+From 44143967918a67334fe92585fce5bfda298588a1 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 25 Apr 2025 20:25:00 +0530

+Subject: 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev

+ C0 and later devices

+

+From: Rengarajan S <rengarajan.s@microchip.com>

+

+[ Upstream commit c40b91e38eb8d4489def095d62ab476d45871323 ]

+

+Systems that issue PCIe hot reset requests during a suspend/resume

+cycle cause PCI1XXXX device revisions prior to C0 to get its UART

+configuration registers reset to hardware default values. This results

+in device inaccessibility and data transfer failures. Starting with

+Revision C0, support was added in the device hardware (via the Hot

+Reset Disable Bit) to allow resetting only the PCIe interface and its

+associated logic, but preserving the UART configuration during a hot

+reset. This patch enables the hot reset disable feature during suspend/

+resume for C0 and later revisions of the device.

+

+Signed-off-by: Rengarajan S <rengarajan.s@microchip.com>

+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>

+Link: https://lore.kernel.org/r/20250425145500.29036-1-rengarajan.s@microchip.com

+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/tty/serial/8250/8250_pci1xxxx.c | 10 ++++++++++

+ 1 file changed, 10 insertions(+)

+

+diff --git a/drivers/tty/serial/8250/8250_pci1xxxx.c b/drivers/tty/serial/8250/8250_pci1xxxx.c

+index e9c51d4e447dd..4c149db846925 100644

+--- a/drivers/tty/serial/8250/8250_pci1xxxx.c

++++ b/drivers/tty/serial/8250/8250_pci1xxxx.c

+@@ -115,6 +115,7 @@

+

+ #define UART_RESET_REG 0x94

+ #define UART_RESET_D3_RESET_DISABLE BIT(16)

++#define UART_RESET_HOT_RESET_DISABLE BIT(17)

+

+ #define UART_BURST_STATUS_REG 0x9C

+ #define UART_TX_BURST_FIFO 0xA0

+@@ -620,6 +621,10 @@ static int pci1xxxx_suspend(struct device *dev)

+ }

+

+ data = readl(p + UART_RESET_REG);

++

++ if (priv->dev_rev >= 0xC0)

++ data |= UART_RESET_HOT_RESET_DISABLE;

++

+ writel(data | UART_RESET_D3_RESET_DISABLE, p + UART_RESET_REG);

+

+ if (wakeup)

+@@ -647,7 +652,12 @@ static int pci1xxxx_resume(struct device *dev)

+ }

+

+ data = readl(p + UART_RESET_REG);

++

++ if (priv->dev_rev >= 0xC0)

++ data &= ~UART_RESET_HOT_RESET_DISABLE;

++

+ writel(data & ~UART_RESET_D3_RESET_DISABLE, p + UART_RESET_REG);

++

+ iounmap(p);

+

+ for (i = 0; i < priv->nr; i++) {

+--

+2.39.5

+

+From b8bb5bdaa801d6552858902c2b09624a2a5252fa Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 18 Jun 2025 21:13:55 -0700

+Subject: af_unix: Don't leave consecutive consumed OOB skbs.

+

+From: Kuniyuki Iwashima <kuniyu@google.com>

+

+[ Upstream commit 32ca245464e1479bfea8592b9db227fdc1641705 ]

+

+Jann Horn reported a use-after-free in unix_stream_read_generic().

+

+The following sequences reproduce the issue:

+

+ $ python3

+ from socket import *

+ s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)

+ s1.send(b'x', MSG_OOB)

+ s2.recv(1, MSG_OOB) # leave a consumed OOB skb

+ s1.send(b'y', MSG_OOB)

+ s2.recv(1, MSG_OOB) # leave a consumed OOB skb

+ s1.send(b'z', MSG_OOB)

+ s2.recv(1) # recv 'z' illegally

+ s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free)

+

+Even though a user reads OOB data, the skb holding the data stays on

+the recv queue to mark the OOB boundary and break the next recv().

+

+After the last send() in the scenario above, the sk2's recv queue has

+2 leading consumed OOB skbs and 1 real OOB skb.

+

+Then, the following happens during the next recv() without MSG_OOB

+

+ 1. unix_stream_read_generic() peeks the first consumed OOB skb

+ 2. manage_oob() returns the next consumed OOB skb

+ 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb

+ 4. unix_stream_read_generic() reads and frees the OOB skb

+

+, and the last recv(MSG_OOB) triggers KASAN splat.

+

+The 3. above occurs because of the SO_PEEK_OFF code, which does not

+expect unix_skb_len(skb) to be 0, but this is true for such consumed

+OOB skbs.

+

+ while (skip >= unix_skb_len(skb)) {

+ skip -= unix_skb_len(skb);

+ skb = skb_peek_next(skb, &sk->sk_receive_queue);

+ ...

+ }

+

+In addition to this use-after-free, there is another issue that

+ioctl(SIOCATMARK) does not function properly with consecutive consumed

+OOB skbs.

+

+So, nothing good comes out of such a situation.

+

+Instead of complicating manage_oob(), ioctl() handling, and the next

+ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs,

+let's not leave such consecutive OOB unnecessarily.

+

+Now, while receiving an OOB skb in unix_stream_recv_urg(), if its

+previous skb is a consumed OOB skb, it is freed.

+

+[0]:

+BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027)

+Read of size 4 at addr ffff888106ef2904 by task python3/315

+

+CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary)

+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014

+Call Trace:

+ <TASK>

+ dump_stack_lvl (lib/dump_stack.c:122)

+ print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)

+ kasan_report (mm/kasan/report.c:636)

+ unix_stream_read_actor (net/unix/af_unix.c:3027)

+ unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847)

+ unix_stream_recvmsg (net/unix/af_unix.c:3048)

+ sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))

+ __sys_recvfrom (net/socket.c:2278)

+ __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))

+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))

+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

+RIP: 0033:0x7f8911fcea06

+Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08

+RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d

+RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06

+RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006

+RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000

+R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20

+R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000

+ </TASK>

+

+Allocated by task 315:

+ kasan_save_stack (mm/kasan/common.c:48)

+ kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))

+ __kasan_slab_alloc (mm/kasan/common.c:348)

+ kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)

+ __alloc_skb (net/core/skbuff.c:660 (discriminator 4))

+ alloc_skb_with_frags (./include/linux/skbuff.h:1336 net/core/skbuff.c:6668)

+ sock_alloc_send_pskb (net/core/sock.c:2993)

+ unix_stream_sendmsg (./include/net/sock.h:1847 net/unix/af_unix.c:2256 net/unix/af_unix.c:2418)

+ __sys_sendto (net/socket.c:712 (discriminator 20) net/socket.c:727 (discriminator 20) net/socket.c:2226 (discriminator 20))

+ __x64_sys_sendto (net/socket.c:2233 (discriminator 1) net/socket.c:2229 (discriminator 1) net/socket.c:2229 (discriminator 1))

+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))

+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

+

+Freed by task 315:

+ kasan_save_stack (mm/kasan/common.c:48)

+ kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))

+ kasan_save_free_info (mm/kasan/generic.c:579 (discriminator 1))

+ __kasan_slab_free (mm/kasan/common.c:271)

+ kmem_cache_free (mm/slub.c:4643 (discriminator 3) mm/slub.c:4745 (discriminator 3))

+ unix_stream_read_generic (net/unix/af_unix.c:3010)

+ unix_stream_recvmsg (net/unix/af_unix.c:3048)

+ sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))

+ __sys_recvfrom (net/socket.c:2278)

+ __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))

+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))

+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

+

+The buggy address belongs to the object at ffff888106ef28c0

+ which belongs to the cache skbuff_head_cache of size 224

+The buggy address is located 68 bytes inside of

+ freed 224-byte region [ffff888106ef28c0, ffff888106ef29a0)

+

+The buggy address belongs to the physical page:

+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888106ef3cc0 pfn:0x106ef2

+head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0

+flags: 0x200000000000040(head|node=0|zone=2)

+page_type: f5(slab)

+raw: 0200000000000040 ffff8881001d28c0 ffffea000422fe00 0000000000000004

+raw: ffff888106ef3cc0 0000000080190010 00000000f5000000 0000000000000000

+head: 0200000000000040 ffff8881001d28c0 ffffea000422fe00 0000000000000004

+head: ffff888106ef3cc0 0000000080190010 00000000f5000000 0000000000000000

+head: 0200000000000001 ffffea00041bbc81 00000000ffffffff 00000000ffffffff

+head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000

+page dumped because: kasan: bad access detected

+

+Memory state around the buggy address:

+ ffff888106ef2800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc

+ ffff888106ef2880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb

+>ffff888106ef2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

+ ^

+ ffff888106ef2980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc

+ ffff888106ef2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

+

+Fixes: 314001f0bf92 ("af_unix: Add OOB support")

+Reported-by: Jann Horn <jannh@google.com>

+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>

+Reviewed-by: Jann Horn <jannh@google.com>

+Link: https://patch.msgid.link/20250619041457.1132791-2-kuni1840@gmail.com

+Signed-off-by: Paolo Abeni <pabeni@redhat.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ net/unix/af_unix.c | 13 +++++++++++--

+ 1 file changed, 11 insertions(+), 2 deletions(-)

+

+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c

+index f78a2492826f9..af003831f4c67 100644

+--- a/net/unix/af_unix.c

++++ b/net/unix/af_unix.c

+@@ -2597,11 +2597,11 @@ struct unix_stream_read_state {

+ #if IS_ENABLED(CONFIG_AF_UNIX_OOB)

+ static int unix_stream_recv_urg(struct unix_stream_read_state *state)

+ {

++ struct sk_buff *oob_skb, *read_skb = NULL;

+ struct socket *sock = state->socket;

+ struct sock *sk = sock->sk;

+ struct unix_sock *u = unix_sk(sk);

+ int chunk = 1;

+- struct sk_buff *oob_skb;

+

+ mutex_lock(&u->iolock);

+ unix_state_lock(sk);

+@@ -2616,9 +2616,16 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)

+

+ oob_skb = u->oob_skb;

+

+- if (!(state->flags & MSG_PEEK))

++ if (!(state->flags & MSG_PEEK)) {

+ WRITE_ONCE(u->oob_skb, NULL);

+

++ if (oob_skb->prev != (struct sk_buff *)&sk->sk_receive_queue &&

++ !unix_skb_len(oob_skb->prev)) {

++ read_skb = oob_skb->prev;

++ __skb_unlink(read_skb, &sk->sk_receive_queue);

++ }

++ }

++

+ spin_unlock(&sk->sk_receive_queue.lock);

+ unix_state_unlock(sk);

+

+@@ -2629,6 +2636,8 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)

+

+ mutex_unlock(&u->iolock);

+

++ consume_skb(read_skb);

++

+ if (chunk < 0)

+ return -EFAULT;

+

+--

+2.39.5

+

+From 8329e9e0ce962ce1ac132c4aca94a36a29f3341b Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 29 May 2025 11:08:13 +0530

+Subject: ALSA: hda: Add new pci id for AMD GPU display HD audio controller

+

+From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>

+

+[ Upstream commit ab72bfce7647522e01a181e3600c3d14ff5c143e ]

+

+Add new pci id for AMD GPU display HD audio controller(device id- 0xab40).

