->tcm_handle;
+--
+2.39.5
+
--- /dev/null
+From cc7b02d4326ddf6f7ec6d86daba96feba4b0a422 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:22:39 +0200
+Subject: caif: reduce stack size, again
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b630c781bcf6ff87657146661816d0d30a902139 ]
+
+I tried to fix the stack usage in this function a couple of years ago,
+but there is still a problem with the latest gcc versions in some
+configurations:
+
+net/caif/cfctrl.c:553:1: error: the frame size of 1296 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
+
+Reduce this once again, with a separate cfctrl_link_setup() function that
+holds the bulk of all the local variables. It also turns out that the
+param[] array that takes up a large portion of the stack is write-only
+and can be left out here.
+
+Fixes: ce6289661b14 ("caif: reduce stack size with KASAN")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250620112244.3425554-1-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/cfctrl.c | 294 +++++++++++++++++++++++-----------------------
+ 1 file changed, 144 insertions(+), 150 deletions(-)
+
+diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
+index 8480684f2762..10eeace2278b 100644
+--- a/net/caif/cfctrl.c
++++ b/net/caif/cfctrl.c
+@@ -351,17 +351,154 @@ int cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
+ return found;
+ }
+
++static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp)
++{
++ u8 len;
++ u8 linkid = 0;
++ enum cfctrl_srv serv;
++ enum cfctrl_srv servtype;
++ u8 endpoint;
++ u8 physlinkid;
++ u8 prio;
++ u8 tmp;
++ u8 *cp;
++ int i;
++ struct cfctrl_link_param linkparam;
++ struct cfctrl_request_info rsp, *req;
++
++ memset(&linkparam, 0, sizeof(linkparam));
++
++ tmp = cfpkt_extr_head_u8(pkt);
++
++ serv = tmp & CFCTRL_SRV_MASK;
++ linkparam.linktype = serv;
++
++ servtype = tmp >> 4;
++ linkparam.chtype = servtype;
++
++ tmp = cfpkt_extr_head_u8(pkt);
++ physlinkid = tmp & 0x07;
++ prio = tmp >> 3;
++
++ linkparam.priority = prio;
++ linkparam.phyid = physlinkid;
++ endpoint = cfpkt_extr_head_u8(pkt);
++ linkparam.endpoint = endpoint & 0x03;
++
++ switch (serv) {
++ case CFCTRL_SRV_VEI:
++ case CFCTRL_SRV_DBG:
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++ break;
++ case CFCTRL_SRV_VIDEO:
++ tmp = cfpkt_extr_head_u8(pkt);
++ linkparam.u.video.connid = tmp;
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++ break;
++
++ case CFCTRL_SRV_DATAGRAM:
++ linkparam.u.datagram.connid = cfpkt_extr_head_u32(pkt);
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++ break;
++ case CFCTRL_SRV_RFM:
++ /* Construct a frame, convert
++ * DatagramConnectionID
++ * to network format long and copy it out...
++ */
++ linkparam.u.rfm.connid = cfpkt_extr_head_u32(pkt);
++ cp = (u8 *) linkparam.u.rfm.volume;
++ for (tmp = cfpkt_extr_head_u8(pkt);
++ cfpkt_more(pkt) && tmp != '\0';
++ tmp = cfpkt_extr_head_u8(pkt))
++ *cp++ = tmp;
++ *cp = '\0';
++
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++
++ break;
++ case CFCTRL_SRV_UTIL:
++ /* Construct a frame, convert
++ * DatagramConnectionID
++ * to network format long and copy it out...
++ */
++ /* Fifosize KB */
++ linkparam.u.utility.fifosize_kb = cfpkt_extr_head_u16(pkt);
++ /* Fifosize bufs */
++ linkparam.u.utility.fifosize_bufs = cfpkt_extr_head_u16(pkt);
++ /* name */
++ cp = (u8 *) linkparam.u.utility.name;
++ caif_assert(sizeof(linkparam.u.utility.name)
++ >= UTILITY_NAME_LENGTH);
++ for (i = 0; i < UTILITY_NAME_LENGTH && cfpkt_more(pkt); i++) {
++ tmp = cfpkt_extr_head_u8(pkt);
++ *cp++ = tmp;
++ }
++ /* Length */
++ len = cfpkt_extr_head_u8(pkt);
++ linkparam.u.utility.paramlen = len;
++ /* Param Data */
++ cp = linkparam.u.utility.params;
++ while (cfpkt_more(pkt) && len--) {
++ tmp = cfpkt_extr_head_u8(pkt);
++ *cp++ = tmp;
++ }
++ if (CFCTRL_ERR_BIT & cmdrsp)
++ break;
++ /* Link ID */
++ linkid = cfpkt_extr_head_u8(pkt);
++ /* Length */
++ len = cfpkt_extr_head_u8(pkt);
++ /* Param Data */
++ cfpkt_extr_head(pkt, NULL, len);
++ break;
++ default:
++ pr_warn("Request setup, invalid type (%d)\n", serv);
++ return -1;
++ }
++
++ rsp.cmd = CFCTRL_CMD_LINK_SETUP;
++ rsp.param = linkparam;
++ spin_lock_bh(&cfctrl->info_list_lock);
++ req = cfctrl_remove_req(cfctrl, &rsp);
++
++ if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
++ cfpkt_erroneous(pkt)) {
++ pr_err("Invalid O/E bit or parse error "
++ "on CAIF control channel\n");
++ cfctrl->res.reject_rsp(cfctrl->serv.layer.up, 0,
++ req ? req->client_layer : NULL);
++ } else {
++ cfctrl->res.linksetup_rsp(cfctrl->serv.layer.up, linkid,
++ serv, physlinkid,
++ req ? req->client_layer : NULL);
++ }
++
++ kfree(req);
++
++ spin_unlock_bh(&cfctrl->info_list_lock);
++
++ return 0;
++}
++
+ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
+ {
+ u8 cmdrsp;
+ u8 cmd;
+- int ret = -1;
+- u8 len;
+- u8 param[255];
++ int ret = 0;
+ u8 linkid = 0;
+ struct cfctrl *cfctrl = container_obj(layer);
+- struct cfctrl_request_info rsp, *req;
+-
+
+ cmdrsp = cfpkt_extr_head_u8(pkt);
+ cmd = cmdrsp & CFCTRL_CMD_MASK;
+@@ -374,150 +511,7 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
+
+ switch (cmd) {
+ case CFCTRL_CMD_LINK_SETUP:
+- {
+- enum cfctrl_srv serv;
+- enum cfctrl_srv servtype;
+- u8 endpoint;
+- u8 physlinkid;
+- u8 prio;
+- u8 tmp;
+- u8 *cp;
+- int i;
+- struct cfctrl_link_param linkparam;
+- memset(&linkparam, 0, sizeof(linkparam));
+-
+- tmp = cfpkt_extr_head_u8(pkt);
+-
+- serv = tmp & CFCTRL_SRV_MASK;
+- linkparam.linktype = serv;
+-
+- servtype = tmp >> 4;
+- linkparam.chtype = servtype;
+-
+- tmp = cfpkt_extr_head_u8(pkt);
+- physlinkid = tmp & 0x07;
+- prio = tmp >> 3;
+-
+- linkparam.priority = prio;
+- linkparam.phyid = physlinkid;
+- endpoint = cfpkt_extr_head_u8(pkt);
+- linkparam.endpoint = endpoint & 0x03;
+-
+- switch (serv) {
+- case CFCTRL_SRV_VEI:
+- case CFCTRL_SRV_DBG:
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+- break;
+- case CFCTRL_SRV_VIDEO:
+- tmp = cfpkt_extr_head_u8(pkt);
+- linkparam.u.video.connid = tmp;
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+- break;
+-
+- case CFCTRL_SRV_DATAGRAM:
+- linkparam.u.datagram.connid =
+- cfpkt_extr_head_u32(pkt);
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+- break;
+- case CFCTRL_SRV_RFM:
+- /* Construct a frame, convert
+- * DatagramConnectionID
+- * to network format long and copy it out...
+- */
+- linkparam.u.rfm.connid =
+- cfpkt_extr_head_u32(pkt);
+- cp = (u8 *) linkparam.u.rfm.volume;
+- for (tmp = cfpkt_extr_head_u8(pkt);
+- cfpkt_more(pkt) && tmp != '\0';
+- tmp = cfpkt_extr_head_u8(pkt))
+- *cp++ = tmp;
+- *cp = '\0';
+-
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+-
+- break;
+- case CFCTRL_SRV_UTIL:
+- /* Construct a frame, convert
+- * DatagramConnectionID
+- * to network format long and copy it out...
+- */
+- /* Fifosize KB */
+- linkparam.u.utility.fifosize_kb =
+- cfpkt_extr_head_u16(pkt);
+- /* Fifosize bufs */
+- linkparam.u.utility.fifosize_bufs =
+- cfpkt_extr_head_u16(pkt);
+- /* name */
+- cp = (u8 *) linkparam.u.utility.name;
+- caif_assert(sizeof(linkparam.u.utility.name)
+- >= UTILITY_NAME_LENGTH);
+- for (i = 0;
+- i < UTILITY_NAME_LENGTH
+- && cfpkt_more(pkt); i++) {
+- tmp = cfpkt_extr_head_u8(pkt);
+- *cp++ = tmp;
+- }
+- /* Length */
+- len = cfpkt_extr_head_u8(pkt);
+- linkparam.u.utility.paramlen = len;
+- /* Param Data */
+- cp = linkparam.u.utility.params;
+- while (cfpkt_more(pkt) && len--) {
+- tmp = cfpkt_extr_head_u8(pkt);
+- *cp++ = tmp;
+- }
+- if (CFCTRL_ERR_BIT & cmdrsp)
+- break;
+- /* Link ID */
+- linkid = cfpkt_extr_head_u8(pkt);
+- /* Length */
+- len = cfpkt_extr_head_u8(pkt);
+- /* Param Data */
+- cfpkt_extr_head(pkt, ¶m, len);
+- break;
+- default:
+- pr_warn("Request setup, invalid type (%d)\n",
+- serv);
+- goto error;
+- }
+-
+- rsp.cmd = cmd;
+- rsp.param = linkparam;
+- spin_lock_bh(&cfctrl->info_list_lock);
+- req = cfctrl_remove_req(cfctrl, &rsp);
+-
+- if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
+- cfpkt_erroneous(pkt)) {
+- pr_err("Invalid O/E bit or parse error "
+- "on CAIF control channel\n");
+- cfctrl->res.reject_rsp(cfctrl->serv.layer.up,
+- 0,
+- req ? req->client_layer
+- : NULL);
+- } else {
+- cfctrl->res.linksetup_rsp(cfctrl->serv.
+- layer.up, linkid,
+- serv, physlinkid,
+- req ? req->
+- client_layer : NULL);
+- }
+-
+- kfree(req);
+-
+- spin_unlock_bh(&cfctrl->info_list_lock);
+- }
++ ret = cfctrl_link_setup(cfctrl, pkt, cmdrsp);
+ break;
+ case CFCTRL_CMD_LINK_DESTROY:
+ linkid = cfpkt_extr_head_u8(pkt);
+@@ -544,9 +538,9 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
+ break;
+ default:
+ pr_err("Unrecognized Control Frame\n");
++ ret = -1;
+ goto error;
+ }
+- ret = 0;
+ error:
+ cfpkt_destroy(pkt);
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From ef7e229930e427ced5abb48d2b97ad9ff11e6e9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:32:25 +0200
+Subject: can: kvaser_pciefd: Store device channel index
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit d54b16b40ddadb7d0a77fff48af7b319a0cd6aae ]
+
+Store device channel index in netdev.dev_port.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://patch.msgid.link/20250725123230.8-6-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/kvaser_pciefd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c
+index 73b448cd00f2..0b74b79b08f0 100644
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -927,6 +927,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie)
+ can->err_rep_cnt = 0;
+ can->bec.txerr = 0;
+ can->bec.rxerr = 0;
++ can->can.dev->dev_port = i;
+
+ init_completion(&can->start_comp);
+ init_completion(&can->flush_comp);
+--
+2.39.5
+
--- /dev/null
+From dfe26003ce986ad2131562ba7783b54357324f14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:34:44 +0200
+Subject: can: kvaser_usb: Assign netdev.dev_port based on device channel index
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit c151b06a087a61c7a1790b75ee2f1d6edb6a8a45 ]
+
+Assign netdev.dev_port based on the device channel index, to indicate the
+port number of the network device.
+While this driver already uses netdev.dev_id for that purpose, dev_port is
+more appropriate. However, retain dev_id to avoid potential regressions.
+
+Fixes: 3e66d0138c05 ("can: populate netdev::dev_id for udev discrimination")
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://patch.msgid.link/20250725123452.41-4-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+index 15f28b6fe758..022b5b79247c 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -856,6 +856,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
+ }
+ SET_NETDEV_DEV(netdev, &dev->intf->dev);
+ netdev->dev_id = channel;
++ netdev->dev_port = channel;
+
+ dev->nets[channel] = priv;
+
+--
+2.39.5
+
--- /dev/null
+From 3e1d961854fdfa3abb2f61e0f72870e1bd2a76a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 10:13:19 +0200
+Subject: can: peak_usb: fix USB FD devices potential malfunction
+
+From: Stephane Grosjean <stephane.grosjean@hms-networks.com>
+
+[ Upstream commit 788199b73b6efe4ee2ade4d7457b50bb45493488 ]
+
+The latest firmware versions of USB CAN FD interfaces export the EP numbers
+to be used to dialog with the device via the "type" field of a response to
+a vendor request structure, particularly when its value is greater than or
+equal to 2.
+
+Correct the driver's test of this field.
+
+Fixes: 4f232482467a ("can: peak_usb: include support for a new MCU")
+Signed-off-by: Stephane Grosjean <stephane.grosjean@hms-networks.com>
+Link: https://patch.msgid.link/20250724081550.11694-1-stephane.grosjean@free.fr
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+[mkl: rephrase commit message]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+index 4d85b29a17b7..ebefc274b50a 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -49,7 +49,7 @@ struct __packed pcan_ufd_fw_info {
+ __le32 ser_no; /* S/N */
+ __le32 flags; /* special functions */
+
+- /* extended data when type == PCAN_USBFD_TYPE_EXT */
++ /* extended data when type >= PCAN_USBFD_TYPE_EXT */
+ u8 cmd_out_ep; /* ep for cmd */
+ u8 cmd_in_ep; /* ep for replies */
+ u8 data_out_ep[2]; /* ep for CANx TX */
+@@ -982,10 +982,11 @@ static int pcan_usb_fd_init(struct peak_usb_device *dev)
+ dev->can.ctrlmode |= CAN_CTRLMODE_FD_NON_ISO;
+ }
+
+- /* if vendor rsp is of type 2, then it contains EP numbers to
+- * use for cmds pipes. If not, then default EP should be used.
++ /* if vendor rsp type is greater than or equal to 2, then it
++ * contains EP numbers to use for cmds pipes. If not, then
++ * default EP should be used.
+ */
+- if (fw_info->type != cpu_to_le16(PCAN_USBFD_TYPE_EXT)) {
++ if (le16_to_cpu(fw_info->type) < PCAN_USBFD_TYPE_EXT) {
+ fw_info->cmd_out_ep = PCAN_USBPRO_EP_CMDOUT;
+ fw_info->cmd_in_ep = PCAN_USBPRO_EP_CMDIN;
+ }
+@@ -1018,11 +1019,11 @@ static int pcan_usb_fd_init(struct peak_usb_device *dev)
+ dev->can_channel_id =
+ le32_to_cpu(pdev->usb_if->fw_info.dev_id[dev->ctrl_idx]);
+
+- /* if vendor rsp is of type 2, then it contains EP numbers to
+- * use for data pipes. If not, then statically defined EP are used
+- * (see peak_usb_create_dev()).
++ /* if vendor rsp type is greater than or equal to 2, then it contains EP
++ * numbers to use for data pipes. If not, then statically defined EP are
++ * used (see peak_usb_create_dev()).
+ */
+- if (fw_info->type == cpu_to_le16(PCAN_USBFD_TYPE_EXT)) {
++ if (le16_to_cpu(fw_info->type) >= PCAN_USBFD_TYPE_EXT) {
+ dev->ep_msg_in = fw_info->data_in_ep;
+ dev->ep_msg_out = fw_info->data_out_ep[dev->ctrl_idx];
+ }
+--
+2.39.5
+
--- /dev/null
+From 7a46979ae78b41f267fbdd812dd7d0d06cb13e4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 16:41:06 +0100
+Subject: clk: clk-axi-clkgen: fix fpfd_max frequency for zynq
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+[ Upstream commit ce8a9096699500e2c5bca09dde27b16edda5f636 ]
+
+The fpfd_max frequency should be set to 450 MHz instead of 300 MHz.
+Well, it actually depends on the platform speed grade but we are being
+conservative for ultrascale so let's be consistent. In a following
+change we will set these limits at runtime.
+
+Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20250519-dev-axi-clkgen-limits-v6-1-bc4b3b61d1d4@analog.com
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-axi-clkgen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/clk-axi-clkgen.c b/drivers/clk/clk-axi-clkgen.c
+index 934e53a96ddd..00bf799964c6 100644
+--- a/drivers/clk/clk-axi-clkgen.c
++++ b/drivers/clk/clk-axi-clkgen.c
+@@ -118,7 +118,7 @@ static const struct axi_clkgen_limits axi_clkgen_zynqmp_default_limits = {
+
+ static const struct axi_clkgen_limits axi_clkgen_zynq_default_limits = {
+ .fpfd_min = 10000,
+- .fpfd_max = 300000,
++ .fpfd_max = 450000,
+ .fvco_min = 600000,
+ .fvco_max = 1200000,
+ };
+--
+2.39.5
+
--- /dev/null
+From 6ac5baa9b1976b01cabbd56167ddc1563ddb3281 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 21:13:41 +0800
+Subject: clk: davinci: Add NULL check in davinci_lpsc_clk_register()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 13de464f445d42738fe18c9a28bab056ba3a290a ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+davinci_lpsc_clk_register() does not check for this case, which results
+in a NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue and ensuring
+no resources are left allocated.
+
+Fixes: c6ed4d734bc7 ("clk: davinci: New driver for davinci PSC clocks")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://lore.kernel.org/r/20250401131341.26800-1-bsdhenrymartin@gmail.com
+Reviewed-by: David Lechner <david@lechnology.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/davinci/psc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/clk/davinci/psc.c b/drivers/clk/davinci/psc.c
+index cd85d9f158b0..6f7b8f082ad3 100644
+--- a/drivers/clk/davinci/psc.c
++++ b/drivers/clk/davinci/psc.c
+@@ -278,6 +278,11 @@ davinci_lpsc_clk_register(struct device *dev, const char *name,
+
+ lpsc->pm_domain.name = devm_kasprintf(dev, GFP_KERNEL, "%s: %s",
+ best_dev_name(dev), name);
++ if (!lpsc->pm_domain.name) {
++ clk_hw_unregister(&lpsc->hw);
++ kfree(lpsc);
++ return ERR_PTR(-ENOMEM);
++ }
+ lpsc->pm_domain.attach_dev = davinci_psc_genpd_attach_dev;
+ lpsc->pm_domain.detach_dev = davinci_psc_genpd_detach_dev;
+ lpsc->pm_domain.flags = GENPD_FLAG_PM_CLK;
+--
+2.39.5
+
--- /dev/null
+From b35bffe2d3bd63e59e80214e878d8fb63e57c703 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 17:40:07 +0200
+Subject: clk: sunxi-ng: v3s: Fix de clock definition
+
+From: Paul Kocialkowski <paulk@sys-base.io>
+
+[ Upstream commit e8ab346f9907a1a3aa2f0e5decf849925c06ae2e ]
+
+The de clock is marked with CLK_SET_RATE_PARENT, which is really not
+necessary (as confirmed from experimentation) and significantly
+restricts flexibility for other clocks using the same parent.
+
+In addition the source selection (parent) field is marked as using
+2 bits, when it the documentation reports that it uses 3.
+
+Fix both issues in the de clock definition.
+
+Fixes: d0f11d14b0bc ("clk: sunxi-ng: add support for V3s CCU")
+Signed-off-by: Paul Kocialkowski <paulk@sys-base.io>
+Link: https://patch.msgid.link/20250704154008.3463257-1-paulk@sys-base.io
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+index f3ce8664b288..b05553faed6d 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
++++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+@@ -347,8 +347,7 @@ static SUNXI_CCU_GATE(dram_ohci_clk, "dram-ohci", "dram",
+
+ static const char * const de_parents[] = { "pll-video", "pll-periph0" };
+ static SUNXI_CCU_M_WITH_MUX_GATE(de_clk, "de", de_parents,
+- 0x104, 0, 4, 24, 2, BIT(31),
+- CLK_SET_RATE_PARENT);
++ 0x104, 0, 4, 24, 3, BIT(31), 0);
+
+ static const char * const tcon_parents[] = { "pll-video" };
+ static SUNXI_CCU_M_WITH_MUX_GATE(tcon_clk, "tcon", tcon_parents,
+--
+2.39.5
+
--- /dev/null
+From 5da38dfbb94081403e45fd7133a4dd32d899e996 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2025 03:36:13 -0800
+Subject: clk: xilinx: vcu: unregister pll_post only if registered correctly
+
+From: Rohit Visavalia <rohit.visavalia@amd.com>
+
+[ Upstream commit 3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d ]
+
+If registration of pll_post is failed, it will be set to NULL or ERR,
+unregistering same will fail with following call trace:
+
+Unable to handle kernel NULL pointer dereference at virtual address 008
+pc : clk_hw_unregister+0xc/0x20
+lr : clk_hw_unregister_fixed_factor+0x18/0x30
+sp : ffff800011923850
+...
+Call trace:
+ clk_hw_unregister+0xc/0x20
+ clk_hw_unregister_fixed_factor+0x18/0x30
+ xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]
+ xvcu_probe+0x2bc/0x53c [xlnx_vcu]
+
+Fixes: 4472e1849db7 ("soc: xilinx: vcu: make pll post divider explicit")
+Signed-off-by: Rohit Visavalia <rohit.visavalia@amd.com>
+Link: https://lore.kernel.org/r/20250210113614.4149050-2-rohit.visavalia@amd.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/xilinx/xlnx_vcu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/xilinx/xlnx_vcu.c b/drivers/clk/xilinx/xlnx_vcu.c
+index 60a3ed7c7263..299332818ba3 100644
+--- a/drivers/clk/xilinx/xlnx_vcu.c
++++ b/drivers/clk/xilinx/xlnx_vcu.c
+@@ -587,8 +587,8 @@ static void xvcu_unregister_clock_provider(struct xvcu_device *xvcu)
+ xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_MCU]);
+ if (!IS_ERR_OR_NULL(hws[CLK_XVCU_ENC_CORE]))
+ xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_CORE]);
+-
+- clk_hw_unregister_fixed_factor(xvcu->pll_post);
++ if (!IS_ERR_OR_NULL(xvcu->pll_post))
++ clk_hw_unregister_fixed_factor(xvcu->pll_post);
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From b5c06faaa255bbda39c804735e176009c14a5c37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:41:43 +0800
+Subject: cpufreq: Init policy->rwsem before it may be possibly used
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit d1378d1d7edb3a4c4935a44fe834ae135be03564 ]
+
+In cpufreq_policy_put_kobj(), policy->rwsem is used. But in
+cpufreq_policy_alloc(), if freq_qos_add_notifier() returns an error, error
+path via err_kobj_remove or err_min_qos_notifier will be reached and
+cpufreq_policy_put_kobj() will be called before policy->rwsem is
+initialized. Thus, the calling of init_rwsem() should be moved to where
+before these two error paths can be reached.
+
+Fixes: 67d874c3b2c6 ("cpufreq: Register notifiers with the PM QoS framework")
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://patch.msgid.link/20250709104145.2348017-3-zhenglifeng1@huawei.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index d48a7feba54d..cc98d8cf5433 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1287,6 +1287,8 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
+ goto err_free_real_cpus;
+ }
+
++ init_rwsem(&policy->rwsem);
++
+ freq_constraints_init(&policy->constraints);
+
+ policy->nb_min.notifier_call = cpufreq_notifier_min;
+@@ -1309,7 +1311,6 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
+ }
+
+ INIT_LIST_HEAD(&policy->policy_list);
+- init_rwsem(&policy->rwsem);
+ spin_lock_init(&policy->transition_lock);
+ init_waitqueue_head(&policy->transition_wait);
+ INIT_WORK(&policy->update, handle_update);
+--
+2.39.5
+
--- /dev/null
+From cfc7db3880e94fc59c175a0de70c13cca7552ada Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:41:42 +0800
+Subject: cpufreq: Initialize cpufreq-based frequency-invariance later
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit 2a6c727387062a2ea79eb6cf5004820cb1b0afe2 ]
+
+The cpufreq-based invariance is enabled in cpufreq_register_driver(),
+but never disabled after registration fails. Move the invariance
+initialization to where all other initializations have been successfully
+done to solve this problem.
+
+Fixes: 874f63531064 ("cpufreq: report whether cpufreq supports Frequency Invariance (FI)")
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://patch.msgid.link/20250709104145.2348017-2-zhenglifeng1@huawei.com
+[ rjw: New subject ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 6682f422cadd..d48a7feba54d 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -2938,15 +2938,6 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
+ cpufreq_driver = driver_data;
+ write_unlock_irqrestore(&cpufreq_driver_lock, flags);
+
+- /*
+- * Mark support for the scheduler's frequency invariance engine for
+- * drivers that implement target(), target_index() or fast_switch().
+- */
+- if (!cpufreq_driver->setpolicy) {
+- static_branch_enable_cpuslocked(&cpufreq_freq_invariance);
+- pr_debug("supports frequency invariance");
+- }
+-
+ if (driver_data->setpolicy)
+ driver_data->flags |= CPUFREQ_CONST_LOOPS;
+
+@@ -2977,6 +2968,15 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
+ hp_online = ret;
+ ret = 0;
+
++ /*
++ * Mark support for the scheduler's frequency invariance engine for
++ * drivers that implement target(), target_index() or fast_switch().
++ */
++ if (!cpufreq_driver->setpolicy) {
++ static_branch_enable_cpuslocked(&cpufreq_freq_invariance);
++ pr_debug("supports frequency invariance");
++ }
++
+ pr_debug("driver %s up and running\n", driver_data->name);
+ goto out;
+
+--
+2.39.5
+
--- /dev/null
+From 45d14813f910fa5351a2353bb9f6b80259de5bf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 20:19:19 +0200
+Subject: cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 1cefe495cacba5fb0417da3a75a1a76e3546d176 ]
+
+In the passive mode, intel_cpufreq_update_pstate() sets HWP_MIN_PERF in
+accordance with the target frequency to ensure delivering adequate
+performance, but it sets HWP_DESIRED_PERF to 0, so the processor has no
+indication that the desired performance level is actually equal to the
+floor one. This may cause it to choose a performance point way above
+the desired level.
+
+Moreover, this is inconsistent with intel_cpufreq_adjust_perf() which
+actually sets HWP_DESIRED_PERF in accordance with the target performance
+value.
+
+Address this by adjusting intel_cpufreq_update_pstate() to pass
+target_pstate as both the minimum and the desired performance levels
+to intel_cpufreq_hwp_update().
+
+Fixes: a365ab6b9dfb ("cpufreq: intel_pstate: Implement the ->adjust_perf() callback")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Tested-by: Shashank Balaji <shashank.mahadasyam@sony.com>
+Link: https://patch.msgid.link/6173276.lOV4Wx5bFT@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/intel_pstate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index 8a4fdf212ce0..4f1206ff0a10 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -2902,8 +2902,8 @@ static int intel_cpufreq_update_pstate(struct cpufreq_policy *policy,
+ int max_pstate = policy->strict_target ?
+ target_pstate : cpu->max_perf_ratio;
+
+- intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate, 0,
+- fast_switch);
++ intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate,
++ target_pstate, fast_switch);
+ } else if (target_pstate != old_pstate) {
+ intel_cpufreq_perf_ctl_update(cpu, target_pstate, fast_switch);
+ }
+--
+2.39.5
+
--- /dev/null
+From 6b09e75e7f06a0ba0b91a04f670375a75d3270c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 11:32:52 +0200
+Subject: crypto: arm/aes-neonbs - work around gcc-15 warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit d5fa96dc5590915f060fee3209143313e4f5b03b ]
+
+I get a very rare -Wstringop-overread warning with gcc-15 for one function
+in aesbs_ctr_encrypt():
+
+arch/arm/crypto/aes-neonbs-glue.c: In function 'ctr_encrypt':
+arch/arm/crypto/aes-neonbs-glue.c:212:1446: error: '__builtin_memcpy' offset [17, 2147483647] is out of the bounds [0, 16] of object 'buf' with type 'u8[16]' {aka 'unsigned char[16]'} [-Werror=array-bounds=]
+ 212 | src = dst = memcpy(buf + sizeof(buf) - bytes,
+arch/arm/crypto/aes-neonbs-glue.c: In function 'ctr_encrypt':
+arch/arm/crypto/aes-neonbs-glue.c:218:17: error: 'aesbs_ctr_encrypt' reading 1 byte from a region of size 0 [-Werror=stringop-overread]
+ 218 | aesbs_ctr_encrypt(dst, src, ctx->rk, ctx->rounds, bytes, walk.iv);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/arm/crypto/aes-neonbs-glue.c:218:17: note: referencing argument 2 of type 'const u8[0]' {aka 'const unsigned char[]'}
+arch/arm/crypto/aes-neonbs-glue.c:218:17: note: referencing argument 3 of type 'const u8[0]' {aka 'const unsigned char[]'}
+arch/arm/crypto/aes-neonbs-glue.c:218:17: note: referencing argument 6 of type 'u8[0]' {aka 'unsigned char[]'}
+arch/arm/crypto/aes-neonbs-glue.c:36:17: note: in a call to function 'aesbs_ctr_encrypt'
+ 36 | asmlinkage void aesbs_ctr_encrypt(u8 out[], u8 const in[], u8 const rk[],
+
+This could happen in theory if walk.nbytes is larger than INT_MAX and gets
+converted to a negative local variable.
+
+Keep the type unsigned like the orignal nbytes to be sure there is no
+integer overflow.
+
+Fixes: c8bf850e991a ("crypto: arm/aes-neonbs-ctr - deal with non-multiples of AES block size")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/crypto/aes-neonbs-glue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/crypto/aes-neonbs-glue.c b/arch/arm/crypto/aes-neonbs-glue.c
+index 0ca94b90bc4e..ba98daeb119c 100644
+--- a/arch/arm/crypto/aes-neonbs-glue.c
++++ b/arch/arm/crypto/aes-neonbs-glue.c
+@@ -245,7 +245,7 @@ static int ctr_encrypt(struct skcipher_request *req)
+ while (walk.nbytes > 0) {
+ const u8 *src = walk.src.virt.addr;
+ u8 *dst = walk.dst.virt.addr;
+- int bytes = walk.nbytes;
++ unsigned int bytes = walk.nbytes;
+
+ if (unlikely(bytes < AES_BLOCK_SIZE))
+ src = dst = memcpy(buf + sizeof(buf) - bytes,
+--
+2.39.5
+
--- /dev/null
+From a60e5760b3b5fdb2bf7edb701d2ff70a70e341c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:54:18 +0800
+Subject: crypto: ccp - Fix crash when rebind ccp device for ccp.ko
+
+From: Mengbiao Xiong <xisme1998@gmail.com>
+
+[ Upstream commit 181698af38d3f93381229ad89c09b5bd0496661a ]
+
+When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding
+the ccp device causes the following crash:
+
+$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind
+$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind
+
+[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098
+[ 204.978026] #PF: supervisor write access in kernel mode
+[ 204.979126] #PF: error_code(0x0002) - not-present page
+[ 204.980226] PGD 0 P4D 0
+[ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI
+...
+[ 204.997852] Call Trace:
+[ 204.999074] <TASK>
+[ 205.000297] start_creating+0x9f/0x1c0
+[ 205.001533] debugfs_create_dir+0x1f/0x170
+[ 205.002769] ? srso_return_thunk+0x5/0x5f
+[ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp]
+[ 205.005241] ccp5_init+0x8b2/0x960 [ccp]
+[ 205.006469] ccp_dev_init+0xd4/0x150 [ccp]
+[ 205.007709] sp_init+0x5f/0x80 [ccp]
+[ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp]
+[ 205.010165] ? srso_return_thunk+0x5/0x5f
+[ 205.011376] local_pci_probe+0x4f/0xb0
+[ 205.012584] pci_device_probe+0xdb/0x230
+[ 205.013810] really_probe+0xed/0x380
+[ 205.015024] __driver_probe_device+0x7e/0x160
+[ 205.016240] device_driver_attach+0x2f/0x60
+[ 205.017457] bind_store+0x7c/0xb0
+[ 205.018663] drv_attr_store+0x28/0x40
+[ 205.019868] sysfs_kf_write+0x5f/0x70
+[ 205.021065] kernfs_fop_write_iter+0x145/0x1d0
+[ 205.022267] vfs_write+0x308/0x440
+[ 205.023453] ksys_write+0x6d/0xe0
+[ 205.024616] __x64_sys_write+0x1e/0x30
+[ 205.025778] x64_sys_call+0x16ba/0x2150
+[ 205.026942] do_syscall_64+0x56/0x1e0
+[ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 205.029276] RIP: 0033:0x7fbc36f10104
+[ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5
+
+This patch sets ccp_debugfs_dir to NULL after destroying it in
+ccp5_debugfs_destroy, allowing the directory dentry to be
+recreated when rebinding the ccp device.
+
+Tested on AMD Ryzen 7 1700X.
+
+Fixes: 3cdbe346ed3f ("crypto: ccp - Add debugfs entries for CCP information")
+Signed-off-by: Mengbiao Xiong <xisme1998@gmail.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/ccp-debugfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/ccp/ccp-debugfs.c b/drivers/crypto/ccp/ccp-debugfs.c
+index a1055554b47a..dc26bc22c91d 100644
+--- a/drivers/crypto/ccp/ccp-debugfs.c
++++ b/drivers/crypto/ccp/ccp-debugfs.c
+@@ -319,5 +319,8 @@ void ccp5_debugfs_setup(struct ccp_device *ccp)
+
+ void ccp5_debugfs_destroy(void)
+ {
++ mutex_lock(&ccp_debugfs_lock);
+ debugfs_remove_recursive(ccp_debugfs_dir);
++ ccp_debugfs_dir = NULL;
++ mutex_unlock(&ccp_debugfs_lock);
+ }
+--
+2.39.5
+
--- /dev/null
+From 19e6548c3f5ed11f5fd87b2b2e0c440f7f5735bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 11:16:22 +0200
+Subject: crypto: img-hash - Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 34b283636181ce02c52633551f594fec9876bec7 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/img-hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c
+index 45063693859c..de80c95309e6 100644
+--- a/drivers/crypto/img-hash.c
++++ b/drivers/crypto/img-hash.c
+@@ -436,7 +436,7 @@ static int img_hash_write_via_dma_stop(struct img_hash_dev *hdev)
+ struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req);
+
+ if (ctx->flags & DRIVER_FLAGS_SG)
+- dma_unmap_sg(hdev->dev, ctx->sg, ctx->dma_ct, DMA_TO_DEVICE);
++ dma_unmap_sg(hdev->dev, ctx->sg, 1, DMA_TO_DEVICE);
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 85f6cb7c0d2bbb5e44ed7c78388216a2345dc344 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:29:26 +0200
+Subject: crypto: inside-secure - Fix `dma_unmap_sg()` nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit cb7fa6b6fc71e0c801e271aa498e2f19e6df2931 ]
+
+The `dma_unmap_sg()` functions should be called with the same nents as the
+`dma_map_sg()`, not the value the map function returned.
+
+Fixes: c957f8b3e2e5 ("crypto: inside-secure - avoid unmapping DMA memory that was not mapped")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/inside-secure/safexcel_hash.c b/drivers/crypto/inside-secure/safexcel_hash.c
+index f44c08f5f5ec..af4b978189e5 100644
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -249,7 +249,9 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv,
+ safexcel_complete(priv, ring);
+
+ if (sreq->nents) {
+- dma_unmap_sg(priv->dev, areq->src, sreq->nents, DMA_TO_DEVICE);
++ dma_unmap_sg(priv->dev, areq->src,
++ sg_nents_for_len(areq->src, areq->nbytes),
++ DMA_TO_DEVICE);
+ sreq->nents = 0;
+ }
+
+@@ -497,7 +499,9 @@ static int safexcel_ahash_send_req(struct crypto_async_request *async, int ring,
+ DMA_FROM_DEVICE);
+ unmap_sg:
+ if (req->nents) {
+- dma_unmap_sg(priv->dev, areq->src, req->nents, DMA_TO_DEVICE);
++ dma_unmap_sg(priv->dev, areq->src,
++ sg_nents_for_len(areq->src, areq->nbytes),
++ DMA_TO_DEVICE);
+ req->nents = 0;
+ }
+ cdesc_rollback:
+--
+2.39.5
+
--- /dev/null
+From aee3009a2fc8ceba89da036ae027b055dec43942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 10:57:06 +0200
+Subject: crypto: keembay - Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 01951a7dc5ac1a37e5fb7d86ea7eb2dfbf96e8b6 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 472b04444cd3 ("crypto: keembay - Add Keem Bay OCS HCU driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c b/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c
+index daba8ca05dbe..b73222303539 100644
+--- a/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c
++++ b/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c
+@@ -68,6 +68,7 @@ struct ocs_hcu_ctx {
+ * @sg_data_total: Total data in the SG list at any time.
+ * @sg_data_offset: Offset into the data of the current individual SG node.
+ * @sg_dma_nents: Number of sg entries mapped in dma_list.
++ * @nents: Number of entries in the scatterlist.
+ */
+ struct ocs_hcu_rctx {
+ struct ocs_hcu_dev *hcu_dev;
+@@ -91,6 +92,7 @@ struct ocs_hcu_rctx {
+ unsigned int sg_data_total;
+ unsigned int sg_data_offset;
+ unsigned int sg_dma_nents;
++ unsigned int nents;
+ };
+
+ /**
+@@ -199,7 +201,7 @@ static void kmb_ocs_hcu_dma_cleanup(struct ahash_request *req,
+
+ /* Unmap req->src (if mapped). */
+ if (rctx->sg_dma_nents) {
+- dma_unmap_sg(dev, req->src, rctx->sg_dma_nents, DMA_TO_DEVICE);
++ dma_unmap_sg(dev, req->src, rctx->nents, DMA_TO_DEVICE);
+ rctx->sg_dma_nents = 0;
+ }
+
+@@ -260,6 +262,10 @@ static int kmb_ocs_dma_prepare(struct ahash_request *req)
+ rc = -ENOMEM;
+ goto cleanup;
+ }
++
++ /* Save the value of nents to pass to dma_unmap_sg. */
++ rctx->nents = nents;
++
+ /*
+ * The value returned by dma_map_sg() can be < nents; so update
+ * nents accordingly.
+--
+2.39.5
+
--- /dev/null
+From 0ce2edf57779d7571341b05ce30770da51898fbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 20:41:28 +0800
+Subject: crypto: marvell/cesa - Fix engine load inaccuracy
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 442134ab30e75b7229c4bfc1ac5641d245cffe27 ]
+
+If an error occurs during queueing the engine load will never be
+decremented. Fix this by moving the engine load adjustment into
+the cleanup function.
+
+Fixes: bf8f91e71192 ("crypto: marvell - Add load balancing between engines")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cesa/cipher.c | 4 +++-
+ drivers/crypto/marvell/cesa/hash.c | 5 +++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c
+index 3876e3ce822f..eabed9d977df 100644
+--- a/drivers/crypto/marvell/cesa/cipher.c
++++ b/drivers/crypto/marvell/cesa/cipher.c
+@@ -75,9 +75,12 @@ mv_cesa_skcipher_dma_cleanup(struct skcipher_request *req)
+ static inline void mv_cesa_skcipher_cleanup(struct skcipher_request *req)
+ {
+ struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req);
++ struct mv_cesa_engine *engine = creq->base.engine;
+
+ if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ)
+ mv_cesa_skcipher_dma_cleanup(req);
++
++ atomic_sub(req->cryptlen, &engine->load);
+ }
+
+ static void mv_cesa_skcipher_std_step(struct skcipher_request *req)
+@@ -212,7 +215,6 @@ mv_cesa_skcipher_complete(struct crypto_async_request *req)
+ struct mv_cesa_engine *engine = creq->base.engine;
+ unsigned int ivsize;
+
+- atomic_sub(skreq->cryptlen, &engine->load);
+ ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(skreq));
+
+ if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) {
+diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c
+index 6815eddc9068..e339ce7ad533 100644
+--- a/drivers/crypto/marvell/cesa/hash.c
++++ b/drivers/crypto/marvell/cesa/hash.c
+@@ -110,9 +110,12 @@ static inline void mv_cesa_ahash_dma_cleanup(struct ahash_request *req)
+ static inline void mv_cesa_ahash_cleanup(struct ahash_request *req)
+ {
+ struct mv_cesa_ahash_req *creq = ahash_request_ctx(req);
++ struct mv_cesa_engine *engine = creq->base.engine;
+
+ if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ)
+ mv_cesa_ahash_dma_cleanup(req);
++
++ atomic_sub(req->nbytes, &engine->load);
+ }
+
+ static void mv_cesa_ahash_last_cleanup(struct ahash_request *req)
+@@ -395,8 +398,6 @@ static void mv_cesa_ahash_complete(struct crypto_async_request *req)
+ }
+ }
+ }
+-
+- atomic_sub(ahashreq->nbytes, &engine->load);
+ }
+
+ static void mv_cesa_ahash_prepare(struct crypto_async_request *req,
+--
+2.39.5
+
--- /dev/null
+From c2c5365422d38734d364abc099c6aa1943b2be4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 08:07:49 +0100
+Subject: crypto: qat - fix DMA direction for compression on GEN2 devices
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit d41d75fe1b751ee6b347bf1cb1cfe9accc4fcb12 ]
+
+QAT devices perform an additional integrity check during compression by
+decompressing the output. Starting from QAT GEN4, this verification is
+done in-line by the hardware. However, on GEN2 devices, the hardware
+reads back the compressed output from the destination buffer and performs
+a decompression operation using it as the source.
+
+In the current QAT driver, destination buffers are always marked as
+write-only. This is incorrect for QAT GEN2 compression, where the buffer
+is also read during verification. Since commit 6f5dc7658094
+("iommu/vt-d: Restore WO permissions on second-level paging entries"),
+merged in v6.16-rc1, write-only permissions are strictly enforced, leading
+to DMAR errors when using QAT GEN2 devices for compression, if VT-d is
+enabled.
+
+Mark the destination buffers as DMA_BIDIRECTIONAL. This ensures
+compatibility with GEN2 devices, even though it is not required for
+QAT GEN4 and later.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Fixes: cf5bb835b7c8 ("crypto: qat - fix DMA transfer direction")
+Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/qat_bl.c | 6 +++---
+ drivers/crypto/intel/qat/qat_common/qat_compression.c | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/qat_bl.c b/drivers/crypto/intel/qat/qat_common/qat_bl.c
+index 76baed0a76c0..0d2ce20db6d8 100644
+--- a/drivers/crypto/intel/qat/qat_common/qat_bl.c
++++ b/drivers/crypto/intel/qat/qat_common/qat_bl.c
+@@ -38,7 +38,7 @@ void qat_bl_free_bufl(struct adf_accel_dev *accel_dev,
+ for (i = 0; i < blout->num_mapped_bufs; i++) {
+ dma_unmap_single(dev, blout->buffers[i].addr,
+ blout->buffers[i].len,
+- DMA_FROM_DEVICE);
++ DMA_BIDIRECTIONAL);
+ }
+ dma_unmap_single(dev, blpout, sz_out, DMA_TO_DEVICE);
+
+@@ -160,7 +160,7 @@ static int __qat_bl_sgl_to_bufl(struct adf_accel_dev *accel_dev,
+ }
+ buffers[y].addr = dma_map_single(dev, sg_virt(sg) + left,
+ sg->length - left,
+- DMA_FROM_DEVICE);
++ DMA_BIDIRECTIONAL);
+ if (unlikely(dma_mapping_error(dev, buffers[y].addr)))
+ goto err_out;
+ buffers[y].len = sg->length;
+@@ -202,7 +202,7 @@ static int __qat_bl_sgl_to_bufl(struct adf_accel_dev *accel_dev,
+ if (!dma_mapping_error(dev, buflout->buffers[i].addr))
+ dma_unmap_single(dev, buflout->buffers[i].addr,
+ buflout->buffers[i].len,
+- DMA_FROM_DEVICE);
++ DMA_BIDIRECTIONAL);
+ }
+
+ if (!buf->sgl_dst_valid)
+diff --git a/drivers/crypto/intel/qat/qat_common/qat_compression.c b/drivers/crypto/intel/qat/qat_common/qat_compression.c
+index 2c3aa89b316a..cf94ba3011d5 100644
+--- a/drivers/crypto/intel/qat/qat_common/qat_compression.c
++++ b/drivers/crypto/intel/qat/qat_common/qat_compression.c
+@@ -205,7 +205,7 @@ static int qat_compression_alloc_dc_data(struct adf_accel_dev *accel_dev)
+ if (!obuff)
+ goto err;
+
+- obuff_p = dma_map_single(dev, obuff, ovf_buff_sz, DMA_FROM_DEVICE);
++ obuff_p = dma_map_single(dev, obuff, ovf_buff_sz, DMA_BIDIRECTIONAL);
+ if (unlikely(dma_mapping_error(dev, obuff_p)))
+ goto err;
+
+@@ -233,7 +233,7 @@ static void qat_free_dc_data(struct adf_accel_dev *accel_dev)
+ return;
+
+ dma_unmap_single(dev, dc_data->ovf_buff_p, dc_data->ovf_buff_sz,
+- DMA_FROM_DEVICE);
++ DMA_BIDIRECTIONAL);
+ kfree_sensitive(dc_data->ovf_buff);
+ kfree(dc_data);
+ accel_dev->dc_data = NULL;
+--
+2.39.5
+
--- /dev/null
+From 880300ed4de8cd5f9ce5b70e33dcfbb3302c1a76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 08:10:29 +0100
+Subject: crypto: qat - fix seq_file position update in adf_ring_next()
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 6908c5f4f066a0412c3d9a6f543a09fa7d87824b ]
+
+The `adf_ring_next()` function in the QAT debug transport interface
+fails to correctly update the position index when reaching the end of
+the ring elements. This triggers the following kernel warning when
+reading ring files, such as
+/sys/kernel/debug/qat_c6xx_<D:B:D:F>/transport/bank_00/ring_00:
+
+ [27725.022965] seq_file: buggy .next function adf_ring_next [intel_qat] did not update position index
+
+Ensure that the `*pos` index is incremented before returning NULL when
+after the last element in the ring is found, satisfying the seq_file API
+requirements and preventing the warning.
+
+Fixes: a672a9dc872e ("crypto: qat - Intel(R) QAT transport code")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_transport_debug.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c b/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c
+index e2dd568b87b5..621b5d3dfcef 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c
+@@ -31,8 +31,10 @@ static void *adf_ring_next(struct seq_file *sfile, void *v, loff_t *pos)
+ struct adf_etr_ring_data *ring = sfile->private;
+
+ if (*pos >= (ADF_SIZE_TO_RING_SIZE_IN_BYTES(ring->ring_size) /
+- ADF_MSG_SIZE_TO_BYTES(ring->msg_size)))
++ ADF_MSG_SIZE_TO_BYTES(ring->msg_size))) {
++ (*pos)++;
+ return NULL;
++ }
+
+ return ring->base_addr +
+ (ADF_MSG_SIZE_TO_BYTES(ring->msg_size) * (*pos)++);
+--
+2.39.5
+
--- /dev/null
+From 28fe041695d83aa0f831eb8f2b814d8e53d669e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 09:21:41 +0100
+Subject: crypto: qat - use unmanaged allocation for dc_data
+
+From: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
+
+[ Upstream commit 4cc871ad0173e8bc22f80e3609e34d546d30ef1a ]
+
+The dc_data structure holds data required for handling compression
+operations, such as overflow buffers. In this context, the use of
+managed memory allocation APIs (devm_kzalloc() and devm_kfree())
+is not necessary, as these data structures are freed and
+re-allocated when a device is restarted in adf_dev_down() and
+adf_dev_up().
+
+Additionally, managed APIs automatically handle memory cleanup when the
+device is detached, which can lead to conflicts with manual cleanup
+processes. Specifically, if a device driver invokes the adf_dev_down()
+function as part of the cleanup registered with
+devm_add_action_or_reset(), it may attempt to free memory that is also
+managed by the device's resource management system, potentially leading
+to a double-free.
+
+This might result in a warning similar to the following when unloading
+the device specific driver, for example qat_6xxx.ko:
+
+ qat_free_dc_data+0x4f/0x60 [intel_qat]
+ qat_compression_event_handler+0x3d/0x1d0 [intel_qat]
+ adf_dev_shutdown+0x6d/0x1a0 [intel_qat]
+ adf_dev_down+0x32/0x50 [intel_qat]
+ devres_release_all+0xb8/0x110
+ device_unbind_cleanup+0xe/0x70
+ device_release_driver_internal+0x1c1/0x200
+ driver_detach+0x48/0x90
+ bus_remove_driver+0x74/0xf0
+ pci_unregister_driver+0x2e/0xb0
+
+Use unmanaged memory allocation APIs (kzalloc_node() and kfree()) for
+the dc_data structure. This ensures that memory is explicitly allocated
+and freed under the control of the driver code, preventing manual
+deallocation from interfering with automatic cleanup.