+

+Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>

+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>

+Link: https://patch.msgid.link/20250529053838.2350071-1-Vijendar.Mukunda@amd.com

+Signed-off-by: Takashi Iwai <tiwai@suse.de>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ sound/pci/hda/hda_intel.c | 3 +++

+ 1 file changed, 3 insertions(+)

+

+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c

+index 77a2984c3741d..eb7ffa152b97b 100644

+--- a/sound/pci/hda/hda_intel.c

++++ b/sound/pci/hda/hda_intel.c

+@@ -2717,6 +2717,9 @@ static const struct pci_device_id azx_ids[] = {

+ { PCI_VDEVICE(ATI, 0xab38),

+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS |

+ AZX_DCAPS_PM_RUNTIME },

++ { PCI_VDEVICE(ATI, 0xab40),

++ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS |

++ AZX_DCAPS_PM_RUNTIME },

+ /* GLENFLY */

+ { PCI_DEVICE(PCI_VENDOR_ID_GLENFLY, PCI_ANY_ID),

+ .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,

+--

+2.39.5

+

+From 69dc4a578ccb21e4ef19ec6ca7f51a19621ed7a3 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 30 May 2025 16:13:09 +0200

+Subject: ALSA: hda: Ignore unsol events for cards being shut down

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Cezary Rojewski <cezary.rojewski@intel.com>

+

+[ Upstream commit 3f100f524e75586537e337b34d18c8d604b398e7 ]

+

+For the classic snd_hda_intel driver, codec->card and bus->card point to

+the exact same thing. When snd_card_diconnect() fires, bus->shutdown is

+set thanks to azx_dev_disconnect(). card->shutdown is already set when

+that happens but both provide basically the same functionality.

+

+For the DSP snd_soc_avs driver where multiple codecs are located on

+multiple cards, bus->shutdown 'shortcut' is not sufficient. One codec

+card may be unregistered while other codecs are still operational.

+Proper check in form of card->shutdown must be used to verify whether

+the codec's card is being shut down.

+

+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>

+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>

+Link: https://patch.msgid.link/20250530141309.2943404-1-cezary.rojewski@intel.com

+Signed-off-by: Takashi Iwai <tiwai@suse.de>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ sound/pci/hda/hda_bind.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c

+index 1fef350d821ef..df8f88beddd07 100644

+--- a/sound/pci/hda/hda_bind.c

++++ b/sound/pci/hda/hda_bind.c

+@@ -44,7 +44,7 @@ static void hda_codec_unsol_event(struct hdac_device *dev, unsigned int ev)

+ struct hda_codec *codec = container_of(dev, struct hda_codec, core);

+

+ /* ignore unsol events during shutdown */

+- if (codec->bus->shutdown)

++ if (codec->card->shutdown || codec->bus->shutdown)

+ return;

+

+ /* ignore unsol events during system suspend/resume */

+--

+2.39.5

+

+From 2534578b8406c98690ebe36d1eca29a478bd92c4 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 27 May 2025 12:26:56 -0500

+Subject: ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock

+

+From: Mario Limonciello <mario.limonciello@amd.com>

+

+[ Upstream commit 4919353c7789b8047e06a9b2b943f775a8f72883 ]

+

+The audio controller in the Lenovo Thinkpad Thunderbolt 3 dock doesn't

+support reading the sampling rate.

+

+Add a quirk for it.

+

+Suggested-by: Takashi Iwai <tiwai@suse.de>

+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>

+Link: https://patch.msgid.link/20250527172657.1972565-1-superm1@kernel.org

+Signed-off-by: Takashi Iwai <tiwai@suse.de>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ sound/usb/quirks.c | 2 ++

+ 1 file changed, 2 insertions(+)

+

+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c

+index dbbc9eb935a4b..f302bcebaa9d0 100644

+--- a/sound/usb/quirks.c

++++ b/sound/usb/quirks.c

+@@ -2284,6 +2284,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {

+ QUIRK_FLAG_DISABLE_AUTOSUSPEND),

+ DEVICE_FLG(0x17aa, 0x104d, /* Lenovo ThinkStation P620 Internal Speaker + Front Headset */

+ QUIRK_FLAG_DISABLE_AUTOSUSPEND),

++ DEVICE_FLG(0x17ef, 0x3083, /* Lenovo TBT3 dock */

++ QUIRK_FLAG_GET_SAMPLE_RATE),

+ DEVICE_FLG(0x1852, 0x5062, /* Luxman D-08u */

+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),

+ DEVICE_FLG(0x1852, 0x5065, /* Luxman DA-06 */

+--

+2.39.5

+

+From ccd0b00c69e41ea1d0990d263edb22f63573d950 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 21 May 2025 18:06:28 +0800

+Subject: amd/amdkfd: fix a kfd_process ref leak

+

+From: Yifan Zhang <yifan1.zhang@amd.com>

+

+[ Upstream commit 90237b16ec1d7afa16e2173cc9a664377214cdd9 ]

+

+This patch is to fix a kfd_prcess ref leak.

+

+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>

+Reviewed-by: Philip Yang <Philip.Yang@amd.com>

+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c

+index fecdb67940750..3a926eb82379b 100644

+--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c

++++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c

+@@ -1331,6 +1331,7 @@ void kfd_signal_poison_consumed_event(struct kfd_node *dev, u32 pasid)

+ user_gpu_id = kfd_process_get_user_gpu_id(p, dev->id);

+ if (unlikely(user_gpu_id == -EINVAL)) {

+ WARN_ONCE(1, "Could not get user_gpu_id from dev->id:%x\n", dev->id);

++ kfd_unref_process(p);

+ return;

+ }

+

+--

+2.39.5

+

+From 189c66f56f29610cbe27504adf4b2ab4699466e8 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 24 Mar 2025 19:51:29 +0800

+Subject: ASoC: codec: wcd9335: Convert to GPIO descriptors

+

+From: Peng Fan <peng.fan@nxp.com>

+

+[ Upstream commit d5099bc1b56417733f4cccf10c61ee74dadd5562 ]

+

+of_gpio.h is deprecated, update the driver to use GPIO descriptors.

+- Use dev_gpiod_get to get GPIO descriptor.

+- Use gpiod_set_value to configure output value.

+

+With legacy of_gpio API, the driver set gpio value 0 to assert reset,

+and 1 to deassert reset. And the reset-gpios use GPIO_ACTIVE_LOW flag in

+DTS, so set GPIOD_OUT_LOW when get GPIO descriptors, and set value 1 means

+output low, set value 0 means output high with gpiod API.

+

+The in-tree DTS files have the right polarity set up already so we can

+expect this to "just work"

+

+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>

+Signed-off-by: Peng Fan <peng.fan@nxp.com>

+Link: https://patch.msgid.link/20250324-wcd-gpiod-v2-3-773f67ce3b56@nxp.com

+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

+Signed-off-by: Mark Brown <broonie@kernel.org>

+Stable-dep-of: 9079db287fc3 ("ASoC: codecs: wcd9335: Fix missing free of regulator supplies")

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ sound/soc/codecs/wcd9335.c | 15 +++++++--------

+ 1 file changed, 7 insertions(+), 8 deletions(-)

+

+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c

+index 7cef43bb2a880..8ee4360aff929 100644

+--- a/sound/soc/codecs/wcd9335.c

++++ b/sound/soc/codecs/wcd9335.c

+@@ -17,7 +17,7 @@

+ #include <sound/soc.h>

+ #include <sound/pcm_params.h>

+ #include <sound/soc-dapm.h>

+-#include <linux/of_gpio.h>

++#include <linux/gpio/consumer.h>

+ #include <linux/of.h>

+ #include <linux/of_irq.h>

+ #include <sound/tlv.h>

+@@ -331,7 +331,7 @@ struct wcd9335_codec {

+ int comp_enabled[COMPANDER_MAX];

+

+ int intr1;

+- int reset_gpio;

++ struct gpio_desc *reset_gpio;

+ struct regulator_bulk_data supplies[WCD9335_MAX_SUPPLY];

+

+ unsigned int rx_port_value[WCD9335_RX_MAX];

+@@ -4975,12 +4975,11 @@ static const struct regmap_irq_chip wcd9335_regmap_irq1_chip = {

+ static int wcd9335_parse_dt(struct wcd9335_codec *wcd)

+ {

+ struct device *dev = wcd->dev;

+- struct device_node *np = dev->of_node;

+ int ret;

+

+- wcd->reset_gpio = of_get_named_gpio(np, "reset-gpios", 0);

+- if (wcd->reset_gpio < 0)

+- return dev_err_probe(dev, wcd->reset_gpio, "Reset GPIO missing from DT\n");

++ wcd->reset_gpio = devm_gpiod_get(dev, "reset", GPIOD_OUT_LOW);

++ if (IS_ERR(wcd->reset_gpio))

++ return dev_err_probe(dev, PTR_ERR(wcd->reset_gpio), "Reset GPIO missing from DT\n");

+

+ wcd->mclk = devm_clk_get(dev, "mclk");

+ if (IS_ERR(wcd->mclk))

+@@ -5023,9 +5022,9 @@ static int wcd9335_power_on_reset(struct wcd9335_codec *wcd)

+ */

+ usleep_range(600, 650);

+

+- gpio_direction_output(wcd->reset_gpio, 0);

++ gpiod_set_value(wcd->reset_gpio, 1);

+ msleep(20);

+- gpio_set_value(wcd->reset_gpio, 1);

++ gpiod_set_value(wcd->reset_gpio, 0);

+ msleep(20);

+

+ return 0;

+--

+2.39.5

+

+From f50aa7dc7a4c20faf77142437473855a755e5ba6 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 26 May 2025 11:47:01 +0200

+Subject: ASoC: codecs: wcd9335: Fix missing free of regulator supplies

+

+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+

+[ Upstream commit 9079db287fc3e38e040b0edeb0a25770bb679c8e ]

+

+Driver gets and enables all regulator supplies in probe path

+(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup

+in final error paths and in unbind (missing remove() callback). This

+leads to leaked memory and unbalanced regulator enable count during

+probe errors or unbind.