+
+Fixes: 1198ae56c9a5 ("crypto: qat - expose deflate through acomp api for QAT GEN2")
+Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/qat_compression.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/qat_compression.c b/drivers/crypto/intel/qat/qat_common/qat_compression.c
+index 7842a9f22178..2c3aa89b316a 100644
+--- a/drivers/crypto/intel/qat/qat_common/qat_compression.c
++++ b/drivers/crypto/intel/qat/qat_common/qat_compression.c
+@@ -197,7 +197,7 @@ static int qat_compression_alloc_dc_data(struct adf_accel_dev *accel_dev)
+ struct adf_dc_data *dc_data = NULL;
+ u8 *obuff = NULL;
+
+- dc_data = devm_kzalloc(dev, sizeof(*dc_data), GFP_KERNEL);
++ dc_data = kzalloc_node(sizeof(*dc_data), GFP_KERNEL, dev_to_node(dev));
+ if (!dc_data)
+ goto err;
+
+@@ -235,7 +235,7 @@ static void qat_free_dc_data(struct adf_accel_dev *accel_dev)
+ dma_unmap_single(dev, dc_data->ovf_buff_p, dc_data->ovf_buff_sz,
+ DMA_FROM_DEVICE);
+ kfree_sensitive(dc_data->ovf_buff);
+- devm_kfree(dev, dc_data);
++ kfree(dc_data);
+ accel_dev->dc_data = NULL;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a0438e1b2cf4ef5ef94742bcabae6e5c715f7bb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 18:13:48 +0300
+Subject: crypto: sun8i-ce - fix nents passed to dma_unmap_sg()
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit b6cd3cfb5afe49952f8f6be947aeeca9ba0faebb ]
+
+In sun8i_ce_cipher_unprepare(), dma_unmap_sg() is incorrectly called with
+the number of entries returned by dma_map_sg(), rather than using the
+original number of entries passed when mapping the scatterlist.
+
+To fix this, stash the original number of entries passed to dma_map_sg()
+in the request context.
+
+Fixes: 0605fa0f7826 ("crypto: sun8i-ce - split into prepare/run/unprepare")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Acked-by: Corentin LABBE <clabbe.montjoie@gmail.com>
+Tested-by: Corentin LABBE <clabbe.montjoie@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+index 70434601f99b..9e093d44a066 100644
+--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+@@ -265,8 +265,8 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req
+ }
+
+ chan->timeout = areq->cryptlen;
+- rctx->nr_sgs = nr_sgs;
+- rctx->nr_sgd = nr_sgd;
++ rctx->nr_sgs = ns;
++ rctx->nr_sgd = nd;
+ return 0;
+
+ theend_sgs:
+--
+2.39.5
+
--- /dev/null
+From f368699025215fff143c0d1fe17ea70b803b9181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 14:37:52 +0200
+Subject: dmaengine: mv_xor: Fix missing check after DMA map and missing unmap
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 60095aca6b471b7b7a79c80b7395f7e4e414b479 ]
+
+The DMA map functions can fail and should be tested for errors.
+
+In case of error, unmap the already mapped regions.
+
+Fixes: 22843545b200 ("dma: mv_xor: Add support for DMA_INTERRUPT")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250701123753.46935-2-fourier.thomas@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mv_xor.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c
+index ea48661e87ea..ca0ba1d46283 100644
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -1061,8 +1061,16 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
+ */
+ mv_chan->dummy_src_addr = dma_map_single(dma_dev->dev,
+ mv_chan->dummy_src, MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE);
++ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_src_addr))
++ return ERR_PTR(-ENOMEM);
++
+ mv_chan->dummy_dst_addr = dma_map_single(dma_dev->dev,
+ mv_chan->dummy_dst, MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE);
++ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_dst_addr)) {
++ ret = -ENOMEM;
++ goto err_unmap_src;
++ }
++
+
+ /* allocate coherent memory for hardware descriptors
+ * note: writecombine gives slightly better performance, but
+@@ -1071,8 +1079,10 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
+ mv_chan->dma_desc_pool_virt =
+ dma_alloc_wc(&pdev->dev, MV_XOR_POOL_SIZE, &mv_chan->dma_desc_pool,
+ GFP_KERNEL);
+- if (!mv_chan->dma_desc_pool_virt)
+- return ERR_PTR(-ENOMEM);
++ if (!mv_chan->dma_desc_pool_virt) {
++ ret = -ENOMEM;
++ goto err_unmap_dst;
++ }
+
+ /* discover transaction capabilites from the platform data */
+ dma_dev->cap_mask = cap_mask;
+@@ -1155,6 +1165,13 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
+ err_free_dma:
+ dma_free_coherent(&pdev->dev, MV_XOR_POOL_SIZE,
+ mv_chan->dma_desc_pool_virt, mv_chan->dma_desc_pool);
++err_unmap_dst:
++ dma_unmap_single(dma_dev->dev, mv_chan->dummy_dst_addr,
++ MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE);
++err_unmap_src:
++ dma_unmap_single(dma_dev->dev, mv_chan->dummy_src_addr,
++ MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE);
++
+ return ERR_PTR(ret);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From c19a442f0a31dd68bdc5ccd084a5b0ad80a411d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:57:16 +0200
+Subject: dmaengine: nbpfaxi: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c6ee78fc8f3e653bec427cfd06fec7877ee782bd ]
+
+The DMA map functions can fail and should be tested for errors.
+If the mapping fails, unmap and return an error.
+
+Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250707075752.28674-2-fourier.thomas@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/nbpfaxi.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/dma/nbpfaxi.c b/drivers/dma/nbpfaxi.c
+index a361f8c29cd3..69c80d933903 100644
+--- a/drivers/dma/nbpfaxi.c
++++ b/drivers/dma/nbpfaxi.c
+@@ -711,6 +711,9 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan)
+ list_add_tail(&ldesc->node, &lhead);
+ ldesc->hwdesc_dma_addr = dma_map_single(dchan->device->dev,
+ hwdesc, sizeof(*hwdesc), DMA_TO_DEVICE);
++ if (dma_mapping_error(dchan->device->dev,
++ ldesc->hwdesc_dma_addr))
++ goto unmap_error;
+
+ dev_dbg(dev, "%s(): mapped 0x%p to %pad\n", __func__,
+ hwdesc, &ldesc->hwdesc_dma_addr);
+@@ -737,6 +740,16 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan)
+ spin_unlock_irq(&chan->lock);
+
+ return ARRAY_SIZE(dpage->desc);
++
++unmap_error:
++ while (i--) {
++ ldesc--; hwdesc--;
++
++ dma_unmap_single(dchan->device->dev, ldesc->hwdesc_dma_addr,
++ sizeof(hwdesc), DMA_TO_DEVICE);
++ }
++
++ return -ENOMEM;
+ }
+
+ static void nbpf_desc_put(struct nbpf_desc *desc)
+--
+2.39.5
+
--- /dev/null
+From b8324d14320f0bbd1057fe3b59f6ea76c7f77031 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 23:26:17 +0300
+Subject: drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit a54e4639c4ef37a0241bac7d2a77f2e6ffb57099 ]
+
+There is a small typo in phm_wait_on_indirect_register().
+
+Swap mask and value arguments provided to phm_wait_on_register() so that
+they satisfy the function signature and actual usage scheme.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace static
+analysis tool.
+
+In practice this doesn't fix any issues because the only place this
+function is used uses the same value for the value and mask.
+
+Fixes: 3bace3591493 ("drm/amd/powerplay: add hardware manager sub-component")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c
+index 79a566f3564a..c305ea4ec17d 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c
+@@ -149,7 +149,7 @@ int phm_wait_on_indirect_register(struct pp_hwmgr *hwmgr,
+ }
+
+ cgs_write_register(hwmgr->device, indirect_port, index);
+- return phm_wait_on_register(hwmgr, indirect_port + 1, mask, value);
++ return phm_wait_on_register(hwmgr, indirect_port + 1, value, mask);
+ }
+
+ int phm_wait_for_register_unequal(struct pp_hwmgr *hwmgr,
+--
+2.39.5
+
--- /dev/null
+From e374ed0ecca44e7dd2f1e78ef2e1df0b01094201 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 14:50:03 +0200
+Subject: drm/msm/dpu: Fill in min_prefill_lines for SC8180X
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 5136acc40afc0261802e5cb01b04f871bf6d876b ]
+
+Based on the downstream release, predictably same value as for SM8150.
+
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Fixes: f3af2d6ee9ab ("drm/msm/dpu: Add SC8180x to hw catalog")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/657794/
+Link: https://lore.kernel.org/r/20250610-topic-dpu_8180_mpl-v1-1-f480cd22f11c@oss.qualcomm.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h
+index 427dec0cd1d3..b77ecec50733 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h
+@@ -378,6 +378,7 @@ static const struct dpu_perf_cfg sc8180x_perf_data = {
+ .min_core_ib = 2400000,
+ .min_llcc_ib = 800000,
+ .min_dram_ib = 800000,
++ .min_prefill_lines = 24,
+ .danger_lut_tbl = {0xf, 0xffff, 0x0},
+ .safe_lut_tbl = {0xfff0, 0xf000, 0xffff},
+ .qos_lut_tbl = {
+--
+2.39.5
+
--- /dev/null
+From 937a1bdaf8b55c48f9d5ddab1790c5e5d0dd8c80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 11:15:59 +0800
+Subject: drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed
+
+From: Andy Yan <andy.yan@rock-chips.com>
+
+[ Upstream commit 099593a28138b48feea5be8ce700e5bc4565e31d ]
+
+In the function drm_gem_fb_init_with_funcs, the framebuffer (fb)
+and its corresponding object ID have already been registered.
+
+So we need to cleanup the drm framebuffer if the subsequent
+execution of drm_gem_fb_afbc_init fails.
+
+Directly call drm_framebuffer_put to ensure that all fb related
+resources are cleanup.
+
+Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc")
+Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20250509031607.2542187-1-andyshrk@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c
+index cfe8b793d344..69ab8d4f289c 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c
+@@ -52,16 +52,9 @@ rockchip_fb_create(struct drm_device *dev, struct drm_file *file,
+ }
+
+ if (drm_is_afbc(mode_cmd->modifier[0])) {
+- int ret, i;
+-
+ ret = drm_gem_fb_afbc_init(dev, mode_cmd, afbc_fb);
+ if (ret) {
+- struct drm_gem_object **obj = afbc_fb->base.obj;
+-
+- for (i = 0; i < info->num_planes; ++i)
+- drm_gem_object_put(obj[i]);
+-
+- kfree(afbc_fb);
++ drm_framebuffer_put(&afbc_fb->base);
+ return ERR_PTR(ret);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From f797447ade05a7091fb268d05b2cb0c5ea8e9e4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 15:34:27 -0500
+Subject: drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit 7872997c048e989c7689c2995d230fdca7798000 ]
+
+Running 3D applications with SVGA_FORCE_HOST_BACKED=1 or using an
+ancient version of mesa was broken because the buffer was pinned in
+VMW_BO_DOMAIN_SYS and could not be moved to VMW_BO_DOMAIN_MOB during
+validation.
+
+The compat_shader buffer should not pinned.
+
+Fixes: 668b206601c5 ("drm/vmwgfx: Stop using raw ttm_buffer_object's")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://lore.kernel.org/r/20250429203427.1742331-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
+index 7fb1c88bcc47..69dfe69ce0f8 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
+@@ -896,7 +896,7 @@ int vmw_compat_shader_add(struct vmw_private *dev_priv,
+ .busy_domain = VMW_BO_DOMAIN_SYS,
+ .bo_type = ttm_bo_type_device,
+ .size = size,
+- .pin = true,
++ .pin = false,
+ .keep_resv = true,
+ };
+
+--
+2.39.5
+
--- /dev/null
+From ef27a825abec834894f79d65640b6dbb754e3f44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 14:49:25 +0800
+Subject: f2fs: doc: fix wrong quota mount option description
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 81b6ecca2f15922e8d653dc037df5871e754be6e ]
+
+We should use "{usr,grp,prj}jquota=" to disable journaled quota,
+rather than using off{usr,grp,prj}jquota.
+
+Fixes: 4b2414d04e99 ("f2fs: support journalled quota")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/filesystems/f2fs.rst | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/filesystems/f2fs.rst b/Documentation/filesystems/f2fs.rst
+index dbfbbe9ab28b..961684e9466e 100644
+--- a/Documentation/filesystems/f2fs.rst
++++ b/Documentation/filesystems/f2fs.rst
+@@ -233,9 +233,9 @@ usrjquota=<file> Appoint specified file and type during mount, so that quota
+ grpjquota=<file> information can be properly updated during recovery flow,
+ prjjquota=<file> <quota file>: must be in root directory;
+ jqfmt=<quota type> <quota type>: [vfsold,vfsv0,vfsv1].
+-offusrjquota Turn off user journalled quota.
+-offgrpjquota Turn off group journalled quota.
+-offprjjquota Turn off project journalled quota.
++usrjquota= Turn off user journalled quota.
++grpjquota= Turn off group journalled quota.
++prjjquota= Turn off project journalled quota.
+ quota Enable plain user disk quota accounting.
+ noquota Disable all plain disk quota option.
+ alloc_mode=%s Adjust block allocation policy, which supports "reuse"
+--
+2.39.5
+
--- /dev/null
+From 2a663353f8a77fa5e7e92546899f75c709b517b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 16:35:37 +0530
+Subject: f2fs: fix KMSAN uninit-value in extent_info usage
+
+From: Abinash Singh <abinashlalotra@gmail.com>
+
+[ Upstream commit 154467f4ad033473e5c903a03e7b9bca7df9a0fa ]
+
+KMSAN reported a use of uninitialized value in `__is_extent_mergeable()`
+ and `__is_back_mergeable()` via the read extent tree path.
+
+The root cause is that `get_read_extent_info()` only initializes three
+fields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the
+remaining fields uninitialized. This leads to undefined behavior
+when those fields are accessed later, especially during
+extent merging.
+
+Fix it by zero-initializing the `extent_info` struct before population.
+
+Reported-by: syzbot+b8c1d60e95df65e827d4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b8c1d60e95df65e827d4
+Fixes: 94afd6d6e525 ("f2fs: extent cache: support unaligned extent")
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Abinash Singh <abinashsinghlalotra@gmail.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/extent_cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
+index bfa2d89dc9ea..6a77581106a9 100644
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -382,7 +382,7 @@ void f2fs_init_read_extent_tree(struct inode *inode, struct page *ipage)
+ struct f2fs_extent *i_ext = &F2FS_INODE(ipage)->i_ext;
+ struct extent_tree *et;
+ struct extent_node *en;
+- struct extent_info ei;
++ struct extent_info ei = {0};
+
+ if (!__may_extent_tree(inode, EX_READ)) {
+ /* drop largest read extent */
+--
+2.39.5
+
--- /dev/null
+From 6c01260bb93d8dfdc4178cbc86ac89f8a4ec4391 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 15:14:50 +0800
+Subject: f2fs: fix to avoid out-of-boundary access in devs.path
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 5661998536af52848cc4d52a377e90368196edea ]
+
+- touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123
+- truncate -s $((1024*1024*1024)) \
+ /mnt/f2fs/012345678901234567890123456789012345678901234567890123
+- touch /mnt/f2fs/file
+- truncate -s $((1024*1024*1024)) /mnt/f2fs/file
+- mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \
+ -c /mnt/f2fs/file
+- mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \
+ /mnt/f2fs/loop
+
+[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff
+[16937.192268] F2FS-fs (loop0): Failed to find devices
+
+If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may
+not end up w/ null character due to path array is fully filled, So
+accidently, fields locate after path[] may be treated as part of
+device path, result in parsing wrong device path.
+
+struct f2fs_dev_info {
+...
+ char path[MAX_PATH_LEN];
+...
+};
+
+Let's add one byte space for sbi->devs.path[] to store null
+character of device path string.
+
+Fixes: 3c62be17d4f5 ("f2fs: support multiple devices")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 2d9a86129bd8..7329f706da83 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1245,7 +1245,7 @@ struct f2fs_bio_info {
+ #define RDEV(i) (raw_super->devs[i])
+ struct f2fs_dev_info {
+ struct block_device *bdev;
+- char path[MAX_PATH_LEN];
++ char path[MAX_PATH_LEN + 1];
+ unsigned int total_segments;
+ block_t start_blk;
+ block_t end_blk;
+--
+2.39.5
+
--- /dev/null
+From 4d3c85d09ef21be1adfbdd1e5c428387724d0886 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 17:56:57 +0800
+Subject: f2fs: fix to avoid panic in f2fs_evict_inode
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit a509a55f8eecc8970b3980c6f06886bbff0e2f68 ]
+
+As syzbot [1] reported as below:
+
+R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450
+R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520
+ </TASK>
+---[ end trace 0000000000000000 ]---
+==================================================================
+BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+Read of size 8 at addr ffff88812d962278 by task syz-executor/564
+
+CPU: 1 PID: 564 Comm: syz-executor Tainted: G W 6.1.129-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+Call Trace:
+ <TASK>
+ __dump_stack+0x21/0x24 lib/dump_stack.c:88
+ dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106
+ print_address_description+0x71/0x210 mm/kasan/report.c:316
+ print_report+0x4a/0x60 mm/kasan/report.c:427
+ kasan_report+0x122/0x150 mm/kasan/report.c:531
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
+ __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+ __list_del_entry include/linux/list.h:134 [inline]
+ list_del_init include/linux/list.h:206 [inline]
+ f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531
+ f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585
+ f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703
+ f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731
+ write_inode fs/fs-writeback.c:1460 [inline]
+ __writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677
+ writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733
+ sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789
+ f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159
+ block_operations fs/f2fs/checkpoint.c:1269 [inline]
+ f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658
+ kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668
+ deactivate_locked_super+0x98/0x100 fs/super.c:332
+ deactivate_super+0xaf/0xe0 fs/super.c:363
+ cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186
+ __cleanup_mnt+0x19/0x20 fs/namespace.c:1193
+ task_work_run+0x1c6/0x230 kernel/task_work.c:203
+ exit_task_work include/linux/task_work.h:39 [inline]
+ do_exit+0x9fb/0x2410 kernel/exit.c:871
+ do_group_exit+0x210/0x2d0 kernel/exit.c:1021
+ __do_sys_exit_group kernel/exit.c:1032 [inline]
+ __se_sys_exit_group kernel/exit.c:1030 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030
+ x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+RIP: 0033:0x7f28b1b8e169
+Code: Unable to access opcode bytes at 0x7f28b1b8e13f.
+RSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
+RBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360
+R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360
+R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520
+ </TASK>
+
+Allocated by task 569:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
+ __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737
+ slab_alloc_node mm/slub.c:3398 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429
+ alloc_inode_sb include/linux/fs.h:3245 [inline]
+ f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x186/0x880 fs/inode.c:1373
+ f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483
+ f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487
+ __lookup_slow+0x2a3/0x3d0 fs/namei.c:1690
+ lookup_slow+0x57/0x70 fs/namei.c:1707
+ walk_component+0x2e6/0x410 fs/namei.c:1998
+ lookup_last fs/namei.c:2455 [inline]
+ path_lookupat+0x180/0x490 fs/namei.c:2479
+ filename_lookup+0x1f0/0x500 fs/namei.c:2508
+ vfs_statx+0x10b/0x660 fs/stat.c:229
+ vfs_fstatat fs/stat.c:267 [inline]
+ vfs_lstat include/linux/fs.h:3424 [inline]
+ __do_sys_newlstat fs/stat.c:423 [inline]
+ __se_sys_newlstat+0xd5/0x350 fs/stat.c:417
+ __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
+ x64_sys_call+0x393/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+Freed by task 13:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
+ ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:236
+ __kasan_slab_free+0x11/0x20 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ slab_free_hook mm/slub.c:1724 [inline]
+ slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1750
+ slab_free mm/slub.c:3661 [inline]
+ kmem_cache_free+0x12d/0x2a0 mm/slub.c:3683
+ f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1562
+ i_callback+0x4c/0x70 fs/inode.c:250
+ rcu_do_batch+0x503/0xb80 kernel/rcu/tree.c:2297
+ rcu_core+0x5a2/0xe70 kernel/rcu/tree.c:2557
+ rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
+ handle_softirqs+0x178/0x500 kernel/softirq.c:578
+ run_ksoftirqd+0x28/0x30 kernel/softirq.c:945
+ smpboot_thread_fn+0x45a/0x8c0 kernel/smpboot.c:164
+ kthread+0x270/0x310 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+Last potentially related work creation:
+ kasan_save_stack+0x3a/0x60 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xb6/0xc0 mm/kasan/generic.c:486
+ kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
+ call_rcu+0xd4/0xf70 kernel/rcu/tree.c:2845
+ destroy_inode fs/inode.c:316 [inline]
+ evict+0x7da/0x870 fs/inode.c:720
+ iput_final fs/inode.c:1834 [inline]
+ iput+0x62b/0x830 fs/inode.c:1860
+ do_unlinkat+0x356/0x540 fs/namei.c:4397
+ __do_sys_unlink fs/namei.c:4438 [inline]
+ __se_sys_unlink fs/namei.c:4436 [inline]
+ __x64_sys_unlink+0x49/0x50 fs/namei.c:4436
+ x64_sys_call+0x958/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+The buggy address belongs to the object at ffff88812d961f20
+ which belongs to the cache f2fs_inode_cache of size 1200
+The buggy address is located 856 bytes inside of
+ 1200-byte region [ffff88812d961f20, ffff88812d9623d0)
+
+The buggy address belongs to the physical page:
+page:ffffea0004b65800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d960
+head:ffffea0004b65800 order:2 compound_mapcount:0 compound_pincount:0
+flags: 0x4000000000010200(slab|head|zone=1)
+raw: 4000000000010200 0000000000000000 dead000000000122 ffff88810a94c500
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 2, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 569, tgid 568 (syz.2.16), ts 55943246141, free_ts 0
+ set_page_owner include/linux/page_owner.h:31 [inline]
+ post_alloc_hook+0x1d0/0x1f0 mm/page_alloc.c:2532
+ prep_new_page mm/page_alloc.c:2539 [inline]
+ get_page_from_freelist+0x2e63/0x2ef0 mm/page_alloc.c:4328
+ __alloc_pages+0x235/0x4b0 mm/page_alloc.c:5605
+ alloc_slab_page include/linux/gfp.h:-1 [inline]
+ allocate_slab mm/slub.c:1939 [inline]
+ new_slab+0xec/0x4b0 mm/slub.c:1992
+ ___slab_alloc+0x6f6/0xb50 mm/slub.c:3180
+ __slab_alloc+0x5e/0xa0 mm/slub.c:3279
+ slab_alloc_node mm/slub.c:3364 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc_lru+0x13f/0x220 mm/slub.c:3429
+ alloc_inode_sb include/linux/fs.h:3245 [inline]
+ f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x186/0x880 fs/inode.c:1373
+ f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483
+ f2fs_fill_super+0x3ad7/0x6bb0 fs/f2fs/super.c:4293
+ mount_bdev+0x2ae/0x3e0 fs/super.c:1443
+ f2fs_mount+0x34/0x40 fs/f2fs/super.c:4642
+ legacy_get_tree+0xea/0x190 fs/fs_context.c:632
+ vfs_get_tree+0x89/0x260 fs/super.c:1573
+ do_new_mount+0x25a/0xa20 fs/namespace.c:3056
+page_owner free stack trace missing
+
+Memory state around the buggy address:
+ ffff88812d962100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88812d962180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88812d962200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88812d962280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88812d962300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+[1] https://syzkaller.appspot.com/x/report.txt?x=13448368580000
+
+This bug can be reproduced w/ the reproducer [2], once we enable
+CONFIG_F2FS_CHECK_FS config, the reproducer will trigger panic as below,
+so the direct reason of this bug is the same as the one below patch [3]
+fixed.
+
+kernel BUG at fs/f2fs/inode.c:857!
+RIP: 0010:f2fs_evict_inode+0x1204/0x1a20
+Call Trace:
+ <TASK>
+ evict+0x32a/0x7a0
+ do_unlinkat+0x37b/0x5b0
+ __x64_sys_unlink+0xad/0x100
+ do_syscall_64+0x5a/0xb0
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+RIP: 0010:f2fs_evict_inode+0x1204/0x1a20
+
+[2] https://syzkaller.appspot.com/x/repro.c?x=17495ccc580000
+[3] https://lore.kernel.org/linux-f2fs-devel/20250702120321.1080759-1-chao@kernel.org
+
+Tracepoints before panic:
+
+f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file1
+f2fs_unlink_exit: dev = (7,0), ino = 7, ret = 0
+f2fs_evict_inode: dev = (7,0), ino = 7, pino = 3, i_mode = 0x81ed, i_size = 10, i_nlink = 0, i_blocks = 0, i_advise = 0x0
+f2fs_truncate_node: dev = (7,0), ino = 7, nid = 8, block_address = 0x3c05
+
+f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file3
+f2fs_unlink_exit: dev = (7,0), ino = 8, ret = 0
+f2fs_evict_inode: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 9000, i_nlink = 0, i_blocks = 24, i_advise = 0x4
+f2fs_truncate: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 0, i_nlink = 0, i_blocks = 24, i_advise = 0x4
+f2fs_truncate_blocks_enter: dev = (7,0), ino = 8, i_size = 0, i_blocks = 24, start file offset = 0
+f2fs_truncate_blocks_exit: dev = (7,0), ino = 8, ret = -2
+
+The root cause is: in the fuzzed image, dnode #8 belongs to inode #7,
+after inode #7 eviction, dnode #8 was dropped.
+
+However there is dirent that has ino #8, so, once we unlink file3, in
+f2fs_evict_inode(), both f2fs_truncate() and f2fs_update_inode_page()
+will fail due to we can not load node #8, result in we missed to call
+f2fs_inode_synced() to clear inode dirty status.
+
+Let's fix this by calling f2fs_inode_synced() in error path of
+f2fs_evict_inode().
+
+PS: As I verified, the reproducer [2] can trigger this bug in v6.1.129,
+but it failed in v6.16-rc4, this is because the testcase will stop due to
+other corruption has been detected by f2fs:
+
+F2FS-fs (loop0): inconsistent node block, node_type:2, nid:8, node_footer[nid:8,ino:8,ofs:0,cpver:5013063228981249506,blkaddr:15366]
+F2FS-fs (loop0): f2fs_lookup: inode (ino=9) has zero i_nlink
+
+Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing")
+Closes: https://syzkaller.appspot.com/x/report.txt?x=13448368580000
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inode.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index 94ed056656d8..76ec2899cbe8 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -905,6 +905,19 @@ void f2fs_evict_inode(struct inode *inode)
+ f2fs_update_inode_page(inode);
+ if (dquot_initialize_needed(inode))
+ set_sbi_flag(sbi, SBI_QUOTA_NEED_REPAIR);
++
++ /*
++ * If both f2fs_truncate() and f2fs_update_inode_page() failed
++ * due to fuzzed corrupted inode, call f2fs_inode_synced() to
++ * avoid triggering later f2fs_bug_on().
++ */
++ if (is_inode_flag_set(inode, FI_DIRTY_INODE)) {
++ f2fs_warn(sbi,
++ "f2fs_evict_inode: inode is dirty, ino:%lu",
++ inode->i_ino);
++ f2fs_inode_synced(inode);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ }
+ }
+ if (!is_sbi_flag_set(sbi, SBI_IS_FREEZING))
+ sb_end_intwrite(inode->i_sb);
+--
+2.39.5
+
--- /dev/null
+From 42fd382b9cb2c8fd5b55fc92b75457b2ef7b103a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 17:53:39 +0800
+Subject: f2fs: fix to avoid UAF in f2fs_sync_inode_meta()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 7c30d79930132466f5be7d0b57add14d1a016bda ]
+
+syzbot reported an UAF issue as below: [1] [2]
+
+[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000
+
+==================================================================
+BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8
+
+CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+Workqueue: writeback wb_workfn (flush-7:0)
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:316 [inline]
+ print_report+0x158/0x4e0 mm/kasan/report.c:427
+ kasan_report+0x13c/0x170 mm/kasan/report.c:531
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
+ __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+ __list_del_entry include/linux/list.h:134 [inline]
+ list_del_init include/linux/list.h:206 [inline]
+ f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553
+ f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588
+ f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706
+ f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734
+ write_inode fs/fs-writeback.c:1460 [inline]
+ __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677
+ writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903
+ __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974
+ wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081
+ wb_check_background_flush fs/fs-writeback.c:2151 [inline]
+ wb_do_writeback fs/fs-writeback.c:2239 [inline]
+ wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266
+ process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299
+ worker_thread+0xa60/0x1260 kernel/workqueue.c:2446
+ kthread+0x26d/0x300 kernel/kthread.c:386
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+ </TASK>
+
+Allocated by task 298:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
+ __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333
+ kasan_slab_alloc include/linux/kasan.h:202 [inline]
+ slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768
+ slab_alloc_node mm/slub.c:3421 [inline]
+ slab_alloc mm/slub.c:3431 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
+ kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454
+ alloc_inode_sb include/linux/fs.h:3255 [inline]
+ f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x18c/0x7e0 fs/inode.c:1373
+ f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
+ f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484
+ __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689
+ lookup_slow+0x5a/0x80 fs/namei.c:1706
+ walk_component+0x2e7/0x410 fs/namei.c:1997
+ lookup_last fs/namei.c:2454 [inline]
+ path_lookupat+0x16d/0x450 fs/namei.c:2478
+ filename_lookup+0x251/0x600 fs/namei.c:2507
+ vfs_statx+0x107/0x4b0 fs/stat.c:229
+ vfs_fstatat fs/stat.c:267 [inline]
+ vfs_lstat include/linux/fs.h:3434 [inline]
+ __do_sys_newlstat fs/stat.c:423 [inline]
+ __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417
+ __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
+ x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+Freed by task 0:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
+ ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
+ __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
+ kasan_slab_free include/linux/kasan.h:178 [inline]
+ slab_free_hook mm/slub.c:1745 [inline]
+ slab_free_freelist_hook mm/slub.c:1771 [inline]
+ slab_free mm/slub.c:3686 [inline]
+ kmem_cache_free+0x291/0x560 mm/slub.c:3711
+ f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1584
+ i_callback+0x4b/0x70 fs/inode.c:250
+ rcu_do_batch+0x552/0xbe0 kernel/rcu/tree.c:2297
+ rcu_core+0x502/0xf40 kernel/rcu/tree.c:2557
+ rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
+ handle_softirqs+0x1db/0x650 kernel/softirq.c:624
+ __do_softirq kernel/softirq.c:662 [inline]
+ invoke_softirq kernel/softirq.c:479 [inline]
+ __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711
+ irq_exit_rcu+0x9/0x10 kernel/softirq.c:723
+ instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
+ sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
+ asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
+
+Last potentially related work creation:
+ kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xb4/0xc0 mm/kasan/generic.c:486
+ kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
+ __call_rcu_common kernel/rcu/tree.c:2807 [inline]
+ call_rcu+0xdc/0x10f0 kernel/rcu/tree.c:2926
+ destroy_inode fs/inode.c:316 [inline]
+ evict+0x87d/0x930 fs/inode.c:720
+ iput_final fs/inode.c:1834 [inline]
+ iput+0x616/0x690 fs/inode.c:1860
+ do_unlinkat+0x4e1/0x920 fs/namei.c:4396
+ __do_sys_unlink fs/namei.c:4437 [inline]
+ __se_sys_unlink fs/namei.c:4435 [inline]
+ __x64_sys_unlink+0x49/0x50 fs/namei.c:4435
+ x64_sys_call+0x289/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+The buggy address belongs to the object at ffff888100567a10
+ which belongs to the cache f2fs_inode_cache of size 1360
+The buggy address is located 952 bytes inside of
+ 1360-byte region [ffff888100567a10, ffff888100567f60)
+
+The buggy address belongs to the physical page:
+page:ffffea0004015800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100560
+head:ffffea0004015800 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x4000000000010200(slab|head|zone=1)
+raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881002c4d80
+raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 298, tgid 298 (syz-executor330), ts 26489303743, free_ts 0
+ set_page_owner include/linux/page_owner.h:33 [inline]
+ post_alloc_hook+0x213/0x220 mm/page_alloc.c:2637
+ prep_new_page+0x1b/0x110 mm/page_alloc.c:2644
+ get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539
+ __alloc_pages+0x234/0x610 mm/page_alloc.c:5837
+ alloc_slab_page+0x6c/0xf0 include/linux/gfp.h:-1
+ allocate_slab mm/slub.c:1962 [inline]
+ new_slab+0x90/0x3e0 mm/slub.c:2015
+ ___slab_alloc+0x6f9/0xb80 mm/slub.c:3203
+ __slab_alloc+0x5d/0xa0 mm/slub.c:3302
+ slab_alloc_node mm/slub.c:3387 [inline]
+ slab_alloc mm/slub.c:3431 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
+ kmem_cache_alloc_lru+0x149/0x270 mm/slub.c:3454
+ alloc_inode_sb include/linux/fs.h:3255 [inline]
+ f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x18c/0x7e0 fs/inode.c:1373
+ f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
+ f2fs_fill_super+0x5360/0x6dc0 fs/f2fs/super.c:4488
+ mount_bdev+0x282/0x3b0 fs/super.c:1445
+ f2fs_mount+0x34/0x40 fs/f2fs/super.c:4743
+ legacy_get_tree+0xf1/0x190 fs/fs_context.c:632
+page_owner free stack trace missing
+
+Memory state around the buggy address:
+ ffff888100567c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888100567d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888100567d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888100567e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888100567e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+[2] https://syzkaller.appspot.com/text?tag=CrashLog&x=13654c60580000
+
+[ 24.675720][ T28] audit: type=1400 audit(1745327318.732:72): avc: denied { write } for pid=298 comm="syz-executor399" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[ 24.705426][ T296] ------------[ cut here ]------------
+[ 24.706608][ T28] audit: type=1400 audit(1745327318.732:73): avc: denied { remove_name } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[ 24.711550][ T296] WARNING: CPU: 0 PID: 296 at fs/f2fs/inode.c:847 f2fs_evict_inode+0x1262/0x1540
+[ 24.734141][ T28] audit: type=1400 audit(1745327318.732:74): avc: denied { rename } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[ 24.742969][ T296] Modules linked in:
+[ 24.765201][ T28] audit: type=1400 audit(1745327318.732:75): avc: denied { add_name } for pid=298 comm="syz-executor399" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[ 24.768847][ T296] CPU: 0 PID: 296 Comm: syz-executor399 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0
+[ 24.799506][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+[ 24.809401][ T296] RIP: 0010:f2fs_evict_inode+0x1262/0x1540
+[ 24.815018][ T296] Code: 34 70 4a ff eb 0d e8 2d 70 4a ff 4d 89 e5 4c 8b 64 24 18 48 8b 5c 24 28 4c 89 e7 e8 78 38 03 00 e9 84 fc ff ff e8 0e 70 4a ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 7f 21 92 ff f0 41 80 0e 04 e9 61
+[ 24.834584][ T296] RSP: 0018:ffffc90000db7a40 EFLAGS: 00010293
+[ 24.840465][ T296] RAX: ffffffff822aca42 RBX: 0000000000000002 RCX: ffff888110948000
+[ 24.848291][ T296] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
+[ 24.856064][ T296] RBP: ffffc90000db7bb0 R08: ffffffff822ac6a8 R09: ffffed10200b005d
+[ 24.864073][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100580000
+[ 24.871812][ T296] R13: dffffc0000000000 R14: ffff88810fef4078 R15: 1ffff920001b6f5c
+
+The root cause is w/ a fuzzed image, f2fs may missed to clear FI_DIRTY_INODE
+flag for target inode, after f2fs_evict_inode(), the inode is still linked in
+sbi->inode_list[DIRTY_META] global list, once it triggers checkpoint,
+f2fs_sync_inode_meta() may access the released inode.
+
+In f2fs_evict_inode(), let's always call f2fs_inode_synced() to clear
+FI_DIRTY_INODE flag and drop inode from global dirty list to avoid this
+UAF issue.
+
+Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing")
+Closes: https://syzkaller.appspot.com/bug?extid=849174b2efaf0d8be6ba
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index 66721c2093c0..94ed056656d8 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -921,8 +921,12 @@ void f2fs_evict_inode(struct inode *inode)
+ if (likely(!f2fs_cp_error(sbi) &&
+ !is_sbi_flag_set(sbi, SBI_CP_DISABLED)))
+ f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));
+- else
+- f2fs_inode_synced(inode);
++
++ /*
++ * anyway, it needs to remove the inode from sbi->inode_list[DIRTY_META]
++ * list to avoid UAF in f2fs_sync_inode_meta() during checkpoint.
++ */
++ f2fs_inode_synced(inode);
+
+ /* for the case f2fs_new_inode() was failed, .i_ino is zero, skip it */
+ if (inode->i_ino)
+--
+2.39.5
+
--- /dev/null
+From 209f6fa28bfe3f2096b6afc6a065d7569240e58f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 16:01:43 +0800
+Subject: f2fs: fix to calculate dirty data during has_not_enough_free_secs()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit e194e140ab7de2ce2782e64b9e086a43ca6ff4f2 ]
+
+In lfs mode, dirty data needs OPU, we'd better calculate lower_p and
+upper_p w/ them during has_not_enough_free_secs(), otherwise we may
+encounter out-of-space issue due to we missed to reclaim enough
+free section w/ foreground gc.
+
+Fixes: 36abef4e796d ("f2fs: introduce mode=lfs mount option")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
+index 66b89687fab1..a51a56bd0b61 100644
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -606,8 +606,7 @@ static inline void __get_secs_required(struct f2fs_sb_info *sbi,
+ unsigned int dent_blocks = total_dent_blocks % CAP_BLKS_PER_SEC(sbi);
+ unsigned int data_blocks = 0;
+
+- if (f2fs_lfs_mode(sbi) &&
+- unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) {
++ if (f2fs_lfs_mode(sbi)) {
+ total_data_blocks = get_pages(sbi, F2FS_DIRTY_DATA);
+ data_secs = total_data_blocks / CAP_BLKS_PER_SEC(sbi);
+ data_blocks = total_data_blocks % CAP_BLKS_PER_SEC(sbi);
+--
+2.39.5
+
--- /dev/null
+From 4c124e183537380a9eb7c81b600f487dc7bd53d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 16:01:44 +0800
+Subject: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs
+ mode
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 1005a3ca28e90c7a64fa43023f866b960a60f791 ]
+
+w/ "mode=lfs" mount option, generic/299 will cause system panic as below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/segment.c:2835!
+Call Trace:
+ <TASK>
+ f2fs_allocate_data_block+0x6f4/0xc50
+ f2fs_map_blocks+0x970/0x1550
+ f2fs_iomap_begin+0xb2/0x1e0
+ iomap_iter+0x1d6/0x430
+ __iomap_dio_rw+0x208/0x9a0
+ f2fs_file_write_iter+0x6b3/0xfa0
+ aio_write+0x15d/0x2e0
+ io_submit_one+0x55e/0xab0
+ __x64_sys_io_submit+0xa5/0x230
+ do_syscall_64+0x84/0x2f0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+RIP: 0010:new_curseg+0x70f/0x720
+
+The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may
+trigger foreground gc only if it allocates any physical block, it will be
+a little bit later when there is multiple threads writing data w/
+aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so
+f2fs_map_blocks() does block allocations aggressively.
+
+In order to fix this issue, let's give a chance to trigger foreground
+gc in prior to block allocation in f2fs_map_blocks().
+
+Fixes: 36abef4e796d ("f2fs: introduce mode=lfs mount option")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 942f358126e6..d37104aa847a 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -1552,8 +1552,11 @@ int f2fs_map_blocks(struct inode *inode, struct f2fs_map_blocks *map, int flag)
+ end = pgofs + maxblocks;
+
+ next_dnode:
+- if (map->m_may_create)
++ if (map->m_may_create) {
++ if (f2fs_lfs_mode(sbi))
++ f2fs_balance_fs(sbi, true);
+ f2fs_map_lock(sbi, flag);
++ }
+
+ /* When reading holes, we need its node page */
+ set_new_dnode(&dn, inode, NULL, NULL, 0);
+--
+2.39.5
+
--- /dev/null
+From a7e3ca7301c4cc1dff6ca0b7814ed7989cf92835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 16:01:42 +0800
+Subject: f2fs: fix to update upper_p in __get_secs_required() correctly
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 6840faddb65683b4e7bd8196f177b038a1e19faf ]
+
+Commit 1acd73edbbfe ("f2fs: fix to account dirty data in __get_secs_required()")
+missed to calculate upper_p w/ data_secs, fix it.
+
+Fixes: 1acd73edbbfe ("f2fs: fix to account dirty data in __get_secs_required()")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
+index cd2ec6acc717..66b89687fab1 100644
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -616,7 +616,7 @@ static inline void __get_secs_required(struct f2fs_sb_info *sbi,
+ if (lower_p)
+ *lower_p = node_secs + dent_secs + data_secs;
+ if (upper_p)
+- *upper_p = node_secs + dent_secs +
++ *upper_p = node_secs + dent_secs + data_secs +
+ (node_blocks ? 1 : 0) + (dent_blocks ? 1 : 0) +
+ (data_blocks ? 1 : 0);
+ if (curseg_p)
+--
+2.39.5
+
--- /dev/null
+From f7f3d5039cbcafdc62de0c752c1df26c8e1d1ac2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 17:31:15 +0200
+Subject: f2fs: vm_unmap_ram() may be called from an invalid context
+
+From: Jan Prusakowski <jprusakowski@google.com>
+
+[ Upstream commit 08a7efc5b02a0620ae16aa9584060e980a69cb55 ]
+
+When testing F2FS with xfstests using UFS backed virtual disks the
+kernel complains sometimes that f2fs_release_decomp_mem() calls
+vm_unmap_ram() from an invalid context. Example trace from
+f2fs/007 test:
+
+f2fs/007 5s ... [12:59:38][ 8.902525] run fstests f2fs/007
+[ 11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978
+[ 11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd
+[ 11.475357] preempt_count: 1, expected: 0
+[ 11.476970] RCU nest depth: 0, expected: 0
+[ 11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G W 6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none)
+[ 11.478535] Tainted: [W]=WARN
+[ 11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 11.478537] Call Trace:
+[ 11.478543] <TASK>
+[ 11.478545] dump_stack_lvl+0x4e/0x70
+[ 11.478554] __might_resched.cold+0xaf/0xbe
+[ 11.478557] vm_unmap_ram+0x21/0xb0
+[ 11.478560] f2fs_release_decomp_mem+0x59/0x80
+[ 11.478563] f2fs_free_dic+0x18/0x1a0
+[ 11.478565] f2fs_finish_read_bio+0xd7/0x290
+[ 11.478570] blk_update_request+0xec/0x3b0
+[ 11.478574] ? sbitmap_queue_clear+0x3b/0x60
+[ 11.478576] scsi_end_request+0x27/0x1a0
+[ 11.478582] scsi_io_completion+0x40/0x300
+[ 11.478583] ufshcd_mcq_poll_cqe_lock+0xa3/0xe0
+[ 11.478588] ufshcd_sl_intr+0x194/0x1f0
+[ 11.478592] ufshcd_threaded_intr+0x68/0xb0
+[ 11.478594] ? __pfx_irq_thread_fn+0x10/0x10
+[ 11.478599] irq_thread_fn+0x20/0x60
+[ 11.478602] ? __pfx_irq_thread_fn+0x10/0x10
+[ 11.478603] irq_thread+0xb9/0x180
+[ 11.478605] ? __pfx_irq_thread_dtor+0x10/0x10
+[ 11.478607] ? __pfx_irq_thread+0x10/0x10
+[ 11.478609] kthread+0x10a/0x230
+[ 11.478614] ? __pfx_kthread+0x10/0x10
+[ 11.478615] ret_from_fork+0x7e/0xd0
+[ 11.478619] ? __pfx_kthread+0x10/0x10
+[ 11.478621] ret_from_fork_asm+0x1a/0x30
+[ 11.478623] </TASK>
+
+This patch modifies in_task() check inside f2fs_read_end_io() to also
+check if interrupts are disabled. This ensures that pages are unmapped
+asynchronously in an interrupt handler.
+
+Fixes: bff139b49d9f ("f2fs: handle decompress only post processing in softirq")
+Signed-off-by: Jan Prusakowski <jprusakowski@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index a123bb26acd8..942f358126e6 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -288,7 +288,7 @@ static void f2fs_read_end_io(struct bio *bio)
+ {
+ struct f2fs_sb_info *sbi = F2FS_P_SB(bio_first_page_all(bio));
+ struct bio_post_read_ctx *ctx;
+- bool intask = in_task();
++ bool intask = in_task() && !irqs_disabled();
+
+ iostat_update_and_unbind_ctx(bio);
+ ctx = bio->bi_private;
+--
+2.39.5
+
--- /dev/null
+From 64232479f1bfa557f35c710850ec81787f4f33cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 12:48:35 +0200
+Subject: fanotify: sanitize handle_type values when reporting fid
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit 8631e01c2c5d1fe6705bcc0d733a0b7a17d3daac ]
+
+Unlike file_handle, type and len of struct fanotify_fh are u8.
+Traditionally, filesystem return handle_type < 0xff, but there
+is no enforecement for that in vfs.
+
+Add a sanity check in fanotify to avoid truncating handle_type
+if its value is > 0xff.
+
+Fixes: 7cdafe6cc4a6 ("exportfs: check for error return value from exportfs_encode_*()")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250627104835.184495-1-amir73il@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/notify/fanotify/fanotify.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
+index 9dac7f6e72d2..723ff9cad9ed 100644
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -445,7 +445,13 @@ static int fanotify_encode_fh(struct fanotify_fh *fh, struct inode *inode,
+ dwords = fh_len >> 2;
+ type = exportfs_encode_fid(inode, buf, &dwords);
+ err = -EINVAL;
+- if (type <= 0 || type == FILEID_INVALID || fh_len != dwords << 2)
++ /*
++ * Unlike file_handle, type and len of struct fanotify_fh are u8.
++ * Traditionally, filesystem return handle_type < 0xff, but there
++ * is no enforecement for that in vfs.
++ */
++ BUILD_BUG_ON(MAX_HANDLE_SZ > 0xff || FILEID_INVALID > 0xff);
++ if (type <= 0 || type >= FILEID_INVALID || fh_len != dwords << 2)
+ goto out_err;
+
+ fh->type = type;
+--
+2.39.5
+
--- /dev/null
+From e2fe58356cc7a931c33befc5c314b342555a47c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:34:38 +0800
+Subject: fbcon: Fix outdated registered_fb reference in comment
+
+From: Shixiong Ou <oushixiong@kylinos.cn>
+
+[ Upstream commit 0f168e7be696a17487e83d1d47e5a408a181080f ]
+
+The variable was renamed to fbcon_registered_fb, but this comment was
+not updated along with the change. Correct it to avoid confusion.
+
+Signed-off-by: Shixiong Ou <oushixiong@kylinos.cn>
+Fixes: efc3acbc105a ("fbcon: Maintain a private array of fb_info")
+[sima: Add Fixes: line.]
+Signed-off-by: Simona Vetter <simona.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250709103438.572309-1-oushixiong1025@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/fbcon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
+index 9d095fe03e18..ed68ba89b80b 100644
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -935,13 +935,13 @@ static const char *fbcon_startup(void)
+ int rows, cols;
+
+ /*
+- * If num_registered_fb is zero, this is a call for the dummy part.
++ * If fbcon_num_registered_fb is zero, this is a call for the dummy part.
+ * The frame buffer devices weren't initialized yet.
+ */
+ if (!fbcon_num_registered_fb || info_idx == -1)
+ return display_desc;
+ /*
+- * Instead of blindly using registered_fb[0], we use info_idx, set by
++ * Instead of blindly using fbcon_registered_fb[0], we use info_idx, set by
+ * fbcon_fb_registered();
+ */
+ info = fbcon_registered_fb[info_idx];
+--
+2.39.5
+
--- /dev/null
+From 1e8331daa625ebaf70e2de0fc3fe9eddc4e14ff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 22:25:34 -0500
+Subject: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7 ]
+
+fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot
+allocate a struct fb_modelist. If that happens, the modelist stays empty but
+the driver continues to register. Add a check for its return value to prevent
+poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev:
+Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var").
+
+Fixes: 1b6c79361ba5 ("video: imxfb: Add DT support")
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/imxfb.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
+index 7042a43b81d8..5f9e98423d65 100644
+--- a/drivers/video/fbdev/imxfb.c
++++ b/drivers/video/fbdev/imxfb.c
+@@ -1004,8 +1004,13 @@ static int imxfb_probe(struct platform_device *pdev)
+ info->fix.smem_start = fbi->map_dma;
+
+ INIT_LIST_HEAD(&info->modelist);
+- for (i = 0; i < fbi->num_modes; i++)
+- fb_add_videomode(&fbi->mode[i].mode, &info->modelist);
++ for (i = 0; i < fbi->num_modes; i++) {
++ ret = fb_add_videomode(&fbi->mode[i].mode, &info->modelist);
++ if (ret) {
++ dev_err(&pdev->dev, "Failed to add videomode\n");
++ goto failed_cmap;
++ }
++ }
+
+ /*
+ * This makes sure that our colour bitfield
+--
+2.39.5
+
--- /dev/null
+From 710c6eef3e534d84edd824ddfe3426120552820d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 11:23:46 +0200
+Subject: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 1db50f7b7a793670adcf062df9ff27798829d963 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: ed10435d3583 ("RDMA/erdma: Implement hierarchical MTT")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20250630092346.81017-2-fourier.thomas@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/erdma/erdma_verbs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c
+index b010c4209ea3..29ad2f5ffabe 100644
+--- a/drivers/infiniband/hw/erdma/erdma_verbs.c
++++ b/drivers/infiniband/hw/erdma/erdma_verbs.c
+@@ -585,7 +585,8 @@ static struct erdma_mtt *erdma_create_cont_mtt(struct erdma_dev *dev,
+ static void erdma_destroy_mtt_buf_sg(struct erdma_dev *dev,
+ struct erdma_mtt *mtt)
+ {
+- dma_unmap_sg(&dev->pdev->dev, mtt->sglist, mtt->nsg, DMA_TO_DEVICE);
++ dma_unmap_sg(&dev->pdev->dev, mtt->sglist,
++ DIV_ROUND_UP(mtt->size, PAGE_SIZE), DMA_TO_DEVICE);
+ vfree(mtt->sglist);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 4f0612607021976f5a65c1a10a7cc96cb68336fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 15:31:57 +0800
+Subject: fs/ntfs3: cancle set bad inode after removing name fails
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit d99208b91933fd2a58ed9ed321af07dacd06ddc3 ]
+
+The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link.