+

+Fix this by converting entire code into devm_regulator_bulk_get_enable()

+which also greatly simplifies the code.

+

+Fixes: 20aedafdf492 ("ASoC: wcd9335: add support to wcd9335 codec")

+Cc: stable@vger.kernel.org

+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+Link: https://patch.msgid.link/20250526-b4-b4-asoc-wcd9395-vdd-px-fixes-v1-1-0b8a2993b7d3@linaro.org

+Signed-off-by: Mark Brown <broonie@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ sound/soc/codecs/wcd9335.c | 25 +++++++------------------

+ 1 file changed, 7 insertions(+), 18 deletions(-)

+

+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c

+index 8ee4360aff929..5e19e813748df 100644

+--- a/sound/soc/codecs/wcd9335.c

++++ b/sound/soc/codecs/wcd9335.c

+@@ -332,7 +332,6 @@ struct wcd9335_codec {

+

+ int intr1;

+ struct gpio_desc *reset_gpio;

+- struct regulator_bulk_data supplies[WCD9335_MAX_SUPPLY];

+

+ unsigned int rx_port_value[WCD9335_RX_MAX];

+ unsigned int tx_port_value[WCD9335_TX_MAX];

+@@ -355,6 +354,10 @@ struct wcd9335_irq {

+ char *name;

+ };

+

++static const char * const wcd9335_supplies[] = {

++ "vdd-buck", "vdd-buck-sido", "vdd-tx", "vdd-rx", "vdd-io",

++};

++

+ static const struct wcd9335_slim_ch wcd9335_tx_chs[WCD9335_TX_MAX] = {

+ WCD9335_SLIM_TX_CH(0),

+ WCD9335_SLIM_TX_CH(1),

+@@ -4989,30 +4992,16 @@ static int wcd9335_parse_dt(struct wcd9335_codec *wcd)

+ if (IS_ERR(wcd->native_clk))

+ return dev_err_probe(dev, PTR_ERR(wcd->native_clk), "slimbus clock not found\n");

+

+- wcd->supplies[0].supply = "vdd-buck";

+- wcd->supplies[1].supply = "vdd-buck-sido";

+- wcd->supplies[2].supply = "vdd-tx";

+- wcd->supplies[3].supply = "vdd-rx";

+- wcd->supplies[4].supply = "vdd-io";

+-

+- ret = regulator_bulk_get(dev, WCD9335_MAX_SUPPLY, wcd->supplies);

++ ret = devm_regulator_bulk_get_enable(dev, ARRAY_SIZE(wcd9335_supplies),

++ wcd9335_supplies);

+ if (ret)

+- return dev_err_probe(dev, ret, "Failed to get supplies\n");

++ return dev_err_probe(dev, ret, "Failed to get and enable supplies\n");

+

+ return 0;

+ }

+

+ static int wcd9335_power_on_reset(struct wcd9335_codec *wcd)

+ {

+- struct device *dev = wcd->dev;

+- int ret;

+-

+- ret = regulator_bulk_enable(WCD9335_MAX_SUPPLY, wcd->supplies);

+- if (ret) {

+- dev_err(dev, "Failed to get supplies: err = %d\n", ret);

+- return ret;

+- }

+-

+ /*

+ * For WCD9335, it takes about 600us for the Vout_A and

+ * Vout_D to be ready after BUCK_SIDO is powered up.

+--

+2.39.5

+

+From a0c02b07184b4fab72a63ae8bebf28aad168bfd1 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 2 Jun 2025 16:58:51 +0800

+Subject: ASoC: rt1320: fix speaker noise when volume bar is 100%

+

+From: Shuming Fan <shumingf@realtek.com>

+

+[ Upstream commit 9adf2de86611ac108d07e769a699556d87f052e2 ]

+

+This patch updates the settings to fix the speaker noise.

+

+Signed-off-by: Shuming Fan <shumingf@realtek.com>

+Link: https://patch.msgid.link/20250602085851.4081886-1-shumingf@realtek.com

+Signed-off-by: Mark Brown <broonie@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ sound/soc/codecs/rt1320-sdw.c | 17 ++++++++++++++++-

+ 1 file changed, 16 insertions(+), 1 deletion(-)

+

+diff --git a/sound/soc/codecs/rt1320-sdw.c b/sound/soc/codecs/rt1320-sdw.c

+index f51ba345a16e6..015cc710e6dc0 100644

+--- a/sound/soc/codecs/rt1320-sdw.c

++++ b/sound/soc/codecs/rt1320-sdw.c

+@@ -204,7 +204,7 @@ static const struct reg_sequence rt1320_vc_blind_write[] = {

+ { 0x3fc2bfc0, 0x03 },

+ { 0x0000d486, 0x43 },

+ { SDW_SDCA_CTL(FUNC_NUM_AMP, RT1320_SDCA_ENT_PDE23, RT1320_SDCA_CTL_REQ_POWER_STATE, 0), 0x00 },

+- { 0x1000db00, 0x04 },

++ { 0x1000db00, 0x07 },

+ { 0x1000db01, 0x00 },

+ { 0x1000db02, 0x11 },

+ { 0x1000db03, 0x00 },

+@@ -225,6 +225,21 @@ static const struct reg_sequence rt1320_vc_blind_write[] = {

+ { 0x1000db12, 0x00 },

+ { 0x1000db13, 0x00 },

+ { 0x1000db14, 0x45 },

++ { 0x1000db15, 0x0d },

++ { 0x1000db16, 0x01 },

++ { 0x1000db17, 0x00 },

++ { 0x1000db18, 0x00 },

++ { 0x1000db19, 0xbf },

++ { 0x1000db1a, 0x13 },

++ { 0x1000db1b, 0x09 },

++ { 0x1000db1c, 0x00 },

++ { 0x1000db1d, 0x00 },

++ { 0x1000db1e, 0x00 },

++ { 0x1000db1f, 0x12 },

++ { 0x1000db20, 0x09 },

++ { 0x1000db21, 0x00 },

++ { 0x1000db22, 0x00 },

++ { 0x1000db23, 0x00 },

+ { 0x0000d540, 0x01 },

+ { 0x0000c081, 0xfc },

+ { 0x0000f01e, 0x80 },

+--

+2.39.5

+

+From 6455f0e829479bd131de63fe1358103050c75129 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 27 May 2025 13:15:59 +0800

+Subject: bcache: fix NULL pointer in cache_set_flush()

+

+From: Linggang Zeng <linggang.zeng@easystack.cn>

+

+[ Upstream commit 1e46ed947ec658f89f1a910d880cd05e42d3763e ]

+

+1. LINE#1794 - LINE#1887 is some codes about function of

+ bch_cache_set_alloc().

+2. LINE#2078 - LINE#2142 is some codes about function of

+ register_cache_set().

+3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.

+

+ 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)

+ 1795 {

+ ...

+ 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||

+ 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||

+ 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2,

+ 1863 sizeof(struct bbio) + sizeof(struct bio_vec) *

+ 1864 bucket_pages(c)) ||

+ 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||

+ 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),

+ 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||

+ 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||

+ 1869 !(c->moving_gc_wq = alloc_workqueue("bcache_gc",

+ 1870 WQ_MEM_RECLAIM, 0)) ||

+ 1871 bch_journal_alloc(c) ||

+ 1872 bch_btree_cache_alloc(c) ||

+ 1873 bch_open_buckets_alloc(c) ||

+ 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))

+ 1875 goto err;

+ ^^^^^^^^

+ 1876

+ ...

+ 1883 return c;

+ 1884 err:

+ 1885 bch_cache_set_unregister(c);

+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^

+ 1886 return NULL;

+ 1887 }

+ ...

+ 2078 static const char *register_cache_set(struct cache *ca)

+ 2079 {

+ ...

+ 2098 c = bch_cache_set_alloc(&ca->sb);

+ 2099 if (!c)

+ 2100 return err;

+ ^^^^^^^^^^

+ ...

+ 2128 ca->set = c;

+ 2129 ca->set->cache[ca->sb.nr_this_dev] = ca;

+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

+ ...

+ 2138 return NULL;

+ 2139 err:

+ 2140 bch_cache_set_unregister(c);

+ 2141 return err;

+ 2142 }

+

+(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and

+ call bch_cache_set_unregister()(LINE#1885).

+(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.

+(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the

+ value to c->cache[], it means that c->cache[] is NULL.

+

+LINE#1624 - LINE#1665 is some codes about function of cache_set_flush().

+As (1), in LINE#1885 call

+bch_cache_set_unregister()

+---> bch_cache_set_stop()

+ ---> closure_queue()

+ -.-> cache_set_flush() (as below LINE#1624)

+

+ 1624 static void cache_set_flush(struct closure *cl)

+ 1625 {

+ ...

+ 1654 for_each_cache(ca, c, i)

+ 1655 if (ca->alloc_thread)

+ ^^

+ 1656 kthread_stop(ca->alloc_thread);

+ ...