+When renaming, the file0's inode is marked as a bad inode because the file
+name cannot be deleted.
+
+The underlying bug is that make_bad_inode() is called on a live inode.
+In some cases it's "icache lookup finds a normal inode, d_splice_alias()
+is called to attach it to dentry, while another thread decides to call
+make_bad_inode() on it - that would evict it from icache, but we'd already
+found it there earlier".
+In some it's outright "we have an inode attached to dentry - that's how we
+got it in the first place; let's call make_bad_inode() on it just for shits
+and giggles".
+
+Fixes: 78ab59fee07f ("fs/ntfs3: Rework file operations")
+Reported-by: syzbot+1aa90f0eb1fc3e77d969@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=1aa90f0eb1fc3e77d969
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/frecord.c | 7 +++----
+ fs/ntfs3/namei.c | 10 +++-------
+ fs/ntfs3/ntfs_fs.h | 3 +--
+ 3 files changed, 7 insertions(+), 13 deletions(-)
+
+diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
+index 3c876c468c2c..5c45fec832b0 100644
+--- a/fs/ntfs3/frecord.c
++++ b/fs/ntfs3/frecord.c
+@@ -3058,8 +3058,7 @@ int ni_add_name(struct ntfs_inode *dir_ni, struct ntfs_inode *ni,
+ * ni_rename - Remove one name and insert new name.
+ */
+ int ni_rename(struct ntfs_inode *dir_ni, struct ntfs_inode *new_dir_ni,
+- struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de,
+- bool *is_bad)
++ struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de)
+ {
+ int err;
+ struct NTFS_DE *de2 = NULL;
+@@ -3082,8 +3081,8 @@ int ni_rename(struct ntfs_inode *dir_ni, struct ntfs_inode *new_dir_ni,
+ err = ni_add_name(new_dir_ni, ni, new_de);
+ if (!err) {
+ err = ni_remove_name(dir_ni, ni, de, &de2, &undo);
+- if (err && ni_remove_name(new_dir_ni, ni, new_de, &de2, &undo))
+- *is_bad = true;
++ WARN_ON(err && ni_remove_name(new_dir_ni, ni, new_de, &de2,
++ &undo));
+ }
+
+ /*
+diff --git a/fs/ntfs3/namei.c b/fs/ntfs3/namei.c
+index 61c4da8e6c3d..f5901c23ab93 100644
+--- a/fs/ntfs3/namei.c
++++ b/fs/ntfs3/namei.c
+@@ -261,7 +261,7 @@ static int ntfs_rename(struct mnt_idmap *idmap, struct inode *dir,
+ struct ntfs_inode *ni = ntfs_i(inode);
+ struct inode *new_inode = d_inode(new_dentry);
+ struct NTFS_DE *de, *new_de;
+- bool is_same, is_bad;
++ bool is_same;
+ /*
+ * de - memory of PATH_MAX bytes:
+ * [0-1024) - original name (dentry->d_name)
+@@ -330,12 +330,8 @@ static int ntfs_rename(struct mnt_idmap *idmap, struct inode *dir,
+ if (dir_ni != new_dir_ni)
+ ni_lock_dir2(new_dir_ni);
+
+- is_bad = false;
+- err = ni_rename(dir_ni, new_dir_ni, ni, de, new_de, &is_bad);
+- if (is_bad) {
+- /* Restore after failed rename failed too. */
+- _ntfs_bad_inode(inode);
+- } else if (!err) {
++ err = ni_rename(dir_ni, new_dir_ni, ni, de, new_de);
++ if (!err) {
+ simple_rename_timestamp(dir, dentry, new_dir, new_dentry);
+ mark_inode_dirty(inode);
+ mark_inode_dirty(dir);
+diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h
+index c98e6868bfba..72810d8f62ee 100644
+--- a/fs/ntfs3/ntfs_fs.h
++++ b/fs/ntfs3/ntfs_fs.h
+@@ -577,8 +577,7 @@ int ni_add_name(struct ntfs_inode *dir_ni, struct ntfs_inode *ni,
+ struct NTFS_DE *de);
+
+ int ni_rename(struct ntfs_inode *dir_ni, struct ntfs_inode *new_dir_ni,
+- struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de,
+- bool *is_bad);
++ struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de);
+
+ bool ni_is_dirty(struct inode *inode);
+
+--
+2.39.5
+
--- /dev/null
+From c6df4b81ae542027f9f4727733328f3e3c859043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jul 2025 09:19:10 -0500
+Subject: fs/orangefs: Allow 2 more characters in do_c_string()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2138e89cb066b40386b1d9ddd61253347d356474 ]
+
+The do_k_string() and do_c_string() functions do essentially the same
+thing which is they add a string and a comma onto the end of an existing
+string. At the end, the caller will overwrite the last comma with a
+newline. Later, in orangefs_kernel_debug_init(), we add a newline to
+the string.
+
+The change to do_k_string() is just cosmetic. I moved the "- 1" to
+the other side of the comparison and made it "+ 1". This has no
+effect on runtime, I just wanted the functions to match each other
+and the rest of the file.
+
+However in do_c_string(), I removed the "- 2" which allows us to print
+two extra characters. I noticed this issue while reviewing the code
+and I doubt affects anything in real life. My guess is that this was
+double counting the comma and the newline. The "+ 1" accounts for
+the newline, and the caller will delete the final comma which ensures
+there is enough space for the newline.
+
+Removing the "- 2" lets us print 2 more characters, but mainly it makes
+the code more consistent and understandable for reviewers.
+
+Fixes: 44f4641073f1 ("orangefs: clean up debugfs globals")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index fa41db088488..b57140ebfad0 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -728,8 +728,8 @@ static void do_k_string(void *k_mask, int index)
+
+ if (*mask & s_kmod_keyword_mask_map[index].mask_val) {
+ if ((strlen(kernel_debug_string) +
+- strlen(s_kmod_keyword_mask_map[index].keyword))
+- < ORANGEFS_MAX_DEBUG_STRING_LEN - 1) {
++ strlen(s_kmod_keyword_mask_map[index].keyword) + 1)
++ < ORANGEFS_MAX_DEBUG_STRING_LEN) {
+ strcat(kernel_debug_string,
+ s_kmod_keyword_mask_map[index].keyword);
+ strcat(kernel_debug_string, ",");
+@@ -756,7 +756,7 @@ static void do_c_string(void *c_mask, int index)
+ (mask->mask2 & cdm_array[index].mask2)) {
+ if ((strlen(client_debug_string) +
+ strlen(cdm_array[index].keyword) + 1)
+- < ORANGEFS_MAX_DEBUG_STRING_LEN - 2) {
++ < ORANGEFS_MAX_DEBUG_STRING_LEN) {
+ strcat(client_debug_string,
+ cdm_array[index].keyword);
+ strcat(client_debug_string, ",");
+--
+2.39.5
+
--- /dev/null
+From 1b967170cf75970e13d960196a0b4c002a224e7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 01:09:27 +0200
+Subject: fs_context: fix parameter name in infofc() macro
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: RubenKelevra <rubenkelevra@gmail.com>
+
+[ Upstream commit ffaf1bf3737f706e4e9be876de4bc3c8fc578091 ]
+
+The macro takes a parameter called "p" but references "fc" internally.
+This happens to compile as long as callers pass a variable named fc,
+but breaks otherwise. Rename the first parameter to “fc” to match the
+usage and to be consistent with warnfc() / errorfc().
+
+Fixes: a3ff937b33d9 ("prefix-handling analogues of errorf() and friends")
+Signed-off-by: RubenKelevra <rubenkelevra@gmail.com>
+Link: https://lore.kernel.org/20250617230927.1790401-1-rubenkelevra@gmail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/fs_context.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h
+index c13e99cbbf81..c9eae7117001 100644
+--- a/include/linux/fs_context.h
++++ b/include/linux/fs_context.h
+@@ -196,7 +196,7 @@ void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt,
+ */
+ #define infof(fc, fmt, ...) __logfc(fc, 'i', fmt, ## __VA_ARGS__)
+ #define info_plog(p, fmt, ...) __plog(p, 'i', fmt, ## __VA_ARGS__)
+-#define infofc(p, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__)
++#define infofc(fc, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__)
+
+ /**
+ * warnf - Store supplementary warning message
+--
+2.39.5
+
--- /dev/null
+From 1bfe17b819e9ddff7dc82c3404d218ee1d5072f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 23:30:32 +0200
+Subject: gfs2: No more self recovery
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit deb016c1669002e48c431d6fd32ea1c20ef41756 ]
+
+When a node withdraws and it turns out that it is the only node that has
+the filesystem mounted, gfs2 currently tries to replay the local journal
+to bring the filesystem back into a consistent state. Not only is that
+a very bad idea, it has also never worked because gfs2_recover_func()
+will refuse to do anything during a withdraw.
+
+However, before even getting to this point, gfs2_recover_func()
+dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before
+commit 04133b607a78 ("gfs2: Prevent double iput for journal on error")
+and is a NULL pointer dereference since then.
+
+Simply get rid of self recovery to fix that.
+
+Fixes: 601ef0d52e96 ("gfs2: Force withdraw to replay journals and wait for it to finish")
+Reported-by: Chunjie Zhu <chunjie.zhu@cloud.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/util.c | 31 +++++++++++--------------------
+ 1 file changed, 11 insertions(+), 20 deletions(-)
+
+diff --git a/fs/gfs2/util.c b/fs/gfs2/util.c
+index 268ff47b0396..fd921e07e12b 100644
+--- a/fs/gfs2/util.c
++++ b/fs/gfs2/util.c
+@@ -232,32 +232,23 @@ static void signal_our_withdraw(struct gfs2_sbd *sdp)
+ */
+ ret = gfs2_glock_nq(&sdp->sd_live_gh);
+
++ gfs2_glock_put(live_gl); /* drop extra reference we acquired */
++ clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags);
++
+ /*
+ * If we actually got the "live" lock in EX mode, there are no other
+- * nodes available to replay our journal. So we try to replay it
+- * ourselves. We hold the "live" glock to prevent other mounters
+- * during recovery, then just dequeue it and reacquire it in our
+- * normal SH mode. Just in case the problem that caused us to
+- * withdraw prevents us from recovering our journal (e.g. io errors
+- * and such) we still check if the journal is clean before proceeding
+- * but we may wait forever until another mounter does the recovery.
++ * nodes available to replay our journal.
+ */
+ if (ret == 0) {
+- fs_warn(sdp, "No other mounters found. Trying to recover our "
+- "own journal jid %d.\n", sdp->sd_lockstruct.ls_jid);
+- if (gfs2_recover_journal(sdp->sd_jdesc, 1))
+- fs_warn(sdp, "Unable to recover our journal jid %d.\n",
+- sdp->sd_lockstruct.ls_jid);
+- gfs2_glock_dq_wait(&sdp->sd_live_gh);
+- gfs2_holder_reinit(LM_ST_SHARED,
+- LM_FLAG_NOEXP | GL_EXACT | GL_NOPID,
+- &sdp->sd_live_gh);
+- gfs2_glock_nq(&sdp->sd_live_gh);
++ fs_warn(sdp, "No other mounters found.\n");
++ /*
++ * We are about to release the lockspace. By keeping live_gl
++ * locked here, we ensure that the next mounter coming along
++ * will be a "first" mounter which will perform recovery.
++ */
++ goto skip_recovery;
+ }
+
+- gfs2_glock_put(live_gl); /* drop extra reference we acquired */
+- clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags);
+-
+ /*
+ * At this point our journal is evicted, so we need to get a new inode
+ * for it. Once done, we need to call gfs2_find_jhead which
+--
+2.39.5
+
--- /dev/null
+From 2cd5c32c5f858f5b9d0c1887a8c43d4b12f70942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 08:00:32 -0600
+Subject: hfs: make splice write available again
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 4c831f30475a222046ded25560c3810117a6cff6 ]
+
+Since 5.10, splice() or sendfile() return EINVAL. This was
+caused by commit 36e2c7421f02 ("fs: don't allow splice read/write
+without explicit ops").
+
+This patch initializes the splice_write field in file_operations, like
+most file systems do, to restore the functionality.
+
+Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops")
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250529140033.2296791-2-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
+index 61ed76d10392..6a89f22d8967 100644
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -697,6 +697,7 @@ static const struct file_operations hfs_file_operations = {
+ .write_iter = generic_file_write_iter,
+ .mmap = generic_file_mmap,
+ .splice_read = filemap_splice_read,
++ .splice_write = iter_file_splice_write,
+ .fsync = hfs_file_fsync,
+ .open = hfs_file_open,
+ .release = hfs_file_release,
+--
+2.39.5
+
--- /dev/null
+From 2a4df47f12e42976bc8a652026c318d1596462bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 08:00:31 -0600
+Subject: hfsplus: make splice write available again
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 2eafb669da0bf71fac0838bff13594970674e2b4 ]
+
+Since 5.10, splice() or sendfile() return EINVAL. This was
+caused by commit 36e2c7421f02 ("fs: don't allow splice read/write
+without explicit ops").
+
+This patch initializes the splice_write field in file_operations, like
+most file systems do, to restore the functionality.
+
+Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops")
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250529140033.2296791-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
+index c65c8c4b03dd..73ff191ff2ad 100644
+--- a/fs/hfsplus/inode.c
++++ b/fs/hfsplus/inode.c
+@@ -373,6 +373,7 @@ static const struct file_operations hfsplus_file_operations = {
+ .write_iter = generic_file_write_iter,
+ .mmap = generic_file_mmap,
+ .splice_read = filemap_splice_read,
++ .splice_write = iter_file_splice_write,
+ .fsync = hfsplus_file_fsync,
+ .open = hfsplus_file_open,
+ .release = hfsplus_file_release,
+--
+2.39.5
+
--- /dev/null
+From 58df852528d0818cf69ed5907979949c0ad7de5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 00:18:06 -0600
+Subject: hfsplus: remove mutex_lock check in hfsplus_free_extents
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit fcb96956c921f1aae7e7b477f2435c56f77a31b4 ]
+
+Syzbot reported an issue in hfsplus filesystem:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346
+ hfsplus_free_extents+0x700/0xad0
+Call Trace:
+<TASK>
+hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606
+hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56
+cont_expand_zero fs/buffer.c:2383 [inline]
+cont_write_begin+0x2cf/0x860 fs/buffer.c:2446
+hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52
+generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347
+hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263
+notify_change+0xe38/0x10f0 fs/attr.c:420
+do_truncate+0x1fb/0x2e0 fs/open.c:65
+do_sys_ftruncate+0x2eb/0x380 fs/open.c:193
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock
+on file truncation") unlock extree before hfsplus_free_extents(),
+and add check wheather extree is locked in hfsplus_free_extents().
+
+However, when operations such as hfsplus_file_release,
+hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed
+concurrently in different files, it is very likely to trigger the
+WARN_ON, which will lead syzbot and xfstest to consider it as an
+abnormality.
+
+The comment above this warning also describes one of the easy
+triggering situations, which can easily trigger and cause
+xfstest&syzbot to report errors.
+
+[task A] [task B]
+->hfsplus_file_release
+ ->hfsplus_file_truncate
+ ->hfs_find_init
+ ->mutex_lock
+ ->mutex_unlock
+ ->hfsplus_write_begin
+ ->hfsplus_get_block
+ ->hfsplus_file_extend
+ ->hfsplus_ext_read_extent
+ ->hfs_find_init
+ ->mutex_lock
+ ->hfsplus_free_extents
+ WARN_ON(mutex_is_locked) !!!
+
+Several threads could try to lock the shared extents tree.
+And warning can be triggered in one thread when another thread
+has locked the tree. This is the wrong behavior of the code and
+we need to remove the warning.
+
+Fixes: 31651c607151f ("hfsplus: avoid deadlock on file truncation")
+Reported-by: syzbot+8c0bc9f818702ff75b76@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/00000000000057fa4605ef101c4c@google.com/
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250529061807.2213498-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/extents.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
+index 9c51867dddc5..f6ac98b0d44f 100644
+--- a/fs/hfsplus/extents.c
++++ b/fs/hfsplus/extents.c
+@@ -342,9 +342,6 @@ static int hfsplus_free_extents(struct super_block *sb,
+ int i;
+ int err = 0;
+
+- /* Mapping the allocation file may lock the extent tree */
+- WARN_ON(mutex_is_locked(&HFSPLUS_SB(sb)->ext_tree->tree_lock));
+-
+ hfsplus_dump_extent(extent);
+ for (i = 0; i < 8; extent++, i++) {
+ count = be32_to_cpu(extent->block_count);
+--
+2.39.5
+
--- /dev/null
+From 8b74512e4545a10d8882620bd411f8def64d7e8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 20:31:41 +0300
+Subject: hwrng: mtk - handle devm_pm_runtime_enable errors
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit 522a242a18adc5c63a24836715dbeec4dc3faee1 ]
+
+Although unlikely, devm_pm_runtime_enable() call might fail, so handle
+the return value.
+
+Fixes: 78cb66caa6ab ("hwrng: mtk - Use devm_pm_runtime_enable")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/mtk-rng.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/hw_random/mtk-rng.c b/drivers/char/hw_random/mtk-rng.c
+index 1e3048f2bb38..6c4e40d0365f 100644
+--- a/drivers/char/hw_random/mtk-rng.c
++++ b/drivers/char/hw_random/mtk-rng.c
+@@ -142,7 +142,9 @@ static int mtk_rng_probe(struct platform_device *pdev)
+ dev_set_drvdata(&pdev->dev, priv);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, RNG_AUTOSUSPEND_TIMEOUT);
+ pm_runtime_use_autosuspend(&pdev->dev);
+- devm_pm_runtime_enable(&pdev->dev);
++ ret = devm_pm_runtime_enable(&pdev->dev);
++ if (ret)
++ return ret;
+
+ dev_info(&pdev->dev, "registered RNG driver\n");
+
+--
+2.39.5
+
--- /dev/null
+From c8cbfa6dcf9992a5c4aabe846427f84b5ebc6d60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 19:35:14 +0300
+Subject: interconnect: qcom: sc8180x: specify num_nodes
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 7e0b59496a02d25828612721e846ea4b717a97b9 ]
+
+Specify .num_nodes for several BCMs which missed this declaration.
+
+Fixes: 04548d4e2798 ("interconnect: qcom: sc8180x: Reformat node and bcm definitions")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250704-rework-icc-v2-2-875fac996ef5@oss.qualcomm.com
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/sc8180x.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/interconnect/qcom/sc8180x.c b/drivers/interconnect/qcom/sc8180x.c
+index a741badaa966..4dd1d2f2e821 100644
+--- a/drivers/interconnect/qcom/sc8180x.c
++++ b/drivers/interconnect/qcom/sc8180x.c
+@@ -1492,34 +1492,40 @@ static struct qcom_icc_bcm bcm_sh3 = {
+
+ static struct qcom_icc_bcm bcm_sn0 = {
+ .name = "SN0",
++ .num_nodes = 1,
+ .nodes = { &slv_qns_gemnoc_sf }
+ };
+
+ static struct qcom_icc_bcm bcm_sn1 = {
+ .name = "SN1",
++ .num_nodes = 1,
+ .nodes = { &slv_qxs_imem }
+ };
+
+ static struct qcom_icc_bcm bcm_sn2 = {
+ .name = "SN2",
+ .keepalive = true,
++ .num_nodes = 1,
+ .nodes = { &slv_qns_gemnoc_gc }
+ };
+
+ static struct qcom_icc_bcm bcm_co2 = {
+ .name = "CO2",
++ .num_nodes = 1,
+ .nodes = { &mas_qnm_npu }
+ };
+
+ static struct qcom_icc_bcm bcm_sn3 = {
+ .name = "SN3",
+ .keepalive = true,
++ .num_nodes = 2,
+ .nodes = { &slv_srvc_aggre1_noc,
+ &slv_qns_cnoc }
+ };
+
+ static struct qcom_icc_bcm bcm_sn4 = {
+ .name = "SN4",
++ .num_nodes = 1,
+ .nodes = { &slv_qxs_pimem }
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 12f7641ea2174f882cd4dd6c781d11f0ac286c18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 19:35:13 +0300
+Subject: interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 02ee375506dceb7d32007821a2bff31504d64b99 ]
+
+The qnm_a1noc_cfg declaration didn't include .num_links definition, fix
+it.
+
+Fixes: f29dabda7917 ("interconnect: qcom: Add SC8280XP interconnect provider")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250704-rework-icc-v2-1-875fac996ef5@oss.qualcomm.com
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/sc8280xp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/interconnect/qcom/sc8280xp.c b/drivers/interconnect/qcom/sc8280xp.c
+index 0270f6c64481..c646cdf8a19b 100644
+--- a/drivers/interconnect/qcom/sc8280xp.c
++++ b/drivers/interconnect/qcom/sc8280xp.c
+@@ -48,6 +48,7 @@ static struct qcom_icc_node qnm_a1noc_cfg = {
+ .id = SC8280XP_MASTER_A1NOC_CFG,
+ .channels = 1,
+ .buswidth = 4,
++ .num_links = 1,
+ .links = { SC8280XP_SLAVE_SERVICE_A1NOC },
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 7e89ffd532f929bbc4a732cce09599e22e89d51e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 20:58:05 -0300
+Subject: iommu/amd: Fix geometry.aperture_end for V2 tables
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 8637afa79cfa6123f602408cfafe8c9a73620ff1 ]
+
+The AMD IOMMU documentation seems pretty clear that the V2 table follows
+the normal CPU expectation of sign extension. This is shown in
+
+ Figure 25: AMD64 Long Mode 4-Kbyte Page Address Translation
+
+Where bits Sign-Extend [63:57] == [56]. This is typical for x86 which
+would have three regions in the page table: lower, non-canonical, upper.
+
+The manual describes that the V1 table does not sign extend in section
+2.2.4 Sharing AMD64 Processor and IOMMU Page Tables GPA-to-SPA
+
+Further, Vasant has checked this and indicates the HW has an addtional
+behavior that the manual does not yet describe. The AMDv2 table does not
+have the sign extended behavior when attached to PASID 0, which may
+explain why this has gone unnoticed.
+
+The iommu domain geometry does not directly support sign extended page
+tables. The driver should report only one of the lower/upper spaces. Solve
+this by removing the top VA bit from the geometry to use only the lower
+space.
+
+This will also make the iommu_domain work consistently on all PASID 0 and
+PASID != 1.
+
+Adjust dma_max_address() to remove the top VA bit. It now returns:
+
+5 Level:
+ Before 0x1ffffffffffffff
+ After 0x0ffffffffffffff
+4 Level:
+ Before 0xffffffffffff
+ After 0x7fffffffffff
+
+Fixes: 11c439a19466 ("iommu/amd/pgtbl_v2: Fix domain max address")
+Link: https://lore.kernel.org/all/8858d4d6-d360-4ef0-935c-bfd13ea54f42@amd.com/
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/0-v2-0615cc99b88a+1ce-amdv2_geo_jgg@nvidia.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index a5d6d786dba5..23cfb98fe90a 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2159,8 +2159,21 @@ static inline u64 dma_max_address(void)
+ if (amd_iommu_pgtable == AMD_IOMMU_V1)
+ return ~0ULL;
+
+- /* V2 with 4/5 level page table */
+- return ((1ULL << PM_LEVEL_SHIFT(amd_iommu_gpt_level)) - 1);
++ /*
++ * V2 with 4/5 level page table. Note that "2.2.6.5 AMD64 4-Kbyte Page
++ * Translation" shows that the V2 table sign extends the top of the
++ * address space creating a reserved region in the middle of the
++ * translation, just like the CPU does. Further Vasant says the docs are
++ * incomplete and this only applies to non-zero PASIDs. If the AMDv2
++ * page table is assigned to the 0 PASID then there is no sign extension
++ * check.
++ *
++ * Since the IOMMU must have a fixed geometry, and the core code does
++ * not understand sign extended addressing, we have to chop off the high
++ * bit to get consistent behavior with attachments of the domain to any
++ * PASID.
++ */
++ return ((1ULL << (PM_LEVEL_SHIFT(amd_iommu_gpt_level) - 1)) - 1);
+ }
+
+ static struct iommu_domain *amd_iommu_domain_alloc(unsigned type)
+--
+2.39.5
+
--- /dev/null
+From 59cbbb02674adc28c6ce8ac2529368868fe21864 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:07:25 +0000
+Subject: ipv6: annotate data-races around rt->fib6_nsiblings
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 31d7d67ba1274f42494256d52e86da80ed09f3cb ]
+
+rt->fib6_nsiblings can be read locklessly, add corresponding
+READ_ONCE() and WRITE_ONCE() annotations.
+
+Fixes: 66f5d6ce53e6 ("ipv6: replace rwlock with rcu and spinlock in fib6_table")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250725140725.3626540-5-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_fib.c | 20 +++++++++++++-------
+ net/ipv6/route.c | 5 +++--
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 65702bddb21f..c44136cbbaa1 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -437,15 +437,17 @@ struct fib6_dump_arg {
+ static int fib6_rt_dump(struct fib6_info *rt, struct fib6_dump_arg *arg)
+ {
+ enum fib_event_type fib_event = FIB_EVENT_ENTRY_REPLACE;
++ unsigned int nsiblings;
+ int err;
+
+ if (!rt || rt == arg->net->ipv6.fib6_null_entry)
+ return 0;
+
+- if (rt->fib6_nsiblings)
++ nsiblings = READ_ONCE(rt->fib6_nsiblings);
++ if (nsiblings)
+ err = call_fib6_multipath_entry_notifier(arg->nb, fib_event,
+ rt,
+- rt->fib6_nsiblings,
++ nsiblings,
+ arg->extack);
+ else
+ err = call_fib6_entry_notifier(arg->nb, fib_event, rt,
+@@ -1118,7 +1120,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+
+ if (rt6_duplicate_nexthop(iter, rt)) {
+ if (rt->fib6_nsiblings)
+- rt->fib6_nsiblings = 0;
++ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ if (!(iter->fib6_flags & RTF_EXPIRES))
+ return -EEXIST;
+ if (!(rt->fib6_flags & RTF_EXPIRES))
+@@ -1144,7 +1146,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+ */
+ if (rt_can_ecmp &&
+ rt6_qualify_for_ecmp(iter))
+- rt->fib6_nsiblings++;
++ WRITE_ONCE(rt->fib6_nsiblings,
++ rt->fib6_nsiblings + 1);
+ }
+
+ if (iter->fib6_metric > rt->fib6_metric)
+@@ -1194,7 +1197,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+ fib6_nsiblings = 0;
+ list_for_each_entry_safe(sibling, temp_sibling,
+ &rt->fib6_siblings, fib6_siblings) {
+- sibling->fib6_nsiblings++;
++ WRITE_ONCE(sibling->fib6_nsiblings,
++ sibling->fib6_nsiblings + 1);
+ BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings);
+ fib6_nsiblings++;
+ }
+@@ -1239,7 +1243,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+ list_for_each_entry_safe(sibling, next_sibling,
+ &rt->fib6_siblings,
+ fib6_siblings)
+- sibling->fib6_nsiblings--;
++ WRITE_ONCE(sibling->fib6_nsiblings,
++ sibling->fib6_nsiblings - 1);
+ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ list_del_rcu(&rt->fib6_siblings);
+ rt6_multipath_rebalance(next_sibling);
+@@ -1952,7 +1957,8 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn,
+ notify_del = true;
+ list_for_each_entry_safe(sibling, next_sibling,
+ &rt->fib6_siblings, fib6_siblings)
+- sibling->fib6_nsiblings--;
++ WRITE_ONCE(sibling->fib6_nsiblings,
++ sibling->fib6_nsiblings - 1);
+ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ list_del_rcu(&rt->fib6_siblings);
+ rt6_multipath_rebalance(next_sibling);
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index f180b7bc9f57..eb9e505f71f9 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5230,7 +5230,8 @@ static void ip6_route_mpath_notify(struct fib6_info *rt,
+ */
+ rcu_read_lock();
+
+- if ((nlflags & NLM_F_APPEND) && rt_last && rt_last->fib6_nsiblings) {
++ if ((nlflags & NLM_F_APPEND) && rt_last &&
++ READ_ONCE(rt_last->fib6_nsiblings)) {
+ rt = list_first_or_null_rcu(&rt_last->fib6_siblings,
+ struct fib6_info,
+ fib6_siblings);
+@@ -5763,7 +5764,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
+ if (dst->lwtstate &&
+ lwtunnel_fill_encap(skb, dst->lwtstate, RTA_ENCAP, RTA_ENCAP_TYPE) < 0)
+ goto nla_put_failure;
+- } else if (rt->fib6_nsiblings) {
++ } else if (READ_ONCE(rt->fib6_nsiblings)) {
+ struct fib6_info *sibling;
+ struct nlattr *mp;
+
+--
+2.39.5
+
--- /dev/null
+From e4efa4ea845c1a7d044d127e7911de5a05e8240a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:07:24 +0000
+Subject: ipv6: fix possible infinite loop in fib6_info_uses_dev()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f8d8ce1b515a0a6af72b30502670a406cfb75073 ]
+
+fib6_info_uses_dev() seems to rely on RCU without an explicit
+protection.
+
+Like the prior fix in rt6_nlmsg_size(),
+we need to make sure fib6_del_route() or fib6_add_rt2node()
+have not removed the anchor from the list, or we risk an infinite loop.
+
+Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250725140725.3626540-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 41d358dd58c0..f180b7bc9f57 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5865,16 +5865,21 @@ static bool fib6_info_uses_dev(const struct fib6_info *f6i,
+ if (f6i->fib6_nh->fib_nh_dev == dev)
+ return true;
+
+- if (f6i->fib6_nsiblings) {
+- struct fib6_info *sibling, *next_sibling;
++ if (READ_ONCE(f6i->fib6_nsiblings)) {
++ const struct fib6_info *sibling;
+
+- list_for_each_entry_safe(sibling, next_sibling,
+- &f6i->fib6_siblings, fib6_siblings) {
+- if (sibling->fib6_nh->fib_nh_dev == dev)
++ rcu_read_lock();
++ list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
++ fib6_siblings) {
++ if (sibling->fib6_nh->fib_nh_dev == dev) {
++ rcu_read_unlock();
+ return true;
++ }
++ if (!READ_ONCE(f6i->fib6_nsiblings))
++ break;
+ }
++ rcu_read_unlock();
+ }
+-
+ return false;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 2261f1b6f2cf206bac2ef24b369ef7928365eac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:07:23 +0000
+Subject: ipv6: prevent infinite loop in rt6_nlmsg_size()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 54e6fe9dd3b0e7c481c2228782c9494d653546da ]
+
+While testing prior patch, I was able to trigger
+an infinite loop in rt6_nlmsg_size() in the following place:
+
+list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
+ fib6_siblings) {
+ rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
+}
+
+This is because fib6_del_route() and fib6_add_rt2node()
+uses list_del_rcu(), which can confuse rcu readers,
+because they might no longer see the head of the list.
+
+Restart the loop if f6i->fib6_nsiblings is zero.
+
+Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250725140725.3626540-3-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_fib.c | 4 ++--
+ net/ipv6/route.c | 34 ++++++++++++++++++----------------
+ 2 files changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 023ac39041a2..65702bddb21f 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1240,7 +1240,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+ &rt->fib6_siblings,
+ fib6_siblings)
+ sibling->fib6_nsiblings--;
+- rt->fib6_nsiblings = 0;
++ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ list_del_rcu(&rt->fib6_siblings);
+ rt6_multipath_rebalance(next_sibling);
+ return err;
+@@ -1953,7 +1953,7 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn,
+ list_for_each_entry_safe(sibling, next_sibling,
+ &rt->fib6_siblings, fib6_siblings)
+ sibling->fib6_nsiblings--;
+- rt->fib6_nsiblings = 0;
++ WRITE_ONCE(rt->fib6_nsiblings, 0);
+ list_del_rcu(&rt->fib6_siblings);
+ rt6_multipath_rebalance(next_sibling);
+ }
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 53197087353a..41d358dd58c0 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5577,32 +5577,34 @@ static int rt6_nh_nlmsg_size(struct fib6_nh *nh, void *arg)
+
+ static size_t rt6_nlmsg_size(struct fib6_info *f6i)
+ {
++ struct fib6_info *sibling;
++ struct fib6_nh *nh;
+ int nexthop_len;
+
+ if (f6i->nh) {
+ nexthop_len = nla_total_size(4); /* RTA_NH_ID */
+ nexthop_for_each_fib6_nh(f6i->nh, rt6_nh_nlmsg_size,
+ &nexthop_len);
+- } else {
+- struct fib6_nh *nh = f6i->fib6_nh;
+- struct fib6_info *sibling;
+-
+- nexthop_len = 0;
+- if (f6i->fib6_nsiblings) {
+- rt6_nh_nlmsg_size(nh, &nexthop_len);
+-
+- rcu_read_lock();
++ goto common;
++ }
+
+- list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
+- fib6_siblings) {
+- rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
+- }
++ rcu_read_lock();
++retry:
++ nh = f6i->fib6_nh;
++ nexthop_len = 0;
++ if (READ_ONCE(f6i->fib6_nsiblings)) {
++ rt6_nh_nlmsg_size(nh, &nexthop_len);
+
+- rcu_read_unlock();
++ list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
++ fib6_siblings) {
++ rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
++ if (!READ_ONCE(f6i->fib6_nsiblings))
++ goto retry;
+ }
+- nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws);
+ }
+-
++ rcu_read_unlock();
++ nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws);
++common:
+ return NLMSG_ALIGN(sizeof(struct rtmsg))
+ + nla_total_size(16) /* RTA_SRC */
+ + nla_total_size(16) /* RTA_DST */
+--
+2.39.5
+
--- /dev/null
+From 6bf088f2be076c41d4b71d35559c44cde9ade437 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 09:48:48 +0800
+Subject: iwlwifi: Add missing check for alloc_ordered_workqueue
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 90a0d9f339960448a3acc1437a46730f975efd6a ]
+
+Add check for the return value of alloc_ordered_workqueue since it may
+return NULL pointer.
+
+Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://patch.msgid.link/20230110014848.28226-1-jiasheng@iscas.ac.cn
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index a873be109f43..b490a88b97ca 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1048,9 +1048,11 @@ static void iwl_bg_restart(struct work_struct *data)
+ *
+ *****************************************************************************/
+
+-static void iwl_setup_deferred_work(struct iwl_priv *priv)
++static int iwl_setup_deferred_work(struct iwl_priv *priv)
+ {
+ priv->workqueue = alloc_ordered_workqueue(DRV_NAME, 0);
++ if (!priv->workqueue)
++ return -ENOMEM;
+
+ INIT_WORK(&priv->restart, iwl_bg_restart);
+ INIT_WORK(&priv->beacon_update, iwl_bg_beacon_update);
+@@ -1067,6 +1069,8 @@ static void iwl_setup_deferred_work(struct iwl_priv *priv)
+ timer_setup(&priv->statistics_periodic, iwl_bg_statistics_periodic, 0);
+
+ timer_setup(&priv->ucode_trace, iwl_bg_ucode_trace, 0);
++
++ return 0;
+ }
+
+ void iwl_cancel_deferred_work(struct iwl_priv *priv)
+@@ -1456,7 +1460,9 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ /********************
+ * 6. Setup services
+ ********************/
+- iwl_setup_deferred_work(priv);
++ if (iwl_setup_deferred_work(priv))
++ goto out_uninit_drv;
++
+ iwl_setup_rx_handlers(priv);
+
+ iwl_power_initialize(priv);
+@@ -1494,6 +1500,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ iwl_cancel_deferred_work(priv);
+ destroy_workqueue(priv->workqueue);
+ priv->workqueue = NULL;
++out_uninit_drv:
+ iwl_uninit_drv(priv);
+ out_free_eeprom_blob:
+ kfree(priv->eeprom_blob);
+--
+2.39.5
+
--- /dev/null
+From 929238af5cfcceada48b63185be3102a03e98c87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 01:22:14 +0000
+Subject: jfs: fix metapage reference count leak in dbAllocCtl
+
+From: Zheng Yu <zheng.yu@northwestern.edu>
+
+[ Upstream commit 856db37592021e9155384094e331e2d4589f28b1 ]
+
+In dbAllocCtl(), read_metapage() increases the reference count of the
+metapage. However, when dp->tree.budmin < 0, the function returns -EIO
+without calling release_metapage() to decrease the reference count,
+leading to a memory leak.
+
+Add release_metapage(mp) before the error return to properly manage
+the metapage reference count and prevent the leak.
+
+Fixes: a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ("jfs: fix shift-out-of-bounds in dbSplit")
+
+Signed-off-by: Zheng Yu <zheng.yu@northwestern.edu>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 35e063c9f3a4..5a877261c3fe 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -1809,8 +1809,10 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results)
+ return -EIO;
+ dp = (struct dmap *) mp->data;
+
+- if (dp->tree.budmin < 0)
++ if (dp->tree.budmin < 0) {
++ release_metapage(mp);
+ return -EIO;
++ }
+
+ /* try to allocate the blocks.
+ */
+--
+2.39.5
+
--- /dev/null
+From a452c8c4b6949ff5f2895cac4aae6eec028b1e04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 03:48:56 +0900
+Subject: kconfig: qconf: fix ConfigList::updateListAllforAll()
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 721bfe583c52ba1ea74b3736a31a9dcfe6dd6d95 ]
+
+ConfigList::updateListForAll() and ConfigList::updateListAllforAll()
+are identical.
+
+Commit f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All)
+to ConfigList class") was a misconversion.
+
+Fixes: f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All) to ConfigList class")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/qconf.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
+index 4f3ba3debc08..119997c8bf1f 100644
+--- a/scripts/kconfig/qconf.cc
++++ b/scripts/kconfig/qconf.cc
+@@ -480,7 +480,7 @@ void ConfigList::updateListAllForAll()
+ while (it.hasNext()) {
+ ConfigList *list = it.next();
+
+- list->updateList();
++ list->updateListAll();
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 22d9e57602012fb36a73c5a35f3cb8d1136fd73d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 20:19:17 +0200
+Subject: kcsan: test: Initialize dummy variable
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit 9872916ad1a1a5e7d089e05166c85dbd65e5b0e8 ]
+
+Newer compiler versions rightfully point out:
+
+ kernel/kcsan/kcsan_test.c:591:41: error: variable 'dummy' is
+ uninitialized when passed as a const pointer argument here
+ [-Werror,-Wuninitialized-const-pointer]
+ 591 | KCSAN_EXPECT_READ_BARRIER(atomic_read(&dummy), false);
+ | ^~~~~
+ 1 error generated.
+
+Although this particular test does not care about the value stored in
+the dummy atomic variable, let's silence the warning.
+
+Link: https://lkml.kernel.org/r/CA+G9fYu8JY=k-r0hnBRSkQQrFJ1Bz+ShdXNwC1TNeMt0eXaxeA@mail.gmail.com
+Fixes: 8bc32b348178 ("kcsan: test: Add test cases for memory barrier instrumentation")
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Reviewed-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kcsan/kcsan_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/kcsan/kcsan_test.c b/kernel/kcsan/kcsan_test.c
+index 0ddbdab5903d..9d8c95defdd6 100644
+--- a/kernel/kcsan/kcsan_test.c
++++ b/kernel/kcsan/kcsan_test.c
+@@ -530,7 +530,7 @@ static void test_barrier_nothreads(struct kunit *test)
+ struct kcsan_scoped_access *reorder_access = NULL;
+ #endif
+ arch_spinlock_t arch_spinlock = __ARCH_SPIN_LOCK_UNLOCKED;
+- atomic_t dummy;
++ atomic_t dummy = ATOMIC_INIT(0);
+
+ KCSAN_TEST_REQUIRES(test, reorder_access != NULL);
+ KCSAN_TEST_REQUIRES(test, IS_ENABLED(CONFIG_SMP));
+--
+2.39.5
+
--- /dev/null
+From 3dfdd57b9227f33c604864984ce574fab9926ca8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:12:12 +0200
+Subject: kernel: trace: preemptirq_delay_test: use offstack cpu mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit adc353c0bfb243ebfd29b6222fa3bf149169a6de ]
+
+A CPU mask on the stack is broken for large values of CONFIG_NR_CPUS:
+
+kernel/trace/preemptirq_delay_test.c: In function ‘preemptirq_delay_run’:
+kernel/trace/preemptirq_delay_test.c:143:1: error: the frame size of 8512 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
+
+Fall back to dynamic allocation here.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Song Chen <chensong_2000@189.cn>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://lore.kernel.org/20250620111215.3365305-1-arnd@kernel.org
+Fixes: 4b9091e1c194 ("kernel: trace: preemptirq_delay_test: add cpu affinity")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/preemptirq_delay_test.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/preemptirq_delay_test.c b/kernel/trace/preemptirq_delay_test.c
+index cb0871fbdb07..8af92dbe98f0 100644
+--- a/kernel/trace/preemptirq_delay_test.c
++++ b/kernel/trace/preemptirq_delay_test.c
+@@ -119,12 +119,15 @@ static int preemptirq_delay_run(void *data)
+ {
+ int i;
+ int s = MIN(burst_size, NR_TEST_FUNCS);
+- struct cpumask cpu_mask;
++ cpumask_var_t cpu_mask;
++
++ if (!alloc_cpumask_var(&cpu_mask, GFP_KERNEL))
++ return -ENOMEM;
+
+ if (cpu_affinity > -1) {
+- cpumask_clear(&cpu_mask);
+- cpumask_set_cpu(cpu_affinity, &cpu_mask);
+- if (set_cpus_allowed_ptr(current, &cpu_mask))
++ cpumask_clear(cpu_mask);
++ cpumask_set_cpu(cpu_affinity, cpu_mask);
++ if (set_cpus_allowed_ptr(current, cpu_mask))
+ pr_err("cpu_affinity:%d, failed\n", cpu_affinity);
+ }
+
+@@ -141,6 +144,8 @@ static int preemptirq_delay_run(void *data)
+
+ __set_current_state(TASK_RUNNING);
+
++ free_cpumask_var(cpu_mask);
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From edad3aa39a05219078daced00753638843bb8807 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 16:25:31 +0100
+Subject: kselftest/arm64: Fix check for setting new VLs in sve-ptrace
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 867446f090589626497638f70b10be5e61a0b925 ]
+
+The check that the new vector length we set was the expected one was typoed
+to an assignment statement which for some reason the compilers didn't spot,
+most likely due to the macros involved.
+
+Fixes: a1d7111257cd ("selftests: arm64: More comprehensively test the SVE ptrace interface")
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Dev Jain <dev.jain@arm.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20250609-kselftest-arm64-ssve-fixups-v2-1-998fcfa6f240@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/arm64/fp/sve-ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/arm64/fp/sve-ptrace.c b/tools/testing/selftests/arm64/fp/sve-ptrace.c
+index 6d61992fe8a0..c6228176dd1a 100644
+--- a/tools/testing/selftests/arm64/fp/sve-ptrace.c
++++ b/tools/testing/selftests/arm64/fp/sve-ptrace.c
+@@ -251,7 +251,7 @@ static void ptrace_set_get_vl(pid_t child, const struct vec_type *type,
+ return;
+ }
+
+- ksft_test_result(new_sve->vl = prctl_vl, "Set %s VL %u\n",
++ ksft_test_result(new_sve->vl == prctl_vl, "Set %s VL %u\n",
+ type->name, vl);
+
+ free(new_sve);
+--
+2.39.5
+
--- /dev/null
+From 9a4934f5d50c1c3e61fa53310c3ea954847c3d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 11:26:44 +1100
+Subject: m68k: Don't unregister boot console needlessly
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 83f672a7f69ec38b1bbb27221e342937f68c11c7 ]
+
+When MACH_IS_MVME147, the boot console calls mvme147_scc_write() to
+generate console output. That will continue to work even after
+debug_cons_nputs() becomes unavailable so there's no need to
+unregister the boot console.
+
+Take the opportunity to remove a repeated MACH_IS_* test. Use the
+actual .write method (instead of a wrapper) and test that pointer
+instead. This means adding an unused parameter to debug_cons_nputs() for
+consistency with the struct console API.
+
+early_printk.c is only built when CONFIG_EARLY_PRINTK=y. As of late,
+head.S is only built when CONFIG_MMU_MOTOROLA=y. So let the former symbol
+depend on the latter, to obviate some ifdef conditionals.
+
+Cc: Daniel Palmer <daniel@0x0f.com>
+Fixes: 077b33b9e283 ("m68k: mvme147: Reinstate early console")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/d1d4328e5aa9a87bd8352529ce62b767731c0530.1743467205.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/Kconfig.debug | 2 +-
+ arch/m68k/kernel/early_printk.c | 42 +++++++++++----------------------
+ arch/m68k/kernel/head.S | 8 +++----
+ 3 files changed, 19 insertions(+), 33 deletions(-)
+
+diff --git a/arch/m68k/Kconfig.debug b/arch/m68k/Kconfig.debug
+index 30638a6e8edc..d036f903864c 100644
+--- a/arch/m68k/Kconfig.debug
++++ b/arch/m68k/Kconfig.debug
+@@ -10,7 +10,7 @@ config BOOTPARAM_STRING
+
+ config EARLY_PRINTK
+ bool "Early printk"
+- depends on !(SUN3 || M68000 || COLDFIRE)
++ depends on MMU_MOTOROLA
+ help
+ Write kernel log output directly to a serial port.
+ Where implemented, output goes to the framebuffer as well.
+diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c
+index f11ef9f1f56f..521cbb8a150c 100644
+--- a/arch/m68k/kernel/early_printk.c
++++ b/arch/m68k/kernel/early_printk.c
+@@ -16,25 +16,10 @@
+ #include "../mvme147/mvme147.h"
+ #include "../mvme16x/mvme16x.h"
+
+-asmlinkage void __init debug_cons_nputs(const char *s, unsigned n);
+-
+-static void __ref debug_cons_write(struct console *c,
+- const char *s, unsigned n)
+-{
+-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
+- defined(CONFIG_COLDFIRE))
+- if (MACH_IS_MVME147)
+- mvme147_scc_write(c, s, n);
+- else if (MACH_IS_MVME16x)
+- mvme16x_cons_write(c, s, n);
+- else
+- debug_cons_nputs(s, n);
+-#endif
+-}
++asmlinkage void __init debug_cons_nputs(struct console *c, const char *s, unsigned int n);
+
+ static struct console early_console_instance = {
+ .name = "debug",
+- .write = debug_cons_write,
+ .flags = CON_PRINTBUFFER | CON_BOOT,
+ .index = -1
+ };
+@@ -44,6 +29,12 @@ static int __init setup_early_printk(char *buf)
+ if (early_console || buf)
+ return 0;
+
++ if (MACH_IS_MVME147)
++ early_console_instance.write = mvme147_scc_write;
++ else if (MACH_IS_MVME16x)
++ early_console_instance.write = mvme16x_cons_write;
++ else
++ early_console_instance.write = debug_cons_nputs;
+ early_console = &early_console_instance;
+ register_console(early_console);
+
+@@ -51,20 +42,15 @@ static int __init setup_early_printk(char *buf)
+ }
+ early_param("earlyprintk", setup_early_printk);
+
+-/*
+- * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be called
+- * after init sections are discarded (for platforms that use it).
+- */
+-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
+- defined(CONFIG_COLDFIRE))
+-
+ static int __init unregister_early_console(void)
+ {
+- if (!early_console || MACH_IS_MVME16x)
+- return 0;
++ /*
++ * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be
++ * called after init sections are discarded (for platforms that use it).
++ */
++ if (early_console && early_console->write == debug_cons_nputs)
++ return unregister_console(early_console);
+
+- return unregister_console(early_console);
++ return 0;
+ }
+ late_initcall(unregister_early_console);
+-
+-#endif
+diff --git a/arch/m68k/kernel/head.S b/arch/m68k/kernel/head.S
+index 9e812d8606be..397114962a14 100644
+--- a/arch/m68k/kernel/head.S
++++ b/arch/m68k/kernel/head.S
+@@ -3267,8 +3267,8 @@ func_return putn
+ * turns around and calls the internal routines. This routine
+ * is used by the boot console.
+ *
+- * The calling parameters are:
+- * void debug_cons_nputs(const char *str, unsigned length)
++ * The function signature is -
++ * void debug_cons_nputs(struct console *c, const char *s, unsigned int n)
+ *
+ * This routine does NOT understand variable arguments only
+ * simple strings!
+@@ -3277,8 +3277,8 @@ ENTRY(debug_cons_nputs)
+ moveml %d0/%d1/%a0,%sp@-
+ movew %sr,%sp@-
+ ori #0x0700,%sr
+- movel %sp@(18),%a0 /* fetch parameter */
+- movel %sp@(22),%d1 /* fetch parameter */
++ movel %sp@(22),%a0 /* char *s */
++ movel %sp@(26),%d1 /* unsigned int n */
+ jra 2f
+ 1:
+ #ifdef CONSOLE_DEBUG
+--
+2.39.5
+
--- /dev/null
+From a32a783d9c067f662ae49e0f647bda29dd73bbfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 14:38:48 +0000
+Subject: media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check
+
+From: James Cowgill <james.cowgill@blaize.com>
+
+[ Upstream commit 803b9eabc649c778986449eb0596e5ffeb7a8aed ]
+
+The `separate_colour_plane_flag` element is only present in the SPS if
+`chroma_format_idc == 3`, so the corresponding flag should be disabled
+whenever that is not the case and not just on profiles where
+`chroma_format_idc` is not present.