+ 1665 }

+

+(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the

+ kernel crash occurred as below:

+[ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory

+[ 846.713242] bcache: register_bcache() error : failed to register device

+[ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered

+[ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8

+[ 846.714790] PGD 0 P4D 0

+[ 846.715129] Oops: 0000 [#1] SMP PTI

+[ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1

+[ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018

+[ 846.716451] Workqueue: events cache_set_flush [bcache]

+[ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]

+[ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 00 48 85 ff 74 05 e8 b6 58 a2 e1 0f b7 95 3c f7

+[ 846.718026] RSP: 0018:ffffb56dcf85fe70 EFLAGS: 00010202

+[ 846.718372] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000

+[ 846.718725] RDX: 0000000000000001 RSI: 0000000040000001 RDI: 0000000000000000

+[ 846.719076] RBP: ffffa0ccc0f20df8 R08: ffffa0ce1fedb118 R09: 000073746e657665

+[ 846.719428] R10: 8080808080808080 R11: 0000000000000000 R12: ffffa0ce1fee8700

+[ 846.719779] R13: ffffa0ccc0f211a8 R14: ffffa0cd1b902840 R15: ffffa0ccc0f20e00

+[ 846.720132] FS: 0000000000000000(0000) GS:ffffa0ce1fec0000(0000) knlGS:0000000000000000

+[ 846.720726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

+[ 846.721073] CR2: 00000000000009f8 CR3: 00000008ba00a005 CR4: 00000000007606e0

+[ 846.721426] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000

+[ 846.721778] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

+[ 846.722131] PKRU: 55555554

+[ 846.722467] Call Trace:

+[ 846.722814] process_one_work+0x1a7/0x3b0

+[ 846.723157] worker_thread+0x30/0x390

+[ 846.723501] ? create_worker+0x1a0/0x1a0

+[ 846.723844] kthread+0x112/0x130

+[ 846.724184] ? kthread_flush_work_fn+0x10/0x10

+[ 846.724535] ret_from_fork+0x35/0x40

+

+Now, check whether that ca is NULL in LINE#1655 to fix the issue.

+

+Signed-off-by: Linggang Zeng <linggang.zeng@easystack.cn>

+Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>

+Signed-off-by: Coly Li <colyli@kernel.org>

+Link: https://lore.kernel.org/r/20250527051601.74407-2-colyli@kernel.org

+Signed-off-by: Jens Axboe <axboe@kernel.dk>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/md/bcache/super.c | 7 ++++++-

+ 1 file changed, 6 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c

+index 813b38aec3e4e..37f5e31618c0a 100644

+--- a/drivers/md/bcache/super.c

++++ b/drivers/md/bcache/super.c

+@@ -1733,7 +1733,12 @@ static CLOSURE_CALLBACK(cache_set_flush)

+ mutex_unlock(&b->write_lock);

+ }

+

+- if (ca->alloc_thread)

++ /*

++ * If the register_cache_set() call to bch_cache_set_alloc() failed,

++ * ca has not been assigned a value and return error.

++ * So we need check ca is not NULL during bch_cache_set_unregister().

++ */

++ if (ca && ca->alloc_thread)

+ kthread_stop(ca->alloc_thread);

+

+ if (c->journal.cur) {

+--

+2.39.5

+

+From 4f682c23e4f9b4a6cc2489b82e21a9ecf1f00980 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 7 May 2025 13:05:36 +0100

+Subject: btrfs: fix qgroup reservation leak on failure to allocate ordered

+ extent

+

+From: Filipe Manana <fdmanana@suse.com>

+

+[ Upstream commit 1f2889f5594a2bc4c6a52634c4a51b93e785def5 ]

+

+If we fail to allocate an ordered extent for a COW write we end up leaking

+a qgroup data reservation since we called btrfs_qgroup_release_data() but

+we didn't call btrfs_qgroup_free_refroot() (which would happen when

+running the respective data delayed ref created by ordered extent

+completion or when finishing the ordered extent in case an error happened).

+

+So make sure we call btrfs_qgroup_free_refroot() if we fail to allocate an

+ordered extent for a COW write.

+

+Fixes: 7dbeaad0af7d ("btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak")

+CC: stable@vger.kernel.org # 6.1+

+Reviewed-by: Boris Burkov <boris@bur.io>

+Reviewed-by: Qu Wenruo <wqu@suse.com>

+Signed-off-by: Filipe Manana <fdmanana@suse.com>

+Signed-off-by: David Sterba <dsterba@suse.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/btrfs/ordered-data.c | 12 +++++++++---

+ 1 file changed, 9 insertions(+), 3 deletions(-)

+

+diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c

+index f61b0bb1faccf..1d7ddd664c0d3 100644

+--- a/fs/btrfs/ordered-data.c

++++ b/fs/btrfs/ordered-data.c

+@@ -153,9 +153,10 @@ static struct btrfs_ordered_extent *alloc_ordered_extent(

+ struct btrfs_ordered_extent *entry;

+ int ret;

+ u64 qgroup_rsv = 0;

++ const bool is_nocow = (flags &

++ ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC)));

+

+- if (flags &

+- ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC))) {

++ if (is_nocow) {

+ /* For nocow write, we can release the qgroup rsv right now */

+ ret = btrfs_qgroup_free_data(inode, NULL, file_offset, num_bytes, &qgroup_rsv);

+ if (ret < 0)

+@@ -170,8 +171,13 @@ static struct btrfs_ordered_extent *alloc_ordered_extent(

+ return ERR_PTR(ret);

+ }

+ entry = kmem_cache_zalloc(btrfs_ordered_extent_cache, GFP_NOFS);

+- if (!entry)

++ if (!entry) {

++ if (!is_nocow)

++ btrfs_qgroup_free_refroot(inode->root->fs_info,

++ btrfs_root_id(inode->root),

++ qgroup_rsv, BTRFS_QGROUP_RSV_DATA);

+ return ERR_PTR(-ENOMEM);

++ }

+

+ entry->file_offset = file_offset;

+ entry->num_bytes = num_bytes;

+--

+2.39.5

+

+From acd59b3a901d32573c5ab3201519bbdf8d380958 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 4 Jun 2025 16:54:44 +0100

+Subject: btrfs: fix race between async reclaim worker and close_ctree()

+

+From: Filipe Manana <fdmanana@suse.com>

+

+[ Upstream commit a26bf338cdad3643a6e7c3d78a172baadba15c1a ]

+

+Syzbot reported an assertion failure due to an attempt to add a delayed

+iput after we have set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info

+state:

+

+ WARNING: CPU: 0 PID: 65 at fs/btrfs/inode.c:3420 btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420

+ Modules linked in:

+ CPU: 0 UID: 0 PID: 65 Comm: kworker/u8:4 Not tainted 6.15.0-next-20250530-syzkaller #0 PREEMPT(full)

+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025

+ Workqueue: btrfs-endio-write btrfs_work_helper

+ RIP: 0010:btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420

+ Code: 4e ad 5d (...)

+ RSP: 0018:ffffc9000213f780 EFLAGS: 00010293

+ RAX: ffffffff83c635b7 RBX: ffff888058920000 RCX: ffff88801c769e00

+ RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000

+ RBP: 0000000000000001 R08: ffff888058921b67 R09: 1ffff1100b12436c

+ R10: dffffc0000000000 R11: ffffed100b12436d R12: 0000000000000001

+ R13: dffffc0000000000 R14: ffff88807d748000 R15: 0000000000000100

+ FS: 0000000000000000(0000) GS:ffff888125c53000(0000) knlGS:0000000000000000

+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

+ CR2: 00002000000bd038 CR3: 000000006a142000 CR4: 00000000003526f0

+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000

+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

+ Call Trace:

+ <TASK>

+ btrfs_put_ordered_extent+0x19f/0x470 fs/btrfs/ordered-data.c:635

+ btrfs_finish_one_ordered+0x11d8/0x1b10 fs/btrfs/inode.c:3312

+ btrfs_work_helper+0x399/0xc20 fs/btrfs/async-thread.c:312

+ process_one_work kernel/workqueue.c:3238 [inline]

+ process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321

+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402

+ kthread+0x70e/0x8a0 kernel/kthread.c:464

+ ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148

+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

+ </TASK>

+

+This can happen due to a race with the async reclaim worker like this:

+

+1) The async metadata reclaim worker enters shrink_delalloc(), which calls

+ btrfs_start_delalloc_roots() with an nr_pages argument that has a value

+ less than LONG_MAX, and that in turn enters start_delalloc_inodes(),

+ which sets the local variable 'full_flush' to false because

+ wbc->nr_to_write is less than LONG_MAX;

+

+2) There it finds inode X in a root's delalloc list, grabs a reference for

+ inode X (with igrab()), and triggers writeback for it with

+ filemap_fdatawrite_wbc(), which creates an ordered extent for inode X;

+

+3) The unmount sequence starts from another task, we enter close_ctree()

+ and we flush the workqueue fs_info->endio_write_workers, which waits

+ for the ordered extent for inode X to complete and when dropping the

+ last reference of the ordered extent, with btrfs_put_ordered_extent(),

+ when we call btrfs_add_delayed_iput() we don't add the inode to the

+ list of delayed iputs because it has a refcount of 2, so we decrement

+ it to 1 and return;

+

+4) Shortly after at close_ctree() we call btrfs_run_delayed_iputs() which

+ runs all delayed iputs, and then we set BTRFS_FS_STATE_NO_DELAYED_IPUT

+ in the fs_info state;

+

+5) The async reclaim worker, after calling filemap_fdatawrite_wbc(), now

+ calls btrfs_add_delayed_iput() for inode X and there we trigger an

+ assertion failure since the fs_info state has the flag

+ BTRFS_FS_STATE_NO_DELAYED_IPUT set.

+

+Fix this by setting BTRFS_FS_STATE_NO_DELAYED_IPUT only after we wait for

+the async reclaim workers to finish, after we call cancel_work_sync() for

+them at close_ctree(), and by running delayed iputs after wait for the

+reclaim workers to finish and before setting the bit.