+
+Fixes: b32e48503df0 ("media: controls: Validate H264 stateless controls")
+Signed-off-by: James Cowgill <james.cowgill@blaize.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls-core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+index a662fb60f73f..84fbf4e06cd3 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+@@ -894,12 +894,12 @@ static int std_validate_compound(const struct v4l2_ctrl *ctrl, u32 idx,
+
+ p_h264_sps->flags &=
+ ~V4L2_H264_SPS_FLAG_QPPRIME_Y_ZERO_TRANSFORM_BYPASS;
+-
+- if (p_h264_sps->chroma_format_idc < 3)
+- p_h264_sps->flags &=
+- ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE;
+ }
+
++ if (p_h264_sps->chroma_format_idc < 3)
++ p_h264_sps->flags &=
++ ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE;
++
+ if (p_h264_sps->flags & V4L2_H264_SPS_FLAG_FRAME_MBS_ONLY)
+ p_h264_sps->flags &=
+ ~V4L2_H264_SPS_FLAG_MB_ADAPTIVE_FRAME_FIELD;
+--
+2.39.5
+
--- /dev/null
+From 2442c979adcdf5b6bf299e4602f9032e30f742fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 16:32:34 +0200
+Subject: module: Restore the moduleparam prefix length check
+
+From: Petr Pavlu <petr.pavlu@suse.com>
+
+[ Upstream commit bdc877ba6b7ff1b6d2ebeff11e63da4a50a54854 ]
+
+The moduleparam code allows modules to provide their own definition of
+MODULE_PARAM_PREFIX, instead of using the default KBUILD_MODNAME ".".
+
+Commit 730b69d22525 ("module: check kernel param length at compile time,
+not runtime") added a check to ensure the prefix doesn't exceed
+MODULE_NAME_LEN, as this is what param_sysfs_builtin() expects.
+
+Later, commit 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking
+for sysfs perms.") removed this check, but there is no indication this was
+intentional.
+
+Since the check is still useful for param_sysfs_builtin() to function
+properly, reintroduce it in __module_param_call(), but in a modernized form
+using static_assert().
+
+While here, clean up the __module_param_call() comments. In particular,
+remove the comment "Default value instead of permissions?", which comes
+from commit 9774a1f54f17 ("[PATCH] Compile-time check re world-writeable
+module params"). This comment was related to the test variable
+__param_perm_check_##name, which was removed in the previously mentioned
+commit 58f86cc89c33.
+
+Fixes: 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking for sysfs perms.")
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
+Link: https://lore.kernel.org/r/20250630143535.267745-4-petr.pavlu@suse.com
+Signed-off-by: Daniel Gomez <da.gomez@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/moduleparam.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
+index 962cd41a2cb5..061e19c94a6b 100644
+--- a/include/linux/moduleparam.h
++++ b/include/linux/moduleparam.h
+@@ -282,10 +282,9 @@ struct kparam_array
+ #define __moduleparam_const const
+ #endif
+
+-/* This is the fundamental function for registering boot/module
+- parameters. */
++/* This is the fundamental function for registering boot/module parameters. */
+ #define __module_param_call(prefix, name, ops, arg, perm, level, flags) \
+- /* Default value instead of permissions? */ \
++ static_assert(sizeof(""prefix) - 1 <= MAX_PARAM_PREFIX_LEN); \
+ static const char __param_str_##name[] = prefix #name; \
+ static struct kernel_param __moduleparam_const __param_##name \
+ __used __section("__param") \
+--
+2.39.5
+
--- /dev/null
+From f685f1503ddd70d620559a889874aba4fb3ea787 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 17:53:13 +0300
+Subject: mtd: fix possible integer overflow in erase_xfer()
+
+From: Ivan Stepchenko <sid@itb.spb.ru>
+
+[ Upstream commit 9358bdb9f9f54d94ceafc650deffefd737d19fdd ]
+
+The expression '1 << EraseUnitSize' is evaluated in int, which causes
+a negative result when shifting by 31 - the upper bound of the valid
+range [10, 31], enforced by scan_header(). This leads to incorrect
+extension when storing the result in 'erase->len' (uint64_t), producing
+a large unexpected value.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ftl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/ftl.c b/drivers/mtd/ftl.c
+index 8c22064ead38..f2bd1984609c 100644
+--- a/drivers/mtd/ftl.c
++++ b/drivers/mtd/ftl.c
+@@ -344,7 +344,7 @@ static int erase_xfer(partition_t *part,
+ return -ENOMEM;
+
+ erase->addr = xfer->Offset;
+- erase->len = 1 << part->header.EraseUnitSize;
++ erase->len = 1ULL << part->header.EraseUnitSize;
+
+ ret = mtd_erase(part->mbd.mtd, erase);
+ if (!ret) {
+--
+2.39.5
+
--- /dev/null
+From f514c9decb51f97d3c9c7d3aa58ea1dfb38791e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 08:45:11 +0200
+Subject: mtd: rawnand: atmel: Fix dma_mapping_error() address
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit e1e6b933c56b1e9fda93caa0b8bae39f3f421e5c ]
+
+It seems like what was intended is to test if the dma_map of the
+previous line failed but the wrong dma address was passed.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Rule: add
+Link: https://lore.kernel.org/stable/20250702064515.18145-2-fourier.thomas%40gmail.com
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c
+index 3f494f7c7ecb..d4fd1302008e 100644
+--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
+@@ -373,7 +373,7 @@ static int atmel_nand_dma_transfer(struct atmel_nand_controller *nc,
+ dma_cookie_t cookie;
+
+ buf_dma = dma_map_single(nc->dev, buf, len, dir);
+- if (dma_mapping_error(nc->dev, dev_dma)) {
++ if (dma_mapping_error(nc->dev, buf_dma)) {
+ dev_err(nc->dev,
+ "Failed to prepare a buffer for DMA access\n");
+ goto err;
+--
+2.39.5
+
--- /dev/null
+From 0deab944f7fffb7f7c209c3e4eed7fe47348995a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 16:13:40 +0530
+Subject: mtd: rawnand: atmel: set pmecc data setup time
+
+From: Balamanikandan Gunasundar <balamanikandan.gunasundar@microchip.com>
+
+[ Upstream commit f552a7c7e0a14215cb8a6fd89e60fa3932a74786 ]
+
+Setup the pmecc data setup time as 3 clock cycles for 133MHz as recommended
+by the datasheet.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Reported-by: Zixun LI <admin@hifiphile.com>
+Closes: https://lore.kernel.org/all/c015bb20-6a57-4f63-8102-34b3d83e0f5b@microchip.com
+Suggested-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+Signed-off-by: Balamanikandan Gunasundar <balamanikandan.gunasundar@microchip.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/atmel/pmecc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/mtd/nand/raw/atmel/pmecc.c b/drivers/mtd/nand/raw/atmel/pmecc.c
+index 3c7dee1be21d..0b402823b619 100644
+--- a/drivers/mtd/nand/raw/atmel/pmecc.c
++++ b/drivers/mtd/nand/raw/atmel/pmecc.c
+@@ -143,6 +143,7 @@ struct atmel_pmecc_caps {
+ int nstrengths;
+ int el_offset;
+ bool correct_erased_chunks;
++ bool clk_ctrl;
+ };
+
+ struct atmel_pmecc {
+@@ -843,6 +844,10 @@ static struct atmel_pmecc *atmel_pmecc_create(struct platform_device *pdev,
+ if (IS_ERR(pmecc->regs.errloc))
+ return ERR_CAST(pmecc->regs.errloc);
+
++ /* pmecc data setup time */
++ if (caps->clk_ctrl)
++ writel(PMECC_CLK_133MHZ, pmecc->regs.base + ATMEL_PMECC_CLK);
++
+ /* Disable all interrupts before registering the PMECC handler. */
+ writel(0xffffffff, pmecc->regs.base + ATMEL_PMECC_IDR);
+ atmel_pmecc_reset(pmecc);
+@@ -896,6 +901,7 @@ static struct atmel_pmecc_caps at91sam9g45_caps = {
+ .strengths = atmel_pmecc_strengths,
+ .nstrengths = 5,
+ .el_offset = 0x8c,
++ .clk_ctrl = true,
+ };
+
+ static struct atmel_pmecc_caps sama5d4_caps = {
+--
+2.39.5
+
--- /dev/null
+From 1428e264befb7f816ae9049f51adf16873fabc1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:15:50 +0200
+Subject: mtd: rawnand: rockchip: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 3b36f86dc47261828f96f826077131a35dd825fd ]
+
+The DMA map functions can fail and should be tested for errors.
+
+Fixes: 058e0e847d54 ("mtd: rawnand: rockchip: NFC driver for RK3308, RK2928 and others")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/mtd/nand/raw/rockchip-nand-controller.c b/drivers/mtd/nand/raw/rockchip-nand-controller.c
+index 2a95dd63b8c2..f68600ce5bfa 100644
+--- a/drivers/mtd/nand/raw/rockchip-nand-controller.c
++++ b/drivers/mtd/nand/raw/rockchip-nand-controller.c
+@@ -656,9 +656,16 @@ static int rk_nfc_write_page_hwecc(struct nand_chip *chip, const u8 *buf,
+
+ dma_data = dma_map_single(nfc->dev, (void *)nfc->page_buf,
+ mtd->writesize, DMA_TO_DEVICE);
++ if (dma_mapping_error(nfc->dev, dma_data))
++ return -ENOMEM;
++
+ dma_oob = dma_map_single(nfc->dev, nfc->oob_buf,
+ ecc->steps * oob_step,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(nfc->dev, dma_oob)) {
++ dma_unmap_single(nfc->dev, dma_data, mtd->writesize, DMA_TO_DEVICE);
++ return -ENOMEM;
++ }
+
+ reinit_completion(&nfc->done);
+ writel(INT_DMA, nfc->regs + nfc->cfg->int_en_off);
+@@ -772,9 +779,17 @@ static int rk_nfc_read_page_hwecc(struct nand_chip *chip, u8 *buf, int oob_on,
+ dma_data = dma_map_single(nfc->dev, nfc->page_buf,
+ mtd->writesize,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(nfc->dev, dma_data))
++ return -ENOMEM;
++
+ dma_oob = dma_map_single(nfc->dev, nfc->oob_buf,
+ ecc->steps * oob_step,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(nfc->dev, dma_oob)) {
++ dma_unmap_single(nfc->dev, dma_data, mtd->writesize,
++ DMA_FROM_DEVICE);
++ return -ENOMEM;
++ }
+
+ /*
+ * The first blocks (4, 8 or 16 depending on the device)
+--
+2.39.5
+
--- /dev/null
+From 70853b6d587053b804edeaa4072bc4d7b6cb2cd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 13:13:34 +0200
+Subject: mwl8k: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 50459501b9a212dbe7a673727589ee105a8a9954 ]
+
+The DMA map functions can fail and should be tested for errors.
+If the mapping fails, unmap and return an error.
+
+Fixes: 788838ebe8a4 ("mwl8k: use pci_unmap_addr{,set}() to keep track of unmap addresses on rx")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20250709111339.25360-2-fourier.thomas@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwl8k.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
+index c0ecd769ada7..1a48914e6f82 100644
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -1222,6 +1222,10 @@ static int rxq_refill(struct ieee80211_hw *hw, int index, int limit)
+
+ addr = dma_map_single(&priv->pdev->dev, skb->data,
+ MWL8K_RX_MAXSZ, DMA_FROM_DEVICE);
++ if (dma_mapping_error(&priv->pdev->dev, addr)) {
++ kfree_skb(skb);
++ break;
++ }
+
+ rxq->rxd_count++;
+ rx = rxq->tail++;
+--
+2.39.5
+
--- /dev/null
+From b862bec856deea3bd77977975a92c95cbb85678b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 12:19:28 +0000
+Subject: net: dst: annotate data-races around dst->input
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f1c5fd34891a1c242885f48c2e4dc52df180f311 ]
+
+dst_dev_put() can overwrite dst->input while other
+cpus might read this field (for instance from dst_input())
+
+Add READ_ONCE()/WRITE_ONCE() annotations to suppress
+potential issues.
+
+We will likely need full RCU protection later.
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250630121934.3399505-5-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/dst.h | 2 +-
+ include/net/lwtunnel.h | 4 ++--
+ net/core/dst.c | 2 +-
+ net/ipv4/route.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/dst.h b/include/net/dst.h
+index 16b7b99b5f30..ef7f88f01881 100644
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -474,7 +474,7 @@ INDIRECT_CALLABLE_DECLARE(int ip_local_deliver(struct sk_buff *));
+ /* Input packet from network to transport. */
+ static inline int dst_input(struct sk_buff *skb)
+ {
+- return INDIRECT_CALL_INET(skb_dst(skb)->input,
++ return INDIRECT_CALL_INET(READ_ONCE(skb_dst(skb)->input),
+ ip6_input, ip_local_deliver, skb);
+ }
+
+diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h
+index 53bd2d02a4f0..a4632a64daae 100644
+--- a/include/net/lwtunnel.h
++++ b/include/net/lwtunnel.h
+@@ -142,8 +142,8 @@ static inline void lwtunnel_set_redirect(struct dst_entry *dst)
+ dst->output = lwtunnel_output;
+ }
+ if (lwtunnel_input_redirect(dst->lwtstate)) {
+- dst->lwtstate->orig_input = dst->input;
+- dst->input = lwtunnel_input;
++ dst->lwtstate->orig_input = READ_ONCE(dst->input);
++ WRITE_ONCE(dst->input, lwtunnel_input);
+ }
+ }
+ #else
+diff --git a/net/core/dst.c b/net/core/dst.c
+index aad197e761cb..def3dbbd37e3 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -150,7 +150,7 @@ void dst_dev_put(struct dst_entry *dst)
+ dst->obsolete = DST_OBSOLETE_DEAD;
+ if (dst->ops->ifdown)
+ dst->ops->ifdown(dst, dev);
+- dst->input = dst_discard;
++ WRITE_ONCE(dst->input, dst_discard);
+ dst->output = dst_discard_out;
+ dst->dev = blackhole_netdev;
+ netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker,
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 8ee1ad2d8c13..f8538507ce3f 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1699,7 +1699,7 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt)
+ else if (rt->rt_gw_family == AF_INET6)
+ new_rt->rt_gw6 = rt->rt_gw6;
+
+- new_rt->dst.input = rt->dst.input;
++ new_rt->dst.input = READ_ONCE(rt->dst.input);
+ new_rt->dst.output = rt->dst.output;
+ new_rt->dst.error = rt->dst.error;
+ new_rt->dst.lastuse = jiffies;
+--
+2.39.5
+
--- /dev/null
+From 83d75d17b3aac12cd21fc12bd2834fc519f5eb15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 12:19:29 +0000
+Subject: net: dst: annotate data-races around dst->output
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2dce8c52a98995c4719def6f88629ab1581c0b82 ]
+
+dst_dev_put() can overwrite dst->output while other
+cpus might read this field (for instance from dst_output())
+
+Add READ_ONCE()/WRITE_ONCE() annotations to suppress
+potential issues.
+
+We will likely need RCU protection in the future.
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250630121934.3399505-6-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/dst.h | 2 +-
+ include/net/lwtunnel.h | 4 ++--
+ net/core/dst.c | 2 +-
+ net/ipv4/route.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/dst.h b/include/net/dst.h
+index ef7f88f01881..60fb5d2faf43 100644
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -464,7 +464,7 @@ INDIRECT_CALLABLE_DECLARE(int ip_output(struct net *, struct sock *,
+ /* Output packet to network from transport. */
+ static inline int dst_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+- return INDIRECT_CALL_INET(skb_dst(skb)->output,
++ return INDIRECT_CALL_INET(READ_ONCE(skb_dst(skb)->output),
+ ip6_output, ip_output,
+ net, sk, skb);
+ }
+diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h
+index a4632a64daae..09791f5d9b6e 100644
+--- a/include/net/lwtunnel.h
++++ b/include/net/lwtunnel.h
+@@ -138,8 +138,8 @@ int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len,
+ static inline void lwtunnel_set_redirect(struct dst_entry *dst)
+ {
+ if (lwtunnel_output_redirect(dst->lwtstate)) {
+- dst->lwtstate->orig_output = dst->output;
+- dst->output = lwtunnel_output;
++ dst->lwtstate->orig_output = READ_ONCE(dst->output);
++ WRITE_ONCE(dst->output, lwtunnel_output);
+ }
+ if (lwtunnel_input_redirect(dst->lwtstate)) {
+ dst->lwtstate->orig_input = READ_ONCE(dst->input);
+diff --git a/net/core/dst.c b/net/core/dst.c
+index def3dbbd37e3..2513665696f6 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -151,7 +151,7 @@ void dst_dev_put(struct dst_entry *dst)
+ if (dst->ops->ifdown)
+ dst->ops->ifdown(dst, dev);
+ WRITE_ONCE(dst->input, dst_discard);
+- dst->output = dst_discard_out;
++ WRITE_ONCE(dst->output, dst_discard_out);
+ dst->dev = blackhole_netdev;
+ netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker,
+ GFP_ATOMIC);
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index f8538507ce3f..6ee77f7f9114 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1700,7 +1700,7 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt)
+ new_rt->rt_gw6 = rt->rt_gw6;
+
+ new_rt->dst.input = READ_ONCE(rt->dst.input);
+- new_rt->dst.output = rt->dst.output;
++ new_rt->dst.output = READ_ONCE(rt->dst.output);
+ new_rt->dst.error = rt->dst.error;
+ new_rt->dst.lastuse = jiffies;
+ new_rt->dst.lwtstate = lwtstate_get(rt->dst.lwtstate);
+--
+2.39.5
+
--- /dev/null
+From cb82f392b19eabff585f8626e1d6c0308ad93085 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 00:44:15 +0200
+Subject: net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain
+
+From: Petr Machata <petrm@nvidia.com>
+
+[ Upstream commit 3365afd3abda5f6a54f4a822dad5c9314e94c3fc ]
+
+The netfilter hook is invoked with skb->dev for input netdevice, and
+vif_dev for output netdevice. However at the point of invocation, skb->dev
+is already set to vif_dev, and MR-forwarded packets are reported with
+in=out:
+
+ # ip6tables -A FORWARD -j LOG --log-prefix '[forw]'
+ # cd tools/testing/selftests/net/forwarding
+ # ./router_multicast.sh
+ # dmesg | fgrep '[forw]'
+ [ 1670.248245] [forw]IN=v5 OUT=v5 [...]
+
+For reference, IPv4 MR code shows in and out as appropriate.
+Fix by caching skb->dev and using the updated value for output netdev.
+
+Fixes: 7bc570c8b4f7 ("[IPV6] MROUTE: Support multicast forwarding.")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/3141ae8386fbe13fef4b793faa75e6bae58d798a.1750113335.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6mr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
+index 7f19868d7d6c..18451dfeae68 100644
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -2035,6 +2035,7 @@ static int ip6mr_forward2(struct net *net, struct mr_table *mrt,
+ struct sk_buff *skb, int vifi)
+ {
+ struct vif_device *vif = &mrt->vif_table[vifi];
++ struct net_device *indev = skb->dev;
+ struct net_device *vif_dev;
+ struct ipv6hdr *ipv6h;
+ struct dst_entry *dst;
+@@ -2097,7 +2098,7 @@ static int ip6mr_forward2(struct net *net, struct mr_table *mrt,
+ IP6CB(skb)->flags |= IP6SKB_FORWARDED;
+
+ return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD,
+- net, NULL, skb, skb->dev, vif_dev,
++ net, NULL, skb, indev, skb->dev,
+ ip6mr_forward2_finish);
+
+ out_free:
+--
+2.39.5
+
--- /dev/null
+From 4f6f6ca797499e86735bcea8746ec1addf4dae46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 15:08:12 +0300
+Subject: net/mlx5: Check device memory pointer before usage
+
+From: Stav Aviram <saviram@nvidia.com>
+
+[ Upstream commit 70f238c902b8c0461ae6fbb8d1a0bbddc4350eea ]
+
+Add a NULL check before accessing device memory to prevent a crash if
+dev->dm allocation in mlx5_init_once() fails.
+
+Fixes: c9b9dcb430b3 ("net/mlx5: Move device memory management to mlx5_core")
+Signed-off-by: Stav Aviram <saviram@nvidia.com>
+Link: https://patch.msgid.link/c88711327f4d74d5cebc730dc629607e989ca187.1751370035.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/dm.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 ---
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/dm.c b/drivers/infiniband/hw/mlx5/dm.c
+index 3669c90b2dad..672e5cfd2fca 100644
+--- a/drivers/infiniband/hw/mlx5/dm.c
++++ b/drivers/infiniband/hw/mlx5/dm.c
+@@ -282,7 +282,7 @@ static struct ib_dm *handle_alloc_dm_memic(struct ib_ucontext *ctx,
+ int err;
+ u64 address;
+
+- if (!MLX5_CAP_DEV_MEM(dm_db->dev, memic))
++ if (!dm_db || !MLX5_CAP_DEV_MEM(dm_db->dev, memic))
+ return ERR_PTR(-EOPNOTSUPP);
+
+ dm = kzalloc(sizeof(*dm), GFP_KERNEL);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c
+index 9482e51ac82a..bdbbfaf504d9 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c
+@@ -28,7 +28,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev)
+
+ dm = kzalloc(sizeof(*dm), GFP_KERNEL);
+ if (!dm)
+- return ERR_PTR(-ENOMEM);
++ return NULL;
+
+ spin_lock_init(&dm->lock);
+
+@@ -80,7 +80,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev)
+ err_steering:
+ kfree(dm);
+
+- return ERR_PTR(-ENOMEM);
++ return NULL;
+ }
+
+ void mlx5_dm_cleanup(struct mlx5_core_dev *dev)
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 32fa789a6960..62a85f09b52f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1055,9 +1055,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev)
+ }
+
+ dev->dm = mlx5_dm_create(dev);
+- if (IS_ERR(dev->dm))
+- mlx5_core_warn(dev, "Failed to init device memory %ld\n", PTR_ERR(dev->dm));
+-
+ dev->tracer = mlx5_fw_tracer_create(dev);
+ dev->hv_vhca = mlx5_hv_vhca_create(dev);
+ dev->rsc_dump = mlx5_rsc_dump_create(dev);
+--
+2.39.5
+
--- /dev/null
+From a193c7a6b998acbed53e41fa7d32736842d60a2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 10:44:30 +0300
+Subject: net/mlx5e: Clear Read-Only port buffer size in PBMC before update
+
+From: Alexei Lazar <alazar@nvidia.com>
+
+[ Upstream commit fd4b97246a23c1149479b88490946bcfbd28de63 ]
+
+When updating the PBMC register, we read its current value,
+modify desired fields, then write it back.
+
+The port_buffer_size field within PBMC is Read-Only (RO).
+If this RO field contains a non-zero value when read,
+attempting to write it back will cause the entire PBMC
+register update to fail.
+
+This commit ensures port_buffer_size is explicitly cleared
+to zero after reading the PBMC register but before writing
+back the modified value.
+This allows updates to other fields in the PBMC register to succeed.
+
+Fixes: 0696d60853d5 ("net/mlx5e: Receive buffer configuration")
+Signed-off-by: Alexei Lazar <alazar@nvidia.com>
+Reviewed-by: Yael Chemla <ychemla@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1753256672-337784-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c
+index 8e25f4ef5ccc..5ae787656a7c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c
+@@ -331,6 +331,9 @@ static int port_set_buffer(struct mlx5e_priv *priv,
+ if (err)
+ goto out;
+
++ /* RO bits should be set to 0 on write */
++ MLX5_SET(pbmc_reg, in, port_buffer_size, 0);
++
+ err = mlx5e_port_set_pbmc(mdev, in);
+ out:
+ kfree(in);
+--
+2.39.5
+
--- /dev/null
+From 972eff12c439cbc2c7f622b2f75b342eb096ecda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 10:44:31 +0300
+Subject: net/mlx5e: Remove skb secpath if xfrm state is not found
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 6d19c44b5c6dd72f9a357d0399604ec16a77de3c ]
+
+Hardware returns a unique identifier for a decrypted packet's xfrm
+state, this state is looked up in an xarray. However, the state might
+have been freed by the time of this lookup.
+
+Currently, if the state is not found, only a counter is incremented.
+The secpath (sp) extension on the skb is not removed, resulting in
+sp->len becoming 0.
+
+Subsequently, functions like __xfrm_policy_check() attempt to access
+fields such as xfrm_input_state(skb)->xso.type (which dereferences
+sp->xvec[sp->len - 1]) without first validating sp->len. This leads to
+a crash when dereferencing an invalid state pointer.
+
+This patch prevents the crash by explicitly removing the secpath
+extension from the skb if the xfrm state is not found after hardware
+decryption. This ensures downstream functions do not operate on a
+zero-length secpath.
+
+ BUG: unable to handle page fault for address: ffffffff000002c8
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 282e067 P4D 282e067 PUD 0
+ Oops: Oops: 0000 [#1] SMP
+ CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:__xfrm_policy_check+0x61a/0xa30
+ Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 <0f> b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa
+ RSP: 0018:ffff88885fb04918 EFLAGS: 00010297
+ RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000
+ RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353
+ R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8
+ R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00
+ FS: 0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <IRQ>
+ ? try_to_wake_up+0x108/0x4c0
+ ? udp4_lib_lookup2+0xbe/0x150
+ ? udp_lib_lport_inuse+0x100/0x100
+ ? __udp4_lib_lookup+0x2b0/0x410
+ __xfrm_policy_check2.constprop.0+0x11e/0x130
+ udp_queue_rcv_one_skb+0x1d/0x530
+ udp_unicast_rcv_skb+0x76/0x90
+ __udp4_lib_rcv+0xa64/0xe90
+ ip_protocol_deliver_rcu+0x20/0x130
+ ip_local_deliver_finish+0x75/0xa0
+ ip_local_deliver+0xc1/0xd0
+ ? ip_protocol_deliver_rcu+0x130/0x130
+ ip_sublist_rcv+0x1f9/0x240
+ ? ip_rcv_finish_core+0x430/0x430
+ ip_list_rcv+0xfc/0x130
+ __netif_receive_skb_list_core+0x181/0x1e0
+ netif_receive_skb_list_internal+0x200/0x360
+ ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core]
+ gro_receive_skb+0xfd/0x210
+ mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core]
+ mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core]
+ ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core]
+ mlx5e_napi_poll+0x114/0xab0 [mlx5_core]
+ __napi_poll+0x25/0x170
+ net_rx_action+0x32d/0x3a0
+ ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core]
+ ? notifier_call_chain+0x33/0xa0
+ handle_softirqs+0xda/0x250
+ irq_exit_rcu+0x6d/0xc0
+ common_interrupt+0x81/0xa0
+ </IRQ>
+
+Fixes: b2ac7541e377 ("net/mlx5e: IPsec: Add Connect-X IPsec Rx data path offload")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Yael Chemla <ychemla@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1753256672-337784-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c
+index 51a144246ea6..f96e9bbf8fc6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c
+@@ -333,6 +333,10 @@ void mlx5e_ipsec_offload_handle_rx_skb(struct net_device *netdev,
+ if (unlikely(!sa_entry)) {
+ rcu_read_unlock();
+ atomic64_inc(&ipsec->sw_stats.ipsec_rx_drop_sadb_miss);
++ /* Clear secpath to prevent invalid dereference
++ * in downstream XFRM policy checks.
++ */
++ secpath_reset(skb);
+ return;
+ }
+ xfrm_state_hold(sa_entry->x);
+--
+2.39.5
+
--- /dev/null
+From 485b1acf6120ef0268a386cab5cdce653963fb49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 16:43:26 +0000
+Subject: net/sched: Restrict conditions for adding duplicating netems to qdisc
+ tree
+
+From: William Liu <will@willsroot.io>
+
+[ Upstream commit ec8e0e3d7adef940cdf9475e2352c0680189d14e ]
+
+netem_enqueue's duplication prevention logic breaks when a netem
+resides in a qdisc tree with other netems - this can lead to a
+soft lockup and OOM loop in netem_dequeue, as seen in [1].
+Ensure that a duplicating netem cannot exist in a tree with other
+netems.
+
+Previous approaches suggested in discussions in chronological order:
+
+1) Track duplication status or ttl in the sk_buff struct. Considered
+too specific a use case to extend such a struct, though this would
+be a resilient fix and address other previous and potential future
+DOS bugs like the one described in loopy fun [2].
+
+2) Restrict netem_enqueue recursion depth like in act_mirred with a
+per cpu variable. However, netem_dequeue can call enqueue on its
+child, and the depth restriction could be bypassed if the child is a
+netem.
+
+3) Use the same approach as in 2, but add metadata in netem_skb_cb
+to handle the netem_dequeue case and track a packet's involvement
+in duplication. This is an overly complex approach, and Jamal
+notes that the skb cb can be overwritten to circumvent this
+safeguard.
+
+4) Prevent the addition of a netem to a qdisc tree if its ancestral
+path contains a netem. However, filters and actions can cause a
+packet to change paths when re-enqueued to the root from netem
+duplication, leading us to the current solution: prevent a
+duplicating netem from inhabiting the same tree as other netems.
+
+[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/
+[2] https://lwn.net/Articles/719297/
+
+Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication")
+Reported-by: William Liu <will@willsroot.io>
+Reported-by: Savino Dicanosa <savy@syst3mfailure.io>
+Signed-off-by: William Liu <will@willsroot.io>
+Signed-off-by: Savino Dicanosa <savy@syst3mfailure.io>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20250708164141.875402-1-will@willsroot.io
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_netem.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 447d3e836a24..0ad231e94e14 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -972,6 +972,41 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
+ return 0;
+ }
+
++static const struct Qdisc_class_ops netem_class_ops;
++
++static int check_netem_in_tree(struct Qdisc *sch, bool duplicates,
++ struct netlink_ext_ack *extack)
++{
++ struct Qdisc *root, *q;
++ unsigned int i;
++
++ root = qdisc_root_sleeping(sch);
++
++ if (sch != root && root->ops->cl_ops == &netem_class_ops) {
++ if (duplicates ||
++ ((struct netem_sched_data *)qdisc_priv(root))->duplicate)
++ goto err;
++ }
++
++ if (!qdisc_dev(root))
++ return 0;
++
++ hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) {
++ if (sch != q && q->ops->cl_ops == &netem_class_ops) {
++ if (duplicates ||
++ ((struct netem_sched_data *)qdisc_priv(q))->duplicate)
++ goto err;
++ }
++ }
++
++ return 0;
++
++err:
++ NL_SET_ERR_MSG(extack,
++ "netem: cannot mix duplicating netems with other netems in tree");
++ return -EINVAL;
++}
++
+ /* Parse netlink message to set options */
+ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ struct netlink_ext_ack *extack)
+@@ -1030,6 +1065,11 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ q->gap = qopt->gap;
+ q->counter = 0;
+ q->loss = qopt->loss;
++
++ ret = check_netem_in_tree(sch, qopt->duplicate, extack);
++ if (ret)
++ goto unlock;
++
+ q->duplicate = qopt->duplicate;
+
+ /* for compatibility with earlier versions.
+--
+2.39.5
+
--- /dev/null
+From cefefa102a725bb76b52d6629db982e01ba65833 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 09:01:57 +0000
+Subject: net_sched: act_ctinfo: use atomic64_t for three counters
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d300335b4e18672913dd792ff9f49e6cccf41d26 ]
+
+Commit 21c167aa0ba9 ("net/sched: act_ctinfo: use percpu stats")
+missed that stats_dscp_set, stats_dscp_error and stats_cpmark_set
+might be written (and read) locklessly.
+
+Use atomic64_t for these three fields, I doubt act_ctinfo is used
+heavily on big SMP hosts anyway.
+
+Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Pedro Tammela <pctammela@mojatatu.com>
+Link: https://patch.msgid.link/20250709090204.797558-6-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tc_act/tc_ctinfo.h | 6 +++---
+ net/sched/act_ctinfo.c | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/include/net/tc_act/tc_ctinfo.h b/include/net/tc_act/tc_ctinfo.h
+index f071c1d70a25..a04bcac7adf4 100644
+--- a/include/net/tc_act/tc_ctinfo.h
++++ b/include/net/tc_act/tc_ctinfo.h
+@@ -18,9 +18,9 @@ struct tcf_ctinfo_params {
+ struct tcf_ctinfo {
+ struct tc_action common;
+ struct tcf_ctinfo_params __rcu *params;
+- u64 stats_dscp_set;
+- u64 stats_dscp_error;
+- u64 stats_cpmark_set;
++ atomic64_t stats_dscp_set;
++ atomic64_t stats_dscp_error;
++ atomic64_t stats_cpmark_set;
+ };
+
+ enum {
+diff --git a/net/sched/act_ctinfo.c b/net/sched/act_ctinfo.c
+index 4d15b6a6169c..8792244620b9 100644
+--- a/net/sched/act_ctinfo.c
++++ b/net/sched/act_ctinfo.c
+@@ -44,9 +44,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
+ ipv4_change_dsfield(ip_hdr(skb),
+ INET_ECN_MASK,
+ newdscp);
+- ca->stats_dscp_set++;
++ atomic64_inc(&ca->stats_dscp_set);
+ } else {
+- ca->stats_dscp_error++;
++ atomic64_inc(&ca->stats_dscp_error);
+ }
+ }
+ break;
+@@ -57,9 +57,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
+ ipv6_change_dsfield(ipv6_hdr(skb),
+ INET_ECN_MASK,
+ newdscp);
+- ca->stats_dscp_set++;
++ atomic64_inc(&ca->stats_dscp_set);
+ } else {
+- ca->stats_dscp_error++;
++ atomic64_inc(&ca->stats_dscp_error);
+ }
+ }
+ break;
+@@ -72,7 +72,7 @@ static void tcf_ctinfo_cpmark_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
+ struct tcf_ctinfo_params *cp,
+ struct sk_buff *skb)
+ {
+- ca->stats_cpmark_set++;
++ atomic64_inc(&ca->stats_cpmark_set);
+ skb->mark = READ_ONCE(ct->mark) & cp->cpmarkmask;
+ }
+
+@@ -323,15 +323,18 @@ static int tcf_ctinfo_dump(struct sk_buff *skb, struct tc_action *a,
+ }
+
+ if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_SET,
+- ci->stats_dscp_set, TCA_CTINFO_PAD))
++ atomic64_read(&ci->stats_dscp_set),
++ TCA_CTINFO_PAD))
+ goto nla_put_failure;
+
+ if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_ERROR,
+- ci->stats_dscp_error, TCA_CTINFO_PAD))
++ atomic64_read(&ci->stats_dscp_error),
++ TCA_CTINFO_PAD))
+ goto nla_put_failure;
+
+ if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_CPMARK_SET,
+- ci->stats_cpmark_set, TCA_CTINFO_PAD))
++ atomic64_read(&ci->stats_cpmark_set),
++ TCA_CTINFO_PAD))
+ goto nla_put_failure;
+
+ spin_unlock_bh(&ci->tcf_lock);
+--
+2.39.5
+
--- /dev/null
+From 9a482fa0d6a6ab2981c8a183857e18a3c59582ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:12:15 +0300
+Subject: netfilter: nf_tables: adjust lockdep assertions handling
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 8df1b40de76979bb8e975201d07b71103d5de820 ]
+
+It's needed to check the return value of lockdep_commit_lock_is_held(),
+otherwise there's no point in this assertion as it doesn't print any
+debug information on itself.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace static
+analysis tool.
+
+Fixes: b04df3da1b5c ("netfilter: nf_tables: do not defer rule destruction via call_rcu")
+Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index c9582f008983..4ffb5ef79ca1 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3775,7 +3775,7 @@ void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
+ /* can only be used if rule is no longer visible to dumps */
+ static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
+ {
+- lockdep_commit_lock_is_held(ctx->net);
++ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
+
+ nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
+ nf_tables_rule_destroy(ctx, rule);
+@@ -5571,7 +5571,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_binding *binding,
+ enum nft_trans_phase phase)
+ {
+- lockdep_commit_lock_is_held(ctx->net);
++ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
+
+ switch (phase) {
+ case NFT_TRANS_PREPARE_ERROR:
+--
+2.39.5
+
--- /dev/null
+From 4ab622c5e3da580322f564cfbe4dcf363b7ce7ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 15:37:02 +0200
+Subject: netfilter: nf_tables: Drop dead code from fill_*_info routines
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 8080357a8c6cf4905bbd8969412c19d34be3395e ]
+
+This practically reverts commit 28339b21a365 ("netfilter: nf_tables: do
+not send complete notification of deletions"): The feature was never
+effective, due to prior modification of 'event' variable the conditional
+early return never happened.
+
+User space also relies upon the current behaviour, so better reintroduce
+the shortened deletion notifications once it is fixed.
+
+Fixes: 28339b21a365 ("netfilter: nf_tables: do not send complete notification of deletions")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 25 -------------------------
+ 1 file changed, 25 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 18ae39cf4188..c9582f008983 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -979,11 +979,6 @@ static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
+ NFTA_TABLE_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELTABLE) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
+ htonl(table->flags & NFT_TABLE_F_MASK)))
+ goto nla_put_failure;
+@@ -1827,11 +1822,6 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
+ NFTA_CHAIN_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELCHAIN && !hook_list) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nft_is_base_chain(chain)) {
+ const struct nft_base_chain *basechain = nft_base_chain(chain);
+ struct nft_stats __percpu *stats;
+@@ -4584,11 +4574,6 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
+ NFTA_SET_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELSET) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (set->flags != 0)
+ if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
+ goto nla_put_failure;
+@@ -7828,11 +7813,6 @@ static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
+ NFTA_OBJ_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELOBJ) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
+ nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
+ nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
+@@ -8851,11 +8831,6 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
+ NFTA_FLOWTABLE_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
+ nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
+ goto nla_put_failure;
+--
+2.39.5
+
--- /dev/null
+From 23a9bdfedfdb912308e04cb49934881fb8af21d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 13:27:13 +0200
+Subject: netfilter: xt_nfacct: don't assume acct name is null-terminated
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit bf58e667af7d96c8eb9411f926a0a0955f41ce21 ]
+
+BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721
+Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851
+[..]
+ string+0x231/0x2b0 lib/vsprintf.c:721
+ vsnprintf+0x739/0xf00 lib/vsprintf.c:2874
+ [..]
+ nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41
+ xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523
+
+nfnl_acct_find_get() handles non-null input, but the error
+printk relied on its presence.
+
+Reported-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4ff165b9251e4d295690
+Tested-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com
+Fixes: ceb98d03eac5 ("netfilter: xtables: add nfacct match to support extended accounting")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_nfacct.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
+index 7c6bf1c16813..0ca1cdfc4095 100644
+--- a/net/netfilter/xt_nfacct.c
++++ b/net/netfilter/xt_nfacct.c
+@@ -38,8 +38,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par)
+
+ nfacct = nfnl_acct_find_get(par->net, info->name);
+ if (nfacct == NULL) {
+- pr_info_ratelimited("accounting object `%s' does not exists\n",
+- info->name);
++ pr_info_ratelimited("accounting object `%.*s' does not exist\n",
++ NFACCT_NAME_MAX, info->name);
+ return -ENOENT;
+ }
+ info->nfacct = nfacct;
+--
+2.39.5
+
--- /dev/null
+From 36ca2c44b271ab46629a61068f306a9d7882d840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:20:22 +0530
+Subject: PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem
+ attribute
+
+From: Manivannan Sadhasivam <mani@kernel.org>
+
+[ Upstream commit 61ae7f8694fb4b57a8c02a1a8d2b601806afc999 ]
+
+__iomem attribute is supposed to be used only with variables holding the
+MMIO pointer. But here, 'mw_addr' variable is just holding a 'void *'
+returned by pci_epf_alloc_space(). So annotating it with __iomem is clearly
+wrong. Hence, drop the attribute.
+
+This also fixes the below sparse warning:
+
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: warning: incorrect type in assignment (different address spaces)
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: expected void [noderef] __iomem *mw_addr
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: got void *
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: warning: incorrect type in assignment (different address spaces)
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: expected unsigned int [usertype] *epf_db
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: got void [noderef] __iomem *mw_addr
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: warning: incorrect type in argument 2 (different address spaces)
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: expected void *addr
+ drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: got void [noderef] __iomem *mw_addr
+
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250709125022.22524-1-mani@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+index 8bdd295f21cc..33c3f9b980e6 100644
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -531,7 +531,7 @@ static int epf_ntb_db_bar_init(struct epf_ntb *ntb)
+ struct device *dev = &ntb->epf->dev;
+ int ret;
+ struct pci_epf_bar *epf_bar;
+- void __iomem *mw_addr;
++ void *mw_addr;
+ enum pci_barno barno;
+ size_t size = sizeof(u32) * ntb->db_count;
+
+--
+2.39.5
+
--- /dev/null
+From 6c860372a26caad67d26d29b96ea9a8f914b5fe5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 19:03:38 +0200
+Subject: PCI: endpoint: pci-epf-vntb: Return -ENOENT if
+ pci_epc_get_next_free_bar() fails
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 7ea488cce73263231662e426639dd3e836537068 ]
+
+According the function documentation of epf_ntb_init_epc_bar(), the
+function should return an error code on error. However, it returns -1 when
+no BAR is available i.e., when pci_epc_get_next_free_bar() fails.
+
+Return -ENOENT instead.
+
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+[mani: changed err code to -ENOENT]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250603-pci-vntb-bar-mapping-v2-1-fc685a22ad28@baylibre.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+index 3368f483f818..8bdd295f21cc 100644
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -711,7 +711,7 @@ static int epf_ntb_init_epc_bar(struct epf_ntb *ntb)
+ barno = pci_epc_get_next_free_bar(epc_features, barno);
+ if (barno < 0) {
+ dev_err(dev, "Fail to get NTB function BAR\n");
+- return barno;
++ return -ENOENT;
+ }
+ ntb->epf_ntb_bar[bar] = barno;
+ }
+--
+2.39.5
+
--- /dev/null
+From 7526aee5f7fffdd6eb0cdb92118ac99d80c2bc38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:36:07 -0500
+Subject: PCI: pnv_php: Clean up allocated IRQs on unplug
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit 4668619092554e1b95c9a5ac2941ca47ba6d548a ]
+
+When the root of a nested PCIe bridge configuration is unplugged, the
+pnv_php driver leaked the allocated IRQ resources for the child bridges'
+hotplug event notifications, resulting in a panic.
+
+Fix this by walking all child buses and deallocating all its IRQ resources
+before calling pci_hp_remove_devices().
+
+Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so
+that it is only destroyed in pnv_php_free_slot(), instead of
+pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will
+now be called by workers triggered by hot unplug interrupts, so the
+workqueue needs to stay allocated.
+
+The abridged kernel panic that occurs without this patch is as follows:
+
+ WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c
+ CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2
+ Call Trace:
+ msi_device_data_release+0x34/0x9c (unreliable)
+ release_nodes+0x64/0x13c
+ devres_release_all+0xc0/0x140
+ device_del+0x2d4/0x46c
+ pci_destroy_dev+0x5c/0x194
+ pci_hp_remove_devices+0x90/0x128
+ pci_hp_remove_devices+0x44/0x128
+ pnv_php_disable_slot+0x54/0xd4
+ power_write_file+0xf8/0x18c
+ pci_slot_attr_store+0x40/0x5c
+ sysfs_kf_write+0x64/0x78
+ kernfs_fop_write_iter+0x1b0/0x290
+ vfs_write+0x3bc/0x50c
+ ksys_write+0x84/0x140
+ system_call_exception+0x124/0x230
+ system_call_vectored_common+0x15c/0x2ec
+
+Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+[bhelgaas: tidy comments]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/2013845045.1359852.1752615367790.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pnv_php.c | 96 ++++++++++++++++++++++++++++-------
+ 1 file changed, 77 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index 092c9ac0d26d..6989b8a0dc6b 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -3,6 +3,7 @@
+ * PCI Hotplug Driver for PowerPC PowerNV platform.
+ *
+ * Copyright Gavin Shan, IBM Corporation 2016.
++ * Copyright (C) 2025 Raptor Engineering, LLC
+ */
+
+ #include <linux/libfdt.h>
+@@ -35,8 +36,10 @@ static void pnv_php_register(struct device_node *dn);
+ static void pnv_php_unregister_one(struct device_node *dn);
+ static void pnv_php_unregister(struct device_node *dn);
+
++static void pnv_php_enable_irq(struct pnv_php_slot *php_slot);
++
+ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+- bool disable_device)
++ bool disable_device, bool disable_msi)
+ {
+ struct pci_dev *pdev = php_slot->pdev;
+ u16 ctrl;
+@@ -52,19 +55,15 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+ php_slot->irq = 0;
+ }
+
+- if (php_slot->wq) {
+- destroy_workqueue(php_slot->wq);
+- php_slot->wq = NULL;
+- }
+-
+- if (disable_device) {
++ if (disable_device || disable_msi) {
+ if (pdev->msix_enabled)
+ pci_disable_msix(pdev);
+ else if (pdev->msi_enabled)
+ pci_disable_msi(pdev);
++ }
+
++ if (disable_device)
+ pci_disable_device(pdev);
+- }
+ }
+
+ static void pnv_php_free_slot(struct kref *kref)
+@@ -73,7 +72,8 @@ static void pnv_php_free_slot(struct kref *kref)
+ struct pnv_php_slot, kref);
+
+ WARN_ON(!list_empty(&php_slot->children));
+- pnv_php_disable_irq(php_slot, false);
++ pnv_php_disable_irq(php_slot, false, false);
++ destroy_workqueue(php_slot->wq);
+ kfree(php_slot->name);
+ kfree(php_slot);
+ }
+@@ -560,8 +560,58 @@ static int pnv_php_reset_slot(struct hotplug_slot *slot, bool probe)
+ static int pnv_php_enable_slot(struct hotplug_slot *slot)
+ {
+ struct pnv_php_slot *php_slot = to_pnv_php_slot(slot);
++ u32 prop32;
++ int ret;
++
++ ret = pnv_php_enable(php_slot, true);
++ if (ret)
++ return ret;
++
++ /* (Re-)enable interrupt if the slot supports surprise hotplug */
++ ret = of_property_read_u32(php_slot->dn, "ibm,slot-surprise-pluggable",
++ &prop32);
++ if (!ret && prop32)
++ pnv_php_enable_irq(php_slot);
+
+- return pnv_php_enable(php_slot, true);
++ return 0;
++}
++
++/*
++ * Disable any hotplug interrupts for all slots on the provided bus, as well as
++ * all downstream slots in preparation for a hot unplug.
++ */
++static int pnv_php_disable_all_irqs(struct pci_bus *bus)
++{
++ struct pci_bus *child_bus;
++ struct pci_slot *slot;
++
++ /* First go down child buses */
++ list_for_each_entry(child_bus, &bus->children, node)
++ pnv_php_disable_all_irqs(child_bus);
++
++ /* Disable IRQs for all pnv_php slots on this bus */
++ list_for_each_entry(slot, &bus->slots, list) {
++ struct pnv_php_slot *php_slot = to_pnv_php_slot(slot->hotplug);
++
++ pnv_php_disable_irq(php_slot, false, true);
++ }
++
++ return 0;
++}
++
++/*
++ * Disable any hotplug interrupts for all downstream slots on the provided
++ * bus in preparation for a hot unplug.
++ */
++static int pnv_php_disable_all_downstream_irqs(struct pci_bus *bus)
++{
++ struct pci_bus *child_bus;
++
++ /* Go down child buses, recursively deactivating their IRQs */
++ list_for_each_entry(child_bus, &bus->children, node)
++ pnv_php_disable_all_irqs(child_bus);
++
++ return 0;
+ }
+
+ static int pnv_php_disable_slot(struct hotplug_slot *slot)
+@@ -578,6 +628,13 @@ static int pnv_php_disable_slot(struct hotplug_slot *slot)
+ php_slot->state != PNV_PHP_STATE_REGISTERED)
+ return 0;
+
++ /*
++ * Free all IRQ resources from all child slots before remove.
++ * Note that we do not disable the root slot IRQ here as that
++ * would also deactivate the slot hot (re)plug interrupt!
++ */
++ pnv_php_disable_all_downstream_irqs(php_slot->bus);
++
+ /* Remove all devices behind the slot */
+ pci_lock_rescan_remove();
+ pci_hp_remove_devices(php_slot->bus);
+@@ -646,6 +703,15 @@ static struct pnv_php_slot *pnv_php_alloc_slot(struct device_node *dn)
+ return NULL;
+ }
+
++ /* Allocate workqueue for this slot's interrupt handling */
++ php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name);
++ if (!php_slot->wq) {
++ SLOT_WARN(php_slot, "Cannot alloc workqueue\n");
++ kfree(php_slot->name);
++ kfree(php_slot);
++ return NULL;
++ }
++
+ if (dn->child && PCI_DN(dn->child))
+ php_slot->slot_no = PCI_SLOT(PCI_DN(dn->child)->devfn);
+ else
+@@ -842,14 +908,6 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq)
+ u16 sts, ctrl;
+ int ret;
+
+- /* Allocate workqueue */
+- php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name);
+- if (!php_slot->wq) {
+- SLOT_WARN(php_slot, "Cannot alloc workqueue\n");
+- pnv_php_disable_irq(php_slot, true);
+- return;
+- }
+-
+ /* Check PDC (Presence Detection Change) is broken or not */
+ ret = of_property_read_u32(php_slot->dn, "ibm,slot-broken-pdc",
+ &broken_pdc);
+@@ -868,7 +926,7 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq)
+ ret = request_irq(irq, pnv_php_interrupt, IRQF_SHARED,
+ php_slot->name, php_slot);
+ if (ret) {
+- pnv_php_disable_irq(php_slot, true);
++ pnv_php_disable_irq(php_slot, true, true);
+ SLOT_WARN(php_slot, "Error %d enabling IRQ %d\n", ret, irq);
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From 758c9dab4f50a1e2b12d272d4d30ab231a52fdf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:39:06 -0500
+Subject: PCI: pnv_php: Fix surprise plug detection and recovery
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit a2a2a6fc2469524caa713036297c542746d148dc ]
+
+The existing PowerNV hotplug code did not handle surprise plug events
+correctly, leading to a complete failure of the hotplug system after device
+removal and a required reboot to detect new devices.
+
+This comes down to two issues:
+
+ 1) When a device is surprise removed, often the bridge upstream
+ port will cause a PE freeze on the PHB. If this freeze is not
+ cleared, the MSI interrupts from the bridge hotplug notification
+ logic will not be received by the kernel, stalling all plug events
+ on all slots associated with the PE.
+
+ 2) When a device is removed from a slot, regardless of surprise or
+ programmatic removal, the associated PHB/PE ls left frozen.
+ If this freeze is not cleared via a fundamental reset, skiboot
+ is unable to clear the freeze and cannot retrain / rescan the
+ slot. This also requires a reboot to clear the freeze and redetect
+ the device in the slot.
+
+Issue the appropriate unfreeze and rescan commands on hotplug events,
+and don't oops on hotplug if pci_bus_to_OF_node() returns NULL.
+
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+[bhelgaas: tidy comments]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/171044224.1359864.1752615546988.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/pci-hotplug.c | 3 +
+ drivers/pci/hotplug/pnv_php.c | 110 +++++++++++++++++++++++++++++-
+ 2 files changed, 110 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/pci-hotplug.c b/arch/powerpc/kernel/pci-hotplug.c
+index 0fe251c6ac2c..ac70e85b0df8 100644
+--- a/arch/powerpc/kernel/pci-hotplug.c
++++ b/arch/powerpc/kernel/pci-hotplug.c
+@@ -111,6 +111,9 @@ void pci_hp_add_devices(struct pci_bus *bus)
+ struct pci_controller *phb;
+ struct device_node *dn = pci_bus_to_OF_node(bus);
+
++ if (!dn)
++ return;
++
+ phb = pci_bus_to_host(bus);
+
+ mode = PCI_PROBE_NORMAL;
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index d37faa53bcd8..ec7828ad6661 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -4,11 +4,13 @@
+ *
+ * Copyright Gavin Shan, IBM Corporation 2016.
+ * Copyright (C) 2025 Raptor Engineering, LLC
++ * Copyright (C) 2025 Raptor Computing Systems, LLC
+ */
+
+ #include <linux/libfdt.h>
+ #include <linux/module.h>
+ #include <linux/pci.h>
++#include <linux/delay.h>
+ #include <linux/pci_hotplug.h>
+ #include <linux/of_fdt.h>
+
+@@ -468,6 +470,61 @@ static int pnv_php_set_attention_state(struct hotplug_slot *slot, u8 state)
+ return 0;
+ }
+
++static int pnv_php_activate_slot(struct pnv_php_slot *php_slot,
++ struct hotplug_slot *slot)
++{
++ int ret, i;
++
++ /*
++ * Issue initial slot activation command to firmware
++ *
++ * Firmware will power slot on, attempt to train the link, and
++ * discover any downstream devices. If this process fails, firmware
++ * will return an error code and an invalid device tree. Failure
++ * can be caused for multiple reasons, including a faulty
++ * downstream device, poor connection to the downstream device, or
++ * a previously latched PHB fence. On failure, issue fundamental
++ * reset up to three times before aborting.
++ */
++ ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON);
++ if (ret) {
++ SLOT_WARN(
++ php_slot,
++ "PCI slot activation failed with error code %d, possible frozen PHB",
++ ret);
++ SLOT_WARN(
++ php_slot,
++ "Attempting complete PHB reset before retrying slot activation\n");
++ for (i = 0; i < 3; i++) {
++ /*
++ * Slot activation failed, PHB may be fenced from a
++ * prior device failure.
++ *
++ * Use the OPAL fundamental reset call to both try a
++ * device reset and clear any potentially active PHB
++ * fence / freeze.
++ */
++ SLOT_WARN(php_slot, "Try %d...\n", i + 1);
++ pci_set_pcie_reset_state(php_slot->pdev,
++ pcie_warm_reset);
++ msleep(250);
++ pci_set_pcie_reset_state(php_slot->pdev,
++ pcie_deassert_reset);
++
++ ret = pnv_php_set_slot_power_state(
++ slot, OPAL_PCI_SLOT_POWER_ON);
++ if (!ret)
++ break;
++ }
++
++ if (i >= 3)
++ SLOT_WARN(php_slot,
++ "Failed to bring slot online, aborting!\n");
++ }
++
++ return ret;
++}
++
+ static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan)
+ {
+ struct hotplug_slot *slot = &php_slot->slot;
+@@ -530,7 +587,7 @@ static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan)
+ goto scan;
+
+ /* Power is off, turn it on and then scan the slot */
+- ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON);
++ ret = pnv_php_activate_slot(php_slot, slot);
+ if (ret)
+ return ret;
+
+@@ -837,16 +894,63 @@ static int pnv_php_enable_msix(struct pnv_php_slot *php_slot)
+ return entry.vector;
+ }
+
++static void
++pnv_php_detect_clear_suprise_removal_freeze(struct pnv_php_slot *php_slot)
++{
++ struct pci_dev *pdev = php_slot->pdev;
++ struct eeh_dev *edev;
++ struct eeh_pe *pe;
++ int i, rc;
++
++ /*
++ * When a device is surprise removed from a downstream bridge slot,
++ * the upstream bridge port can still end up frozen due to related EEH
++ * events, which will in turn block the MSI interrupts for slot hotplug
++ * detection.
++ *
++ * Detect and thaw any frozen upstream PE after slot deactivation.
++ */
++ edev = pci_dev_to_eeh_dev(pdev);
++ pe = edev ? edev->pe : NULL;
++ rc = eeh_pe_get_state(pe);
++ if ((rc == -ENODEV) || (rc == -ENOENT)) {
++ SLOT_WARN(
++ php_slot,
++ "Upstream bridge PE state unknown, hotplug detect may fail\n");
++ } else {
++ if (pe->state & EEH_PE_ISOLATED) {
++ SLOT_WARN(
++ php_slot,
++ "Upstream bridge PE %02x frozen, thawing...\n",
++ pe->addr);
++ for (i = 0; i < 3; i++)
++ if (!eeh_unfreeze_pe(pe))
++ break;
++ if (i >= 3)
++ SLOT_WARN(
++ php_slot,
++ "Unable to thaw PE %02x, hotplug detect will fail!\n",
++ pe->addr);
++ else
++ SLOT_WARN(php_slot,
++ "PE %02x thawed successfully\n",
++ pe->addr);
++ }
++ }
++}
++
+ static void pnv_php_event_handler(struct work_struct *work)
+ {
+ struct pnv_php_event *event =
+ container_of(work, struct pnv_php_event, work);
+ struct pnv_php_slot *php_slot = event->php_slot;
+
+- if (event->added)
++ if (event->added) {
+ pnv_php_enable_slot(&php_slot->slot);
+- else
++ } else {
+ pnv_php_disable_slot(&php_slot->slot);
++ pnv_php_detect_clear_suprise_removal_freeze(php_slot);
++ }
+
+ kfree(event);
+ }
+--
+2.39.5
+
--- /dev/null
+From aad6de0b740035d246bda1137ec2f631cd8a4bc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:36:55 -0500
+Subject: PCI: pnv_php: Work around switches with broken presence detection
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit 80f9fc2362797538ebd4fd70a1dfa838cc2c2cdb ]
+
+The Microsemi Switchtec PM8533 PFX 48xG3 [11f8:8533] PCIe switch system
+was observed to incorrectly assert the Presence Detect Set bit in its
+capabilities when tested on a Raptor Computing Systems Blackbird system,
+resulting in the hot insert path never attempting a rescan of the bus
+and any downstream devices not being re-detected.
+
+Work around this by additionally checking whether the PCIe data link is
+active or not when performing presence detection on downstream switches'
+ports, similar to the pciehp_hpc.c driver.
+
+Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/505981576.1359853.1752615415117.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pnv_php.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index 6989b8a0dc6b..d37faa53bcd8 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -390,6 +390,20 @@ static int pnv_php_get_power_state(struct hotplug_slot *slot, u8 *state)
+ return 0;
+ }
+
++static int pcie_check_link_active(struct pci_dev *pdev)
++{
++ u16 lnk_status;
++ int ret;
++
++ ret = pcie_capability_read_word(pdev, PCI_EXP_LNKSTA, &lnk_status);
++ if (ret == PCIBIOS_DEVICE_NOT_FOUND || PCI_POSSIBLE_ERROR(lnk_status))
++ return -ENODEV;
++
++ ret = !!(lnk_status & PCI_EXP_LNKSTA_DLLLA);
++
++ return ret;
++}
++
+ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state)
+ {
+ struct pnv_php_slot *php_slot = to_pnv_php_slot(slot);
+@@ -402,6 +416,19 @@ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state)
+ */
+ ret = pnv_pci_get_presence_state(php_slot->id, &presence);
+ if (ret >= 0) {
++ if (pci_pcie_type(php_slot->pdev) == PCI_EXP_TYPE_DOWNSTREAM &&
++ presence == OPAL_PCI_SLOT_EMPTY) {
++ /*
++ * Similar to pciehp_hpc, check whether the Link Active
++ * bit is set to account for broken downstream bridges
++ * that don't properly assert Presence Detect State, as
++ * was observed on the Microsemi Switchtec PM8533 PFX
++ * [11f8:8533].
++ */
++ if (pcie_check_link_active(php_slot->pdev) > 0)
++ presence = OPAL_PCI_SLOT_PRESENT;
++ }
++
+ *state = presence;
+ ret = 0;
+ } else {
+--
+2.39.5
+
--- /dev/null
+From 109e2fc1a4bdf8bf31f2e4e786a919969c0b44d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 00:01:59 +0800
+Subject: PCI: rockchip-host: Fix "Unexpected Completion" log message
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit fcc5f586c4edbcc10de23fb9b8c0972a84e945cd ]
+
+Fix the debug message for the PCIE_CORE_INT_UCR interrupt to clearly
+indicate "Unexpected Completion" instead of a duplicate "malformed TLP"
+message.
+
+Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+[mani: added fixes tag]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
+Link: https://patch.msgid.link/20250607160201.807043-2-18255117159@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-rockchip-host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-rockchip-host.c b/drivers/pci/controller/pcie-rockchip-host.c
+index afbbdccd195d..6ff20d585396 100644
+--- a/drivers/pci/controller/pcie-rockchip-host.c
++++ b/drivers/pci/controller/pcie-rockchip-host.c
+@@ -436,7 +436,7 @@ static irqreturn_t rockchip_pcie_subsys_irq_handler(int irq, void *arg)
+ dev_dbg(dev, "malformed TLP received from the link\n");
+
+ if (sub_reg & PCIE_CORE_INT_UCR)
+- dev_dbg(dev, "malformed TLP received from the link\n");
++ dev_dbg(dev, "Unexpected Completion received from the link\n");
+
+ if (sub_reg & PCIE_CORE_INT_FCE)
+ dev_dbg(dev, "an error was observed in the flow control advertisements from the other side\n");
+--
+2.39.5
+
--- /dev/null
+From b4ac62e8dd94545d8249eb1f5007374b04ad623d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 12:03:21 -0700
+Subject: perf dso: Add missed dso__put to dso__load_kcore
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 63a088e999de3f431f87d9a367933da894ddb613 ]
+
+The kcore loading creates a set of list nodes that have reference
+counted references to maps of the kcore. The list node freeing in the
+success path wasn't releasing the maps, add the missing puts. It is
+unclear why this leak was being missed by leak sanitizer.
+
+Fixes: 83720209961f ("perf map: Move map list node into symbol")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250624190326.2038704-2-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/symbol.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c
+index ea24f21aafc3..4f0bbebcb6d6 100644
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -1366,6 +1366,7 @@ static int dso__load_kcore(struct dso *dso, struct map *map,
+ goto out_err;
+ }
+ }
++ map__zput(new_node->map);
+ free(new_node);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 2153fba15a61e645d391309e7dfddcabd0324a05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:39 -0700
+Subject: perf sched: Fix memory leaks for evsel->priv in timehist
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 117e5c33b1c44037af016d77ce6c0b086d55535f ]
+
+It uses evsel->priv to save per-cpu timing information. It should be
+freed when the evsel is released.
+
+Add the priv destructor for evsel same as thread to handle that.
+
+Fixes: 49394a2a24c78ce0 ("perf sched timehist: Introduce timehist command")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-6-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 12 ++++++++++++
+ tools/perf/util/evsel.c | 11 +++++++++++
+ tools/perf/util/evsel.h | 2 ++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 5f4fb1ce1ea9..a1fab1a52b6a 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -1949,6 +1949,16 @@ static u64 evsel__get_time(struct evsel *evsel, u32 cpu)
+ return r->last_time[cpu];
+ }
+
++static void timehist__evsel_priv_destructor(void *priv)
++{
++ struct evsel_runtime *r = priv;
++
++ if (r) {
++ free(r->last_time);
++ free(r);
++ }
++}
++
+ static int comm_width = 30;
+
+ static char *timehist_get_commstr(struct thread *thread)
+@@ -3080,6 +3090,8 @@ static int perf_sched__timehist(struct perf_sched *sched)
+
+ setup_pager();
+
++ evsel__set_priv_destructor(timehist__evsel_priv_destructor);
++
+ /* prefer sched_waking if it is captured */
+ if (evlist__find_tracepoint_by_name(session->evlist, "sched:sched_waking"))
+ handlers[1].handler = timehist_sched_wakeup_ignore;
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index 6d2b056232f6..2a6295f1ac1b 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -1460,6 +1460,15 @@ static void evsel__free_config_terms(struct evsel *evsel)
+ free_config_terms(&evsel->config_terms);
+ }
+
++static void (*evsel__priv_destructor)(void *priv);
++
++void evsel__set_priv_destructor(void (*destructor)(void *priv))
++{
++ assert(evsel__priv_destructor == NULL);
++
++ evsel__priv_destructor = destructor;
++}
++
+ void evsel__exit(struct evsel *evsel)
+ {
+ assert(list_empty(&evsel->core.node));
+@@ -1485,6 +1494,8 @@ void evsel__exit(struct evsel *evsel)
+ hashmap__free(evsel->per_pkg_mask);
+ evsel->per_pkg_mask = NULL;
+ zfree(&evsel->metric_events);
++ if (evsel__priv_destructor)
++ evsel__priv_destructor(evsel->priv);
+ perf_evsel__object.fini(evsel);
+ }
+
+diff --git a/tools/perf/util/evsel.h b/tools/perf/util/evsel.h
+index 848534ec74fa..ac396d6f95cb 100644
+--- a/tools/perf/util/evsel.h
++++ b/tools/perf/util/evsel.h
+@@ -252,6 +252,8 @@ void evsel__init(struct evsel *evsel, struct perf_event_attr *attr, int idx);
+ void evsel__exit(struct evsel *evsel);
+ void evsel__delete(struct evsel *evsel);
+
++void evsel__set_priv_destructor(void (*destructor)(void *priv));
++
+ struct callchain_param;
+
+ void evsel__config(struct evsel *evsel, struct record_opts *opts,
+--
+2.39.5
+
--- /dev/null
+From 1d87a5ff68f3ab3fc7b65d0a3378d30abd4c9318 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:41 -0700
+Subject: perf sched: Fix memory leaks in 'perf sched latency'
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit e68b1c0098b959cb88afce5c93dd6a9324e6da78 ]
+
+The work_atoms should be freed after use. Add free_work_atoms() to
+make sure to release all. It should use list_splice_init() when merging
+atoms to prevent accessing invalid pointers.
+
+Fixes: b1ffe8f3e0c96f552 ("perf sched: Finish latency => atom rename and misc cleanups")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-8-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index a1fab1a52b6a..16cb7278faba 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -1125,6 +1125,21 @@ add_sched_in_event(struct work_atoms *atoms, u64 timestamp)
+ atoms->nb_atoms++;
+ }
+
++static void free_work_atoms(struct work_atoms *atoms)
++{
++ struct work_atom *atom, *tmp;
++
++ if (atoms == NULL)
++ return;
++
++ list_for_each_entry_safe(atom, tmp, &atoms->work_list, list) {
++ list_del(&atom->list);
++ free(atom);
++ }
++ thread__zput(atoms->thread);
++ free(atoms);
++}
++
+ static int latency_switch_event(struct perf_sched *sched,
+ struct evsel *evsel,
+ struct perf_sample *sample,
+@@ -3192,13 +3207,13 @@ static void __merge_work_atoms(struct rb_root_cached *root, struct work_atoms *d
+ this->total_runtime += data->total_runtime;
+ this->nb_atoms += data->nb_atoms;
+ this->total_lat += data->total_lat;
+- list_splice(&data->work_list, &this->work_list);
++ list_splice_init(&data->work_list, &this->work_list);
+ if (this->max_lat < data->max_lat) {
+ this->max_lat = data->max_lat;
+ this->max_lat_start = data->max_lat_start;
+ this->max_lat_end = data->max_lat_end;
+ }
+- zfree(&data);
++ free_work_atoms(data);
+ return;
+ }
+ }
+@@ -3277,7 +3292,6 @@ static int perf_sched__lat(struct perf_sched *sched)
+ work_list = rb_entry(next, struct work_atoms, node);
+ output_lat_thread(sched, work_list);
+ next = rb_next(next);
+- thread__zput(work_list->thread);
+ }
+
+ printf(" -----------------------------------------------------------------------------------------------------------------\n");
+@@ -3291,6 +3305,13 @@ static int perf_sched__lat(struct perf_sched *sched)
+
+ rc = 0;
+
++ while ((next = rb_first_cached(&sched->sorted_atom_root))) {
++ struct work_atoms *data;
++
++ data = rb_entry(next, struct work_atoms, node);
++ rb_erase_cached(next, &sched->sorted_atom_root);
++ free_work_atoms(data);
++ }
+ out_free_cpus_switch_event:
+ free_cpus_switch_event(sched);
+ return rc;
+--
+2.39.5
+
--- /dev/null
+From b9e6ac29ce20c7db21f836294bce8c461a597441 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:49:36 -0700
+Subject: perf sched: Free thread->priv using priv_destructor
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit aa9fdd106bab8c478d37eba5703c0950ad5c0d4f ]
+
+In many perf sched subcommand saves priv data structure in the thread
+but it forgot to free them. As it's an opaque type with 'void *', it
+needs to register that knows how to free the data. In this case, just
+regular 'free()' is fine.
+
+Fixes: 04cb4fc4d40a5bf1 ("perf thread: Allow tools to register a thread->priv destructor")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250703014942.1369397-3-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index ac9d94dbbeef..5f4fb1ce1ea9 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -3678,6 +3678,8 @@ int cmd_sched(int argc, const char **argv)
+ if (!argc)
+ usage_with_options(sched_usage, sched_options);
+
++ thread__set_priv_destructor(free);
++
+ /*
+ * Aliased to 'perf script' for now:
+ */
+--
+2.39.5
+
--- /dev/null
+From 3fd5775e9b3560e51cb7b989c63a1f20d9222b38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 12:10:15 +0100
+Subject: perf tests bp_account: Fix leaked file descriptor
+
+From: Leo Yan <leo.yan@arm.com>
+
+[ Upstream commit 4a6cdecaa1497f1fbbd1d5307a225b6ca5a62a90 ]
+
+Since the commit e9846f5ead26 ("perf test: In forked mode add check that
+fds aren't leaked"), the test "Breakpoint accounting" reports the error:
+
+ # perf test -vvv "Breakpoint accounting"
+ 20: Breakpoint accounting:
+ --- start ---
+ test child forked, pid 373
+ failed opening event 0
+ failed opening event 0
+ watchpoints count 4, breakpoints count 6, has_ioctl 1, share 0
+ wp 0 created
+ wp 1 created
+ wp 2 created
+ wp 3 created
+ wp 0 modified to bp
+ wp max created
+ ---- end(0) ----
+ Leak of file descriptor 7 that opened: 'anon_inode:[perf_event]'
+
+A watchpoint's file descriptor was not properly released. This patch
+fixes the leak.
+
+Fixes: 032db28e5fa3 ("perf tests: Add breakpoint accounting/modify test")
+Reported-by: Aishwarya TCV <aishwarya.tcv@arm.com>
+Signed-off-by: Leo Yan <leo.yan@arm.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250711-perf_fix_breakpoint_accounting-v1-1-b314393023f9@arm.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/bp_account.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/bp_account.c b/tools/perf/tests/bp_account.c
+index 6f921db33cf9..855b81c3326c 100644
+--- a/tools/perf/tests/bp_account.c
++++ b/tools/perf/tests/bp_account.c
+@@ -102,6 +102,7 @@ static int bp_accounting(int wp_cnt, int share)
+ fd_wp = wp_event((void *)&the_var, &attr_new);
+ TEST_ASSERT_VAL("failed to create max wp\n", fd_wp != -1);
+ pr_debug("wp max created\n");
++ close(fd_wp);
+ }
+
+ for (i = 0; i < wp_cnt; i++)
+--
+2.39.5
+
--- /dev/null
+From 94e01c34d38bb949faeab690bfbb80bab60bf7dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 13:10:27 -0700
+Subject: perf tools: Fix use-after-free in help_unknown_cmd()
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 1fdf938168c4d26fa279d4f204768690d1f9c4ae ]
+
+Currently perf aborts when it finds an invalid command. I guess it
+depends on the environment as I have some custom commands in the path.
+
+ $ perf bad-command
+ perf: 'bad-command' is not a perf-command. See 'perf --help'.
+ Aborted (core dumped)
+
+It's because the exclude_cmds() in libsubcmd has a use-after-free when
+it removes some entries. After copying one to another entry, it keeps
+the pointer in the both position. And the next copy operation will free
+the later one but it's the same entry in the previous one.
+
+For example, let's say cmds = { A, B, C, D, E } and excludes = { B, E }.
+
+ ci cj ei cmds-name excludes
+ -----------+--------------------
+ 0 0 0 | A B : cmp < 0, ci == cj
+ 1 1 0 | B B : cmp == 0
+ 2 1 1 | C E : cmp < 0, ci != cj
+
+At this point, it frees cmds->names[1] and cmds->names[1] is assigned to
+cmds->names[2].
+
+ 3 2 1 | D E : cmp < 0, ci != cj
+
+Now it frees cmds->names[2] but it's the same as cmds->names[1]. So
+accessing cmds->names[1] will be invalid.
+
+This makes the subcmd tests succeed.
+
+ $ perf test subcmd
+ 69: libsubcmd help tests :
+ 69.1: Load subcmd names : Ok
+ 69.2: Uniquify subcmd names : Ok
+ 69.3: Exclude duplicate subcmd names : Ok
+
+Fixes: 4b96679170c6 ("libsubcmd: Avoid SEGV/use-after-free when commands aren't excluded")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250701201027.1171561-3-namhyung@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/subcmd/help.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/tools/lib/subcmd/help.c b/tools/lib/subcmd/help.c
+index 8561b0f01a24..9ef569492560 100644
+--- a/tools/lib/subcmd/help.c
++++ b/tools/lib/subcmd/help.c
+@@ -9,6 +9,7 @@
+ #include <sys/stat.h>
+ #include <unistd.h>
+ #include <dirent.h>
++#include <assert.h>
+ #include "subcmd-util.h"
+ #include "help.h"
+ #include "exec-cmd.h"
+@@ -82,10 +83,11 @@ void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes)
+ ci++;
+ cj++;
+ } else {
+- zfree(&cmds->names[cj]);
+- cmds->names[cj++] = cmds->names[ci++];
++ cmds->names[cj++] = cmds->names[ci];
++ cmds->names[ci++] = NULL;
+ }
+ } else if (cmp == 0) {
++ zfree(&cmds->names[ci]);
+ ci++;
+ ei++;
+ } else if (cmp > 0) {
+@@ -94,12 +96,12 @@ void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes)
+ }
+ if (ci != cj) {
+ while (ci < cmds->cnt) {
+- zfree(&cmds->names[cj]);
+- cmds->names[cj++] = cmds->names[ci++];
++ cmds->names[cj++] = cmds->names[ci];
++ cmds->names[ci++] = NULL;
+ }
+ }
+ for (ci = cj; ci < cmds->cnt; ci++)
+- zfree(&cmds->names[ci]);
++ assert(cmds->names[ci] == NULL);
+ cmds->cnt = cj;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 7015e51a350df66646aa0bbb25ef204a8f45980e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jul 2025 19:15:32 +0800
+Subject: perf tools: Remove libtraceevent in .gitignore
+
+From: Chen Pei <cp0613@linux.alibaba.com>
+
+[ Upstream commit af470fb532fc803c4c582d15b4bd394682a77a15 ]
+
+The libtraceevent has been removed from the source tree, and .gitignore
+needs to be updated as well.
+
+Fixes: 4171925aa9f3f7bf ("tools lib traceevent: Remove libtraceevent")
+Signed-off-by: Chen Pei <cp0613@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250726111532.8031-1-cp0613@linux.alibaba.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/.gitignore | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/perf/.gitignore b/tools/perf/.gitignore
+index f533e76fb480..5a8617eb5419 100644
+--- a/tools/perf/.gitignore
++++ b/tools/perf/.gitignore
+@@ -45,7 +45,5 @@ libbpf/
+ libperf/
+ libsubcmd/
+ libsymbol/
+-libtraceevent/
+-libtraceevent_plugins/
+ fixdep
+ Documentation/doc.dep
+--
+2.39.5
+
--- /dev/null
+From 20787679adc1aae3c6ee7fb582a07ccfc2d4b972 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:27:08 +0800
+Subject: pinctrl: sunxi: Fix memory leak on krealloc failure
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit e3507c56cbb208d4f160942748c527ef6a528ba1 ]
+
+In sunxi_pctrl_dt_node_to_map(), when krealloc() fails to resize
+the pinctrl_map array, the function returns -ENOMEM directly
+without freeing the previously allocated *map buffer. This results
+in a memory leak of the original kmalloc_array allocation.
+
+Fixes: e11dee2e98f8 ("pinctrl: sunxi: Deal with configless pins")
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Link: https://lore.kernel.org/20250620012708.16709-1-chenyuan_fl@163.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+index 73bcf806af0e..fc11c3d55fa8 100644
+--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+@@ -395,6 +395,7 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
+ const char *function, *pin_prop;
+ const char *group;
+ int ret, npins, nmaps, configlen = 0, i = 0;
++ struct pinctrl_map *new_map;
+
+ *map = NULL;
+ *num_maps = 0;
+@@ -469,9 +470,13 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
+ * We know have the number of maps we need, we can resize our
+ * map array
+ */
+- *map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL);
+- if (!*map)
+- return -ENOMEM;
++ new_map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL);
++ if (!new_map) {
++ ret = -ENOMEM;
++ goto err_free_map;
++ }
++
++ *map = new_map;
+
+ return 0;
+
+--
+2.39.5
+
--- /dev/null
+From 0bcdc753dcc08879e6060b73b6525ec2b7a74ffe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 13:28:38 +0530
+Subject: pinmux: fix race causing mux_owner NULL with active mux_usecount
+
+From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+
+[ Upstream commit 0b075c011032f88d1cfde3b45d6dcf08b44140eb ]
+
+commit 5a3e85c3c397 ("pinmux: Use sequential access to access
+desc->pinmux data") tried to address the issue when two client of the
+same gpio calls pinctrl_select_state() for the same functionality, was
+resulting in NULL pointer issue while accessing desc->mux_owner.
+However, issue was not completely fixed due to the way it was handled
+and it can still result in the same NULL pointer.
+
+The issue occurs due to the following interleaving:
+
+ cpu0 (process A) cpu1 (process B)
+
+ pin_request() { pin_free() {
+
+ mutex_lock()
+ desc->mux_usecount--; //becomes 0
+ ..
+ mutex_unlock()
+
+ mutex_lock(desc->mux)
+ desc->mux_usecount++; // becomes 1
+ desc->mux_owner = owner;
+ mutex_unlock(desc->mux)
+
+ mutex_lock(desc->mux)
+ desc->mux_owner = NULL;
+ mutex_unlock(desc->mux)
+
+This sequence leads to a state where the pin appears to be in use
+(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can
+cause NULL pointer on next pin_request on the same pin.
+
+Ensure that updates to mux_usecount and mux_owner are performed
+atomically under the same lock. Only clear mux_owner when mux_usecount
+reaches zero and no new owner has been assigned.
+
+Fixes: 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data")
+Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Link: https://lore.kernel.org/20250708-pinmux-race-fix-v2-1-8ae9e8a0d1a1@oss.qualcomm.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinmux.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/pinctrl/pinmux.c b/drivers/pinctrl/pinmux.c
+index 97e8af88df85..ab853d6c586b 100644
+--- a/drivers/pinctrl/pinmux.c
++++ b/drivers/pinctrl/pinmux.c
+@@ -238,18 +238,7 @@ static const char *pin_free(struct pinctrl_dev *pctldev, int pin,
+ if (desc->mux_usecount)
+ return NULL;
+ }
+- }
+-
+- /*
+- * If there is no kind of request function for the pin we just assume
+- * we got it by default and proceed.
+- */
+- if (gpio_range && ops->gpio_disable_free)
+- ops->gpio_disable_free(pctldev, gpio_range, pin);
+- else if (ops->free)
+- ops->free(pctldev, pin);
+
+- scoped_guard(mutex, &desc->mux_lock) {
+ if (gpio_range) {
+ owner = desc->gpio_owner;
+ desc->gpio_owner = NULL;
+@@ -260,6 +249,15 @@ static const char *pin_free(struct pinctrl_dev *pctldev, int pin,
+ }
+ }
+
++ /*
++ * If there is no kind of request function for the pin we just assume
++ * we got it by default and proceed.
++ */
++ if (gpio_range && ops->gpio_disable_free)
++ ops->gpio_disable_free(pctldev, gpio_range, pin);
++ else if (ops->free)
++ ops->free(pctldev, pin);
++
+ module_put(pctldev->owner);
+
+ return owner;
+--
+2.39.5
+
--- /dev/null
+From 7707c23d289e709db300a2b6e7858c9e7aaf472f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 11:00:20 +0800
+Subject: PM / devfreq: Check governor before using governor->name
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit bab7834c03820eb11269bc48f07c3800192460d2 ]
+
+Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from
+struct devfreq") removes governor_name and uses governor->name to replace
+it. But devfreq->governor may be NULL and directly using
+devfreq->governor->name may cause null pointer exception. Move the check of
+governor to before using governor->name.
+
+Fixes: 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq")
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://lore.kernel.org/lkml/20250421030020.3108405-5-zhenglifeng1@huawei.com/
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index 49c542ecccde..7b991bbef489 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -1382,15 +1382,11 @@ int devfreq_remove_governor(struct devfreq_governor *governor)
+ int ret;
+ struct device *dev = devfreq->dev.parent;
+
++ if (!devfreq->governor)
++ continue;
++
+ if (!strncmp(devfreq->governor->name, governor->name,
+ DEVFREQ_NAME_LEN)) {
+- /* we should have a devfreq governor! */
+- if (!devfreq->governor) {
+- dev_warn(dev, "%s: Governor %s NOT present\n",
+- __func__, governor->name);
+- continue;
+- /* Fall through */
+- }
+ ret = devfreq->governor->event_handler(devfreq,
+ DEVFREQ_GOV_STOP, NULL);
+ if (ret) {
+--
+2.39.5
+
--- /dev/null
+From d767b847f3d0b92a93d17438b098c75bd5d4b4e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 10:47:41 +0800
+Subject: power: supply: cpcap-charger: Fix null check for
+ power_supply_get_by_name
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit d9fa3aae08f99493e67fb79413c0e95d30fca5e9 ]
+
+In the cpcap_usb_detect() function, the power_supply_get_by_name()
+function may return `NULL` instead of an error pointer.
+To prevent potential null pointer dereferences, Added a null check.
+
+Fixes: eab4e6d953c1 ("power: supply: cpcap-charger: get the battery inserted infomation from cpcap-battery")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Link: https://lore.kernel.org/r/20250519024741.5846-1-hanchunchao@inspur.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/cpcap-charger.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/power/supply/cpcap-charger.c b/drivers/power/supply/cpcap-charger.c
+index be9764541d52..05a3f4b208a4 100644
+--- a/drivers/power/supply/cpcap-charger.c
++++ b/drivers/power/supply/cpcap-charger.c
+@@ -689,9 +689,8 @@ static void cpcap_usb_detect(struct work_struct *work)
+ struct power_supply *battery;
+
+ battery = power_supply_get_by_name("battery");
+- if (IS_ERR_OR_NULL(battery)) {
+- dev_err(ddata->dev, "battery power_supply not available %li\n",
+- PTR_ERR(battery));
++ if (!battery) {
++ dev_err(ddata->dev, "battery power_supply not available\n");
+ return;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 6a91966c95218e05ae9a39ae63d1c287a15a1457 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 14:16:01 +0800
+Subject: power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 2937f5d2e24eefef8cb126244caec7fe3307f724 ]
+
+When the kernel is not configured CONFIG_OF, the max14577_charger_dt_init
+function returns NULL. Fix the max14577_charger_probe functionby returning
+-ENODATA instead of potentially passing a NULL pointer to PTR_ERR.
+
+This fixes the below smatch warning:
+max14577_charger_probe() warn: passing zero to 'PTR_ERR'
+
+Fixes: e30110e9c96f ("charger: max14577: Configure battery-dependent settings from DTS and sysfs")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250519061601.8755-1-hanchunchao@inspur.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max14577_charger.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/max14577_charger.c b/drivers/power/supply/max14577_charger.c
+index 96f9de775043..daa5a6d41bb4 100644
+--- a/drivers/power/supply/max14577_charger.c
++++ b/drivers/power/supply/max14577_charger.c
+@@ -501,7 +501,7 @@ static struct max14577_charger_platform_data *max14577_charger_dt_init(
+ static struct max14577_charger_platform_data *max14577_charger_dt_init(
+ struct platform_device *pdev)
+ {
+- return NULL;
++ return ERR_PTR(-ENODATA);
+ }
+ #endif /* CONFIG_OF */
+
+@@ -572,7 +572,7 @@ static int max14577_charger_probe(struct platform_device *pdev)
+ chg->max14577 = max14577;
+
+ chg->pdata = max14577_charger_dt_init(pdev);
+- if (IS_ERR_OR_NULL(chg->pdata))
++ if (IS_ERR(chg->pdata))
+ return PTR_ERR(chg->pdata);
+
+ ret = max14577_charger_reg_init(chg);
+--
+2.39.5
+
--- /dev/null
+From fdf8d7219d8bf8a05da379d2faadfdc2fa33a744 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 01:13:55 +0300
+Subject: powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()
+
+From: Sivan Zohar-Kotzer <sivany32@gmail.com>
+
+[ Upstream commit 46dc57406887dd02565cb264224194a6776d882b ]
+
+The get_pd_power_uw() function can crash with a NULL pointer dereference
+when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible
+during runtime, causing get_cpu_device() to return NULL, which propagates
+through em_cpu_get() and leads to a crash when em_span_cpus() dereferences
+the NULL pointer.
+
+Add a NULL check after em_cpu_get() and return 0 if unavailable,
+matching the existing fallback behavior in __dtpm_cpu_setup().
+
+Fixes: eb82bace8931 ("powercap/drivers/dtpm: Scale the power with the load")
+Signed-off-by: Sivan Zohar-Kotzer <sivany32@gmail.com>
+Link: https://patch.msgid.link/20250701221355.96916-1-sivany32@gmail.com
+[ rjw: Drop an excess empty code line ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/powercap/dtpm_cpu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/powercap/dtpm_cpu.c b/drivers/powercap/dtpm_cpu.c
+index ae7ee611978b..99a82060ead9 100644
+--- a/drivers/powercap/dtpm_cpu.c
++++ b/drivers/powercap/dtpm_cpu.c
+@@ -93,6 +93,8 @@ static u64 get_pd_power_uw(struct dtpm *dtpm)
+ int i;
+
+ pd = em_cpu_get(dtpm_cpu->cpu);
++ if (!pd)
++ return 0;
+
+ pd_mask = em_span_cpus(pd);
+
+--
+2.39.5
+
--- /dev/null
+From 991ca3af064e73085ac58093ca63e071af758a1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:37:34 -0500
+Subject: powerpc/eeh: Export eeh_unfreeze_pe()
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit e82b34eed04b0ddcff4548b62633467235672fd3 ]
+
+The PowerNV hotplug driver needs to be able to clear any frozen PE(s)
+on the PHB after suprise removal of a downstream device.
+
+Export the eeh_unfreeze_pe() symbol to allow implementation of this
+functionality in the php_nv module.
+
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/1778535414.1359858.1752615454618.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
+index 2e286bba2f64..82626363a309 100644
+--- a/arch/powerpc/kernel/eeh.c
++++ b/arch/powerpc/kernel/eeh.c
+@@ -1130,6 +1130,7 @@ int eeh_unfreeze_pe(struct eeh_pe *pe)
+
+ return ret;
+ }
++EXPORT_SYMBOL_GPL(eeh_unfreeze_pe);
+
+
+ static struct pci_device_id eeh_reset_ids[] = {
+--
+2.39.5
+
--- /dev/null
+From 03785bd6b566e78740228adfa2fe66b5455efc32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:38:23 -0500
+Subject: powerpc/eeh: Make EEH driver device hotplug safe
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+[ Upstream commit 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 ]
+
+Multiple race conditions existed between the PCIe hotplug driver and the
+EEH driver, leading to a variety of kernel oopses of the same general
+nature:
+
+<pcie device unplug>
+<eeh driver trigger>
+<hotplug removal trigger>
+<pcie tree reconfiguration>
+<eeh recovery next step>
+<oops in EEH driver bus iteration loop>
+
+A second class of oops is also seen when the underlying bus disappears
+during device recovery.
+
+Refactor the EEH module to be PCI rescan and remove safe. Also clean
+up a few minor formatting / readability issues.
+
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/1334208367.1359861.1752615503144.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh_driver.c | 48 +++++++++++++++++++++-----------
+ arch/powerpc/kernel/eeh_pe.c | 10 ++++---
+ 2 files changed, 38 insertions(+), 20 deletions(-)
+
+diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
+index 438568a472d0..9ba4adc214af 100644
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -257,13 +257,12 @@ static void eeh_pe_report_edev(struct eeh_dev *edev, eeh_report_fn fn,
+ struct pci_driver *driver;
+ enum pci_ers_result new_result;
+
+- pci_lock_rescan_remove();
+ pdev = edev->pdev;
+ if (pdev)
+ get_device(&pdev->dev);
+- pci_unlock_rescan_remove();
+ if (!pdev) {
+ eeh_edev_info(edev, "no device");
++ *result = PCI_ERS_RESULT_DISCONNECT;
+ return;
+ }
+ device_lock(&pdev->dev);
+@@ -304,8 +303,9 @@ static void eeh_pe_report(const char *name, struct eeh_pe *root,
+ struct eeh_dev *edev, *tmp;
+
+ pr_info("EEH: Beginning: '%s'\n", name);
+- eeh_for_each_pe(root, pe) eeh_pe_for_each_dev(pe, edev, tmp)
+- eeh_pe_report_edev(edev, fn, result);
++ eeh_for_each_pe(root, pe)
++ eeh_pe_for_each_dev(pe, edev, tmp)
++ eeh_pe_report_edev(edev, fn, result);
+ if (result)
+ pr_info("EEH: Finished:'%s' with aggregate recovery state:'%s'\n",
+ name, pci_ers_result_name(*result));
+@@ -383,6 +383,8 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata)
+ if (!edev)
+ return;
+
++ pci_lock_rescan_remove();
++
+ /*
+ * The content in the config space isn't saved because
+ * the blocked config space on some adapters. We have
+@@ -393,14 +395,19 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata)
+ if (list_is_last(&edev->entry, &edev->pe->edevs))
+ eeh_pe_restore_bars(edev->pe);
+
++ pci_unlock_rescan_remove();
+ return;
+ }
+
+ pdev = eeh_dev_to_pci_dev(edev);
+- if (!pdev)
++ if (!pdev) {
++ pci_unlock_rescan_remove();
+ return;
++ }
+
+ pci_restore_state(pdev);
++
++ pci_unlock_rescan_remove();
+ }
+
+ /**
+@@ -647,9 +654,7 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+ if (any_passed || driver_eeh_aware || (pe->type & EEH_PE_VF)) {
+ eeh_pe_dev_traverse(pe, eeh_rmv_device, rmv_data);
+ } else {
+- pci_lock_rescan_remove();
+ pci_hp_remove_devices(bus);
+- pci_unlock_rescan_remove();
+ }
+
+ /*
+@@ -665,8 +670,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+ if (rc)
+ return rc;
+
+- pci_lock_rescan_remove();
+-
+ /* Restore PE */
+ eeh_ops->configure_bridge(pe);
+ eeh_pe_restore_bars(pe);
+@@ -674,7 +677,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+ /* Clear frozen state */
+ rc = eeh_clear_pe_frozen_state(pe, false);
+ if (rc) {
+- pci_unlock_rescan_remove();
+ return rc;
+ }
+
+@@ -709,7 +711,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+ pe->tstamp = tstamp;
+ pe->freeze_count = cnt;
+
+- pci_unlock_rescan_remove();
+ return 0;
+ }
+
+@@ -843,10 +844,13 @@ void eeh_handle_normal_event(struct eeh_pe *pe)
+ {LIST_HEAD_INIT(rmv_data.removed_vf_list), 0};
+ int devices = 0;
+
++ pci_lock_rescan_remove();
++
+ bus = eeh_pe_bus_get(pe);
+ if (!bus) {
+ pr_err("%s: Cannot find PCI bus for PHB#%x-PE#%x\n",
+ __func__, pe->phb->global_number, pe->addr);
++ pci_unlock_rescan_remove();
+ return;
+ }
+
+@@ -1085,10 +1089,15 @@ void eeh_handle_normal_event(struct eeh_pe *pe)
+ eeh_pe_state_clear(pe, EEH_PE_PRI_BUS, true);
+ eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED);
+
+- pci_lock_rescan_remove();
+- pci_hp_remove_devices(bus);
+- pci_unlock_rescan_remove();
++ bus = eeh_pe_bus_get(pe);
++ if (bus)
++ pci_hp_remove_devices(bus);
++ else
++ pr_err("%s: PCI bus for PHB#%x-PE#%x disappeared\n",
++ __func__, pe->phb->global_number, pe->addr);
++
+ /* The passed PE should no longer be used */
++ pci_unlock_rescan_remove();
+ return;
+ }
+
+@@ -1105,6 +1114,8 @@ void eeh_handle_normal_event(struct eeh_pe *pe)
+ eeh_clear_slot_attention(edev->pdev);
+
+ eeh_pe_state_clear(pe, EEH_PE_RECOVERING, true);
++
++ pci_unlock_rescan_remove();
+ }
+
+ /**
+@@ -1123,6 +1134,7 @@ void eeh_handle_special_event(void)
+ unsigned long flags;
+ int rc;
+
++ pci_lock_rescan_remove();
+
+ do {
+ rc = eeh_ops->next_error(&pe);
+@@ -1162,10 +1174,12 @@ void eeh_handle_special_event(void)
+
+ break;
+ case EEH_NEXT_ERR_NONE:
++ pci_unlock_rescan_remove();
+ return;
+ default:
+ pr_warn("%s: Invalid value %d from next_error()\n",
+ __func__, rc);
++ pci_unlock_rescan_remove();
+ return;
+ }
+
+@@ -1177,7 +1191,9 @@ void eeh_handle_special_event(void)
+ if (rc == EEH_NEXT_ERR_FROZEN_PE ||
+ rc == EEH_NEXT_ERR_FENCED_PHB) {
+ eeh_pe_state_mark(pe, EEH_PE_RECOVERING);
++ pci_unlock_rescan_remove();
+ eeh_handle_normal_event(pe);
++ pci_lock_rescan_remove();
+ } else {
+ eeh_for_each_pe(pe, tmp_pe)
+ eeh_pe_for_each_dev(tmp_pe, edev, tmp_edev)
+@@ -1190,7 +1206,6 @@ void eeh_handle_special_event(void)
+ eeh_report_failure, NULL);
+ eeh_set_channel_state(pe, pci_channel_io_perm_failure);
+
+- pci_lock_rescan_remove();
+ list_for_each_entry(hose, &hose_list, list_node) {
+ phb_pe = eeh_phb_pe_get(hose);
+ if (!phb_pe ||
+@@ -1209,7 +1224,6 @@ void eeh_handle_special_event(void)
+ }
+ pci_hp_remove_devices(bus);
+ }
+- pci_unlock_rescan_remove();
+ }
+
+ /*
+@@ -1219,4 +1233,6 @@ void eeh_handle_special_event(void)
+ if (rc == EEH_NEXT_ERR_DEAD_IOC)
+ break;
+ } while (rc != EEH_NEXT_ERR_NONE);
++
++ pci_unlock_rescan_remove();
+ }
+diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
+index 7d1b50599dd6..08095aeba5c9 100644
+--- a/arch/powerpc/kernel/eeh_pe.c
++++ b/arch/powerpc/kernel/eeh_pe.c
+@@ -671,10 +671,12 @@ static void eeh_bridge_check_link(struct eeh_dev *edev)
+ eeh_ops->write_config(edev, cap + PCI_EXP_LNKCTL, 2, val);
+
+ /* Check link */
+- if (!edev->pdev->link_active_reporting) {
+- eeh_edev_dbg(edev, "No link reporting capability\n");
+- msleep(1000);
+- return;
++ if (edev->pdev) {
++ if (!edev->pdev->link_active_reporting) {
++ eeh_edev_dbg(edev, "No link reporting capability\n");
++ msleep(1000);
++ return;
++ }
+ }
+
+ /* Wait the link is up until timeout (5s) */
+--
+2.39.5
+
--- /dev/null
+From 6bc513103dbcf7867c8126f2ad49ac482a83dceb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 12:57:50 +0200
+Subject: pps: fix poll support
+
+From: Denis OSTERLAND-HEIM <denis.osterland@diehl.com>
+
+[ Upstream commit 12c409aa1ec2592280a2ddcc66ff8f3c7f7bb171 ]
+
+Because pps_cdev_poll() returns unconditionally EPOLLIN,
+a user space program that calls select/poll get always an immediate data
+ready-to-read response. As a result the intended use to wait until next
+data becomes ready does not work.
+
+User space snippet:
+
+ struct pollfd pollfd = {
+ .fd = open("/dev/pps0", O_RDONLY),
+ .events = POLLIN|POLLERR,
+ .revents = 0 };
+ while(1) {
+ poll(&pollfd, 1, 2000/*ms*/); // returns immediate, but should wait
+ if(revents & EPOLLIN) { // always true
+ struct pps_fdata fdata;
+ memset(&fdata, 0, sizeof(memdata));
+ ioctl(PPS_FETCH, &fdata); // currently fetches data at max speed
+ }
+ }
+
+Lets remember the last fetch event counter and compare this value
+in pps_cdev_poll() with most recent event counter
+and return 0 if they are equal.
+
+Signed-off-by: Denis OSTERLAND-HEIM <denis.osterland@diehl.com>
+Co-developed-by: Rodolfo Giometti <giometti@enneenne.com>
+Signed-off-by: Rodolfo Giometti <giometti@enneenne.com>
+Fixes: eae9d2ba0cfc ("LinuxPPS: core support")
+Link: https://lore.kernel.org/all/f6bed779-6d59-4f0f-8a59-b6312bd83b4e@enneenne.com/
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Link: https://lore.kernel.org/r/c3c50ad1eb19ef553eca8a57c17f4c006413ab70.camel@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pps/pps.c | 11 +++++++++--
+ include/linux/pps_kernel.h | 1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
+index 63f96357eb9f..e1689957736d 100644
+--- a/drivers/pps/pps.c
++++ b/drivers/pps/pps.c
+@@ -41,6 +41,9 @@ static __poll_t pps_cdev_poll(struct file *file, poll_table *wait)
+
+ poll_wait(file, &pps->queue, wait);
+
++ if (pps->last_fetched_ev == pps->last_ev)
++ return 0;
++
+ return EPOLLIN | EPOLLRDNORM;
+ }
+
+@@ -186,9 +189,11 @@ static long pps_cdev_ioctl(struct file *file,
+ if (err)
+ return err;
+
+- /* Return the fetched timestamp */
++ /* Return the fetched timestamp and save last fetched event */
+ spin_lock_irq(&pps->lock);
+
++ pps->last_fetched_ev = pps->last_ev;
++
+ fdata.info.assert_sequence = pps->assert_sequence;
+ fdata.info.clear_sequence = pps->clear_sequence;
+ fdata.info.assert_tu = pps->assert_tu;
+@@ -272,9 +277,11 @@ static long pps_cdev_compat_ioctl(struct file *file,
+ if (err)
+ return err;
+
+- /* Return the fetched timestamp */
++ /* Return the fetched timestamp and save last fetched event */
+ spin_lock_irq(&pps->lock);
+
++ pps->last_fetched_ev = pps->last_ev;
++
+ compat.info.assert_sequence = pps->assert_sequence;
+ compat.info.clear_sequence = pps->clear_sequence;
+ compat.info.current_mode = pps->current_mode;
+diff --git a/include/linux/pps_kernel.h b/include/linux/pps_kernel.h
+index c7abce28ed29..aab0aebb529e 100644
+--- a/include/linux/pps_kernel.h
++++ b/include/linux/pps_kernel.h
+@@ -52,6 +52,7 @@ struct pps_device {
+ int current_mode; /* PPS mode at event time */
+
+ unsigned int last_ev; /* last PPS event id */
++ unsigned int last_fetched_ev; /* last fetched PPS event id */
+ wait_queue_head_t queue; /* PPS event queue */
+
+ unsigned int id; /* PPS source unique ID */
+--
+2.39.5
+
--- /dev/null
+From 40a3818be3686dfe3f22263d280f1396dd510c98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jun 2025 10:13:53 +0800
+Subject: proc: use the same treatment to check proc_lseek as ones for
+ proc_read_iter et.al
+
+From: wangzijie <wangzijie1@honor.com>
+
+[ Upstream commit ff7ec8dc1b646296f8d94c39339e8d3833d16c05 ]
+
+Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario.
+It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in
+proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same
+manner.