+

+This race was recently introduced by commit 19e60b2a95f5 ("btrfs: add

+extra warning if delayed iput is added when it's not allowed"). Without

+the new validation at btrfs_add_delayed_iput(), this described scenario

+was safe because close_ctree() later calls btrfs_commit_super(). That

+will run any final delayed iputs added by reclaim workers in the window

+between the btrfs_run_delayed_iputs() and the the reclaim workers being

+shut down.

+

+Reported-by: syzbot+0ed30ad435bf6f5b7a42@syzkaller.appspotmail.com

+Link: https://lore.kernel.org/linux-btrfs/6840481c.a00a0220.d4325.000c.GAE@google.com/T/#u

+Fixes: 19e60b2a95f5 ("btrfs: add extra warning if delayed iput is added when it's not allowed")

+Reviewed-by: Boris Burkov <boris@bur.io>

+Signed-off-by: Filipe Manana <fdmanana@suse.com>

+Signed-off-by: David Sterba <dsterba@suse.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/btrfs/disk-io.c | 22 ++++++++++++++++++----

+ 1 file changed, 18 insertions(+), 4 deletions(-)

+

+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c

+index aa58e0663a5d7..87501762d81fb 100644

+--- a/fs/btrfs/disk-io.c

++++ b/fs/btrfs/disk-io.c

+@@ -4385,8 +4385,8 @@ void __cold close_ctree(struct btrfs_fs_info *fs_info)

+ *

+ * So wait for all ongoing ordered extents to complete and then run

+ * delayed iputs. This works because once we reach this point no one

+- * can either create new ordered extents nor create delayed iputs

+- * through some other means.

++ * can create new ordered extents, but delayed iputs can still be added

++ * by a reclaim worker (see comments further below).

+ *

+ * Also note that btrfs_wait_ordered_roots() is not safe here, because

+ * it waits for BTRFS_ORDERED_COMPLETE to be set on an ordered extent,

+@@ -4397,15 +4397,29 @@ void __cold close_ctree(struct btrfs_fs_info *fs_info)

+ btrfs_flush_workqueue(fs_info->endio_write_workers);

+ /* Ordered extents for free space inodes. */

+ btrfs_flush_workqueue(fs_info->endio_freespace_worker);

++ /*

++ * Run delayed iputs in case an async reclaim worker is waiting for them

++ * to be run as mentioned above.

++ */

+ btrfs_run_delayed_iputs(fs_info);

+- /* There should be no more workload to generate new delayed iputs. */

+- set_bit(BTRFS_FS_STATE_NO_DELAYED_IPUT, &fs_info->fs_state);

+

+ cancel_work_sync(&fs_info->async_reclaim_work);

+ cancel_work_sync(&fs_info->async_data_reclaim_work);

+ cancel_work_sync(&fs_info->preempt_reclaim_work);

+ cancel_work_sync(&fs_info->em_shrinker_work);

+

++ /*

++ * Run delayed iputs again because an async reclaim worker may have

++ * added new ones if it was flushing delalloc:

++ *

++ * shrink_delalloc() -> btrfs_start_delalloc_roots() ->

++ * start_delalloc_inodes() -> btrfs_add_delayed_iput()

++ */

++ btrfs_run_delayed_iputs(fs_info);

++

++ /* There should be no more workload to generate new delayed iputs. */

++ set_bit(BTRFS_FS_STATE_NO_DELAYED_IPUT, &fs_info->fs_state);

++

+ /* Cancel or finish ongoing discard work */

+ btrfs_discard_cleanup(fs_info);

+

+--

+2.39.5

+

+From 6e6a047d823181b2e10aa2e4e67d9d759f088831 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sat, 7 Jun 2025 09:18:43 +0930

+Subject: btrfs: handle csum tree error with rescue=ibadroots correctly

+

+From: Qu Wenruo <wqu@suse.com>

+

+[ Upstream commit 547e836661554dcfa15c212a3821664e85b4191a ]

+

+[BUG]

+There is syzbot based reproducer that can crash the kernel, with the

+following call trace: (With some debug output added)

+

+ DEBUG: rescue=ibadroots parsed

+ BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)

+ BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8

+ BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm

+ BTRFS info (device loop0): using free-space-tree

+ BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0

+ DEBUG: read tree root path failed for tree csum, ret=-5

+ BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0

+ BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0

+ process 'repro' launched './file2' with NULL argv: empty string added

+ DEBUG: no csum root, idatacsums=0 ibadroots=134217728

+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI

+ KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]

+ CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full)

+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022

+ RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]

+ Call Trace:

+ <TASK>

+ btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]

+ btrfs_submit_bbio+0x43e/0x1a80 [btrfs]

+ submit_one_bio+0xde/0x160 [btrfs]

+ btrfs_readahead+0x498/0x6a0 [btrfs]

+ read_pages+0x1c3/0xb20

+ page_cache_ra_order+0x4b5/0xc20

+ filemap_get_pages+0x2d3/0x19e0

+ filemap_read+0x314/0xde0

+ __kernel_read+0x35b/0x900

+ bprm_execve+0x62e/0x1140

+ do_execveat_common.isra.0+0x3fc/0x520

+ __x64_sys_execveat+0xdc/0x130

+ do_syscall_64+0x54/0x1d0

+ entry_SYSCALL_64_after_hwframe+0x76/0x7e

+ ---[ end trace 0000000000000000 ]---

+

+[CAUSE]

+Firstly the fs has a corrupted csum tree root, thus to mount the fs we

+have to go "ro,rescue=ibadroots" mount option.

+

+Normally with that mount option, a bad csum tree root should set

+BTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will

+ignore csum search.

+

+But in this particular case, we have the following call trace that

+caused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:

+

+load_global_roots_objectid():

+

+ ret = btrfs_search_slot();

+ /* Succeeded */

+ btrfs_item_key_to_cpu()

+ found = true;

+ /* We found the root item for csum tree. */

+ root = read_tree_root_path();

+ if (IS_ERR(root)) {

+ if (!btrfs_test_opt(fs_info, IGNOREBADROOTS))

+ /*

+ * Since we have rescue=ibadroots mount option,

+ * @ret is still 0.

+ */

+ break;

+ if (!found || ret) {

+ /* @found is true, @ret is 0, error handling for csum

+ * tree is skipped.

+ */

+ }

+

+This means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if

+the csum tree is corrupted, which results unexpected later csum lookup.

+

+[FIX]

+If read_tree_root_path() failed, always populate @ret to the error

+number.

+

+As at the end of the function, we need @ret to determine if we need to

+do the extra error handling for csum tree.

+

+Fixes: abed4aaae4f7 ("btrfs: track the csum, extent, and free space trees in a rb tree")

+Reported-by: Zhiyu Zhang <zhiyuzhang999@gmail.com>

+Reported-by: Longxing Li <coregee2000@gmail.com>

+Reviewed-by: David Sterba <dsterba@suse.com>

+Signed-off-by: Qu Wenruo <wqu@suse.com>

+Signed-off-by: David Sterba <dsterba@suse.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/btrfs/disk-io.c | 3 +--

+ 1 file changed, 1 insertion(+), 2 deletions(-)

+

+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c

+index 87501762d81fb..321feb99c1797 100644

+--- a/fs/btrfs/disk-io.c

++++ b/fs/btrfs/disk-io.c

+@@ -2164,8 +2164,7 @@ static int load_global_roots_objectid(struct btrfs_root *tree_root,

+ found = true;

+ root = read_tree_root_path(tree_root, path, &key);

+ if (IS_ERR(root)) {

+- if (!btrfs_test_opt(fs_info, IGNOREBADROOTS))

+- ret = PTR_ERR(root);

++ ret = PTR_ERR(root);

+ break;

+ }

+ set_bit(BTRFS_ROOT_TRACK_DIRTY, &root->state);

+--

+2.39.5

+

+From 9a57e7a7141c5ec088033ca13e65119a83356fc0 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 22 Apr 2025 17:55:41 +0200

+Subject: btrfs: use unsigned types for constants defined as bit shifts

+

+From: David Sterba <dsterba@suse.com>

+

+[ Upstream commit 05a6ec865d091fe8244657df8063f74e704d1711 ]

+

+The unsigned type is a recommended practice (CWE-190, CWE-194) for bit

+shifts to avoid problems with potential unwanted sign extensions.

+Although there are no such cases in btrfs codebase, follow the

+recommendation.

+

+Reviewed-by: Boris Burkov <boris@bur.io>

+Signed-off-by: David Sterba <dsterba@suse.com>

+Stable-dep-of: 1f2889f5594a ("btrfs: fix qgroup reservation leak on failure to allocate ordered extent")

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/btrfs/backref.h | 4 ++--

+ fs/btrfs/direct-io.c | 4 ++--

+ fs/btrfs/extent_io.h | 2 +-

+ fs/btrfs/inode.c | 12 ++++++------

+ fs/btrfs/ordered-data.c | 4 ++--

+ fs/btrfs/raid56.c | 5 ++---

+ fs/btrfs/tests/extent-io-tests.c | 6 +++---

+ fs/btrfs/zstd.c | 2 +-

+ 8 files changed, 19 insertions(+), 20 deletions(-)

+

+diff --git a/fs/btrfs/backref.h b/fs/btrfs/backref.h

+index 74e6140312747..953637115956b 100644

+--- a/fs/btrfs/backref.h

++++ b/fs/btrfs/backref.h

+@@ -423,8 +423,8 @@ struct btrfs_backref_node *btrfs_backref_alloc_node(

+ struct btrfs_backref_edge *btrfs_backref_alloc_edge(

+ struct btrfs_backref_cache *cache);

+

+-#define LINK_LOWER (1 << 0)

+-#define LINK_UPPER (1 << 1)

++#define LINK_LOWER (1U << 0)

++#define LINK_UPPER (1U << 1)

+

+ void btrfs_backref_link_edge(struct btrfs_backref_edge *edge,

+ struct btrfs_backref_node *lower,

+diff --git a/fs/btrfs/direct-io.c b/fs/btrfs/direct-io.c

+index a374ce7a1813b..7900cba56225d 100644

+--- a/fs/btrfs/direct-io.c

++++ b/fs/btrfs/direct-io.c

+@@ -151,8 +151,8 @@ static struct extent_map *btrfs_create_dio_extent(struct btrfs_inode *inode,

+ }

+

+ ordered = btrfs_alloc_ordered_extent(inode, start, file_extent,

+- (1 << type) |

+- (1 << BTRFS_ORDERED_DIRECT));

++ (1U << type) |

++ (1U << BTRFS_ORDERED_DIRECT));

+ if (IS_ERR(ordered)) {

+ if (em) {

+ free_extent_map(em);

+diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h

+index f5b28b5c4908b..91d9cb5ff401b 100644

+--- a/fs/btrfs/extent_io.h

++++ b/fs/btrfs/extent_io.h

+@@ -79,7 +79,7 @@ enum {

+ * single word in a bitmap may straddle two pages in the extent buffer.

+ */

+ #define BIT_BYTE(nr) ((nr) / BITS_PER_BYTE)

+-#define BYTE_MASK ((1 << BITS_PER_BYTE) - 1)

++#define BYTE_MASK ((1U << BITS_PER_BYTE) - 1)

+ #define BITMAP_FIRST_BYTE_MASK(start) \

+ ((BYTE_MASK << ((start) & (BITS_PER_BYTE - 1))) & BYTE_MASK)

+ #define BITMAP_LAST_BYTE_MASK(nbits) \

+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c

+index 8a3f44302788c..867b438652ef7 100644

+--- a/fs/btrfs/inode.c

++++ b/fs/btrfs/inode.c

+@@ -1171,7 +1171,7 @@ static void submit_one_async_extent(struct async_chunk *async_chunk,

+ free_extent_map(em);

+

+ ordered = btrfs_alloc_ordered_extent(inode, start, &file_extent,

+- 1 << BTRFS_ORDERED_COMPRESSED);

++ 1U << BTRFS_ORDERED_COMPRESSED);

+ if (IS_ERR(ordered)) {

+ btrfs_drop_extent_map_range(inode, start, end, false);

+ ret = PTR_ERR(ordered);

+@@ -1418,7 +1418,7 @@ static noinline int cow_file_range(struct btrfs_inode *inode,

+ free_extent_map(em);

+

+ ordered = btrfs_alloc_ordered_extent(inode, start, &file_extent,

+- 1 << BTRFS_ORDERED_REGULAR);

++ 1U << BTRFS_ORDERED_REGULAR);

+ if (IS_ERR(ordered)) {

+ unlock_extent(&inode->io_tree, start,

+ start + cur_alloc_size - 1, &cached);

+@@ -1999,8 +1999,8 @@ static int nocow_one_range(struct btrfs_inode *inode, struct folio *locked_folio

+

+ ordered = btrfs_alloc_ordered_extent(inode, file_pos, &nocow_args->file_extent,

+ is_prealloc

+- ? (1 << BTRFS_ORDERED_PREALLOC)

+- : (1 << BTRFS_ORDERED_NOCOW));

++ ? (1U << BTRFS_ORDERED_PREALLOC)

++ : (1U << BTRFS_ORDERED_NOCOW));

+ if (IS_ERR(ordered)) {

+ if (is_prealloc)

+ btrfs_drop_extent_map_range(inode, file_pos, end, false);

+@@ -9733,8 +9733,8 @@ ssize_t btrfs_do_encoded_write(struct kiocb *iocb, struct iov_iter *from,

+ free_extent_map(em);

+

+ ordered = btrfs_alloc_ordered_extent(inode, start, &file_extent,

+- (1 << BTRFS_ORDERED_ENCODED) |

+- (1 << BTRFS_ORDERED_COMPRESSED));

++ (1U << BTRFS_ORDERED_ENCODED) |

++ (1U << BTRFS_ORDERED_COMPRESSED));

+ if (IS_ERR(ordered)) {

+ btrfs_drop_extent_map_range(inode, start, end, false);

+ ret = PTR_ERR(ordered);

+diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c

+index 03c945711003c..f61b0bb1faccf 100644

+--- a/fs/btrfs/ordered-data.c

++++ b/fs/btrfs/ordered-data.c

+@@ -155,7 +155,7 @@ static struct btrfs_ordered_extent *alloc_ordered_extent(

+ u64 qgroup_rsv = 0;

+

+ if (flags &

+- ((1 << BTRFS_ORDERED_NOCOW) | (1 << BTRFS_ORDERED_PREALLOC))) {

++ ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC))) {

+ /* For nocow write, we can release the qgroup rsv right now */

+ ret = btrfs_qgroup_free_data(inode, NULL, file_offset, num_bytes, &qgroup_rsv);

+ if (ret < 0)

+@@ -253,7 +253,7 @@ static void insert_ordered_extent(struct btrfs_ordered_extent *entry)

+ * @disk_bytenr: Offset of extent on disk.

+ * @disk_num_bytes: Size of extent on disk.

+ * @offset: Offset into unencoded data where file data starts.

+- * @flags: Flags specifying type of extent (1 << BTRFS_ORDERED_*).

++ * @flags: Flags specifying type of extent (1U << BTRFS_ORDERED_*).

+ * @compress_type: Compression algorithm used for data.

+ *

+ * Most of these parameters correspond to &struct btrfs_file_extent_item. The

+diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c

+index cdd373c277848..7285bf7926e3a 100644

+--- a/fs/btrfs/raid56.c

++++ b/fs/btrfs/raid56.c

+@@ -200,8 +200,7 @@ int btrfs_alloc_stripe_hash_table(struct btrfs_fs_info *info)

+ struct btrfs_stripe_hash_table *x;

+ struct btrfs_stripe_hash *cur;

+ struct btrfs_stripe_hash *h;

+- int num_entries = 1 << BTRFS_STRIPE_HASH_TABLE_BITS;

+- int i;

++ unsigned int num_entries = 1U << BTRFS_STRIPE_HASH_TABLE_BITS;

+

+ if (info->stripe_hash_table)

+ return 0;

+@@ -222,7 +221,7 @@ int btrfs_alloc_stripe_hash_table(struct btrfs_fs_info *info)

+

+ h = table->table;

+

+- for (i = 0; i < num_entries; i++) {

++ for (unsigned int i = 0; i < num_entries; i++) {

+ cur = h + i;

+ INIT_LIST_HEAD(&cur->hash_list);

+ spin_lock_init(&cur->lock);

+diff --git a/fs/btrfs/tests/extent-io-tests.c b/fs/btrfs/tests/extent-io-tests.c

+index 74aca7180a5a9..400574c6e82ec 100644

+--- a/fs/btrfs/tests/extent-io-tests.c

++++ b/fs/btrfs/tests/extent-io-tests.c

+@@ -14,9 +14,9 @@

+ #include "../disk-io.h"

+ #include "../btrfs_inode.h"

+

+-#define PROCESS_UNLOCK (1 << 0)

+-#define PROCESS_RELEASE (1 << 1)

+-#define PROCESS_TEST_LOCKED (1 << 2)

++#define PROCESS_UNLOCK (1U << 0)

++#define PROCESS_RELEASE (1U << 1)

++#define PROCESS_TEST_LOCKED (1U << 2)

+

+ static noinline int process_page_range(struct inode *inode, u64 start, u64 end,

+ unsigned long flags)

+diff --git a/fs/btrfs/zstd.c b/fs/btrfs/zstd.c

+index 3541efa765c73..94c19331823a9 100644

+--- a/fs/btrfs/zstd.c

++++ b/fs/btrfs/zstd.c

+@@ -24,7 +24,7 @@

+ #include "super.h"

+

+ #define ZSTD_BTRFS_MAX_WINDOWLOG 17

+-#define ZSTD_BTRFS_MAX_INPUT (1 << ZSTD_BTRFS_MAX_WINDOWLOG)

++#define ZSTD_BTRFS_MAX_INPUT (1U << ZSTD_BTRFS_MAX_WINDOWLOG)

+ #define ZSTD_BTRFS_DEFAULT_LEVEL 3

+ #define ZSTD_BTRFS_MIN_LEVEL -15

+ #define ZSTD_BTRFS_MAX_LEVEL 15

+--

+2.39.5

+

+From ed3c2a89782c03d03b0b16ee7aba874e5ce9bd0e Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 1 Apr 2025 11:34:58 +0200

+Subject: bus: mhi: host: pci_generic: Add Telit FN920C04 modem support

+

+From: Daniele Palmas <dnlplm@gmail.com>

+

+[ Upstream commit 6348f62ef7ecc5855b710a7d4ea682425c38bb80 ]

+

+Add SDX35 based modem Telit FN920C04.

+

+$ lspci -vv

+01:00.0 Unassigned class [ff00]: Qualcomm Device 011a

+ Subsystem: Device 1c5d:2020

+

+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>

+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

+Link: https://patch.msgid.link/20250401093458.2953872-1-dnlplm@gmail.com

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/bus/mhi/host/pci_generic.c | 39 ++++++++++++++++++++++++++++++

+ 1 file changed, 39 insertions(+)

+

+diff --git a/drivers/bus/mhi/host/pci_generic.c b/drivers/bus/mhi/host/pci_generic.c

+index 03aa887952098..059cfd77382f0 100644

+--- a/drivers/bus/mhi/host/pci_generic.c

++++ b/drivers/bus/mhi/host/pci_generic.c

+@@ -782,6 +782,42 @@ static const struct mhi_pci_dev_info mhi_telit_fe990a_info = {

+ .mru_default = 32768,

+ };

+

++static const struct mhi_channel_config mhi_telit_fn920c04_channels[] = {

++ MHI_CHANNEL_CONFIG_UL_SBL(2, "SAHARA", 32, 0),

++ MHI_CHANNEL_CONFIG_DL_SBL(3, "SAHARA", 32, 0),

++ MHI_CHANNEL_CONFIG_UL(4, "DIAG", 64, 1),

++ MHI_CHANNEL_CONFIG_DL(5, "DIAG", 64, 1),

++ MHI_CHANNEL_CONFIG_UL(14, "QMI", 32, 0),

++ MHI_CHANNEL_CONFIG_DL(15, "QMI", 32, 0),

++ MHI_CHANNEL_CONFIG_UL(32, "DUN", 32, 0),

++ MHI_CHANNEL_CONFIG_DL(33, "DUN", 32, 0),

++ MHI_CHANNEL_CONFIG_UL_FP(34, "FIREHOSE", 32, 0),

++ MHI_CHANNEL_CONFIG_DL_FP(35, "FIREHOSE", 32, 0),

++ MHI_CHANNEL_CONFIG_UL(92, "DUN2", 32, 1),

++ MHI_CHANNEL_CONFIG_DL(93, "DUN2", 32, 1),

++ MHI_CHANNEL_CONFIG_HW_UL(100, "IP_HW0", 128, 2),

++ MHI_CHANNEL_CONFIG_HW_DL(101, "IP_HW0", 128, 3),

++};