+
+Link: https://lkml.kernel.org/r/20250607021353.1127963-1-wangzijie1@honor.com
+Fixes: 3f61631d47f1 ("take care to handle NULL ->proc_lseek()")
+Signed-off-by: wangzijie <wangzijie1@honor.com>
+Reviewed-by: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
+Cc: Kirill A. Shuemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/generic.c | 2 ++
+ fs/proc/inode.c | 2 +-
+ fs/proc/internal.h | 5 +++++
+ include/linux/proc_fs.h | 1 +
+ 4 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/fs/proc/generic.c b/fs/proc/generic.c
+index c8785d68e870..2187d9ca351c 100644
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -567,6 +567,8 @@ static void pde_set_flags(struct proc_dir_entry *pde)
+ if (pde->proc_ops->proc_compat_ioctl)
+ pde->flags |= PROC_ENTRY_proc_compat_ioctl;
+ #endif
++ if (pde->proc_ops->proc_lseek)
++ pde->flags |= PROC_ENTRY_proc_lseek;
+ }
+
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+diff --git a/fs/proc/inode.c b/fs/proc/inode.c
+index 4b3ae7e0def3..92772702d369 100644
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -494,7 +494,7 @@ static int proc_reg_open(struct inode *inode, struct file *file)
+ typeof_member(struct proc_ops, proc_release) release;
+ struct pde_opener *pdeo;
+
+- if (!pde->proc_ops->proc_lseek)
++ if (!pde_has_proc_lseek(pde))
+ file->f_mode &= ~FMODE_LSEEK;
+
+ if (pde_is_permanent(pde)) {
+diff --git a/fs/proc/internal.h b/fs/proc/internal.h
+index 445c74a39a93..fe3781360120 100644
+--- a/fs/proc/internal.h
++++ b/fs/proc/internal.h
+@@ -98,6 +98,11 @@ static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde)
+ #endif
+ }
+
++static inline bool pde_has_proc_lseek(const struct proc_dir_entry *pde)
++{
++ return pde->flags & PROC_ENTRY_proc_lseek;
++}
++
+ extern struct kmem_cache *proc_dir_entry_cache;
+ void pde_free(struct proc_dir_entry *pde);
+
+diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
+index 1aca3f332d9c..85672adc7349 100644
+--- a/include/linux/proc_fs.h
++++ b/include/linux/proc_fs.h
+@@ -27,6 +27,7 @@ enum {
+
+ PROC_ENTRY_proc_read_iter = 1U << 1,
+ PROC_ENTRY_proc_compat_ioctl = 1U << 2,
++ PROC_ENTRY_proc_lseek = 1U << 3,
+ };
+
+ struct proc_ops {
+--
+2.39.5
+
--- /dev/null
+From 297d5494b57dacaf1ff8d68f58703beffd095d80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 19:39:05 +0800
+Subject: RDMA/hns: Fix -Wframe-larger-than issue
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 79d56805c5068f2bc81518043e043c3dedd1c82a ]
+
+Fix -Wframe-larger-than issue by allocating memory for qpc struct
+with kzalloc() instead of using stack memory.
+
+Fixes: 606bf89e98ef ("RDMA/hns: Refactor for hns_roce_v2_modify_qp function")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506240032.CSgIyFct-lkp@intel.com/
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250703113905.3597124-7-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 9d23d4b5c128..4a10b826d15a 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -5192,11 +5192,10 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
+ {
+ struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device);
+ struct hns_roce_qp *hr_qp = to_hr_qp(ibqp);
+- struct hns_roce_v2_qp_context ctx[2];
+- struct hns_roce_v2_qp_context *context = ctx;
+- struct hns_roce_v2_qp_context *qpc_mask = ctx + 1;
++ struct hns_roce_v2_qp_context *context;
++ struct hns_roce_v2_qp_context *qpc_mask;
+ struct ib_device *ibdev = &hr_dev->ib_dev;
+- int ret;
++ int ret = -ENOMEM;
+
+ if (attr_mask & ~IB_QP_ATTR_STANDARD_BITS)
+ return -EOPNOTSUPP;
+@@ -5207,7 +5206,11 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
+ * we should set all bits of the relevant fields in context mask to
+ * 0 at the same time, else set them to 0x1.
+ */
+- memset(context, 0, hr_dev->caps.qpc_sz);
++ context = kvzalloc(sizeof(*context), GFP_KERNEL);
++ qpc_mask = kvzalloc(sizeof(*qpc_mask), GFP_KERNEL);
++ if (!context || !qpc_mask)
++ goto out;
++
+ memset(qpc_mask, 0xff, hr_dev->caps.qpc_sz);
+
+ ret = hns_roce_v2_set_abs_fields(ibqp, attr, attr_mask, cur_state,
+@@ -5249,6 +5252,8 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
+ clear_qp(hr_qp);
+
+ out:
++ kvfree(qpc_mask);
++ kvfree(context);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 217d74cc2cf0d1f9933d6601179e106b62d6fbad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 17:45:29 +0200
+Subject: Reapply "wifi: mac80211: Update skb's control block key in
+ ieee80211_tx_dequeue()"
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 754fe848b3b297fc85ec24cd959bad22b6df8cb8 ]
+
+This reverts commit 0937cb5f345c ("Revert "wifi: mac80211: Update
+skb's control block key in ieee80211_tx_dequeue()"").
+
+This commit broke TX with 802.11 encapsulation HW offloading, now that
+this is fixed, reapply it.
+
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/66b8fc39fb0194fa06c9ca7eeb6ffe0118dcb3ec.1752765971.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index e4797eb9c2ba..7eddcb6f9645 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3884,6 +3884,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ * The key can be removed while the packet was queued, so need to call
+ * this here to get the current key.
+ */
++ info->control.hw_key = NULL;
+ r = ieee80211_tx_h_select_key(&tx);
+ if (r != TX_CONTINUE) {
+ ieee80211_free_txskb(&local->hw, skb);
+--
+2.39.5
+
--- /dev/null
+From a279ccf9aa0b8ff4dfd22456ccdeaba632316c21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 15:11:32 +0200
+Subject: Revert "fs/ntfs3: Replace inode_trylock with inode_lock"
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+[ Upstream commit a49f0abd8959048af18c6c690b065eb0d65b2d21 ]
+
+This reverts commit 69505fe98f198ee813898cbcaf6770949636430b.
+
+Initially, conditional lock acquisition was removed to fix an xfstest bug
+that was observed during internal testing. The deadlock reported by syzbot
+is resolved by reintroducing conditional acquisition. The xfstest bug no
+longer occurs on kernel version 6.16-rc1 during internal testing. I
+assume that changes in other modules may have contributed to this.
+
+Fixes: 69505fe98f19 ("fs/ntfs3: Replace inode_trylock with inode_lock")
+Reported-by: syzbot+a91fcdbd2698f99db8f4@syzkaller.appspotmail.com
+Suggested-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/file.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
+index 4aea45821611..a7fe2e02c32e 100644
+--- a/fs/ntfs3/file.c
++++ b/fs/ntfs3/file.c
+@@ -299,7 +299,10 @@ static int ntfs_file_mmap(struct file *file, struct vm_area_struct *vma)
+ }
+
+ if (ni->i_valid < to) {
+- inode_lock(inode);
++ if (!inode_trylock(inode)) {
++ err = -EAGAIN;
++ goto out;
++ }
+ err = ntfs_extend_initialized_size(file, ni,
+ ni->i_valid, to);
+ inode_unlock(inode);
+--
+2.39.5
+
--- /dev/null
+From 0d1af2d49bcec6771813c4b351d830d5cb3f1c9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 10:30:09 +0200
+Subject: Revert "vmci: Prevent the dispatching of uninitialized payloads"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 8f5d9bed6122b8d96508436e5ad2498bb797eb6b ]
+
+This reverts commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031.
+
+While the code "looks" correct, the compiler has no way to know that
+doing "fun" pointer math like this really isn't a write off the end of
+the structure as there is no hint anywhere that the structure has data
+at the end of it.
+
+This causes the following build warning:
+
+In function 'fortify_memset_chk',
+ inlined from 'ctx_fire_notification.isra' at drivers/misc/vmw_vmci/vmci_context.c:254:3:
+include/linux/fortify-string.h:480:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
+ 480 | __write_overflow_field(p_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+So revert it for now and it can come back in the future in a "sane" way
+that either correctly makes the structure know that there is trailing
+data, OR just the payload structure is properly referenced and zeroed
+out.
+
+Fixes: bfb4cf9fb97e ("vmci: Prevent the dispatching of uninitialized payloads")
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://lore.kernel.org/r/20250703171021.0aee1482@canb.auug.org.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c
+index d566103caa27..f22b44827e92 100644
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -251,8 +251,6 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags)
+ ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID,
+ VMCI_CONTEXT_RESOURCE_ID);
+ ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr);
+- memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0,
+- ev.msg.hdr.payload_size);
+ ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED;
+ ev.payload.context_id = context_id;
+
+--
+2.39.5
+
--- /dev/null
+From ac0bd25dfdee120ef3420ab551720fb4c81d7ffb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:21 -0400
+Subject: rtc: ds1307: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit cf6eb547a24af7ad7bbd2abe9c5327f956bbeae8 ]
+
+When ds3231_clk_sqw_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: 6c6ff145b3346 ("rtc: ds1307: add clock provider support for DS3231")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-1-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index 0c7845196092..e14981383c01 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -1461,7 +1461,7 @@ static long ds3231_clk_sqw_round_rate(struct clk_hw *hw, unsigned long rate,
+ return ds3231_clk_sqw_rates[i];
+ }
+
+- return 0;
++ return ds3231_clk_sqw_rates[ARRAY_SIZE(ds3231_clk_sqw_rates) - 1];
+ }
+
+ static int ds3231_clk_sqw_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From f87f1b7744b116cba5fd076ded47111e358c4d26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:22 -0400
+Subject: rtc: hym8563: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit d0a518eb0a692a2ab8357e844970660c5ea37720 ]
+
+When hym8563_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: dcaf038493525 ("rtc: add hym8563 rtc-driver")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-2-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-hym8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-hym8563.c b/drivers/rtc/rtc-hym8563.c
+index b018535c842b..b873918042e3 100644
+--- a/drivers/rtc/rtc-hym8563.c
++++ b/drivers/rtc/rtc-hym8563.c
+@@ -294,7 +294,7 @@ static long hym8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int hym8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From 0d87fa5160992bfbad894a11bd62e92f8a82fe48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:23 -0400
+Subject: rtc: nct3018y: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit 437c59e4b222cd697b4cf95995d933e7d583c5f1 ]
+
+When nct3018y_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: 5adbaed16cc63 ("rtc: Add NCT3018Y real time clock driver")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-3-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-nct3018y.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-nct3018y.c b/drivers/rtc/rtc-nct3018y.c
+index c4533c0f5389..5e7a8c7ad58c 100644
+--- a/drivers/rtc/rtc-nct3018y.c
++++ b/drivers/rtc/rtc-nct3018y.c
+@@ -342,7 +342,7 @@ static long nct3018y_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int nct3018y_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From c0d9c9b17b4a462366db341f2c218e6e8bbb2f6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:24 -0400
+Subject: rtc: pcf85063: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit 186ae1869880e58bb3f142d222abdb35ecb4df0f ]
+
+When pcf85063_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: 8c229ab6048b7 ("rtc: pcf85063: Add pcf85063 clkout control to common clock framework")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-4-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf85063.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
+index 73848f764559..2b4921c23467 100644
+--- a/drivers/rtc/rtc-pcf85063.c
++++ b/drivers/rtc/rtc-pcf85063.c
+@@ -410,7 +410,7 @@ static long pcf85063_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int pcf85063_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From 984b68c2f070c30e77474118e3a74709fa387691 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:25 -0400
+Subject: rtc: pcf8563: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit 906726a5efeefe0ef0103ccff5312a09080c04ae ]
+
+When pcf8563_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: a39a6405d5f94 ("rtc: pcf8563: add CLKOUT to common clock framework")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-5-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-pcf8563.c b/drivers/rtc/rtc-pcf8563.c
+index ea82b89d8929..61be91c25cf1 100644
+--- a/drivers/rtc/rtc-pcf8563.c
++++ b/drivers/rtc/rtc-pcf8563.c
+@@ -386,7 +386,7 @@ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int pcf8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From 6bca0a9521fefc52a0bdbd7d31a20335cd4b2478 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:26 -0400
+Subject: rtc: rv3028: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit b574acb3cf7591d2513a9f29f8c2021ad55fb881 ]
+
+When rv3028_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: f583c341a515f ("rtc: rv3028: add clkout support")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-6-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-rv3028.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-rv3028.c b/drivers/rtc/rtc-rv3028.c
+index 2f001c59c61d..86b7f821e937 100644
+--- a/drivers/rtc/rtc-rv3028.c
++++ b/drivers/rtc/rtc-rv3028.c
+@@ -738,7 +738,7 @@ static long rv3028_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+ if (clkout_rates[i] <= rate)
+ return clkout_rates[i];
+
+- return 0;
++ return clkout_rates[0];
+ }
+
+ static int rv3028_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.39.5
+
--- /dev/null
+From 31c942a3cae755c03ba2bfbd2bd50e3151bc81f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 19:29:55 +0530
+Subject: samples: mei: Fix building on musl libc
+
+From: Brahmajit Das <listout@listout.xyz>
+
+[ Upstream commit 239df3e4b4752524e7c0fb3417c218d8063654b4 ]
+
+The header bits/wordsize.h is glibc specific and on building on musl
+with allyesconfig results in
+
+samples/mei/mei-amt-version.c:77:10: fatal error: bits/wordsize.h: No such file or directory
+ 77 | #include <bits/wordsize.h>
+ | ^~~~~~~~~~~~~~~~~
+
+mei-amt-version.c build file without bits/wordsize.h on musl and glibc.
+
+However on musl we get the follwing error without sys/time.h
+
+samples/mei/mei-amt-version.c: In function 'mei_recv_msg':
+samples/mei/mei-amt-version.c:159:24: error: storage size of 'tv' isn't known
+ 159 | struct timeval tv;
+ | ^~
+samples/mei/mei-amt-version.c:160:9: error: unknown type name 'fd_set'
+ 160 | fd_set set;
+ | ^~~~~~
+samples/mei/mei-amt-version.c:168:9: error: implicit declaration of function 'FD_ZERO' [-Wimplicit-function-declaration]
+ 168 | FD_ZERO(&set);
+ | ^~~~~~~
+samples/mei/mei-amt-version.c:169:9: error: implicit declaration of function 'FD_SET'; did you mean 'L_SET'? [-Wimplicit-function-declaration]
+ 169 | FD_SET(me->fd, &set);
+ | ^~~~~~
+ | L_SET
+samples/mei/mei-amt-version.c:170:14: error: implicit declaration of function 'select' [-Wimplicit-function-declaration]
+ 170 | rc = select(me->fd + 1, &set, NULL, NULL, &tv);
+ | ^~~~~~
+samples/mei/mei-amt-version.c:171:23: error: implicit declaration of function 'FD_ISSET' [-Wimplicit-function-declaration]
+ 171 | if (rc > 0 && FD_ISSET(me->fd, &set)) {
+ | ^~~~~~~~
+samples/mei/mei-amt-version.c:159:24: warning: unused variable 'tv' [-Wunused-variable]
+ 159 | struct timeval tv;
+ | ^~
+
+Hence the the file has been included.
+
+Fixes: c52827cc4ddf ("staging/mei: add mei user space example")
+Signed-off-by: Brahmajit Das <listout@listout.xyz>
+Link: https://lore.kernel.org/r/20250702135955.24955-1-listout@listout.xyz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/mei/mei-amt-version.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/mei/mei-amt-version.c b/samples/mei/mei-amt-version.c
+index 867debd3b912..1d7254bcb44c 100644
+--- a/samples/mei/mei-amt-version.c
++++ b/samples/mei/mei-amt-version.c
+@@ -69,11 +69,11 @@
+ #include <string.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
++#include <sys/time.h>
+ #include <unistd.h>
+ #include <errno.h>
+ #include <stdint.h>
+ #include <stdbool.h>
+-#include <bits/wordsize.h>
+ #include <linux/mei.h>
+
+ /*****************************************************************************
+--
+2.39.5
+
--- /dev/null
+From 8b5d51432765dd4d2c08a92607727eab3832ae24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 11:03:59 -0300
+Subject: sched: Do not call __put_task_struct() on rt if pi_blocked_on is set
+
+From: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
+
+[ Upstream commit 8671bad873ebeb082afcf7b4501395c374da6023 ]
+
+With PREEMPT_RT enabled, some of the calls to put_task_struct() coming
+from rt_mutex_adjust_prio_chain() could happen in preemptible context and
+with a mutex enqueued. That could lead to this sequence:
+
+ rt_mutex_adjust_prio_chain()
+ put_task_struct()
+ __put_task_struct()
+ sched_ext_free()
+ spin_lock_irqsave()
+ rtlock_lock() ---> TRIGGERS
+ lockdep_assert(!current->pi_blocked_on);
+
+This is not a SCHED_EXT bug. The first cleanup function called by
+__put_task_struct() is sched_ext_free() and it happens to take a
+(RT) spin_lock, which in the scenario described above, would trigger
+the lockdep assertion of "!current->pi_blocked_on".
+
+Crystal Wood was able to identify the problem as __put_task_struct()
+being called during rt_mutex_adjust_prio_chain(), in the context of
+a process with a mutex enqueued.
+
+Instead of adding more complex conditions to decide when to directly
+call __put_task_struct() and when to defer the call, unconditionally
+resort to the deferred call on PREEMPT_RT to simplify the code.
+
+Fixes: 893cdaaa3977 ("sched: avoid false lockdep splat in put_task_struct()")
+Suggested-by: Crystal Wood <crwood@redhat.com>
+Signed-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Wander Lairson Costa <wander@redhat.com>
+Reviewed-by: Valentin Schneider <vschneid@redhat.com>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/aGvTz5VaPFyj0pBV@uudg.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/task.h | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+diff --git a/include/linux/sched/task.h b/include/linux/sched/task.h
+index 8dbecab4c400..d440ee805900 100644
+--- a/include/linux/sched/task.h
++++ b/include/linux/sched/task.h
+@@ -127,24 +127,17 @@ static inline void put_task_struct(struct task_struct *t)
+ return;
+
+ /*
+- * In !RT, it is always safe to call __put_task_struct().
+- * Under RT, we can only call it in preemptible context.
+- */
+- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible()) {
+- static DEFINE_WAIT_OVERRIDE_MAP(put_task_map, LD_WAIT_SLEEP);
+-
+- lock_map_acquire_try(&put_task_map);
+- __put_task_struct(t);
+- lock_map_release(&put_task_map);
+- return;
+- }
+-
+- /*
+- * under PREEMPT_RT, we can't call put_task_struct
++ * Under PREEMPT_RT, we can't call __put_task_struct
+ * in atomic context because it will indirectly
+- * acquire sleeping locks.
++ * acquire sleeping locks. The same is true if the
++ * current process has a mutex enqueued (blocked on
++ * a PI chain).
++ *
++ * In !RT, it is always safe to call __put_task_struct().
++ * Though, in order to simplify the code, resort to the
++ * deferred call too.
+ *
+- * call_rcu() will schedule delayed_put_task_struct_rcu()
++ * call_rcu() will schedule __put_task_struct_rcu_cb()
+ * to be called in process context.
+ *
+ * __put_task_struct() is called when
+@@ -157,7 +150,7 @@ static inline void put_task_struct(struct task_struct *t)
+ *
+ * delayed_free_task() also uses ->rcu, but it is only called
+ * when it fails to fork a process. Therefore, there is no
+- * way it can conflict with put_task_struct().
++ * way it can conflict with __put_task_struct().
+ */
+ call_rcu(&t->rcu, __put_task_struct_rcu_cb);
+ }
+--
+2.39.5
+
--- /dev/null
+From 2877b4e3930a32e22af07c7b45a6fe4110a2dc60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 15:11:14 -0400
+Subject: sched/psi: Fix psi_seq initialization
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 99b773d720aeea1ef2170dce5fcfa80649e26b78 ]
+
+With the seqcount moved out of the group into a global psi_seq,
+re-initializing the seqcount on group creation is causing seqcount
+corruption.
+
+Fixes: 570c8efd5eb7 ("sched/psi: Optimize psi_group_change() cpu_clock() usage")
+Reported-by: Chris Mason <clm@meta.com>
+Suggested-by: Beata Michalska <beata.michalska@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/psi.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
+index 837b065749ce..08a9a9f909d5 100644
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -172,7 +172,7 @@ struct psi_group psi_system = {
+ .pcpu = &system_group_pcpu,
+ };
+
+-static DEFINE_PER_CPU(seqcount_t, psi_seq);
++static DEFINE_PER_CPU(seqcount_t, psi_seq) = SEQCNT_ZERO(psi_seq);
+
+ static inline void psi_write_begin(int cpu)
+ {
+@@ -200,11 +200,7 @@ static void poll_timer_fn(struct timer_list *t);
+
+ static void group_init(struct psi_group *group)
+ {
+- int cpu;
+-
+ group->enabled = true;
+- for_each_possible_cpu(cpu)
+- seqcount_init(per_cpu_ptr(&psi_seq, cpu));
+ group->avg_last_update = sched_clock();
+ group->avg_next_update = group->avg_last_update + psi_period;
+ mutex_init(&group->avgs_lock);
+--
+2.39.5
+
--- /dev/null
+From 0c0acd714c937e689d6a6149ac585e7151540c67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 17:28:00 +0200
+Subject: sched/psi: Optimize psi_group_change() cpu_clock() usage
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 570c8efd5eb79c3725ba439ce105ed1bedc5acd9 ]
+
+Dietmar reported that commit 3840cbe24cf0 ("sched: psi: fix bogus
+pressure spikes from aggregation race") caused a regression for him on
+a high context switch rate benchmark (schbench) due to the now
+repeating cpu_clock() calls.
+
+In particular the problem is that get_recent_times() will extrapolate
+the current state to 'now'. But if an update uses a timestamp from
+before the start of the update, it is possible to get two reads
+with inconsistent results. It is effectively back-dating an update.
+
+(note that this all hard-relies on the clock being synchronized across
+CPUs -- if this is not the case, all bets are off).
+
+Combine this problem with the fact that there are per-group-per-cpu
+seqcounts, the commit in question pushed the clock read into the group
+iteration, causing tree-depth cpu_clock() calls. On architectures
+where cpu_clock() has appreciable overhead, this hurts.
+
+Instead move to a per-cpu seqcount, which allows us to have a single
+clock read for all group updates, increasing internal consistency and
+lowering update overhead. This comes at the cost of a longer update
+side (proportional to the tree depth) which can cause the read side to
+retry more often.
+
+Fixes: 3840cbe24cf0 ("sched: psi: fix bogus pressure spikes from aggregation race")
+Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>,
+Link: https://lkml.kernel.org/20250522084844.GC31726@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/psi_types.h | 6 +-
+ kernel/sched/psi.c | 121 +++++++++++++++++++++-----------------
+ 2 files changed, 68 insertions(+), 59 deletions(-)
+
+diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h
+index f1fd3a8044e0..dd10c22299ab 100644
+--- a/include/linux/psi_types.h
++++ b/include/linux/psi_types.h
+@@ -84,11 +84,9 @@ enum psi_aggregators {
+ struct psi_group_cpu {
+ /* 1st cacheline updated by the scheduler */
+
+- /* Aggregator needs to know of concurrent changes */
+- seqcount_t seq ____cacheline_aligned_in_smp;
+-
+ /* States of the tasks belonging to this group */
+- unsigned int tasks[NR_PSI_TASK_COUNTS];
++ unsigned int tasks[NR_PSI_TASK_COUNTS]
++ ____cacheline_aligned_in_smp;
+
+ /* Aggregate pressure state derived from the tasks */
+ u32 state_mask;
+diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
+index f97e1473389f..837b065749ce 100644
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -172,6 +172,28 @@ struct psi_group psi_system = {
+ .pcpu = &system_group_pcpu,
+ };
+
++static DEFINE_PER_CPU(seqcount_t, psi_seq);
++
++static inline void psi_write_begin(int cpu)
++{
++ write_seqcount_begin(per_cpu_ptr(&psi_seq, cpu));
++}
++
++static inline void psi_write_end(int cpu)
++{
++ write_seqcount_end(per_cpu_ptr(&psi_seq, cpu));
++}
++
++static inline u32 psi_read_begin(int cpu)
++{
++ return read_seqcount_begin(per_cpu_ptr(&psi_seq, cpu));
++}
++
++static inline bool psi_read_retry(int cpu, u32 seq)
++{
++ return read_seqcount_retry(per_cpu_ptr(&psi_seq, cpu), seq);
++}
++
+ static void psi_avgs_work(struct work_struct *work);
+
+ static void poll_timer_fn(struct timer_list *t);
+@@ -182,7 +204,7 @@ static void group_init(struct psi_group *group)
+
+ group->enabled = true;
+ for_each_possible_cpu(cpu)
+- seqcount_init(&per_cpu_ptr(group->pcpu, cpu)->seq);
++ seqcount_init(per_cpu_ptr(&psi_seq, cpu));
+ group->avg_last_update = sched_clock();
+ group->avg_next_update = group->avg_last_update + psi_period;
+ mutex_init(&group->avgs_lock);
+@@ -258,14 +280,14 @@ static void get_recent_times(struct psi_group *group, int cpu,
+
+ /* Snapshot a coherent view of the CPU state */
+ do {
+- seq = read_seqcount_begin(&groupc->seq);
++ seq = psi_read_begin(cpu);
+ now = cpu_clock(cpu);
+ memcpy(times, groupc->times, sizeof(groupc->times));
+ state_mask = groupc->state_mask;
+ state_start = groupc->state_start;
+ if (cpu == current_cpu)
+ memcpy(tasks, groupc->tasks, sizeof(groupc->tasks));
+- } while (read_seqcount_retry(&groupc->seq, seq));
++ } while (psi_read_retry(cpu, seq));
+
+ /* Calculate state time deltas against the previous snapshot */
+ for (s = 0; s < NR_PSI_STATES; s++) {
+@@ -775,31 +797,21 @@ static void record_times(struct psi_group_cpu *groupc, u64 now)
+ groupc->times[PSI_NONIDLE] += delta;
+ }
+
++#define for_each_group(iter, group) \
++ for (typeof(group) iter = group; iter; iter = iter->parent)
++
+ static void psi_group_change(struct psi_group *group, int cpu,
+ unsigned int clear, unsigned int set,
+- bool wake_clock)
++ u64 now, bool wake_clock)
+ {
+ struct psi_group_cpu *groupc;
+ unsigned int t, m;
+ enum psi_states s;
+ u32 state_mask;
+- u64 now;
+
+ lockdep_assert_rq_held(cpu_rq(cpu));
+ groupc = per_cpu_ptr(group->pcpu, cpu);
+
+- /*
+- * First we update the task counts according to the state
+- * change requested through the @clear and @set bits.
+- *
+- * Then if the cgroup PSI stats accounting enabled, we
+- * assess the aggregate resource states this CPU's tasks
+- * have been in since the last change, and account any
+- * SOME and FULL time these may have resulted in.
+- */
+- write_seqcount_begin(&groupc->seq);
+- now = cpu_clock(cpu);
+-
+ /*
+ * Start with TSK_ONCPU, which doesn't have a corresponding
+ * task count - it's just a boolean flag directly encoded in
+@@ -851,7 +863,6 @@ static void psi_group_change(struct psi_group *group, int cpu,
+
+ groupc->state_mask = state_mask;
+
+- write_seqcount_end(&groupc->seq);
+ return;
+ }
+
+@@ -875,8 +886,6 @@ static void psi_group_change(struct psi_group *group, int cpu,
+
+ groupc->state_mask = state_mask;
+
+- write_seqcount_end(&groupc->seq);
+-
+ if (state_mask & group->rtpoll_states)
+ psi_schedule_rtpoll_work(group, 1, false);
+
+@@ -911,24 +920,29 @@ static void psi_flags_change(struct task_struct *task, int clear, int set)
+ void psi_task_change(struct task_struct *task, int clear, int set)
+ {
+ int cpu = task_cpu(task);
+- struct psi_group *group;
++ u64 now;
+
+ if (!task->pid)
+ return;
+
+ psi_flags_change(task, clear, set);
+
+- group = task_psi_group(task);
+- do {
+- psi_group_change(group, cpu, clear, set, true);
+- } while ((group = group->parent));
++ psi_write_begin(cpu);
++ now = cpu_clock(cpu);
++ for_each_group(group, task_psi_group(task))
++ psi_group_change(group, cpu, clear, set, now, true);
++ psi_write_end(cpu);
+ }
+
+ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
+ bool sleep)
+ {
+- struct psi_group *group, *common = NULL;
++ struct psi_group *common = NULL;
+ int cpu = task_cpu(prev);
++ u64 now;
++
++ psi_write_begin(cpu);
++ now = cpu_clock(cpu);
+
+ if (next->pid) {
+ psi_flags_change(next, 0, TSK_ONCPU);
+@@ -937,16 +951,15 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
+ * ancestors with @prev, those will already have @prev's
+ * TSK_ONCPU bit set, and we can stop the iteration there.
+ */
+- group = task_psi_group(next);
+- do {
+- if (per_cpu_ptr(group->pcpu, cpu)->state_mask &
+- PSI_ONCPU) {
++ for_each_group(group, task_psi_group(next)) {
++ struct psi_group_cpu *groupc = per_cpu_ptr(group->pcpu, cpu);
++
++ if (groupc->state_mask & PSI_ONCPU) {
+ common = group;
+ break;
+ }
+-
+- psi_group_change(group, cpu, 0, TSK_ONCPU, true);
+- } while ((group = group->parent));
++ psi_group_change(group, cpu, 0, TSK_ONCPU, now, true);
++ }
+ }
+
+ if (prev->pid) {
+@@ -979,12 +992,11 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
+
+ psi_flags_change(prev, clear, set);
+
+- group = task_psi_group(prev);
+- do {
++ for_each_group(group, task_psi_group(prev)) {
+ if (group == common)
+ break;
+- psi_group_change(group, cpu, clear, set, wake_clock);
+- } while ((group = group->parent));
++ psi_group_change(group, cpu, clear, set, now, wake_clock);
++ }
+
+ /*
+ * TSK_ONCPU is handled up to the common ancestor. If there are
+@@ -994,27 +1006,27 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
+ */
+ if ((prev->psi_flags ^ next->psi_flags) & ~TSK_ONCPU) {
+ clear &= ~TSK_ONCPU;
+- for (; group; group = group->parent)
+- psi_group_change(group, cpu, clear, set, wake_clock);
++ for_each_group(group, common)
++ psi_group_change(group, cpu, clear, set, now, wake_clock);
+ }
+ }
++ psi_write_end(cpu);
+ }
+
+ #ifdef CONFIG_IRQ_TIME_ACCOUNTING
+ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_struct *prev)
+ {
+ int cpu = task_cpu(curr);
+- struct psi_group *group;
+ struct psi_group_cpu *groupc;
+ s64 delta;
+ u64 irq;
++ u64 now;
+
+ if (!curr->pid)
+ return;
+
+ lockdep_assert_rq_held(rq);
+- group = task_psi_group(curr);
+- if (prev && task_psi_group(prev) == group)
++ if (prev && task_psi_group(prev) == task_psi_group(curr))
+ return;
+
+ irq = irq_time_read(cpu);
+@@ -1023,25 +1035,22 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st
+ return;
+ rq->psi_irq_time = irq;
+
+- do {
+- u64 now;
++ psi_write_begin(cpu);
++ now = cpu_clock(cpu);
+
++ for_each_group(group, task_psi_group(curr)) {
+ if (!group->enabled)
+ continue;
+
+ groupc = per_cpu_ptr(group->pcpu, cpu);
+
+- write_seqcount_begin(&groupc->seq);
+- now = cpu_clock(cpu);
+-
+ record_times(groupc, now);
+ groupc->times[PSI_IRQ_FULL] += delta;
+
+- write_seqcount_end(&groupc->seq);
+-
+ if (group->rtpoll_states & (1 << PSI_IRQ_FULL))
+ psi_schedule_rtpoll_work(group, 1, false);
+- } while ((group = group->parent));
++ }
++ psi_write_end(cpu);
+ }
+ #endif
+
+@@ -1229,12 +1238,14 @@ void psi_cgroup_restart(struct psi_group *group)
+ return;
+
+ for_each_possible_cpu(cpu) {
+- struct rq *rq = cpu_rq(cpu);
+- struct rq_flags rf;
++ u64 now;
+
+- rq_lock_irq(rq, &rf);
+- psi_group_change(group, cpu, 0, 0, true);
+- rq_unlock_irq(rq, &rf);
++ guard(rq_lock_irq)(cpu_rq(cpu));
++
++ psi_write_begin(cpu);
++ now = cpu_clock(cpu);
++ psi_group_change(group, cpu, 0, 0, now, true);
++ psi_write_end(cpu);
+ }
+ }
+ #endif /* CONFIG_CGROUPS */
+--
+2.39.5
+
--- /dev/null
+From a6d797bd719ed69c33be035b1d2f8459ff967aa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:41:13 +0200
+Subject: scsi: elx: efct: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 3a988d0b65d7d1713ce7596eae288a293f3b938e ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 692e5d73a811 ("scsi: elx: efct: LIO backend interface routines")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250627114117.188480-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/elx/efct/efct_lio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/elx/efct/efct_lio.c b/drivers/scsi/elx/efct/efct_lio.c
+index a982b9cf9870..49d7fe150684 100644
+--- a/drivers/scsi/elx/efct/efct_lio.c
++++ b/drivers/scsi/elx/efct/efct_lio.c
+@@ -382,7 +382,7 @@ efct_lio_sg_unmap(struct efct_io *io)
+ return;
+
+ dma_unmap_sg(&io->efct->pci->dev, cmd->t_data_sg,
+- ocp->seg_map_cnt, cmd->data_direction);
++ cmd->t_data_nents, cmd->data_direction);
+ ocp->seg_map_cnt = 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 9efd0cd3a223c1a4dc64cc3208908719f7bc2b94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 13:18:02 +0200
+Subject: scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 023a293b9cd0bb86a9b50cd7688a3d9d266826db ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 88a678bbc34c ("ibmvscsis: Initial commit of IBM VSCSI Tgt Driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250630111803.94389-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ibmvscsi_tgt/libsrp.c b/drivers/scsi/ibmvscsi_tgt/libsrp.c
+index 8a0e28aec928..0ecad398ed3d 100644
+--- a/drivers/scsi/ibmvscsi_tgt/libsrp.c
++++ b/drivers/scsi/ibmvscsi_tgt/libsrp.c
+@@ -184,7 +184,8 @@ static int srp_direct_data(struct ibmvscsis_cmd *cmd, struct srp_direct_buf *md,
+ err = rdma_io(cmd, sg, nsg, md, 1, dir, len);
+
+ if (dma_map)
+- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
++ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents,
++ DMA_BIDIRECTIONAL);
+
+ return err;
+ }
+@@ -256,7 +257,8 @@ static int srp_indirect_data(struct ibmvscsis_cmd *cmd, struct srp_cmd *srp_cmd,
+ err = rdma_io(cmd, sg, nsg, md, nmd, dir, len);
+
+ if (dma_map)
+- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
++ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents,
++ DMA_BIDIRECTIONAL);
+
+ free_mem:
+ if (token && dma_map) {
+--
+2.39.5
+
--- /dev/null
+From 1aa244adebdbd5278c4ff8aca47b206cb31e8965 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 16:24:47 +0200
+Subject: scsi: isci: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 063bec4444d54e5f35d11949c5c90eaa1ff84c11 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: ddcc7e347a89 ("isci: fix dma_unmap_sg usage")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250627142451.241713-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/isci/request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
+index 7162a5029b37..3841db665fe4 100644
+--- a/drivers/scsi/isci/request.c
++++ b/drivers/scsi/isci/request.c
+@@ -2907,7 +2907,7 @@ static void isci_request_io_request_complete(struct isci_host *ihost,
+ task->total_xfer_len, task->data_dir);
+ else /* unmap the sgl dma addresses */
+ dma_unmap_sg(&ihost->pdev->dev, task->scatter,
+- request->num_sg_entries, task->data_dir);
++ task->num_scatter, task->data_dir);
+ break;
+ case SAS_PROTOCOL_SMP: {
+ struct scatterlist *sg = &task->smp_task.smp_req;
+--
+2.39.5
+
--- /dev/null
+From 5a4d81b51f62110865cc0cf4c8edb5404f4b4853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 17:30:18 +0200
+Subject: scsi: mpt3sas: Fix a fw_event memory leak
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+[ Upstream commit 3e90b38781e3bdd651edaf789585687611638862 ]
+
+In _mpt3sas_fw_work() the fw_event reference is removed, it should also
+be freed in all cases.
+
+Fixes: 4318c7347847 ("scsi: mpt3sas: Handle NVMe PCIe device related events generated from firmware.")
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Link: https://lore.kernel.org/r/20250723153018.50518-1-thenzl@redhat.com
+Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index f270b0d829f6..0afa485fb300 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -10818,8 +10818,7 @@ _mpt3sas_fw_work(struct MPT3SAS_ADAPTER *ioc, struct fw_event_work *fw_event)
+ break;
+ case MPI2_EVENT_PCIE_TOPOLOGY_CHANGE_LIST:
+ _scsih_pcie_topology_change_event(ioc, fw_event);
+- ioc->current_event = NULL;
+- return;
++ break;
+ }
+ out:
+ fw_event_work_put(fw_event);
+--
+2.39.5
+
--- /dev/null
+From 56f708a940e02a11c9c26820275645ac35ad69a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 15:48:18 +0200
+Subject: scsi: mvsas: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 0141618727bc929fe868153d21797f10ce5bef3f ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: b5762948263d ("[SCSI] mvsas: Add Marvell 6440 SAS/SATA driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250627134822.234813-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mvsas/mv_sas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
+index 1444b1f1c4c8..d6897432cf0f 100644
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -828,7 +828,7 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf
+ dev_printk(KERN_ERR, mvi->dev, "mvsas prep failed[%d]!\n", rc);
+ if (!sas_protocol_ata(task->task_proto))
+ if (n_elem)
+- dma_unmap_sg(mvi->dev, task->scatter, n_elem,
++ dma_unmap_sg(mvi->dev, task->scatter, task->num_scatter,
+ task->data_dir);
+ prep_out:
+ return rc;
+@@ -874,7 +874,7 @@ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
+ if (!sas_protocol_ata(task->task_proto))
+ if (slot->n_elem)
+ dma_unmap_sg(mvi->dev, task->scatter,
+- slot->n_elem, task->data_dir);
++ task->num_scatter, task->data_dir);
+
+ switch (task->task_proto) {
+ case SAS_PROTOCOL_SMP:
+--
+2.39.5
+
--- /dev/null
+From fa7ab8ad356a168b66482a33eeb96e0dd973dd3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 15:39:26 +0800
+Subject: scsi: Revert "scsi: iscsi: Fix HW conn removal use after free"
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 7bdc68921481c19cd8c85ddf805a834211c19e61 ]
+
+This reverts commit c577ab7ba5f3bf9062db8a58b6e89d4fe370447e.
+
+The invocation of iscsi_put_conn() in iscsi_iter_destory_conn_fn() is
+used to free the initial reference counter of iscsi_cls_conn. For
+non-qla4xxx cases, the ->destroy_conn() callback (e.g.,
+iscsi_conn_teardown) will call iscsi_remove_conn() and iscsi_put_conn()
+to remove the connection from the children list of session and free the
+connection at last. However for qla4xxx, it is not the case. The
+->destroy_conn() callback of qla4xxx will keep the connection in the
+session conn_list and doesn't use iscsi_put_conn() to free the initial
+reference counter. Therefore, it seems necessary to keep the
+iscsi_put_conn() in the iscsi_iter_destroy_conn_fn(), otherwise, there
+will be memory leak problem.
+
+Link: https://lore.kernel.org/all/88334658-072b-4b90-a949-9c74ef93cfd1@huawei.com/
+Fixes: c577ab7ba5f3 ("scsi: iscsi: Fix HW conn removal use after free")
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Link: https://lore.kernel.org/r/20250715073926.3529456-1-lilingfeng3@huawei.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index f2c31e74d8ed..22bec2453bac 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2169,6 +2169,8 @@ static int iscsi_iter_destroy_conn_fn(struct device *dev, void *data)
+ return 0;
+
+ iscsi_remove_conn(iscsi_dev_to_conn(dev));
++ iscsi_put_conn(iscsi_dev_to_conn(dev));
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a9625eb489adac33c24cd95f8af565be4906193e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 21:45:20 +0000
+Subject: scsi: sd: Make sd shutdown issue START STOP UNIT appropriately
+
+From: Salomon Dushimirimana <salomondush@google.com>
+
+[ Upstream commit 8e48727c26c4d839ff9b4b73d1cae486bea7fe19 ]
+
+Commit aa3998dbeb3a ("ata: libata-scsi: Disable scsi device
+manage_system_start_stop") enabled libata EH to manage device power mode
+trasitions for system suspend/resume and removed the flag from
+ata_scsi_dev_config. However, since the sd_shutdown() function still
+relies on the manage_system_start_stop flag, a spin-down command is not
+issued to the disk with command "echo 1 > /sys/block/sdb/device/delete"
+
+sd_shutdown() can be called for both system/runtime start stop
+operations, so utilize the manage_run_time_start_stop flag set in the
+ata_scsi_dev_config and issue a spin-down command during disk removal
+when the system is running. This is in addition to when the system is
+powering off and manage_shutdown flag is set. The
+manage_system_start_stop flag will still be used for drivers that still
+set the flag.
+
+Fixes: aa3998dbeb3a ("ata: libata-scsi: Disable scsi device manage_system_start_stop")
+Signed-off-by: Salomon Dushimirimana <salomondush@google.com>
+Link: https://lore.kernel.org/r/20250724214520.112927-1-salomondush@google.com
+Tested-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index fe694fec16b5..873c920eb0cf 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3895,7 +3895,9 @@ static void sd_shutdown(struct device *dev)
+ if ((system_state != SYSTEM_RESTART &&
+ sdkp->device->manage_system_start_stop) ||
+ (system_state == SYSTEM_POWER_OFF &&
+- sdkp->device->manage_shutdown)) {
++ sdkp->device->manage_shutdown) ||
++ (system_state == SYSTEM_RUNNING &&
++ sdkp->device->manage_runtime_start_stop)) {
+ sd_printk(KERN_NOTICE, sdkp, "Stopping disk\n");
+ sd_start_stop_device(sdkp, 0);
+ }
+--
+2.39.5
+
--- /dev/null
+From e1161a3b29e34821c623236ae09a12b437163913 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 17:12:13 +0900
+Subject: scsi: ufs: core: Use link recovery when h8 exit fails during runtime
+ resume
+
+From: Seunghui Lee <sh043.lee@samsung.com>
+
+[ Upstream commit 35dabf4503b94a697bababe94678a8bc989c3223 ]
+
+If the h8 exit fails during runtime resume process, the runtime thread
+enters runtime suspend immediately and the error handler operates at the
+same time. It becomes stuck and cannot be recovered through the error
+handler. To fix this, use link recovery instead of the error handler.
+
+Fixes: 4db7a2360597 ("scsi: ufs: Fix concurrency of error handler and other error recovery paths")
+Signed-off-by: Seunghui Lee <sh043.lee@samsung.com>
+Link: https://lore.kernel.org/r/20250717081213.6811-1-sh043.lee@samsung.com
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Acked-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index da20bd3d46bc..7dcdaac31546 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4274,7 +4274,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
+ hba->uic_async_done = NULL;
+ if (reenable_intr)
+ ufshcd_enable_intr(hba, UIC_COMMAND_COMPL);
+- if (ret) {
++ if (ret && !hba->pm_op_in_progress) {
+ ufshcd_set_link_broken(hba);
+ ufshcd_schedule_eh_work(hba);
+ }
+@@ -4282,6 +4282,14 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
+ spin_unlock_irqrestore(hba->host->host_lock, flags);
+ mutex_unlock(&hba->uic_cmd_mutex);
+
++ /*
++ * If the h8 exit fails during the runtime resume process, it becomes
++ * stuck and cannot be recovered through the error handler. To fix
++ * this, use link recovery instead of the error handler.
++ */
++ if (ret && hba->pm_op_in_progress)
++ ret = ufshcd_link_recovery(hba);
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 19da99731696dd33147a1770c0a5e944a69a9a6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 16:42:08 +0800
+Subject: selftests/bpf: fix signedness bug in redir_partial()
+
+From: Fushuai Wang <wangfushuai@baidu.com>
+
+[ Upstream commit 6a4bd31f680a1d1cf06492fe6dc4f08da09769e6 ]
+
+When xsend() returns -1 (error), the check 'n < sizeof(buf)' incorrectly
+treats it as success due to unsigned promotion. Explicitly check for -1
+first.
+
+Fixes: a4b7193d8efd ("selftests/bpf: Add sockmap test for redirecting partial skb data")
+Signed-off-by: Fushuai Wang <wangfushuai@baidu.com>
+Link: https://lore.kernel.org/r/20250612084208.27722-1-wangfushuai@baidu.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/sockmap_listen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c b/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c
+index 84d59419e4eb..a6d8aa8c2a9a 100644
+--- a/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c
++++ b/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c
+@@ -894,6 +894,8 @@ static void redir_partial(int family, int sotype, int sock_map, int parser_map)
+ goto close;
+
+ n = xsend(c1, buf, sizeof(buf), 0);
++ if (n == -1)
++ goto close;
+ if (n < sizeof(buf))
+ FAIL("incomplete write");
+
+--
+2.39.5
+
--- /dev/null
+From ffc30e345bce66febc6cb6eac41848ce1f6e8d91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 17:04:28 +0200
+Subject: selftests: Fix errno checking in syscall_user_dispatch test
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+[ Upstream commit b89732c8c8357487185f260a723a060b3476144e ]
+
+Successful syscalls don't change errno, so checking errno is wrong
+to ensure that a syscall has failed. For example for the following
+sequence:
+
+ prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0);
+ EXPECT_EQ(EINVAL, errno);
+ prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel);
+ EXPECT_EQ(EINVAL, errno);
+
+only the first syscall may fail and set errno, but the second may succeed
+and keep errno intact, and the check will falsely pass.
+Or if errno happened to be EINVAL before, even the first check may falsely
+pass.
+
+Also use EXPECT/ASSERT consistently. Currently there is an inconsistent mix
+without obvious reasons for usage of one or another.
+
+Fixes: 179ef035992e ("selftests: Add kselftest for syscall user dispatch")
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/af6a04dbfef9af8570f5bab43e3ef1416b62699a.1747839857.git.dvyukov@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../syscall_user_dispatch/sud_test.c | 50 +++++++++----------
+ 1 file changed, 25 insertions(+), 25 deletions(-)
+
+diff --git a/tools/testing/selftests/syscall_user_dispatch/sud_test.c b/tools/testing/selftests/syscall_user_dispatch/sud_test.c
+index d975a6767329..48cf01aeec3e 100644
+--- a/tools/testing/selftests/syscall_user_dispatch/sud_test.c
++++ b/tools/testing/selftests/syscall_user_dispatch/sud_test.c
+@@ -79,6 +79,21 @@ TEST_SIGNAL(dispatch_trigger_sigsys, SIGSYS)
+ }
+ }
+
++static void prctl_valid(struct __test_metadata *_metadata,
++ unsigned long op, unsigned long off,
++ unsigned long size, void *sel)
++{
++ EXPECT_EQ(0, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel));
++}
++
++static void prctl_invalid(struct __test_metadata *_metadata,
++ unsigned long op, unsigned long off,
++ unsigned long size, void *sel, int err)
++{
++ EXPECT_EQ(-1, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel));
++ EXPECT_EQ(err, errno);
++}
++
+ TEST(bad_prctl_param)
+ {
+ char sel = SYSCALL_DISPATCH_FILTER_ALLOW;
+@@ -86,57 +101,42 @@ TEST(bad_prctl_param)
+
+ /* Invalid op */
+ op = -1;
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0, 0, &sel);
+- ASSERT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0, 0, &sel, EINVAL);
+
+ /* PR_SYS_DISPATCH_OFF */
+ op = PR_SYS_DISPATCH_OFF;
+
+ /* offset != 0 */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, 0);
+- EXPECT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0x1, 0x0, 0, EINVAL);
+
+ /* len != 0 */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0);
+- EXPECT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0x0, 0xff, 0, EINVAL);
+
+ /* sel != NULL */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel);
+- EXPECT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0x0, 0x0, &sel, EINVAL);
+
+ /* Valid parameter */
+- errno = 0;
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, 0x0);
+- EXPECT_EQ(0, errno);
++ prctl_valid(_metadata, op, 0x0, 0x0, 0x0);
+
+ /* PR_SYS_DISPATCH_ON */
+ op = PR_SYS_DISPATCH_ON;
+
+ /* Dispatcher region is bad (offset > 0 && len == 0) */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, &sel);
+- EXPECT_EQ(EINVAL, errno);
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, -1L, 0x0, &sel);
+- EXPECT_EQ(EINVAL, errno);
++ prctl_invalid(_metadata, op, 0x1, 0x0, &sel, EINVAL);
++ prctl_invalid(_metadata, op, -1L, 0x0, &sel, EINVAL);
+
+ /* Invalid selector */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x1, (void *) -1);
+- ASSERT_EQ(EFAULT, errno);
++ prctl_invalid(_metadata, op, 0x0, 0x1, (void *) -1, EFAULT);
+
+ /*
+ * Dispatcher range overflows unsigned long
+ */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, 1, -1L, &sel);
+- ASSERT_EQ(EINVAL, errno) {
+- TH_LOG("Should reject bad syscall range");
+- }
++ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, 1, -1L, &sel, EINVAL);
+
+ /*
+ * Allowed range overflows usigned long
+ */
+- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel);
+- ASSERT_EQ(EINVAL, errno) {
+- TH_LOG("Should reject bad syscall range");
+- }
++ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel, EINVAL);
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 60b39dbd06008761e988489033f0751440dfcd52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 11:50:28 +0800
+Subject: selftests: rtnetlink.sh: remove esp4_offload after test
+
+From: Xiumei Mu <xmu@redhat.com>
+
+[ Upstream commit 5b32321fdaf3fd1a92ec726af18765e225b0ee2b ]
+
+The esp4_offload module, loaded during IPsec offload tests, should
+be reset to its default settings after testing.
+Otherwise, leaving it enabled could unintentionally affect subsequence
+test cases by keeping offload active.