++

++static const struct mhi_controller_config modem_telit_fn920c04_config = {

++ .max_channels = 128,

++ .timeout_ms = 50000,

++ .num_channels = ARRAY_SIZE(mhi_telit_fn920c04_channels),

++ .ch_cfg = mhi_telit_fn920c04_channels,

++ .num_events = ARRAY_SIZE(mhi_telit_fn990_events),

++ .event_cfg = mhi_telit_fn990_events,

++};

++

++static const struct mhi_pci_dev_info mhi_telit_fn920c04_info = {

++ .name = "telit-fn920c04",

++ .config = &modem_telit_fn920c04_config,

++ .bar_num = MHI_PCI_DEFAULT_BAR_NUM,

++ .dma_data_width = 32,

++ .sideband_wake = false,

++ .mru_default = 32768,

++ .edl_trigger = true,

++};

++

+ static const struct mhi_pci_dev_info mhi_netprisma_lcur57_info = {

+ .name = "netprisma-lcur57",

+ .edl = "qcom/prog_firehose_sdx24.mbn",

+@@ -806,6 +842,9 @@ static const struct mhi_pci_dev_info mhi_netprisma_fcun69_info = {

+ static const struct pci_device_id mhi_pci_id_table[] = {

+ {PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0116),

+ .driver_data = (kernel_ulong_t) &mhi_qcom_sa8775p_info },

++ /* Telit FN920C04 (sdx35) */

++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x011a, 0x1c5d, 0x2020),

++ .driver_data = (kernel_ulong_t) &mhi_telit_fn920c04_info },

+ { PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0304),

+ .driver_data = (kernel_ulong_t) &mhi_qcom_sdx24_info },

+ { PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x0306, PCI_VENDOR_ID_QCOM, 0x010c),

+--

+2.39.5

+

+From 8003c2e63910d4fd249f2356f8ced2e143f30b82 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 22 Apr 2025 12:32:04 +0300

+Subject: ceph: fix possible integer overflow in ceph_zero_objects()

+

+From: Dmitry Kandybka <d.kandybka@gmail.com>

+

+[ Upstream commit 0abd87942e0c93964e93224836944712feba1d91 ]

+

+In 'ceph_zero_objects', promote 'object_size' to 'u64' to avoid possible

+integer overflow.

+

+Compile tested only.

+

+Found by Linux Verification Center (linuxtesting.org) with SVACE.

+

+Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>

+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>

+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/ceph/file.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/fs/ceph/file.c b/fs/ceph/file.c

+index 851d70200c6b8..a7254cab44cc2 100644

+--- a/fs/ceph/file.c

++++ b/fs/ceph/file.c

+@@ -2616,7 +2616,7 @@ static int ceph_zero_objects(struct inode *inode, loff_t offset, loff_t length)

+ s32 stripe_unit = ci->i_layout.stripe_unit;

+ s32 stripe_count = ci->i_layout.stripe_count;

+ s32 object_size = ci->i_layout.object_size;

+- u64 object_set_size = object_size * stripe_count;

++ u64 object_set_size = (u64) object_size * stripe_count;

+ u64 nearly, t;

+

+ /* round offset up to next period boundary */

+--

+2.39.5

+

+From 26d2b524c2b9b2102922f2344b2a87911d1e629f Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sat, 2 Nov 2024 17:58:31 +0100

+Subject: cifs: Correctly set SMB1 SessionKey field in Session Setup Request

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Pali Rohár <pali@kernel.org>

+

+[ Upstream commit 89381c72d52094988e11d23ef24a00066a0fa458 ]

+

+[MS-CIFS] specification in section 2.2.4.53.1 where is described

+SMB_COM_SESSION_SETUP_ANDX Request, for SessionKey field says:

+

+ The client MUST set this field to be equal to the SessionKey field in

+ the SMB_COM_NEGOTIATE Response for this SMB connection.

+

+Linux SMB client currently set this field to zero. This is working fine

+against Windows NT SMB servers thanks to [MS-CIFS] product behavior <94>:

+

+ Windows NT Server ignores the client's SessionKey.

+

+For compatibility with [MS-CIFS], set this SessionKey field in Session

+Setup Request to value retrieved from Negotiate response.

+

+Signed-off-by: Pali Rohár <pali@kernel.org>

+Signed-off-by: Steve French <stfrench@microsoft.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/smb/client/cifsglob.h | 1 +

+ fs/smb/client/cifspdu.h | 6 +++---

+ fs/smb/client/cifssmb.c | 1 +

+ fs/smb/client/sess.c | 1 +

+ 4 files changed, 6 insertions(+), 3 deletions(-)

+

+diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h

+index 0c80ca352f3fa..214e53acf72a8 100644

+--- a/fs/smb/client/cifsglob.h

++++ b/fs/smb/client/cifsglob.h

+@@ -773,6 +773,7 @@ struct TCP_Server_Info {

+ char workstation_RFC1001_name[RFC1001_NAME_LEN_WITH_NULL];

+ __u32 sequence_number; /* for signing, protected by srv_mutex */

+ __u32 reconnect_instance; /* incremented on each reconnect */

++ __le32 session_key_id; /* retrieved from negotiate response and send in session setup request */

+ struct session_key session_key;

+ unsigned long lstrp; /* when we got last response from this server */

+ struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */

+diff --git a/fs/smb/client/cifspdu.h b/fs/smb/client/cifspdu.h

+index 1b79fe07476f6..d9cf7db0ac35e 100644

+--- a/fs/smb/client/cifspdu.h

++++ b/fs/smb/client/cifspdu.h

+@@ -597,7 +597,7 @@ typedef union smb_com_session_setup_andx {

+ __le16 MaxBufferSize;

+ __le16 MaxMpxCount;

+ __le16 VcNumber;

+- __u32 SessionKey;

++ __le32 SessionKey;

+ __le16 SecurityBlobLength;

+ __u32 Reserved;

+ __le32 Capabilities; /* see below */

+@@ -616,7 +616,7 @@ typedef union smb_com_session_setup_andx {

+ __le16 MaxBufferSize;

+ __le16 MaxMpxCount;

+ __le16 VcNumber;

+- __u32 SessionKey;

++ __le32 SessionKey;

+ __le16 CaseInsensitivePasswordLength; /* ASCII password len */

+ __le16 CaseSensitivePasswordLength; /* Unicode password length*/

+ __u32 Reserved; /* see below */

+@@ -654,7 +654,7 @@ typedef union smb_com_session_setup_andx {

+ __le16 MaxBufferSize;

+ __le16 MaxMpxCount;

+ __le16 VcNumber;

+- __u32 SessionKey;

++ __le32 SessionKey;

+ __le16 PasswordLength;

+ __u32 Reserved; /* encrypt key len and offset */

+ __le16 ByteCount;

+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c

+index a3ba3346ed313..7216fcec79e8b 100644

+--- a/fs/smb/client/cifssmb.c

++++ b/fs/smb/client/cifssmb.c

+@@ -498,6 +498,7 @@ CIFSSMBNegotiate(const unsigned int xid,

+ server->max_rw = le32_to_cpu(pSMBr->MaxRawSize);

+ cifs_dbg(NOISY, "Max buf = %d\n", ses->server->maxBuf);

+ server->capabilities = le32_to_cpu(pSMBr->Capabilities);

++ server->session_key_id = pSMBr->SessionKey;

+ server->timeAdj = (int)(__s16)le16_to_cpu(pSMBr->ServerTimeZone);

+ server->timeAdj *= 60;

+

+diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c

+index 12c99fb4023dc..5a24b80dc146a 100644

+--- a/fs/smb/client/sess.c

++++ b/fs/smb/client/sess.c

+@@ -631,6 +631,7 @@ static __u32 cifs_ssetup_hdr(struct cifs_ses *ses,

+ USHRT_MAX));

+ pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq);

+ pSMB->req.VcNumber = cpu_to_le16(1);

++ pSMB->req.SessionKey = server->session_key_id;

+

+ /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */

+

+--

+2.39.5

+

+From 238201cb479cffde9e90ee65f5ec1f77d897fe66 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 31 Dec 2024 16:06:22 +0100

+Subject: cifs: Fix cifs_query_path_info() for Windows NT servers

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Pali Rohár <pali@kernel.org>

+

+[ Upstream commit a3e771afbb3bce91c8296828304903e7348003fe ]

+

+For TRANS2 QUERY_PATH_INFO request when the path does not exist, the

+Windows NT SMB server returns error response STATUS_OBJECT_NAME_NOT_FOUND

+or ERRDOS/ERRbadfile without the SMBFLG_RESPONSE flag set. Similarly it

+returns STATUS_DELETE_PENDING when the file is being deleted. And looks

+like that any error response from TRANS2 QUERY_PATH_INFO does not have

+SMBFLG_RESPONSE flag set.

+

+So relax check in check_smb_hdr() for detecting if the packet is response

+for this special case.

+

+This change fixes stat() operation against Windows NT SMB servers and also

+all operations which depends on -ENOENT result from stat like creat() or

+mkdir().

+

+Signed-off-by: Pali Rohár <pali@kernel.org>

+Signed-off-by: Steve French <stfrench@microsoft.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/smb/client/misc.c | 8 ++++++++

+ 1 file changed, 8 insertions(+)

+

+diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c

+index 7b6ed9b23e713..e77017f470845 100644

+--- a/fs/smb/client/misc.c

++++ b/fs/smb/client/misc.c

+@@ -326,6 +326,14 @@ check_smb_hdr(struct smb_hdr *smb)

+ if (smb->Command == SMB_COM_LOCKING_ANDX)

+ return 0;

+

++ /*

++ * Windows NT server returns error resposne (e.g. STATUS_DELETE_PENDING

++ * or STATUS_OBJECT_NAME_NOT_FOUND or ERRDOS/ERRbadfile or any other)

++ * for some TRANS2 requests without the RESPONSE flag set in header.