+
+Without this fix:
+$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload;
+PASS: ipsec_offload
+esp4_offload 12288 0
+esp4 32768 1 esp4_offload
+
+With this fix:
+$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload;
+PASS: ipsec_offload
+
+Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test")
+Signed-off-by: Xiumei Mu <xmu@redhat.com>
+Reviewed-by: Shannon Nelson <sln@onemain.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/6d3a1d777c4de4eb0ca94ced9e77be8d48c5b12f.1753415428.git.xmu@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/rtnetlink.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index 855505c40ed8..c9ba4d269c38 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -854,6 +854,11 @@ kci_test_ipsec_offload()
+ sysfsf=$sysfsd/ipsec
+ sysfsnet=/sys/bus/netdevsim/devices/netdevsim0/net/
+ probed=false
++ esp4_offload_probed_default=false
++
++ if lsmod | grep -q esp4_offload; then
++ esp4_offload_probed_default=true
++ fi
+
+ # setup netdevsim since dummydev doesn't have offload support
+ if [ ! -w /sys/bus/netdevsim/new_device ] ; then
+@@ -943,6 +948,7 @@ EOF
+ fi
+
+ # clean up any leftovers
++ ! "$esp4_offload_probed_default" && lsmod | grep -q esp4_offload && rmmod esp4_offload
+ echo 0 > /sys/bus/netdevsim/del_device
+ $probed && rmmod netdevsim
+
+--
+2.39.5
+
--- /dev/null
+From 4a95b0ed12c0ec08e3431def1cc670ef6ef0c420 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 13:42:12 -0400
+Subject: selftests/tracing: Fix false failure of subsystem event test
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 213879061a9c60200ba971330dbefec6df3b4a30 ]
+
+The subsystem event test enables all "sched" events and makes sure there's
+at least 3 different events in the output. It used to cat the entire trace
+file to | wc -l, but on slow machines, that could last a very long time.
+To solve that, it was changed to just read the first 100 lines of the
+trace file. This can cause false failures as some events repeat so often,
+that the 100 lines that are examined could possibly be of only one event.
+
+Instead, create an awk script that looks for 3 different events and will
+exit out after it finds them. This will find the 3 events the test looks
+for (eventually if it works), and still exit out after the test is
+satisfied and not cause slower machines to run forever.
+
+Link: https://lore.kernel.org/r/20250721134212.53c3e140@batman.local.home
+Reported-by: Tengda Wu <wutengda@huaweicloud.com>
+Closes: https://lore.kernel.org/all/20250710130134.591066-1-wutengda@huaweicloud.com/
+Fixes: 1a4ea83a6e67 ("selftests/ftrace: Limit length in subsystem-enable tests")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/event/subsystem-enable.tc | 28 +++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc
+index b7c8f29c09a9..65916bb55dfb 100644
+--- a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc
++++ b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc
+@@ -14,11 +14,35 @@ fail() { #msg
+ exit_fail
+ }
+
++# As reading trace can last forever, simply look for 3 different
++# events then exit out of reading the file. If there's not 3 different
++# events, then the test has failed.
++check_unique() {
++ cat trace | grep -v '^#' | awk '
++ BEGIN { cnt = 0; }
++ {
++ for (i = 0; i < cnt; i++) {
++ if (event[i] == $5) {
++ break;
++ }
++ }
++ if (i == cnt) {
++ event[cnt++] = $5;
++ if (cnt > 2) {
++ exit;
++ }
++ }
++ }
++ END {
++ printf "%d", cnt;
++ }'
++}
++
+ echo 'sched:*' > set_event
+
+ yield
+
+-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l`
++count=`check_unique`
+ if [ $count -lt 3 ]; then
+ fail "at least fork, exec and exit events should be recorded"
+ fi
+@@ -29,7 +53,7 @@ echo 1 > events/sched/enable
+
+ yield
+
+-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l`
++count=`check_unique`
+ if [ $count -lt 3 ]; then
+ fail "at least fork, exec and exit events should be recorded"
+ fi
+--
+2.39.5
+
asoc-amd-yc-add-dmi-entries-to-support-hp-15-fb1xxx.patch
asoc-intel-fix-snd_soc_sof-dependencies.patch
asoc-amd-yc-add-dmi-quirk-for-asus-m6501rm.patch
+audit-module-restore-audit-logging-in-load-failure-c.patch
+fs_context-fix-parameter-name-in-infofc-macro.patch
+fs-ntfs3-cancle-set-bad-inode-after-removing-name-fa.patch
+ublk-use-vmalloc-for-ublk_device-s-__queues.patch
+hfsplus-make-splice-write-available-again.patch
+hfs-make-splice-write-available-again.patch
+hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch
+revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch
+gfs2-no-more-self-recovery.patch
+asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch
+asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch
+asoc-mediatek-use-reserved-memory-or-enable-buffer-p.patch
+selftests-fix-errno-checking-in-syscall_user_dispatc.patch
+soc-qcom-qmi-encoding-decoding-for-big-endian.patch
+arm64-dts-qcom-sdm845-expand-imem-region.patch
+arm64-dts-qcom-sc7180-expand-imem-region.patch
+arm64-dts-qcom-msm8976-make-blsp_dma-controlled-remo.patch
+arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch
+usb-host-xhci-plat-fix-incorrect-type-for-of_match-v.patch
+usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch
+spi-stm32-check-for-cfg-availability-in-stm32_spi_pr.patch
+staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch
+vmci-prevent-the-dispatching-of-uninitialized-payloa.patch
+pps-fix-poll-support.patch
+revert-vmci-prevent-the-dispatching-of-uninitialized.patch
+powercap-dtpm_cpu-fix-null-pointer-dereference-in-ge.patch
+usb-early-xhci-dbc-fix-early_ioremap-leak.patch
+arm-dts-ti-omap-fixup-pinheader-typo.patch
+soc-tegra-cbb-clear-err_force-register-with-err_stat.patch
+arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch
+arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch
+arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch
+pm-devfreq-check-governor-before-using-governor-name.patch
+cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch
+cpufreq-initialize-cpufreq-based-frequency-invarianc.patch
+cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch
+samples-mei-fix-building-on-musl-libc.patch
+soc-qcom-pmic_glink-fix-of-node-leak.patch
+interconnect-qcom-sc8280xp-specify-num_links-for-qnm.patch
+interconnect-qcom-sc8180x-specify-num_nodes.patch
+staging-nvec-fix-incorrect-null-termination-of-batte.patch
+selftests-tracing-fix-false-failure-of-subsystem-eve.patch
+drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch
+bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch
+bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch
+selftests-bpf-fix-signedness-bug-in-redir_partial.patch
+net-ipv6-ip6mr-fix-in-out-netdev-to-pass-to-the-forw.patch
+drm-vmwgfx-fix-host-backed-userspace-on-guest-backed.patch
+bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch
+caif-reduce-stack-size-again.patch
+wifi-rtw89-avoid-null-dereference-when-rx-problemati.patch
+wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch
+wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch
+iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch
+wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch
+tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch
+net-mlx5-check-device-memory-pointer-before-usage.patch
+net-dst-annotate-data-races-around-dst-input.patch
+net-dst-annotate-data-races-around-dst-output.patch
+kselftest-arm64-fix-check-for-setting-new-vls-in-sve.patch
+drm-msm-dpu-fill-in-min_prefill_lines-for-sc8180x.patch
+m68k-don-t-unregister-boot-console-needlessly.patch
+drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch
+sched-psi-optimize-psi_group_change-cpu_clock-usage.patch
+fbcon-fix-outdated-registered_fb-reference-in-commen.patch
+netfilter-nf_tables-drop-dead-code-from-fill_-_info-.patch
+netfilter-nf_tables-adjust-lockdep-assertions-handli.patch
+arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch
+um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch
+net-sched-restrict-conditions-for-adding-duplicating.patch
+net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch
+xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch
+sched-do-not-call-__put_task_struct-on-rt-if-pi_bloc.patch
+tcp-call-tcp_measure_rcv_mss-for-ooo-packets.patch
+wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch
+mwl8k-add-missing-check-after-dma-map.patch
+iommu-amd-fix-geometry.aperture_end-for-v2-tables.patch
+wifi-mac80211-reject-tdls-operations-when-station-is.patch
+wifi-plfxlc-fix-error-handling-in-usb-driver-probe.patch
+wifi-mac80211-do-not-schedule-stopped-txqs.patch
+wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch
+wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch
+reapply-wifi-mac80211-update-skb-s-control-block-key.patch
+wifi-ath12k-fix-endianness-handling-while-accessing-.patch
+wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch
+wifi-mac80211-write-cnt-before-copying-in-ieee80211_.patch
+kcsan-test-initialize-dummy-variable.patch
+bluetooth-hci_event-mask-data-status-from-le-ext-adv.patch
+bpf-disable-migration-in-nf_hook_run_bpf.patch
+tools-rv-do-not-skip-idle-in-trace.patch
+can-peak_usb-fix-usb-fd-devices-potential-malfunctio.patch
+can-kvaser_pciefd-store-device-channel-index.patch
+can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch
+netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch
+net-mlx5e-clear-read-only-port-buffer-size-in-pbmc-b.patch
+net-mlx5e-remove-skb-secpath-if-xfrm-state-is-not-fo.patch
+selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch
+vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch
+ipv6-prevent-infinite-loop-in-rt6_nlmsg_size.patch
+ipv6-fix-possible-infinite-loop-in-fib6_info_uses_de.patch
+ipv6-annotate-data-races-around-rt-fib6_nsiblings.patch
+bpf-preload-don-t-select-usermode_driver.patch
+pci-rockchip-host-fix-unexpected-completion-log-mess.patch
+crypto-sun8i-ce-fix-nents-passed-to-dma_unmap_sg.patch
+crypto-qat-use-unmanaged-allocation-for-dc_data.patch
+crypto-marvell-cesa-fix-engine-load-inaccuracy.patch
+mtd-fix-possible-integer-overflow-in-erase_xfer.patch
+clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch
+media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch
+clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch
+power-supply-cpcap-charger-fix-null-check-for-power_.patch
+power-supply-max14577-handle-null-pdata-when-config_.patch
+crypto-arm-aes-neonbs-work-around-gcc-15-warning.patch
+pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch
+pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch
+fanotify-sanitize-handle_type-values-when-reporting-.patch
+clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch
+fix-dma_unmap_sg-nents-value.patch
+perf-tools-fix-use-after-free-in-help_unknown_cmd.patch
+perf-dso-add-missed-dso__put-to-dso__load_kcore.patch
+perf-sched-free-thread-priv-using-priv_destructor.patch
+perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch
+perf-sched-fix-memory-leaks-in-perf-sched-latency.patch
+crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch
+crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch
+rdma-hns-fix-wframe-larger-than-issue.patch
+kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch
+proc-use-the-same-treatment-to-check-proc_lseek-as-o.patch
+pinmux-fix-race-causing-mux_owner-null-with-active-m.patch
+perf-tests-bp_account-fix-leaked-file-descriptor.patch
+clk-sunxi-ng-v3s-fix-de-clock-definition.patch
+scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch
+scsi-elx-efct-fix-dma_unmap_sg-nents-value.patch
+scsi-mvsas-fix-dma_unmap_sg-nents-value.patch
+scsi-isci-fix-dma_unmap_sg-nents-value.patch
+watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch
+hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch
+crypto-keembay-fix-dma_unmap_sg-nents-value.patch
+crypto-img-hash-fix-dma_unmap_sg-nents-value.patch
+soundwire-stream-restore-params-when-prepare-ports-f.patch
+pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch
+fs-orangefs-allow-2-more-characters-in-do_c_string.patch
+dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch
+dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch
+asoc-fsl_xcvr-get-channel-status-data-when-phy-is-no.patch
+sh-do-not-use-hyphen-in-exported-variable-name.patch
+perf-tools-remove-libtraceevent-in-.gitignore.patch
+crypto-qat-fix-dma-direction-for-compression-on-gen2.patch
+crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch
+fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch
+jfs-fix-metapage-reference-count-leak-in-dballocctl.patch
+mtd-rawnand-atmel-fix-dma_mapping_error-address.patch
+mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch
+mtd-rawnand-atmel-set-pmecc-data-setup-time.patch
+vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch
+bpf-check-flow_dissector-ctx-accesses-are-aligned.patch
+bpf-check-netfilter-ctx-accesses-are-aligned.patch
+apparmor-ensure-wb_history_size-value-is-a-power-of-.patch
+apparmor-fix-loop-detection-used-in-conflicting-atta.patch
+module-restore-the-moduleparam-prefix-length-check.patch
+ucount-fix-atomic_long_inc_below-argument-type.patch
+rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch
+rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch
+rtc-nct3018y-fix-incorrect-maximum-clock-rate-handli.patch
+rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch
+rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch
+rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch
+f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch
+f2fs-doc-fix-wrong-quota-mount-option-description.patch
+f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch
+f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch
+f2fs-vm_unmap_ram-may-be-called-from-an-invalid-cont.patch
+f2fs-fix-to-update-upper_p-in-__get_secs_required-co.patch
+f2fs-fix-to-calculate-dirty-data-during-has_not_enou.patch
+f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_bl.patch
+vfio-fix-unbalanced-vfio_df_close-call-in-no-iommu-m.patch
+vfio-prevent-open_count-decrement-to-negative.patch
+vfio-pds-fix-missing-detach_ioas-op.patch
+vfio-pci-separate-sr-iov-vf-dev_set.patch
+scsi-mpt3sas-fix-a-fw_event-memory-leak.patch
+scsi-revert-scsi-iscsi-fix-hw-conn-removal-use-after.patch
+scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch
+scsi-sd-make-sd-shutdown-issue-start-stop-unit-appro.patch
+kconfig-qconf-fix-configlist-updatelistallforall.patch
+sched-psi-fix-psi_seq-initialization.patch
+pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch
+pci-pnv_php-work-around-switches-with-broken-presenc.patch
+powerpc-eeh-export-eeh_unfreeze_pe.patch
+powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch
+pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch
--- /dev/null
+From 186d0048404adcd366a28e99ca6f20f6752b8bfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 16:47:32 +0200
+Subject: sh: Do not use hyphen in exported variable name
+
+From: Ben Hutchings <benh@debian.org>
+
+[ Upstream commit c32969d0362a790fbc6117e0b6a737a7e510b843 ]
+
+arch/sh/Makefile defines and exports ld-bfd to be used by
+arch/sh/boot/compressed/Makefile and arch/sh/boot/romimage/Makefile.
+However some shells, including dash, will not pass through environment
+variables whose name includes a hyphen. Usually GNU make does not use
+a shell to recurse, but if e.g. $(srctree) contains '~' it will use a
+shell here.
+
+Other instances of this problem were previously fixed by commits
+2bfbe7881ee0 "kbuild: Do not use hyphen in exported variable name"
+and 82977af93a0d "sh: rename suffix-y to suffix_y".
+
+Rename the variable to ld_bfd.
+
+References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=4.13%7Erc5-1%7Eexp1&stamp=1502943967&raw=0
+Fixes: 7b022d07a0fd ("sh: Tidy up the ldscript output format specifier.")
+Signed-off-by: Ben Hutchings <benh@debian.org>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/Makefile | 10 +++++-----
+ arch/sh/boot/compressed/Makefile | 4 ++--
+ arch/sh/boot/romimage/Makefile | 4 ++--
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/arch/sh/Makefile b/arch/sh/Makefile
+index cab2f9c011a8..7b420424b6d7 100644
+--- a/arch/sh/Makefile
++++ b/arch/sh/Makefile
+@@ -103,16 +103,16 @@ UTS_MACHINE := sh
+ LDFLAGS_vmlinux += -e _stext
+
+ ifdef CONFIG_CPU_LITTLE_ENDIAN
+-ld-bfd := elf32-sh-linux
+-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld-bfd)
++ld_bfd := elf32-sh-linux
++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld_bfd)
+ KBUILD_LDFLAGS += -EL
+ else
+-ld-bfd := elf32-shbig-linux
+-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld-bfd)
++ld_bfd := elf32-shbig-linux
++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld_bfd)
+ KBUILD_LDFLAGS += -EB
+ endif
+
+-export ld-bfd
++export ld_bfd
+
+ # Mach groups
+ machdir-$(CONFIG_SOLUTION_ENGINE) += mach-se
+diff --git a/arch/sh/boot/compressed/Makefile b/arch/sh/boot/compressed/Makefile
+index b5e29f99c02c..5d5b2da2a3f1 100644
+--- a/arch/sh/boot/compressed/Makefile
++++ b/arch/sh/boot/compressed/Makefile
+@@ -29,7 +29,7 @@ endif
+
+ ccflags-remove-$(CONFIG_MCOUNT) += -pg
+
+-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(IMAGE_OFFSET) -e startup \
++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(IMAGE_OFFSET) -e startup \
+ -T $(obj)/../../kernel/vmlinux.lds
+
+ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
+@@ -53,7 +53,7 @@ $(obj)/vmlinux.bin.lzo: $(obj)/vmlinux.bin FORCE
+
+ OBJCOPYFLAGS += -R .empty_zero_page
+
+-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
+
+ $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix_y) FORCE
+ $(call if_changed,ld)
+diff --git a/arch/sh/boot/romimage/Makefile b/arch/sh/boot/romimage/Makefile
+index c7c8be58400c..17b03df0a8de 100644
+--- a/arch/sh/boot/romimage/Makefile
++++ b/arch/sh/boot/romimage/Makefile
+@@ -13,7 +13,7 @@ mmcif-obj-$(CONFIG_CPU_SUBTYPE_SH7724) := $(obj)/mmcif-sh7724.o
+ load-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-load-y)
+ obj-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-obj-y)
+
+-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(load-y) -e romstart \
++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(load-y) -e romstart \
+ -T $(obj)/../../kernel/vmlinux.lds
+
+ $(obj)/vmlinux: $(obj)/head.o $(obj-y) $(obj)/piggy.o FORCE
+@@ -24,7 +24,7 @@ OBJCOPYFLAGS += -j .empty_zero_page
+ $(obj)/zeropage.bin: vmlinux FORCE
+ $(call if_changed,objcopy)
+
+-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
+
+ $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/zeropage.bin arch/sh/boot/zImage FORCE
+ $(call if_changed,ld)
+--
+2.39.5
+
--- /dev/null
+From e6c37ecec868a0aebedbfae9b86a6180bb0e3204 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 10:57:17 +0200
+Subject: soc: qcom: pmic_glink: fix OF node leak
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 65702c3d293e45d3cac5e4e175296a9c90404326 ]
+
+Make sure to drop the OF node reference taken when registering the
+auxiliary devices when the devices are later released.
+
+Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver")
+Cc: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250708085717.15922-1-johan@kernel.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/pmic_glink.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c
+index 7e50eeb4cc6f..2222ca4fa6e2 100644
+--- a/drivers/soc/qcom/pmic_glink.c
++++ b/drivers/soc/qcom/pmic_glink.c
+@@ -145,7 +145,10 @@ static int pmic_glink_rpmsg_callback(struct rpmsg_device *rpdev, void *data,
+ return 0;
+ }
+
+-static void pmic_glink_aux_release(struct device *dev) {}
++static void pmic_glink_aux_release(struct device *dev)
++{
++ of_node_put(dev->of_node);
++}
+
+ static int pmic_glink_add_aux_device(struct pmic_glink *pg,
+ struct auxiliary_device *aux,
+@@ -159,8 +162,10 @@ static int pmic_glink_add_aux_device(struct pmic_glink *pg,
+ aux->dev.release = pmic_glink_aux_release;
+ device_set_of_node_from_dev(&aux->dev, parent);
+ ret = auxiliary_device_init(aux);
+- if (ret)
++ if (ret) {
++ of_node_put(aux->dev.of_node);
+ return ret;
++ }
+
+ ret = auxiliary_device_add(aux);
+ if (ret)
+--
+2.39.5
+
--- /dev/null
+From ae13121433b06cbce5fd37cb86b95a2a5e57ea64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 16:35:29 +0200
+Subject: soc: qcom: QMI encoding/decoding for big endian
+
+From: Alexander Wilhelm <alexander.wilhelm@westermo.com>
+
+[ Upstream commit 3ced38da5f7de4c260f9eaa86fc805827953243a ]
+
+The QMI_DATA_LEN type may have different sizes. Taking the element's
+address of that type and interpret it as a smaller sized ones works fine
+for little endian platforms but not for big endian ones. Instead use
+temporary variables of smaller sized types and cast them correctly to
+support big endian platforms.
+
+Signed-off-by: Alexander Wilhelm <alexander.wilhelm@westermo.com>
+Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250522143530.3623809-2-alexander.wilhelm@westermo.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/qmi_encdec.c | 46 +++++++++++++++++++++++++++++------
+ 1 file changed, 38 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c
+index 5c7161b18b72..645c4ee24f5b 100644
+--- a/drivers/soc/qcom/qmi_encdec.c
++++ b/drivers/soc/qcom/qmi_encdec.c
+@@ -304,6 +304,8 @@ static int qmi_encode(const struct qmi_elem_info *ei_array, void *out_buf,
+ const void *buf_src;
+ int encode_tlv = 0;
+ int rc;
++ u8 val8;
++ u16 val16;
+
+ if (!ei_array)
+ return 0;
+@@ -338,7 +340,6 @@ static int qmi_encode(const struct qmi_elem_info *ei_array, void *out_buf,
+ break;
+
+ case QMI_DATA_LEN:
+- memcpy(&data_len_value, buf_src, temp_ei->elem_size);
+ data_len_sz = temp_ei->elem_size == sizeof(u8) ?
+ sizeof(u8) : sizeof(u16);
+ /* Check to avoid out of range buffer access */
+@@ -348,8 +349,17 @@ static int qmi_encode(const struct qmi_elem_info *ei_array, void *out_buf,
+ __func__);
+ return -ETOOSMALL;
+ }
+- rc = qmi_encode_basic_elem(buf_dst, &data_len_value,
+- 1, data_len_sz);
++ if (data_len_sz == sizeof(u8)) {
++ val8 = *(u8 *)buf_src;
++ data_len_value = (u32)val8;
++ rc = qmi_encode_basic_elem(buf_dst, &val8,
++ 1, data_len_sz);
++ } else {
++ val16 = *(u16 *)buf_src;
++ data_len_value = (u32)le16_to_cpu(val16);
++ rc = qmi_encode_basic_elem(buf_dst, &val16,
++ 1, data_len_sz);
++ }
+ UPDATE_ENCODE_VARIABLES(temp_ei, buf_dst,
+ encoded_bytes, tlv_len,
+ encode_tlv, rc);
+@@ -523,14 +533,23 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array,
+ u32 string_len = 0;
+ u32 string_len_sz = 0;
+ const struct qmi_elem_info *temp_ei = ei_array;
++ u8 val8;
++ u16 val16;
+
+ if (dec_level == 1) {
+ string_len = tlv_len;
+ } else {
+ string_len_sz = temp_ei->elem_len <= U8_MAX ?
+ sizeof(u8) : sizeof(u16);
+- rc = qmi_decode_basic_elem(&string_len, buf_src,
+- 1, string_len_sz);
++ if (string_len_sz == sizeof(u8)) {
++ rc = qmi_decode_basic_elem(&val8, buf_src,
++ 1, string_len_sz);
++ string_len = (u32)val8;
++ } else {
++ rc = qmi_decode_basic_elem(&val16, buf_src,
++ 1, string_len_sz);
++ string_len = (u32)val16;
++ }
+ decoded_bytes += rc;
+ }
+
+@@ -604,6 +623,9 @@ static int qmi_decode(const struct qmi_elem_info *ei_array, void *out_c_struct,
+ u32 decoded_bytes = 0;
+ const void *buf_src = in_buf;
+ int rc;
++ u8 val8;
++ u16 val16;
++ u32 val32;
+
+ while (decoded_bytes < in_buf_len) {
+ if (dec_level >= 2 && temp_ei->data_type == QMI_EOTI)
+@@ -642,9 +664,17 @@ static int qmi_decode(const struct qmi_elem_info *ei_array, void *out_c_struct,
+ if (temp_ei->data_type == QMI_DATA_LEN) {
+ data_len_sz = temp_ei->elem_size == sizeof(u8) ?
+ sizeof(u8) : sizeof(u16);
+- rc = qmi_decode_basic_elem(&data_len_value, buf_src,
+- 1, data_len_sz);
+- memcpy(buf_dst, &data_len_value, sizeof(u32));
++ if (data_len_sz == sizeof(u8)) {
++ rc = qmi_decode_basic_elem(&val8, buf_src,
++ 1, data_len_sz);
++ data_len_value = (u32)val8;
++ } else {
++ rc = qmi_decode_basic_elem(&val16, buf_src,
++ 1, data_len_sz);
++ data_len_value = (u32)val16;
++ }
++ val32 = cpu_to_le32(data_len_value);
++ memcpy(buf_dst, &val32, sizeof(u32));
+ temp_ei = temp_ei + 1;
+ buf_dst = out_c_struct + temp_ei->offset;
+ tlv_len -= data_len_sz;
+--
+2.39.5
+
--- /dev/null
+From b7d6e0e14eff43e724cf1446c6cbaa85b2a1083f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 16:08:22 +0530
+Subject: soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS
+
+From: Sumit Gupta <sumitg@nvidia.com>
+
+[ Upstream commit a0647bca8966db04b79af72851ebd04224a4da40 ]
+
+When error is injected with the ERR_FORCE register, then this register
+is not auto cleared on clearing the ERR_STATUS register. This causes
+repeated interrupts on error injection. To fix, set the ERR_FORCE to
+zero along with clearing the ERR_STATUS register after handling error.
+
+Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0")
+Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/cbb/tegra234-cbb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/soc/tegra/cbb/tegra234-cbb.c b/drivers/soc/tegra/cbb/tegra234-cbb.c
+index 5cf0e8c34164..e8cc46874c72 100644
+--- a/drivers/soc/tegra/cbb/tegra234-cbb.c
++++ b/drivers/soc/tegra/cbb/tegra234-cbb.c
+@@ -185,6 +185,8 @@ static void tegra234_cbb_error_clear(struct tegra_cbb *cbb)
+ {
+ struct tegra234_cbb *priv = to_tegra234_cbb(cbb);
+
++ writel(0, priv->mon + FABRIC_MN_MASTER_ERR_FORCE_0);
++
+ writel(0x3f, priv->mon + FABRIC_MN_MASTER_ERR_STATUS_0);
+ dsb(sy);
+ }
+--
+2.39.5
+
--- /dev/null
+From 72697c05f6e89d9502165e7a6499cbd87c0ab551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 14:09:52 +0800
+Subject: soundwire: stream: restore params when prepare ports fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit dba7d9dbfdc4389361ff3a910e767d3cfca22587 ]
+
+The bus->params should be restored if the stream is failed to prepare.
+The issue exists since beginning. The Fixes tag just indicates the
+first commit that the commit can be applied to.
+
+Fixes: 17ed5bef49f4 ("soundwire: add missing newlines in dynamic debug logs")
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Link: https://lore.kernel.org/r/20250626060952.405996-1-yung-chuan.liao@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
+index 68d54887992d..8ebfa44078e8 100644
+--- a/drivers/soundwire/stream.c
++++ b/drivers/soundwire/stream.c
+@@ -1409,7 +1409,7 @@ static int _sdw_prepare_stream(struct sdw_stream_runtime *stream,
+ if (ret < 0) {
+ dev_err(bus->dev, "Prepare port(s) failed ret = %d\n",
+ ret);
+- return ret;
++ goto restore_params;
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 70b3b9c637bd8fa2ac10fcdb5216bb7df5e01ff9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 11:21:03 +0200
+Subject: spi: stm32: Check for cfg availability in stm32_spi_probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Le Goffic <clement.legoffic@foss.st.com>
+
+[ Upstream commit 21f1c800f6620e43f31dfd76709dbac8ebaa5a16 ]
+
+The stm32_spi_probe function now includes a check to ensure that the
+pointer returned by of_device_get_match_data is not NULL before
+accessing its members. This resolves a warning where a potential NULL
+pointer dereference could occur when accessing cfg->has_device_mode.
+
+Before accessing the 'has_device_mode' member, we verify that 'cfg' is
+not NULL. If 'cfg' is NULL, an error message is logged.
+
+This change ensures that the driver does not attempt to access
+configuration data if it is not available, thus preventing a potential
+system crash due to a NULL pointer dereference.
+
+Signed-off-by: Clément Le Goffic <clement.legoffic@foss.st.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202310191831.MLwx1c6x-lkp@intel.com/
+Fixes: fee681646fc8 ("spi: stm32: disable device mode with st,stm32f4-spi compatible")
+Link: https://patch.msgid.link/20250616-spi-upstream-v1-2-7e8593f3f75d@foss.st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-stm32.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index 40680b5fffc9..211d9c76665b 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -1808,9 +1808,15 @@ static int stm32_spi_probe(struct platform_device *pdev)
+ struct resource *res;
+ struct reset_control *rst;
+ struct device_node *np = pdev->dev.of_node;
++ const struct stm32_spi_cfg *cfg;
+ bool device_mode;
+ int ret;
+- const struct stm32_spi_cfg *cfg = of_device_get_match_data(&pdev->dev);
++
++ cfg = of_device_get_match_data(&pdev->dev);
++ if (!cfg) {
++ dev_err(&pdev->dev, "Failed to get match data for platform\n");
++ return -ENODEV;
++ }
+
+ device_mode = of_property_read_bool(np, "spi-slave");
+ if (!cfg->has_device_mode && device_mode) {
+--
+2.39.5
+
--- /dev/null
+From aeab19e591ac4702928498e82d2532e9b6d4cc7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 22:54:10 +0530
+Subject: staging: fbtft: fix potential memory leak in
+ fbtft_framebuffer_alloc()
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit eb2cb7dab60f9be0b435ac4a674255429a36d72c ]
+
+In the error paths after fb_info structure is successfully allocated,
+the memory allocated in fb_deferred_io_init() for info->pagerefs is not
+freed. Fix that by adding the cleanup function on the error path.
+
+Fixes: c296d5f9957c ("staging: fbtft: core support")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250626172412.18355-1-abdun.nihaal@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/fbtft/fbtft-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
+index eac1d570f437..dce721f440c5 100644
+--- a/drivers/staging/fbtft/fbtft-core.c
++++ b/drivers/staging/fbtft/fbtft-core.c
+@@ -744,6 +744,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
+ return info;
+
+ release_framebuf:
++ fb_deferred_io_cleanup(info);
+ framebuffer_release(info);
+
+ alloc_fail:
+--
+2.39.5
+
--- /dev/null
+From 54765e02cc47df266b8cea620f5a2690fd04ae05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jul 2025 01:07:42 -0700
+Subject: staging: nvec: Fix incorrect null termination of battery manufacturer
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit a8934352ba01081c51d2df428e9d540aae0e88b5 ]
+
+The battery manufacturer string was incorrectly null terminated using
+bat_model instead of bat_manu. This could result in an unintended
+write to the wrong field and potentially incorrect behavior.
+
+fixe the issue by correctly null terminating the bat_manu string.
+
+Fixes: 32890b983086 ("Staging: initial version of the nvec driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250719080755.3954373-1-alok.a.tiwari@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/nvec/nvec_power.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/nvec/nvec_power.c b/drivers/staging/nvec/nvec_power.c
+index 9943b1fff190..573521e1703b 100644
+--- a/drivers/staging/nvec/nvec_power.c
++++ b/drivers/staging/nvec/nvec_power.c
+@@ -194,7 +194,7 @@ static int nvec_power_bat_notifier(struct notifier_block *nb,
+ break;
+ case MANUFACTURER:
+ memcpy(power->bat_manu, &res->plc, res->length - 2);
+- power->bat_model[res->length - 2] = '\0';
++ power->bat_manu[res->length - 2] = '\0';
+ break;
+ case MODEL:
+ memcpy(power->bat_model, &res->plc, res->length - 2);
+--
+2.39.5
+
--- /dev/null
+From 07bfcff9a07b612ba2d1734e046a57bc792664fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 11:40:02 +0000
+Subject: tcp: call tcp_measure_rcv_mss() for ooo packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 38d7e444336567bae1c7b21fc18b7ceaaa5643a0 ]
+
+tcp_measure_rcv_mss() is used to update icsk->icsk_ack.rcv_mss
+(tcpi_rcv_mss in tcp_info) and tp->scaling_ratio.
+
+Calling it from tcp_data_queue_ofo() makes sure these
+fields are updated, and permits a better tuning
+of sk->sk_rcvbuf, in the case a new flow receives many ooo
+packets.
+
+Fixes: dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250711114006.480026-5-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 8520c43726e2..c6d00817ad3f 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4941,6 +4941,7 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
+ return;
+ }
+
++ tcp_measure_rcv_mss(sk, skb);
+ /* Disable header prediction. */
+ tp->pred_flags = 0;
+ inet_csk_schedule_ack(sk);
+--
+2.39.5
+
--- /dev/null
+From 5f8d356888b3ecea784957383d2a2d63ba8d8946 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 12:34:19 +0000
+Subject: tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range
+
+From: xin.guo <guoxin0309@gmail.com>
+
+[ Upstream commit a041f70e573e185d5d5fdbba53f0db2fbe7257ad ]
+
+If the new coming segment covers more than one skbs in the ofo queue,
+and which seq is equal to rcv_nxt, then the sequence range
+that is duplicated will be sent as DUP SACK, the detail as below,
+in step6, the {501,2001} range is clearly including too much
+DUP SACK range, in violation of RFC 2883 rules.
+
+1. client > server: Flags [.], seq 501:1001, ack 1325288529, win 20000, length 500
+2. server > client: Flags [.], ack 1, [nop,nop,sack 1 {501:1001}], length 0
+3. client > server: Flags [.], seq 1501:2001, ack 1325288529, win 20000, length 500
+4. server > client: Flags [.], ack 1, [nop,nop,sack 2 {1501:2001} {501:1001}], length 0
+5. client > server: Flags [.], seq 1:2001, ack 1325288529, win 20000, length 2000
+6. server > client: Flags [.], ack 2001, [nop,nop,sack 1 {501:2001}], length 0
+
+After this fix, the final ACK is as below:
+
+6. server > client: Flags [.], ack 2001, options [nop,nop,sack 1 {501:1001}], length 0
+
+[edumazet] added a new packetdrill test in the following patch.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: xin.guo <guoxin0309@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250626123420.1933835-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index f7b95bc8ad60..8520c43726e2 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4872,8 +4872,9 @@ static void tcp_ofo_queue(struct sock *sk)
+
+ if (before(TCP_SKB_CB(skb)->seq, dsack_high)) {
+ __u32 dsack = dsack_high;
++
+ if (before(TCP_SKB_CB(skb)->end_seq, dsack_high))
+- dsack_high = TCP_SKB_CB(skb)->end_seq;
++ dsack = TCP_SKB_CB(skb)->end_seq;
+ tcp_dsack_extend(sk, TCP_SKB_CB(skb)->seq, dsack);
+ }
+ p = rb_next(p);
+--
+2.39.5
+
--- /dev/null
+From 71151b7c8cd934af1e38b912eed9b1fde85b26cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 18:12:36 +0200
+Subject: tools/rv: Do not skip idle in trace
+
+From: Gabriele Monaco <gmonaco@redhat.com>
+
+[ Upstream commit f60227f3448911b682c45041c3fbd94f6d3b15a2 ]
+
+Currently, the userspace RV tool skips trace events triggered by the RV
+tool itself, this can be changed by passing the parameter -s, which sets
+the variable config_my_pid to 0 (instead of the tool's PID).
+This has the side effect of skipping events generated by idle (PID 0).
+
+Set config_my_pid to -1 (an invalid pid) to avoid skipping idle.
+
+Cc: Nam Cao <namcao@linutronix.de>
+Cc: Tomas Glozar <tglozar@redhat.com>
+Cc: Juri Lelli <jlelli@redhat.com>
+Cc: Clark Williams <williams@redhat.com>
+Cc: John Kacur <jkacur@redhat.com>
+Link: https://lore.kernel.org/20250723161240.194860-2-gmonaco@redhat.com
+Fixes: 6d60f89691fc ("tools/rv: Add in-kernel monitor interface")
+Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/verification/rv/src/in_kernel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/verification/rv/src/in_kernel.c b/tools/verification/rv/src/in_kernel.c
+index f04479ecc96c..ced72950cb1e 100644
+--- a/tools/verification/rv/src/in_kernel.c
++++ b/tools/verification/rv/src/in_kernel.c
+@@ -353,7 +353,7 @@ ikm_event_handler(struct trace_seq *s, struct tep_record *record,
+
+ if (config_has_id && (config_my_pid == id))
+ return 0;
+- else if (config_my_pid && (config_my_pid == pid))
++ else if (config_my_pid == pid)
+ return 0;
+
+ tep_print_event(trace_event->tep, s, record, "%16s-%-8d ", TEP_PRINT_COMM, TEP_PRINT_PID);
+@@ -595,7 +595,7 @@ static int parse_arguments(char *monitor_name, int argc, char **argv)
+ config_reactor = optarg;
+ break;
+ case 's':
+- config_my_pid = 0;
++ config_my_pid = -1;
+ break;
+ case 't':
+ config_trace = 1;
+--
+2.39.5
+
--- /dev/null
+From bf5d2f4eefdc4394d259f38325382a86e0f9f1d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:09:55 -0600
+Subject: ublk: use vmalloc for ublk_device's __queues
+
+From: Caleb Sander Mateos <csander@purestorage.com>
+
+[ Upstream commit c2f48453b7806d41f5a3270f206a5cd5640ed207 ]
+
+struct ublk_device's __queues points to an allocation with up to
+UBLK_MAX_NR_QUEUES (4096) queues, each of which have:
+- struct ublk_queue (48 bytes)
+- Tail array of up to UBLK_MAX_QUEUE_DEPTH (4096) struct ublk_io's,
+ 32 bytes each
+This means the full allocation can exceed 512 MB, which may well be
+impossible to service with contiguous physical pages. Switch to
+kvcalloc() and kvfree(), since there is no need for physically
+contiguous memory.
+
+Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
+Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20250620151008.3976463-2-csander@purestorage.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 8c873a8e39cd..ec6d7a08104d 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -2030,7 +2030,7 @@ static void ublk_deinit_queues(struct ublk_device *ub)
+
+ for (i = 0; i < nr_queues; i++)
+ ublk_deinit_queue(ub, i);
+- kfree(ub->__queues);
++ kvfree(ub->__queues);
+ }
+
+ static int ublk_init_queues(struct ublk_device *ub)
+@@ -2041,7 +2041,7 @@ static int ublk_init_queues(struct ublk_device *ub)
+ int i, ret = -ENOMEM;
+
+ ub->queue_size = ubq_size;
+- ub->__queues = kcalloc(nr_queues, ubq_size, GFP_KERNEL);
++ ub->__queues = kvcalloc(nr_queues, ubq_size, GFP_KERNEL);
+ if (!ub->__queues)
+ return ret;
+
+--
+2.39.5
+
--- /dev/null
+From 607594ba4b1ce588c8394574ee07170c633f5f76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 19:45:57 +0200
+Subject: ucount: fix atomic_long_inc_below() argument type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit f8cd9193b62e92ad25def5370ca8ea2bc7585381 ]
+
+The type of u argument of atomic_long_inc_below() should be long to avoid
+unwanted truncation to int.
+
+The patch fixes the wrong argument type of an internal function to
+prevent unwanted argument truncation. It fixes an internal locking
+primitive; it should not have any direct effect on userspace.
+
+Mark said
+
+: AFAICT there's no problem in practice because atomic_long_inc_below()
+: is only used by inc_ucount(), and it looks like the value is
+: constrained between 0 and INT_MAX.
+:
+: In inc_ucount() the limit value is taken from
+: user_namespace::ucount_max[], and AFAICT that's only written by
+: sysctls, to the table setup by setup_userns_sysctls(), where
+: UCOUNT_ENTRY() limits the value between 0 and INT_MAX.
+:
+: This is certainly a cleanup, but there might be no functional issue in
+: practice as above.
+
+Link: https://lkml.kernel.org/r/20250721174610.28361-1-ubizjak@gmail.com
+Fixes: f9c82a4ea89c ("Increase size of ucounts to atomic_long_t")
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: "Paul E. McKenney" <paulmck@kernel.org>
+Cc: Alexey Gladkov <legion@kernel.org>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: MengEn Sun <mengensun@tencent.com>
+Cc: "Thomas Weißschuh" <linux@weissschuh.net>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/ucount.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/ucount.c b/kernel/ucount.c
+index 3456018730b6..a7fd89693bd2 100644
+--- a/kernel/ucount.c
++++ b/kernel/ucount.c
+@@ -213,7 +213,7 @@ void put_ucounts(struct ucounts *ucounts)
+ }
+ }
+
+-static inline bool atomic_long_inc_below(atomic_long_t *v, int u)
++static inline bool atomic_long_inc_below(atomic_long_t *v, long u)
+ {
+ long c, old;
+ c = atomic_long_read(v);
+--
+2.39.5
+
--- /dev/null
+From 2d4eaf2dce75689d9fb7909c866fe0528e41ebb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 17:04:03 +0800
+Subject: um: rtc: Avoid shadowing err in uml_rtc_start()
+
+From: Tiwei Bie <tiwei.btw@antgroup.com>
+
+[ Upstream commit 4c916e3b224a02019b3cc3983a15f32bfd9a22df ]
+
+Remove the declaration of 'err' inside the 'if (timetravel)' block,
+as it would otherwise be unavailable outside that block, potentially
+leading to uml_rtc_start() returning an uninitialized value.
+
+Fixes: dde8b58d5127 ("um: add a pseudo RTC")
+Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
+Link: https://patch.msgid.link/20250708090403.1067440-5-tiwei.bie@linux.dev
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/rtc_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/um/drivers/rtc_user.c b/arch/um/drivers/rtc_user.c
+index 7c3cec4c68cf..006a5a164ea9 100644
+--- a/arch/um/drivers/rtc_user.c
++++ b/arch/um/drivers/rtc_user.c
+@@ -28,7 +28,7 @@ int uml_rtc_start(bool timetravel)
+ int err;
+
+ if (timetravel) {
+- int err = os_pipe(uml_rtc_irq_fds, 1, 1);
++ err = os_pipe(uml_rtc_irq_fds, 1, 1);
+ if (err)
+ goto fail;
+ } else {
+--
+2.39.5
+
--- /dev/null
+From 0ce03c33526a4c8c9f5044aadf9c147f6d8f233d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 14:47:47 -0700
+Subject: usb: early: xhci-dbc: Fix early_ioremap leak
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+[ Upstream commit 2b7eec2ec3015f52fc74cf45d0408925e984ecd1 ]
+
+Using the kernel param earlyprintk=xdbc,keep without proper hardware
+setup leads to this:
+
+ [ ] xhci_dbc:early_xdbc_parse_parameter: dbgp_num: 0
+ ...
+ [ ] xhci_dbc:early_xdbc_setup_hardware: failed to setup the connection to host
+ ...
+ [ ] calling kmemleak_late_init+0x0/0xa0 @ 1
+ [ ] kmemleak: Kernel memory leak detector initialized (mem pool available: 14919)
+ [ ] kmemleak: Automatic memory scanning thread started
+ [ ] initcall kmemleak_late_init+0x0/0xa0 returned 0 after 417 usecs
+ [ ] calling check_early_ioremap_leak+0x0/0x70 @ 1
+ [ ] ------------[ cut here ]------------
+ [ ] Debug warning: early ioremap leak of 1 areas detected.
+ please boot with early_ioremap_debug and report the dmesg.
+ [ ] WARNING: CPU: 11 PID: 1 at mm/early_ioremap.c:90 check_early_ioremap_leak+0x4e/0x70
+
+When early_xdbc_setup_hardware() fails, make sure to call
+early_iounmap() since xdbc_init() won't handle it.
+
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Fixes: aeb9dd1de98c ("usb/early: Add driver for xhci debug capability")
+Link: https://lore.kernel.org/r/20250627-xdbc-v1-1-43cc8c317b1b@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/early/xhci-dbc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c
+index 341408410ed9..41118bba9197 100644
+--- a/drivers/usb/early/xhci-dbc.c
++++ b/drivers/usb/early/xhci-dbc.c
+@@ -681,6 +681,10 @@ int __init early_xdbc_setup_hardware(void)
+
+ xdbc.table_base = NULL;
+ xdbc.out_buf = NULL;
++
++ early_iounmap(xdbc.xhci_base, xdbc.xhci_length);
++ xdbc.xhci_base = NULL;
++ xdbc.xhci_length = 0;
+ }
+
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 309ba3d90b477072762f015782e6bb5be3deca99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 01:57:47 -0400
+Subject: usb: host: xhci-plat: fix incorrect type for of_match variable in
+ xhci_plat_probe()
+
+From: Seungjin Bae <eeodqql09@gmail.com>
+
+[ Upstream commit d9e496a9fb4021a9e6b11e7ba221a41a2597ac27 ]
+
+The variable `of_match` was incorrectly declared as a `bool`.
+It is assigned the return value of of_match_device(), which is a pointer of
+type `const struct of_device_id *`.
+
+Fixes: 16b7e0cccb243 ("USB: xhci-plat: fix legacy PHY double init")
+Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
+Link: https://lore.kernel.org/r/20250619055746.176112-2-eeodqql09@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-plat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index 749ba3596c2b..b350ee080236 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -149,7 +149,7 @@ int xhci_plat_probe(struct platform_device *pdev, struct device *sysdev, const s
+ int ret;
+ int irq;
+ struct xhci_plat_priv *priv = NULL;
+- bool of_match;
++ const struct of_device_id *of_match;
+
+ if (usb_disabled())
+ return -ENODEV;
+--
+2.39.5
+
--- /dev/null
+From 5c60fcdb6370cedb52c6f63d5c8bd2c009f2431a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 18:26:17 +0000
+Subject: usb: misc: apple-mfi-fastcharge: Make power supply names unique
+
+From: Charalampos Mitrodimas <charmitro@posteo.net>
+
+[ Upstream commit 43007b89fb2de746443fbbb84aedd1089afdf582 ]
+
+When multiple Apple devices are connected concurrently, the
+apple-mfi-fastcharge driver fails to probe the subsequent devices with
+the following error:
+
+ sysfs: cannot create duplicate filename '/class/power_supply/apple_mfi_fastcharge'
+ apple-mfi-fastcharge 5-2.4.3.3: probe of 5-2.4.3.3 failed with error -17
+
+This happens because the driver uses a fixed power supply name
+("apple_mfi_fastcharge") for all devices, causing a sysfs name
+conflict when a second device is connected.
+
+Fix this by generating unique names using the USB bus and device
+number (e.g., "apple_mfi_fastcharge_5-12"). This ensures each
+connected device gets a unique power supply entry in sysfs.
+
+The change requires storing a copy of the power_supply_desc structure
+in the per-device mfi_device struct, since the name pointer needs to
+remain valid for the lifetime of the power supply registration.
+
+Fixes: 249fa8217b84 ("USB: Add driver to control USB fast charge for iOS devices")
+Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
+Link: https://lore.kernel.org/r/20250602-apple-mfi-fastcharge-duplicate-sysfs-v1-1-5d84de34fac6@posteo.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/apple-mfi-fastcharge.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/misc/apple-mfi-fastcharge.c b/drivers/usb/misc/apple-mfi-fastcharge.c
+index ac8695195c13..8e852f4b8262 100644
+--- a/drivers/usb/misc/apple-mfi-fastcharge.c
++++ b/drivers/usb/misc/apple-mfi-fastcharge.c
+@@ -44,6 +44,7 @@ MODULE_DEVICE_TABLE(usb, mfi_fc_id_table);
+ struct mfi_device {
+ struct usb_device *udev;
+ struct power_supply *battery;
++ struct power_supply_desc battery_desc;
+ int charge_type;
+ };
+
+@@ -178,6 +179,7 @@ static int mfi_fc_probe(struct usb_device *udev)
+ {
+ struct power_supply_config battery_cfg = {};
+ struct mfi_device *mfi = NULL;
++ char *battery_name;
+ int err;
+
+ if (!mfi_fc_match(udev))
+@@ -187,23 +189,38 @@ static int mfi_fc_probe(struct usb_device *udev)
+ if (!mfi)
+ return -ENOMEM;
+
++ battery_name = kasprintf(GFP_KERNEL, "apple_mfi_fastcharge_%d-%d",
++ udev->bus->busnum, udev->devnum);
++ if (!battery_name) {
++ err = -ENOMEM;
++ goto err_free_mfi;
++ }
++
++ mfi->battery_desc = apple_mfi_fc_desc;
++ mfi->battery_desc.name = battery_name;
++
+ battery_cfg.drv_data = mfi;
+
+ mfi->charge_type = POWER_SUPPLY_CHARGE_TYPE_TRICKLE;
+ mfi->battery = power_supply_register(&udev->dev,
+- &apple_mfi_fc_desc,
++ &mfi->battery_desc,
+ &battery_cfg);
+ if (IS_ERR(mfi->battery)) {
+ dev_err(&udev->dev, "Can't register battery\n");
+ err = PTR_ERR(mfi->battery);
+- kfree(mfi);
+- return err;
++ goto err_free_name;
+ }
+
+ mfi->udev = usb_get_dev(udev);
+ dev_set_drvdata(&udev->dev, mfi);
+
+ return 0;
++
++err_free_name:
++ kfree(battery_name);
++err_free_mfi:
++ kfree(mfi);
++ return err;
+ }
+
+ static void mfi_fc_disconnect(struct usb_device *udev)
+@@ -213,6 +230,7 @@ static void mfi_fc_disconnect(struct usb_device *udev)
+ mfi = dev_get_drvdata(&udev->dev);
+ if (mfi->battery)
+ power_supply_unregister(mfi->battery);
++ kfree(mfi->battery_desc.name);
+ dev_set_drvdata(&udev->dev, NULL);
+ usb_put_dev(mfi->udev);
+ kfree(mfi);
+--
+2.39.5
+
--- /dev/null
+From 76be4a757d3c990691b2b517033158e35bf8e3b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 16:46:17 -0700
+Subject: vfio: Fix unbalanced vfio_df_close call in no-iommu mode
+
+From: Jacob Pan <jacob.pan@linux.microsoft.com>
+
+[ Upstream commit b25e271b377999191b12f0afbe1861edcf57e3fe ]
+
+For devices with no-iommu enabled in IOMMUFD VFIO compat mode, the group open
+path skips vfio_df_open(), leaving open_count at 0. This causes a warning in
+vfio_assert_device_open(device) when vfio_df_close() is called during group
+close.
+
+The correct behavior is to skip only the IOMMUFD bind in the device open path
+for no-iommu devices. Commit 6086efe73498 omitted vfio_df_open(), which was
+too broad. This patch restores the previous behavior, ensuring
+the vfio_df_open is called in the group open path.
+
+Fixes: 6086efe73498 ("vfio-iommufd: Move noiommu compat validation out of vfio_iommufd_bind()")
+Suggested-by: Alex Williamson <alex.williamson@redhat.com>
+Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/20250618234618.1910456-1-jacob.pan@linux.microsoft.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/group.c | 7 +++----
+ drivers/vfio/iommufd.c | 4 ++++
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
+index 610a429c6191..54c3079031e1 100644
+--- a/drivers/vfio/group.c
++++ b/drivers/vfio/group.c
+@@ -194,11 +194,10 @@ static int vfio_df_group_open(struct vfio_device_file *df)
+ * implies they expected translation to exist
+ */
+ if (!capable(CAP_SYS_RAWIO) ||
+- vfio_iommufd_device_has_compat_ioas(device, df->iommufd))
++ vfio_iommufd_device_has_compat_ioas(device, df->iommufd)) {
+ ret = -EPERM;
+- else
+- ret = 0;
+- goto out_put_kvm;
++ goto out_put_kvm;
++ }
+ }
+
+ ret = vfio_df_open(df);
+diff --git a/drivers/vfio/iommufd.c b/drivers/vfio/iommufd.c
+index 82eba6966fa5..02852899c2ae 100644
+--- a/drivers/vfio/iommufd.c
++++ b/drivers/vfio/iommufd.c
+@@ -25,6 +25,10 @@ int vfio_df_iommufd_bind(struct vfio_device_file *df)
+
+ lockdep_assert_held(&vdev->dev_set->lock);
+
++ /* Returns 0 to permit device opening under noiommu mode */
++ if (vfio_device_is_noiommu(vdev))
++ return 0;
++
+ return vdev->ops->bind_iommufd(vdev, ictx, &df->devid);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 33f60604cd6f657fcf459d1c77787d11883887a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 16:56:18 -0600
+Subject: vfio/pci: Separate SR-IOV VF dev_set
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit e908f58b6beb337cbe4481d52c3f5c78167b1aab ]
+
+In the below noted Fixes commit we introduced a reflck mutex to allow
+better scaling between devices for open and close. The reflck was
+based on the hot reset granularity, device level for root bus devices
+which cannot support hot reset or bus/slot reset otherwise. Overlooked
+in this were SR-IOV VFs, where there's also no bus reset option, but
+the default for a non-root-bus, non-slot-based device is bus level
+reflck granularity.
+
+The reflck mutex has since become the dev_set mutex (via commit
+2cd8b14aaa66 ("vfio/pci: Move to the device set infrastructure")) and
+is our defacto serialization for various operations and ioctls. It
+still seems to be the case though that sets of vfio-pci devices really
+only need serialization relative to hot resets affecting the entire
+set, which is not relevant to SR-IOV VFs. As described in the Closes
+link below, this serialization contributes to startup latency when
+multiple VFs sharing the same "bus" are opened concurrently.
+
+Mark the device itself as the basis of the dev_set for SR-IOV VFs.
+
+Reported-by: Aaron Lewis <aaronlewis@google.com>
+Closes: https://lore.kernel.org/all/20250626180424.632628-1-aaronlewis@google.com
+Tested-by: Aaron Lewis <aaronlewis@google.com>
+Fixes: e309df5b0c9e ("vfio/pci: Parallelize device open and release")
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/20250626225623.1180952-1-alex.williamson@redhat.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
+index fa168b434239..3f139360752e 100644
+--- a/drivers/vfio/pci/vfio_pci_core.c
++++ b/drivers/vfio/pci/vfio_pci_core.c
+@@ -2235,7 +2235,7 @@ int vfio_pci_core_register_device(struct vfio_pci_core_device *vdev)
+ return -EBUSY;
+ }
+
+- if (pci_is_root_bus(pdev->bus)) {
++ if (pci_is_root_bus(pdev->bus) || pdev->is_virtfn) {
+ ret = vfio_assign_device_set(&vdev->vdev, vdev);
+ } else if (!pci_probe_reset_slot(pdev->slot)) {
+ ret = vfio_assign_device_set(&vdev->vdev, pdev->slot);
+--
+2.39.5
+
--- /dev/null
+From 36f8f9458364287fee069a742932dbdd123f8066 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 09:37:44 -0700
+Subject: vfio/pds: Fix missing detach_ioas op
+
+From: Brett Creeley <brett.creeley@amd.com>
+
+[ Upstream commit fe24d5bc635e103a517ec201c3cb571eeab8be2f ]
+
+When CONFIG_IOMMUFD is enabled and a device is bound to the pds_vfio_pci
+driver, the following WARN_ON() trace is seen and probe fails:
+
+WARNING: CPU: 0 PID: 5040 at drivers/vfio/vfio_main.c:317 __vfio_register_dev+0x130/0x140 [vfio]
+<...>
+pds_vfio_pci 0000:08:00.1: probe with driver pds_vfio_pci failed with error -22
+
+This is because the driver's vfio_device_ops.detach_ioas isn't set.
+
+Fix this by using the generic vfio_iommufd_physical_detach_ioas
+function.
+
+Fixes: 38fe3975b4c2 ("vfio/pds: Initial support for pds VFIO driver")
+Signed-off-by: Brett Creeley <brett.creeley@amd.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Link: https://lore.kernel.org/r/20250702163744.69767-1-brett.creeley@amd.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/pds/vfio_dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vfio/pci/pds/vfio_dev.c b/drivers/vfio/pci/pds/vfio_dev.c
+index a286ebcc7112..69d1bcefd7c3 100644
+--- a/drivers/vfio/pci/pds/vfio_dev.c
++++ b/drivers/vfio/pci/pds/vfio_dev.c
+@@ -231,6 +231,7 @@ static const struct vfio_device_ops pds_vfio_ops = {
+ .bind_iommufd = vfio_iommufd_physical_bind,
+ .unbind_iommufd = vfio_iommufd_physical_unbind,
+ .attach_ioas = vfio_iommufd_physical_attach_ioas,
++ .detach_ioas = vfio_iommufd_physical_detach_ioas,
+ };
+
+ const struct vfio_device_ops *pds_vfio_ops_info(void)
+--
+2.39.5
+
--- /dev/null
+From 097843d7964ac95e730e3fbfb47071751fb270d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 16:46:18 -0700
+Subject: vfio: Prevent open_count decrement to negative
+
+From: Jacob Pan <jacob.pan@linux.microsoft.com>
+
+[ Upstream commit 982ddd59ed97dc7e63efd97ed50273ffb817bd41 ]
+
+When vfio_df_close() is called with open_count=0, it triggers a warning in
+vfio_assert_device_open() but still decrements open_count to -1. This allows
+a subsequent open to incorrectly pass the open_count == 0 check, leading to
+unintended behavior, such as setting df->access_granted = true.
+
+For example, running an IOMMUFD compat no-IOMMU device with VFIO tests
+(https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c)
+results in a warning and a failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first
+run, but the second run succeeds incorrectly.
+
+Add checks to avoid decrementing open_count below zero.
+
+Fixes: 05f37e1c03b6 ("vfio: Pass struct vfio_device_file * to vfio_device_open/close()")
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
+Link: https://lore.kernel.org/r/20250618234618.1910456-2-jacob.pan@linux.microsoft.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
+index 40732e8ed4c6..edb631e5e7ec 100644
+--- a/drivers/vfio/vfio_main.c
++++ b/drivers/vfio/vfio_main.c
+@@ -537,7 +537,8 @@ void vfio_df_close(struct vfio_device_file *df)
+
+ lockdep_assert_held(&device->dev_set->lock);
+
+- vfio_assert_device_open(device);
++ if (!vfio_assert_device_open(device))
++ return;
+ if (device->open_count == 1)
+ vfio_df_device_last_close(df);
+ device->open_count--;
+--
+2.39.5
+
--- /dev/null
+From 0d03d32d21242cdebc6c02cbc7f8d3601d561f72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 16:01:13 -0500
+Subject: vhost-scsi: Fix log flooding with target does not exist errors
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit 69cd720a8a5e9ef0f05ce5dd8c9ea6e018245c82 ]
+
+As part of the normal initiator side scanning the guest's scsi layer
+will loop over all possible targets and send an inquiry. Since the
+max number of targets for virtio-scsi is 256, this can result in 255
+error messages about targets not existing if you only have a single
+target. When there's more than 1 vhost-scsi device each with a single
+target, then you get N * 255 log messages.
+
+It looks like the log message was added by accident in:
+
+commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from
+control queue handler")
+
+when we added common helpers. Then in:
+
+commit 09d7583294aa ("vhost/scsi: Use common handling code in request
+queue handler")
+
+we converted the scsi command processing path to use the new
+helpers so we started to see the extra log messages during scanning.
+
+The patches were just making some code common but added the vq_err
+call and I'm guessing the patch author forgot to enable the vq_err
+call (vq_err is implemented by pr_debug which defaults to off). So
+this patch removes the call since it's expected to hit this path
+during device discovery.
+
+Fixes: 09d7583294aa ("vhost/scsi: Use common handling code in request queue handler")
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20250611210113.10912-1-michael.christie@oracle.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/scsi.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
+index 662351511157..90a3c0fc5ab0 100644
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -1032,10 +1032,8 @@ vhost_scsi_get_req(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc,
+ /* validated at handler entry */
+ vs_tpg = vhost_vq_get_backend(vq);
+ tpg = READ_ONCE(vs_tpg[*vc->target]);
+- if (unlikely(!tpg)) {
+- vq_err(vq, "Target 0x%x does not exist\n", *vc->target);
++ if (unlikely(!tpg))
+ goto out;
+- }
+ }
+
+ if (tpgp)
+--
+2.39.5
+
--- /dev/null
+From a9af856453489f3cc11826cd0a5484d87e8143b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:52:14 +0800
+Subject: vmci: Prevent the dispatching of uninitialized payloads
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031 ]
+
+The reproducer executes the host's unlocked_ioctl call in two different
+tasks. When init_context fails, the struct vmci_event_ctx is not fully
+initialized when executing vmci_datagram_dispatch() to send events to all
+vm contexts. This affects the datagram taken from the datagram queue of
+its context by another task, because the datagram payload is not initialized
+according to the size payload_size, which causes the kernel data to leak
+to the user space.
+
+Before dispatching the datagram, and before setting the payload content,
+explicitly set the payload content to 0 to avoid data leakage caused by
+incomplete payload initialization.
+
+Fixes: 28d6692cd8fb ("VMCI: context implementation.")
+Reported-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9b9124ae9b12d5af5d95
+Tested-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://lore.kernel.org/r/20250627055214.2967129-1-lizhi.xu@windriver.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c
+index f22b44827e92..d566103caa27 100644
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -251,6 +251,8 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags)
+ ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID,
+ VMCI_CONTEXT_RESOURCE_ID);
+ ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr);
++ memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0,
++ ev.msg.hdr.payload_size);
+ ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED;
+ ev.payload.context_id = context_id;
+
+--
+2.39.5
+
--- /dev/null
+From c8e28e1ef4bd3534ab737ba0c1a42aa87a7cb6e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 09:00:43 -0700
+Subject: vrf: Drop existing dst reference in vrf_ip6_input_dst
+
+From: Stanislav Fomichev <sdf@fomichev.me>
+
+[ Upstream commit f388f807eca1de9e6e70f9ffb1a573c3811c4215 ]
+
+Commit ff3fbcdd4724 ("selftests: tc: Add generic erspan_opts matching support
+for tc-flower") started triggering the following kmemleak warning:
+
+unreferenced object 0xffff888015fb0e00 (size 512):
+ comm "softirq", pid 0, jiffies 4294679065
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 40 d2 85 9e ff ff ff ff ........@.......
+ 41 69 59 9d ff ff ff ff 00 00 00 00 00 00 00 00 AiY.............
+ backtrace (crc 30b71e8b):
+ __kmalloc_noprof+0x359/0x460
+ metadata_dst_alloc+0x28/0x490
+ erspan_rcv+0x4f1/0x1160 [ip_gre]
+ gre_rcv+0x217/0x240 [ip_gre]
+ gre_rcv+0x1b8/0x400 [gre]
+ ip_protocol_deliver_rcu+0x31d/0x3a0
+ ip_local_deliver_finish+0x37d/0x620
+ ip_local_deliver+0x174/0x460
+ ip_rcv+0x52b/0x6b0
+ __netif_receive_skb_one_core+0x149/0x1a0
+ process_backlog+0x3c8/0x1390
+ __napi_poll.constprop.0+0xa1/0x390
+ net_rx_action+0x59b/0xe00
+ handle_softirqs+0x22b/0x630
+ do_softirq+0xb1/0xf0
+ __local_bh_enable_ip+0x115/0x150
+
+vrf_ip6_input_dst unconditionally sets skb dst entry, add a call to
+skb_dst_drop to drop any existing entry.
+
+Cc: David Ahern <dsahern@kernel.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Fixes: 9ff74384600a ("net: vrf: Handle ipv6 multicast and link-local addresses")
+Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://patch.msgid.link/20250725160043.350725-1-sdf@fomichev.me
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vrf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
+index 5968a3ab8177..64114e98d75d 100644
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -1345,6 +1345,8 @@ static void vrf_ip6_input_dst(struct sk_buff *skb, struct net_device *vrf_dev,
+ struct net *net = dev_net(vrf_dev);
+ struct rt6_info *rt6;
+
++ skb_dst_drop(skb);
++
+ rt6 = vrf_ip6_route_lookup(net, vrf_dev, &fl6, ifindex, skb,
+ RT6_LOOKUP_F_HAS_SADDR | RT6_LOOKUP_F_IFACE);
+ if (unlikely(!rt6))
+--
+2.39.5
+
--- /dev/null
+From f9d1febc2d8d1b631233387a7974a6c3369adbd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 23:22:19 +0300
+Subject: watchdog: ziirave_wdt: check record length in ziirave_firm_verify()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 8b61d8ca751bc15875b50e0ff6ac3ba0cf95a529 ]
+
+The "rec->len" value comes from the firmware. We generally do
+trust firmware, but it's always better to double check. If
+the length value is too large it would lead to memory corruption
+when we set "data[i] = ret;"
+
+Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/ziirave_wdt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c
+index 5ed33df68e9a..e611d60316c6 100644
+--- a/drivers/watchdog/ziirave_wdt.c
++++ b/drivers/watchdog/ziirave_wdt.c
+@@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd,
+ const u16 len = be16_to_cpu(rec->len);
+ const u32 addr = be32_to_cpu(rec->addr);
+
++ if (len > sizeof(data))
++ return -EINVAL;
++
+ if (ziirave_firm_addr_readonly(addr))
+ continue;
+
+--
+2.39.5
+
--- /dev/null
+From 3d37569d1ad7a346c3e5bbffd5bb511e3626fb0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 17:45:06 +0900
+Subject: wifi: ath11k: clear initialized flag for deinit-ed srng lists
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+[ Upstream commit a5b46aa7cf5f05c213316a018e49a8e086efd98e ]
+
+In a number of cases we see kernel panics on resume due
+to ath11k kernel page fault, which happens under the
+following circumstances:
+
+1) First ath11k_hal_dump_srng_stats() call
+
+ Last interrupt received for each group:
+ ath11k_pci 0000:01:00.0: group_id 0 22511ms before
+ ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
+ [..]
+ ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
+ ath11k_pci 0000:01:00.0: Service connect timeout
+ ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
+ ath11k_pci 0000:01:00.0: failed to start core: -110
+ ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
+ ath11k_pci 0000:01:00.0: already resetting count 2
+ ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
+ ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
+ ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
+ [..]
+
+2) At this point reconfiguration fails (we have 2 resets) and
+ ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()
+ which destroys srng lists. However, it does not reset per-list
+ ->initialized flag.
+
+3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized
+ flag and attempts to dump srng stats:
+
+ Last interrupt received for each group:
+ ath11k_pci 0000:01:00.0: group_id 0 66785ms before
+ ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
+ ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
+ ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 7 66814ms before
+ ath11k_pci 0000:01:00.0: group_id 8 68997ms before
+ ath11k_pci 0000:01:00.0: group_id 9 67588ms before
+ ath11k_pci 0000:01:00.0: group_id 10 69511ms before
+ BUG: unable to handle page fault for address: ffffa007404eb010
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
+ Call Trace:
+ <TASK>
+ ? __die_body+0xae/0xb0
+ ? page_fault_oops+0x381/0x3e0
+ ? exc_page_fault+0x69/0xa0
+ ? asm_exc_page_fault+0x22/0x30
+ ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
+ ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
+ worker_thread+0x389/0x930
+ kthread+0x149/0x170
+
+Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
+
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Fixes: 5118935b1bc2 ("ath11k: dump SRNG stats during FW assert")
+Link: https://patch.msgid.link/20250612084551.702803-1-senozhatsky@chromium.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/hal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c
+index f32fa104ded9..df493d176062 100644
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -1319,6 +1319,10 @@ EXPORT_SYMBOL(ath11k_hal_srng_init);
+ void ath11k_hal_srng_deinit(struct ath11k_base *ab)
+ {
+ struct ath11k_hal *hal = &ab->hal;
++ int i;
++
++ for (i = 0; i < HAL_SRNG_RING_ID_MAX; i++)
++ ab->hal.srng_list[i].initialized = 0;
+
+ ath11k_hal_unregister_srng_key(ab);
+ ath11k_hal_free_cont_rdp(ab);
+--
+2.39.5
+
--- /dev/null
+From cfe190c7cae549090b897babfb5b8466f2a5f594 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 23:05:38 +0530
+Subject: wifi: ath12k: fix endianness handling while accessing wmi service bit
+
+From: Tamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
+
+[ Upstream commit 8f1a078842d4af4877fb686f3907788024d0d1b7 ]
+
+Currently there is no endian conversion in ath12k_wmi_tlv_services_parser()
+so the service bit parsing will be incorrect on a big endian platform and
+to fix this by using appropriate endian conversion.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00217-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: 342527f35338 ("wifi: ath12k: Add support to parse new WMI event for 6 GHz regulatory")
+Signed-off-by: Tamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250717173539.2523396-2-tamizh.raja@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index 958ac4ed5c34..e918218ce2d6 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -6303,7 +6303,7 @@ static int ath12k_wmi_tlv_services_parser(struct ath12k_base *ab,
+ void *data)
+ {
+ const struct wmi_service_available_event *ev;
+- u32 *wmi_ext2_service_bitmap;
++ __le32 *wmi_ext2_service_bitmap;
+ int i, j;
+ u16 expected_len;
+
+@@ -6335,12 +6335,12 @@ static int ath12k_wmi_tlv_services_parser(struct ath12k_base *ab,
+ ev->wmi_service_segment_bitmap[3]);
+ break;
+ case WMI_TAG_ARRAY_UINT32:
+- wmi_ext2_service_bitmap = (u32 *)ptr;
++ wmi_ext2_service_bitmap = (__le32 *)ptr;
+ for (i = 0, j = WMI_MAX_EXT_SERVICE;
+ i < WMI_SERVICE_SEGMENT_BM_SIZE32 && j < WMI_MAX_EXT2_SERVICE;
+ i++) {
+ do {
+- if (wmi_ext2_service_bitmap[i] &
++ if (__le32_to_cpu(wmi_ext2_service_bitmap[i]) &
+ BIT(j % WMI_AVAIL_SERVICE_BITS_IN_SIZE32))
+ set_bit(j, ab->wmi_ab.svc_map);
+ } while (++j % WMI_AVAIL_SERVICE_BITS_IN_SIZE32);
+@@ -6348,8 +6348,10 @@ static int ath12k_wmi_tlv_services_parser(struct ath12k_base *ab,
+
+ ath12k_dbg(ab, ATH12K_DBG_WMI,
+ "wmi_ext2_service_bitmap 0x%04x 0x%04x 0x%04x 0x%04x",
+- wmi_ext2_service_bitmap[0], wmi_ext2_service_bitmap[1],
+- wmi_ext2_service_bitmap[2], wmi_ext2_service_bitmap[3]);
++ __le32_to_cpu(wmi_ext2_service_bitmap[0]),
++ __le32_to_cpu(wmi_ext2_service_bitmap[1]),
++ __le32_to_cpu(wmi_ext2_service_bitmap[2]),
++ __le32_to_cpu(wmi_ext2_service_bitmap[3]));
+ break;
+ }
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From d77a22091f331a1641bb5a4c05008ad1b4e9273e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 10:37:02 +0530
+Subject: wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing
+ P2P IE
+
+From: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+
+[ Upstream commit 579bf8037b70b644a674c126a32bbb2212cf5c21 ]
+
+After commit bd99a3013bdc ("brcmfmac: move configuration of probe request
+IEs"), the probe request MGMT IE addition operation brcmf_vif_set_mgmt_ie()
+got moved from the brcmf_p2p_scan_prep() to the brcmf_cfg80211_scan().
+
+Because of this, as part of the scan request handler for the P2P Discovery,
+vif struct used for adding the Probe Request P2P IE in firmware got changed
+from the P2PAPI_BSSCFG_DEVICE vif to P2PAPI_BSSCFG_PRIMARY vif incorrectly.
+So the firmware stopped adding P2P IE to the outgoing P2P Discovery probe
+requests frames and the other P2P peers were unable to discover this device
+causing a regression on the P2P feature.
+
+To fix this, while setting the P2P IE in firmware, properly use the vif of
+the P2P discovery wdev on which the driver received the P2P scan request.
+This is done by not changing the vif pointer, until brcmf_vif_set_mgmt_ie()
+is completed.
+
+Fixes: bd99a3013bdc ("brcmfmac: move configuration of probe request IEs")
+Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20250626050706.7271-1-gokulkumar.sivakumar@infineon.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index c708ae91c3ce..e883cf80f506 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -1541,10 +1541,6 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request)
+ return -EAGAIN;
+ }
+
+- /* If scan req comes for p2p0, send it over primary I/F */
+- if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif)
+- vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif;
+-
+ brcmf_dbg(SCAN, "START ESCAN\n");
+
+ cfg->scan_request = request;
+@@ -1560,6 +1556,10 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request)
+ if (err)
+ goto scan_out;
+
++ /* If scan req comes for p2p0, send it over primary I/F */
++ if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif)
++ vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif;
++
+ err = brcmf_do_escan(vif->ifp, request);
+ if (err)
+ goto scan_out;
+--
+2.39.5
+
--- /dev/null
+From 0e0c9748d01d4f1d691c92decb407b6e70927875 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 11:52:13 +0800
+Subject: wifi: iwlwifi: Fix memory leak in iwl_mvm_init()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit ed2e916c890944633d6826dce267579334f63ea5 ]
+
+When iwl_opmode_register() fails, it does not unregster rate control,
+which will cause a memory leak issue, this patch fixes it.
+
+Fixes: 9f66a397c877 ("iwlwifi: mvm: rs: add ops for the new rate scaling in the FW")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Link: https://patch.msgid.link/20221109035213.570-1-xiujianfeng@huawei.com
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index b2cf5aeff7e3..d2dbbc9fe384 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -65,8 +65,10 @@ static int __init iwl_mvm_init(void)
+ }
+
+ ret = iwl_opmode_register("iwlmvm", &iwl_mvm_ops);
+- if (ret)
++ if (ret) {
+ pr_err("Unable to register MVM op_mode: %d\n", ret);
++ iwl_mvm_rate_control_unregister();
++ }
+
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From 3281af26b3b64fa01627b901576fb266d71f8bf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 17:45:28 +0200
+Subject: wifi: mac80211: Check 802.11 encaps offloading in
+ ieee80211_tx_h_select_key()
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 4037c468d1b3c508d69e6df0ef47fdee3d440e39 ]
+
+With 802.11 encapsulation offloading, ieee80211_tx_h_select_key() is
+called on 802.3 frames. In that case do not try to use skb data as
+valid 802.11 headers.
+
+Reported-by: Bert Karwatzki <spasswolf@web.de>
+Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/1af4b5b903a5fca5ebe67333d5854f93b2be5abe.1752765971.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index f54792c4b910..e4797eb9c2ba 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -629,6 +629,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
+ else
+ tx->key = NULL;
+
++ if (info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) {
++ if (tx->key && tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
++ info->control.hw_key = &tx->key->conf;
++ return TX_CONTINUE;
++ }
++
+ if (tx->key) {
+ bool skip_hw = false;
+
+--
+2.39.5
+
--- /dev/null
+From 62f06dfe62da34d4ed8ea6545313970f6504e8c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 18:25:46 +0200
+Subject: wifi: mac80211: Do not schedule stopped TXQs
+
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+
+[ Upstream commit 11e3e22fa533f5d7cf04e32343b05a27eda3c7a5 ]
+
+Ignore TXQs with the flag IEEE80211_TXQ_STOP when scheduling a queue.
+
+The flag is only set after all fragments have been dequeued and won't
+allow dequeueing other frames as long as the flag is set.
+
+For drivers using ieee80211_txq_schedule_start() this prevents an
+loop trying to push the queued frames while IEEE80211_TXQ_STOP is set:
+
+After setting IEEE80211_TXQ_STOP the driver will call
+ieee80211_return_txq(). Which calls __ieee80211_schedule_txq(), detects
+that there sill are frames in the queue and immediately restarts the
+stopped TXQ. Which can't dequeue any frame and thus starts over the loop.
+
+Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
+Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
+Link: https://patch.msgid.link/20250717162547.94582-2-Alexander@wetzel-home.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index ec5469add68a..bdf7c7ca5654 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -4099,7 +4099,9 @@ void __ieee80211_schedule_txq(struct ieee80211_hw *hw,
+
+ spin_lock_bh(&local->active_txq_lock[txq->ac]);
+
+- has_queue = force || txq_has_queue(txq);
++ has_queue = force ||
++ (!test_bit(IEEE80211_TXQ_STOP, &txqi->flags) &&
++ txq_has_queue(txq));
+ if (list_empty(&txqi->schedule_order) &&
+ (has_queue || ieee80211_txq_keep_active(txqi))) {
+ /* If airtime accounting is active, always enqueue STAs at the
+--
+2.39.5
+
--- /dev/null
+From 7098262701e6646fbb9c09ecb2625ff9ececb540 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 18:25:47 +0200
+Subject: wifi: mac80211: Don't call fq_flow_idx() for management frames
+
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+
+[ Upstream commit cb3bb3d88dfcd177a1050c0a009a3ee147b2e5b9 ]
+
+skb_get_hash() can only be used when the skb is linked to a netdev
+device.
+
+Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
+Fixes: 73bc9e0af594 ("mac80211: don't apply flow control on management frames")
+Link: https://patch.msgid.link/20250717162547.94582-3-Alexander@wetzel-home.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index bdf7c7ca5654..f54792c4b910 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1451,7 +1451,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local,
+ {
+ struct fq *fq = &local->fq;
+ struct fq_tin *tin = &txqi->tin;
+- u32 flow_idx = fq_flow_idx(fq, skb);
++ u32 flow_idx;
+
+ ieee80211_set_skb_enqueue_time(skb);
+
+@@ -1467,6 +1467,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local,
+ IEEE80211_TX_INTCFL_NEED_TXPROCESSING;
+ __skb_queue_tail(&txqi->frags, skb);
+ } else {
++ flow_idx = fq_flow_idx(fq, skb);
+ fq_tin_enqueue(fq, tin, flow_idx, skb,
+ fq_skb_free_func);
+ }
+--
+2.39.5
+
--- /dev/null
+From ca60aee88f4cf7d5864baede9a042efd91c213bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 16:09:05 -0700
+Subject: wifi: mac80211: reject TDLS operations when station is not associated
+
+From: Moon Hee Lee <moonhee.lee.ca@gmail.com>
+
+[ Upstream commit 16ecdab5446f15a61ec88eb0d23d25d009821db0 ]
+
+syzbot triggered a WARN in ieee80211_tdls_oper() by sending
+NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,
+before association completed and without prior TDLS setup.
+
+This left internal state like sdata->u.mgd.tdls_peer uninitialized,
+leading to a WARN_ON() in code paths that assumed it was valid.
+
+Reject the operation early if not in station mode or not associated.
+
+Reported-by: syzbot+f73f203f8c9b19037380@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f73f203f8c9b19037380
+Fixes: 81dd2b882241 ("mac80211: move TDLS data to mgd private part")
+Tested-by: syzbot+f73f203f8c9b19037380@syzkaller.appspotmail.com
+Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com>
+Link: https://patch.msgid.link/20250715230904.661092-2-moonhee.lee.ca@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tdls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index a4af3b7675ef..f3cdbd2133f6 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -1450,7 +1450,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
+ if (!(wiphy->flags & WIPHY_FLAG_SUPPORTS_TDLS))
+ return -ENOTSUPP;
+
+- if (sdata->vif.type != NL80211_IFTYPE_STATION)
++ if (sdata->vif.type != NL80211_IFTYPE_STATION || !sdata->vif.cfg.assoc)
+ return -EINVAL;
+
+ switch (oper) {
+--
+2.39.5
+
--- /dev/null
+From 9b045661a7744a8621906b8a5c4608b3c0544e37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 11:25:22 -0700
+Subject: wifi: mac80211: Write cnt before copying in
+ ieee80211_copy_rnr_beacon()
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit a37192c432adaec9e8ef29e4ddb319ea2f443aa6 ]
+
+While I caught the need for setting cnt early in nl80211_parse_rnr_elems()
+in the original annotation of struct cfg80211_rnr_elems with __counted_by,
+I missed a similar pattern in ieee80211_copy_rnr_beacon(). Fix this by
+moving the cnt assignment to before the loop.
+
+Fixes: 7b6d7087031b ("wifi: cfg80211: Annotate struct cfg80211_rnr_elems with __counted_by")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://patch.msgid.link/20250721182521.work.540-kees@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index a3c5d4d995db..3ff7f38394a6 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1099,13 +1099,13 @@ ieee80211_copy_rnr_beacon(u8 *pos, struct cfg80211_rnr_elems *dst,
+ {
+ int i, offset = 0;
+
++ dst->cnt = src->cnt;
+ for (i = 0; i < src->cnt; i++) {
+ memcpy(pos + offset, src->elem[i].data, src->elem[i].len);
+ dst->elem[i].len = src->elem[i].len;
+ dst->elem[i].data = pos + offset;
+ offset += dst->elem[i].len;
+ }
+- dst->cnt = src->cnt;
+
+ return offset;
+ }
+--
+2.39.5
+
--- /dev/null
+From b0ac011517549fe43f0dc026613728309293a5d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Mar 2025 21:52:26 +0300
+Subject: wifi: plfxlc: Fix error handling in usb driver probe
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit 3fe79a25c3cd54d25d30bc235c0c57f8a123d9d5 ]
+
+If probe fails before ieee80211_register_hw() is successfully done,
+ieee80211_unregister_hw() will be called anyway. This may lead to various
+bugs as the implementation of ieee80211_unregister_hw() assumes that
+ieee80211_register_hw() has been called.
+
+Divide error handling section into relevant subsections, so that
+ieee80211_unregister_hw() is called only when it is appropriate. Correct
+the order of the calls: ieee80211_unregister_hw() should go before
+plfxlc_mac_release(). Also move ieee80211_free_hw() to plfxlc_mac_release()
+as it supposed to be the opposite to plfxlc_mac_alloc_hw() that calls
+ieee80211_alloc_hw().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 68d57a07bfe5 ("wireless: add plfxlc driver for pureLiFi X, XL, XC devices")
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Link: https://patch.msgid.link/20250321185226.71-3-m.masimov@mt-integration.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/purelifi/plfxlc/mac.c | 11 ++++----
+ drivers/net/wireless/purelifi/plfxlc/mac.h | 2 +-
+ drivers/net/wireless/purelifi/plfxlc/usb.c | 29 +++++++++++-----------
+ 3 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/wireless/purelifi/plfxlc/mac.c b/drivers/net/wireless/purelifi/plfxlc/mac.c
+index 7ebc0df0944c..f9f7532c32fd 100644
+--- a/drivers/net/wireless/purelifi/plfxlc/mac.c
++++ b/drivers/net/wireless/purelifi/plfxlc/mac.c
+@@ -100,11 +100,6 @@ int plfxlc_mac_init_hw(struct ieee80211_hw *hw)
+ return r;
+ }
+
+-void plfxlc_mac_release(struct plfxlc_mac *mac)
+-{
+- plfxlc_chip_release(&mac->chip);
+-}
+-
+ int plfxlc_op_start(struct ieee80211_hw *hw)
+ {
+ plfxlc_hw_mac(hw)->chip.usb.initialized = 1;
+@@ -752,3 +747,9 @@ struct ieee80211_hw *plfxlc_mac_alloc_hw(struct usb_interface *intf)
+ SET_IEEE80211_DEV(hw, &intf->dev);
+ return hw;
+ }
++
++void plfxlc_mac_release_hw(struct ieee80211_hw *hw)
++{
++ plfxlc_chip_release(&plfxlc_hw_mac(hw)->chip);
++ ieee80211_free_hw(hw);
++}
+diff --git a/drivers/net/wireless/purelifi/plfxlc/mac.h b/drivers/net/wireless/purelifi/plfxlc/mac.h
+index 49b92413729b..c0445932b2e8 100644
+--- a/drivers/net/wireless/purelifi/plfxlc/mac.h
++++ b/drivers/net/wireless/purelifi/plfxlc/mac.h
+@@ -168,7 +168,7 @@ static inline u8 *plfxlc_mac_get_perm_addr(struct plfxlc_mac *mac)
+ }
+
+ struct ieee80211_hw *plfxlc_mac_alloc_hw(struct usb_interface *intf);
+-void plfxlc_mac_release(struct plfxlc_mac *mac);
++void plfxlc_mac_release_hw(struct ieee80211_hw *hw);
+
+ int plfxlc_mac_preinit_hw(struct ieee80211_hw *hw, const u8 *hw_address);
+ int plfxlc_mac_init_hw(struct ieee80211_hw *hw);
+diff --git a/drivers/net/wireless/purelifi/plfxlc/usb.c b/drivers/net/wireless/purelifi/plfxlc/usb.c
+index 8151bc5e00cc..901e0139969e 100644
+--- a/drivers/net/wireless/purelifi/plfxlc/usb.c
++++ b/drivers/net/wireless/purelifi/plfxlc/usb.c
+@@ -604,7 +604,7 @@ static int probe(struct usb_interface *intf,
+ r = plfxlc_upload_mac_and_serial(intf, hw_address, serial_number);
+ if (r) {
+ dev_err(&intf->dev, "MAC and Serial upload failed (%d)\n", r);
+- goto error;
++ goto error_free_hw;
+ }
+
+ chip->unit_type = STA;
+@@ -613,13 +613,13 @@ static int probe(struct usb_interface *intf,
+ r = plfxlc_mac_preinit_hw(hw, hw_address);
+ if (r) {
+ dev_err(&intf->dev, "Init mac failed (%d)\n", r);
+- goto error;
++ goto error_free_hw;
+ }
+
+ r = ieee80211_register_hw(hw);
+ if (r) {
+ dev_err(&intf->dev, "Register device failed (%d)\n", r);
+- goto error;
++ goto error_free_hw;
+ }
+
+ if ((le16_to_cpu(interface_to_usbdev(intf)->descriptor.idVendor) ==
+@@ -632,7 +632,7 @@ static int probe(struct usb_interface *intf,
+ }
+ if (r != 0) {
+ dev_err(&intf->dev, "FPGA download failed (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ tx->mac_fifo_full = 0;
+@@ -642,21 +642,21 @@ static int probe(struct usb_interface *intf,
+ r = plfxlc_usb_init_hw(usb);
+ if (r < 0) {
+ dev_err(&intf->dev, "usb_init_hw failed (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ msleep(PLF_MSLEEP_TIME);
+ r = plfxlc_chip_switch_radio(chip, PLFXLC_RADIO_ON);
+ if (r < 0) {
+ dev_dbg(&intf->dev, "chip_switch_radio_on failed (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ msleep(PLF_MSLEEP_TIME);
+ r = plfxlc_chip_set_rate(chip, 8);
+ if (r < 0) {
+ dev_dbg(&intf->dev, "chip_set_rate failed (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ msleep(PLF_MSLEEP_TIME);
+@@ -664,7 +664,7 @@ static int probe(struct usb_interface *intf,
+ hw_address, ETH_ALEN, USB_REQ_MAC_WR);
+ if (r < 0) {
+ dev_dbg(&intf->dev, "MAC_WR failure (%d)\n", r);
+- goto error;
++ goto error_unreg_hw;
+ }
+
+ plfxlc_chip_enable_rxtx(chip);
+@@ -691,12 +691,12 @@ static int probe(struct usb_interface *intf,
+ plfxlc_mac_init_hw(hw);
+ usb->initialized = true;
+ return 0;
++
++error_unreg_hw:
++ ieee80211_unregister_hw(hw);
++error_free_hw:
++ plfxlc_mac_release_hw(hw);
+ error:
+- if (hw) {
+- plfxlc_mac_release(plfxlc_hw_mac(hw));
+- ieee80211_unregister_hw(hw);
+- ieee80211_free_hw(hw);
+- }
+ dev_err(&intf->dev, "pureLifi:Device error");
+ return r;
+ }
+@@ -730,8 +730,7 @@ static void disconnect(struct usb_interface *intf)
+ */
+ usb_reset_device(interface_to_usbdev(intf));
+
+- plfxlc_mac_release(mac);
+- ieee80211_free_hw(hw);
++ plfxlc_mac_release_hw(hw);
+ }
+
+ static void plfxlc_usb_resume(struct plfxlc_usb *usb)
+--
+2.39.5
+
--- /dev/null
+From d696b00bbd9ae2cbf26280cc14eaae91ef01939e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 16:56:34 +0300
+Subject: wifi: rtl818x: Kill URBs before clearing tx status queue
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+[ Upstream commit 16d8fd74dbfca0ea58645cd2fca13be10cae3cdd ]
+
+In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing
+b_tx_status.queue. This change prevents callbacks from using already freed
+skb due to anchor was not killed before freeing such skb.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000080
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
+ RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]
+ Call Trace:
+ <IRQ>
+ rtl8187_tx_cb+0x116/0x150 [rtl8187]
+ __usb_hcd_giveback_urb+0x9d/0x120
+ usb_giveback_urb_bh+0xbb/0x140
+ process_one_work+0x19b/0x3c0
+ bh_worker+0x1a7/0x210
+ tasklet_action+0x10/0x30
+ handle_softirqs+0xf0/0x340
+ __irq_exit_rcu+0xcd/0xf0
+ common_interrupt+0x85/0xa0
+ </IRQ>
+
+Tested on RTL8187BvE device.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: c1db52b9d27e ("rtl8187: Use usb anchor facilities to manage urbs")
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250617135634.21760-1-d.dulov@aladdin.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+index 04945f905d6d..f6528469022b 100644
+--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+@@ -1041,10 +1041,11 @@ static void rtl8187_stop(struct ieee80211_hw *dev)
+ rtl818x_iowrite8(priv, &priv->map->CONFIG4, reg | RTL818X_CONFIG4_VCOOFF);
+ rtl818x_iowrite8(priv, &priv->map->EEPROM_CMD, RTL818X_EEPROM_CMD_NORMAL);
+
++ usb_kill_anchored_urbs(&priv->anchored);
++
+ while ((skb = skb_dequeue(&priv->b_tx_status.queue)))
+ dev_kfree_skb_any(skb);
+
+- usb_kill_anchored_urbs(&priv->anchored);
+ mutex_unlock(&priv->conf_mutex);
+
+ if (!priv->is_rtl8187b)
+--
+2.39.5
+
--- /dev/null
+From 1ffaa2da17eb52f76d546bbf0cfd75be540026e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 14:15:22 +0200
+Subject: wifi: rtl8xxxu: Fix RX skb size for aggregation disabled
+
+From: Martin Kaistra <martin.kaistra@linutronix.de>
+
+[ Upstream commit d76a1abcf57734d2bcd4a7ec051617edd4513d7f ]
+
+Commit 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for
+phystats") increased the skb size when aggregation is enabled but decreased
+it for the aggregation disabled case.
+
+As a result, if a frame near the maximum size is received,
+rtl8xxxu_rx_complete() is called with status -EOVERFLOW and then the
+driver starts to malfunction and no further communication is possible.
+
+Restore the skb size in the aggregation disabled case.
+
+Fixes: 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for phystats")
+Signed-off-by: Martin Kaistra <martin.kaistra@linutronix.de>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250709121522.1992366-1-martin.kaistra@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 05e77d2bda37..03aacb7a4317 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -6501,7 +6501,7 @@ static int rtl8xxxu_submit_rx_urb(struct rtl8xxxu_priv *priv,
+ skb_size = fops->rx_agg_buf_size;
+ skb_size += (rx_desc_sz + sizeof(struct rtl8723au_phy_stats));
+ } else {
+- skb_size = IEEE80211_MAX_FRAME_LEN;
++ skb_size = IEEE80211_MAX_FRAME_LEN + rx_desc_sz;
+ }
+
+ skb = __netdev_alloc_skb(NULL, skb_size, GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From a1a3739aa3e79d0d38132289dced0137ec60bebf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 20:46:47 +0800
+Subject: wifi: rtw89: avoid NULL dereference when RX problematic packet on
+ unsupported 6 GHz band
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit 7e04f01bb94fe61c73cc59f0495c3b6c16a83231 ]
+
+With a quite rare chance, RX report might be problematic to make SW think
+a packet is received on 6 GHz band even if the chip does not support 6 GHz
+band actually. Since SW won't initialize stuffs for unsupported bands, NULL
+dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() ->
+rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it.
+
+The following is a crash log for this case.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000032
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4)
+ Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024
+ RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core]
+ Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11
+ 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45
+ 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85
+ RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246
+ RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011
+ RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6
+ RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000
+ R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4
+ R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000
+ FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0
+ PKRU: 55555554
+ Call Trace:
+ <IRQ>
+ ? __die_body+0x68/0xb0
+ ? page_fault_oops+0x379/0x3e0
+ ? exc_page_fault+0x4f/0xa0
+ ? asm_exc_page_fault+0x22/0x30
+ ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]
+ ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)]
+ __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)]
+ ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]
+ ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]
+ ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)]
+ rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)]
+ rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)]
+
+Fixes: c6aa9a9c4725 ("wifi: rtw89: add RNR support for 6 GHz scan")
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250618124649.11436-5-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
+index d1d8fd812cbf..21e9ec8768b5 100644
+--- a/drivers/net/wireless/realtek/rtw89/core.c
++++ b/drivers/net/wireless/realtek/rtw89/core.c
+@@ -1597,6 +1597,11 @@ static void rtw89_core_cancel_6ghz_probe_tx(struct rtw89_dev *rtwdev,
+ if (rx_status->band != NL80211_BAND_6GHZ)
+ return;
+
++ if (unlikely(!(rtwdev->chip->support_bands & BIT(NL80211_BAND_6GHZ)))) {
++ rtw89_debug(rtwdev, RTW89_DBG_UNEXP, "invalid rx on unsupported 6 GHz\n");
++ return;
++ }
++
+ ssid_ie = cfg80211_find_ie(WLAN_EID_SSID, ies, skb->len);
+
+ list_for_each_entry(info, &pkt_list[NL80211_BAND_6GHZ], list) {
+--
+2.39.5
+
--- /dev/null
+From 545e7ab5de834644b6861ac420cf423034fba2df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 09:32:59 +0200
+Subject: xen/gntdev: remove struct gntdev_copy_batch from stack
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 70045cf6593cbf0740956ea9b7b4269142c6ee38 ]
+
+When compiling the kernel with LLVM, the following warning was issued:
+
+ drivers/xen/gntdev.c:991: warning: stack frame size (1160) exceeds
+ limit (1024) in function 'gntdev_ioctl'
+
+The main reason is struct gntdev_copy_batch which is located on the
+stack and has a size of nearly 1kb.
+
+For performance reasons it shouldn't by just dynamically allocated
+instead, so allocate a new instance when needed and instead of freeing
+it put it into a list of free structs anchored in struct gntdev_priv.
+
+Fixes: a4cdb556cae0 ("xen/gntdev: add ioctl for grant copy")
+Reported-by: Abinash Singh <abinashsinghlalotra@gmail.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250703073259.17356-1-jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/gntdev-common.h | 4 +++
+ drivers/xen/gntdev.c | 71 ++++++++++++++++++++++++++-----------
+ 2 files changed, 54 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/xen/gntdev-common.h b/drivers/xen/gntdev-common.h
+index 9c286b2a1900..ac8ce3179ba2 100644
+--- a/drivers/xen/gntdev-common.h
++++ b/drivers/xen/gntdev-common.h
+@@ -26,6 +26,10 @@ struct gntdev_priv {
+ /* lock protects maps and freeable_maps. */
+ struct mutex lock;
+
++ /* Free instances of struct gntdev_copy_batch. */
++ struct gntdev_copy_batch *batch;
++ struct mutex batch_lock;
++
+ #ifdef CONFIG_XEN_GRANT_DMA_ALLOC
+ /* Device for which DMA memory is allocated. */
+ struct device *dma_dev;
+diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
+index 61faea1f0663..1f2160765618 100644
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -56,6 +56,18 @@ MODULE_AUTHOR("Derek G. Murray <Derek.Murray@cl.cam.ac.uk>, "
+ "Gerd Hoffmann <kraxel@redhat.com>");
+ MODULE_DESCRIPTION("User-space granted page access driver");
+
++#define GNTDEV_COPY_BATCH 16
++
++struct gntdev_copy_batch {
++ struct gnttab_copy ops[GNTDEV_COPY_BATCH];
++ struct page *pages[GNTDEV_COPY_BATCH];
++ s16 __user *status[GNTDEV_COPY_BATCH];
++ unsigned int nr_ops;
++ unsigned int nr_pages;
++ bool writeable;
++ struct gntdev_copy_batch *next;
++};
++
+ static unsigned int limit = 64*1024;
+ module_param(limit, uint, 0644);
+ MODULE_PARM_DESC(limit,
+@@ -584,6 +596,8 @@ static int gntdev_open(struct inode *inode, struct file *flip)
+ INIT_LIST_HEAD(&priv->maps);
+ mutex_init(&priv->lock);
+
++ mutex_init(&priv->batch_lock);
++
+ #ifdef CONFIG_XEN_GNTDEV_DMABUF
+ priv->dmabuf_priv = gntdev_dmabuf_init(flip);
+ if (IS_ERR(priv->dmabuf_priv)) {
+@@ -608,6 +622,7 @@ static int gntdev_release(struct inode *inode, struct file *flip)
+ {
+ struct gntdev_priv *priv = flip->private_data;
+ struct gntdev_grant_map *map;
++ struct gntdev_copy_batch *batch;
+
+ pr_debug("priv %p\n", priv);
+
+@@ -620,6 +635,14 @@ static int gntdev_release(struct inode *inode, struct file *flip)
+ }
+ mutex_unlock(&priv->lock);
+
++ mutex_lock(&priv->batch_lock);
++ while (priv->batch) {
++ batch = priv->batch;
++ priv->batch = batch->next;
++ kfree(batch);
++ }
++ mutex_unlock(&priv->batch_lock);
++
+ #ifdef CONFIG_XEN_GNTDEV_DMABUF
+ gntdev_dmabuf_fini(priv->dmabuf_priv);
+ #endif
+@@ -785,17 +808,6 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
+ return rc;
+ }
+
+-#define GNTDEV_COPY_BATCH 16
+-
+-struct gntdev_copy_batch {
+- struct gnttab_copy ops[GNTDEV_COPY_BATCH];
+- struct page *pages[GNTDEV_COPY_BATCH];
+- s16 __user *status[GNTDEV_COPY_BATCH];
+- unsigned int nr_ops;
+- unsigned int nr_pages;
+- bool writeable;
+-};
+-
+ static int gntdev_get_page(struct gntdev_copy_batch *batch, void __user *virt,
+ unsigned long *gfn)
+ {
+@@ -953,36 +965,53 @@ static int gntdev_grant_copy_seg(struct gntdev_copy_batch *batch,
+ static long gntdev_ioctl_grant_copy(struct gntdev_priv *priv, void __user *u)
+ {
+ struct ioctl_gntdev_grant_copy copy;
+- struct gntdev_copy_batch batch;
++ struct gntdev_copy_batch *batch;
+ unsigned int i;
+ int ret = 0;
+
+ if (copy_from_user(©, u, sizeof(copy)))
+ return -EFAULT;
+
+- batch.nr_ops = 0;
+- batch.nr_pages = 0;
++ mutex_lock(&priv->batch_lock);
++ if (!priv->batch) {
++ batch = kmalloc(sizeof(*batch), GFP_KERNEL);
++ } else {
++ batch = priv->batch;
++ priv->batch = batch->next;
++ }
++ mutex_unlock(&priv->batch_lock);
++ if (!batch)
++ return -ENOMEM;
++
++ batch->nr_ops = 0;
++ batch->nr_pages = 0;
+
+ for (i = 0; i < copy.count; i++) {
+ struct gntdev_grant_copy_segment seg;
+
+ if (copy_from_user(&seg, ©.segments[i], sizeof(seg))) {
+ ret = -EFAULT;
++ gntdev_put_pages(batch);
+ goto out;
+ }
+
+- ret = gntdev_grant_copy_seg(&batch, &seg, ©.segments[i].status);
+- if (ret < 0)
++ ret = gntdev_grant_copy_seg(batch, &seg, ©.segments[i].status);
++ if (ret < 0) {
++ gntdev_put_pages(batch);
+ goto out;
++ }
+
+ cond_resched();
+ }
+- if (batch.nr_ops)
+- ret = gntdev_copy(&batch);
+- return ret;
++ if (batch->nr_ops)
++ ret = gntdev_copy(batch);
++
++ out:
++ mutex_lock(&priv->batch_lock);
++ batch->next = priv->batch;
++ priv->batch = batch;
++ mutex_unlock(&priv->batch_lock);
+
+- out:
+- gntdev_put_pages(&batch);
+ return ret;
+ }
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