++ */

++ if (smb->Command == SMB_COM_TRANSACTION2 && smb->Status.CifsError != 0)

++ return 0;

++

+ cifs_dbg(VFS, "Server sent request, not response. mid=%u\n",

+ get_mid(smb));

+ return 1;

+--

+2.39.5

+

+From b2a240351e98ed9961357f45d0dc39fdffac5589 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sun, 6 Oct 2024 19:24:29 +0200

+Subject: cifs: Fix encoding of SMB1 Session Setup NTLMSSP Request in

+ non-UNICODE mode

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Pali Rohár <pali@kernel.org>

+

+[ Upstream commit 6510ef4230b68c960309e0c1d6eb3e32eb785142 ]

+

+SMB1 Session Setup NTLMSSP Request in non-UNICODE mode is similar to

+UNICODE mode, just strings are encoded in ASCII and not in UTF-16.

+

+With this change it is possible to setup SMB1 session with NTLM

+authentication in non-UNICODE mode with Windows SMB server.

+

+This change fixes mounting SMB1 servers with -o nounicode mount option

+together with -o sec=ntlmssp mount option (which is the default sec=).

+

+Signed-off-by: Pali Rohár <pali@kernel.org>

+Signed-off-by: Steve French <stfrench@microsoft.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/smb/client/sess.c | 20 ++++++++++----------

+ 1 file changed, 10 insertions(+), 10 deletions(-)

+

+diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c

+index 5a24b80dc146a..330bc3d25badd 100644

+--- a/fs/smb/client/sess.c

++++ b/fs/smb/client/sess.c

+@@ -1688,22 +1688,22 @@ _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data)

+ pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;

+

+ capabilities = cifs_ssetup_hdr(ses, server, pSMB);

+- if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {

+- cifs_dbg(VFS, "NTLMSSP requires Unicode support\n");

+- return -ENOSYS;

+- }

+-

+ pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;

+ capabilities |= CAP_EXTENDED_SECURITY;

+ pSMB->req.Capabilities |= cpu_to_le32(capabilities);

+

+ bcc_ptr = sess_data->iov[2].iov_base;

+- /* unicode strings must be word aligned */

+- if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {

+- *bcc_ptr = 0;

+- bcc_ptr++;

++

++ if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) {

++ /* unicode strings must be word aligned */

++ if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {

++ *bcc_ptr = 0;

++ bcc_ptr++;

++ }

++ unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);

++ } else {

++ ascii_oslm_strings(&bcc_ptr, sess_data->nls_cp);

+ }

+- unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);

+

+ sess_data->iov[2].iov_len = (long) bcc_ptr -

+ (long) sess_data->iov[2].iov_base;

+--

+2.39.5

+

+From 9b235838090e0384b991bf39ba99b8c54994dba0 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 25 Mar 2025 11:58:47 +0000

+Subject: coresight: Only check bottom two claim bits

+

+From: James Clark <james.clark@linaro.org>

+

+[ Upstream commit a4e65842e1142aa18ef36113fbd81d614eaefe5a ]

+

+The use of the whole register and == could break the claim mechanism if

+any of the other bits are used in the future. The referenced doc "PSCI -

+ARM DEN 0022D" also says to only read and clear the bottom two bits.

+

+Use FIELD_GET() to extract only the relevant part.

+

+Reviewed-by: Leo Yan <leo.yan@arm.com>

+Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>

+Signed-off-by: James Clark <james.clark@linaro.org>

+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>

+Link: https://lore.kernel.org/r/20250325-james-coresight-claim-tags-v4-2-dfbd3822b2e5@linaro.org

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/hwtracing/coresight/coresight-core.c | 3 ++-

+ drivers/hwtracing/coresight/coresight-priv.h | 1 +

+ 2 files changed, 3 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c

+index d3523f0262af8..dfcb30da2e20b 100644

+--- a/drivers/hwtracing/coresight/coresight-core.c

++++ b/drivers/hwtracing/coresight/coresight-core.c

+@@ -131,7 +131,8 @@ coresight_find_out_connection(struct coresight_device *csdev,

+

+ static inline u32 coresight_read_claim_tags(struct coresight_device *csdev)

+ {

+- return csdev_access_relaxed_read32(&csdev->access, CORESIGHT_CLAIMCLR);

++ return FIELD_GET(CORESIGHT_CLAIM_MASK,

++ csdev_access_relaxed_read32(&csdev->access, CORESIGHT_CLAIMCLR));

+ }

+

+ static inline bool coresight_is_claimed_self_hosted(struct coresight_device *csdev)

+diff --git a/drivers/hwtracing/coresight/coresight-priv.h b/drivers/hwtracing/coresight/coresight-priv.h

+index 82644aff8d2b7..38bb4e8b50ef6 100644

+--- a/drivers/hwtracing/coresight/coresight-priv.h

++++ b/drivers/hwtracing/coresight/coresight-priv.h

+@@ -35,6 +35,7 @@ extern const struct device_type coresight_dev_type[];

+ * Coresight device CLAIM protocol.

+ * See PSCI - ARM DEN 0022D, Section: 6.8.1 Debug and Trace save and restore.

+ */

++#define CORESIGHT_CLAIM_MASK GENMASK(1, 0)

+ #define CORESIGHT_CLAIM_SELF_HOSTED BIT(1)

+

+ #define TIMEOUT_US 100

+--

+2.39.5

+

+From 9860320750b44be81d241a83757b3374e9acde00 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 2 Apr 2025 19:25:52 -0400

+Subject: cxl: core/region - ignore interleave granularity when ways=1

+

+From: Gregory Price <gourry@gourry.net>

+

+[ Upstream commit ce32b0c9c522e5a69ef9c62a56d6ca08fb036d67 ]

+

+When validating decoder IW/IG when setting up regions, the granularity

+is irrelevant when iw=1 - all accesses will always route to the only

+target anyway - so all ig values are "correct". Loosen the requirement

+that `ig = (parent_iw * parent_ig)` when iw=1.

+

+On some Zen5 platforms, the platform BIOS specifies a 256-byte

+interleave granularity window for host bridges when there is only

+one target downstream. This leads to Linux rejecting the configuration

+of a region with a x2 root with two x1 hostbridges.

+

+Decoder Programming:

+ root - iw:2 ig:256

+ hb1 - iw:1 ig:256 (Linux expects 512)

+ hb2 - iw:1 ig:256 (Linux expects 512)

+ ep1 - iw:2 ig:256

+ ep2 - iw:2 ig:256

+

+This change allows all decoders downstream of a passthrough decoder to

+also be configured as passthrough (iw:1 ig:X), but still disallows

+downstream decoders from applying subsequent interleaves.

+

+e.g. in the above example if there was another decoder south of hb1

+attempting to interleave 2 endpoints - Linux would enforce hb1.ig=512

+because the southern decoder would have iw:2 and require ig=pig*piw.

+

+[DJ: Fixed up against 6.15-rc1]

+

+Signed-off-by: Gregory Price <gourry@gourry.net>

+Reviewed-by: Dave Jiang <dave.jiang@intel.com>

+Tested-by: Li Zhijian <lizhijian@fujitsu.com>

+Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>

+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

+Reviewed-by: Dan Williams <dan.j.williams@intel.com>

+Link: https://patch.msgid.link/20250402232552.999634-1-gourry@gourry.net

+Signed-off-by: Dave Jiang <dave.jiang@intel.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/cxl/core/region.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c

+index 24b161c7749f9..7585f0302f3a2 100644

+--- a/drivers/cxl/core/region.c

++++ b/drivers/cxl/core/region.c

+@@ -1446,7 +1446,7 @@ static int cxl_port_setup_targets(struct cxl_port *port,

+

+ if (test_bit(CXL_REGION_F_AUTO, &cxlr->flags)) {

+ if (cxld->interleave_ways != iw ||

+- cxld->interleave_granularity != ig ||

++ (iw > 1 && cxld->interleave_granularity != ig) ||

+ !region_res_match_cxl_range(p, &cxld->hpa_range) ||

+ ((cxld->flags & CXL_DECODER_F_ENABLE) == 0)) {

+ dev_err(&cxlr->dev,

+--

+2.39.5

+

+From 18d19aaa2002d6a6fe492bd4d1ff626c0e6a3e61 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 9 May 2025 17:06:58 +0200

+Subject: cxl/region: Add a dev_err() on missing target list entries

+

+From: Robert Richter <rrichter@amd.com>

+

+[ Upstream commit d90acdf49e18029cfe4194475c45ef143657737a ]

+

+Broken target lists are hard to discover as the driver fails at a

+later initialization stage. Add an error message for this.

+

+Example log messages:

+

+ cxl_mem mem1: failed to find endpoint6:0000:e0:01.3 in target list of decoder1.1

+ cxl_port endpoint6: failed to register decoder6.0: -6

+ cxl_port endpoint6: probe: 0

+

+Signed-off-by: Robert Richter <rrichter@amd.com>

+Reviewed-by: Gregory Price <gourry@gourry.net>

+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

+Reviewed-by: Dave Jiang <dave.jiang@intel.com>

+Reviewed-by: Dan Williams <dan.j.williams@intel.com>

+Reviewed-by: Alison Schofield <alison.schofield@intel.com>

+Reviewed-by: "Fabio M. De Francesco" <fabio.m.de.francesco@linux.intel.com>

+Tested-by: Gregory Price <gourry@gourry.net>

+Acked-by: Dan Williams <dan.j.williams@intel.com>

+Link: https://patch.msgid.link/20250509150700.2817697-14-rrichter@amd.com

+Signed-off-by: Dave Jiang <dave.jiang@intel.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/cxl/core/region.c | 7 +++++++

+ 1 file changed, 7 insertions(+)

+

+diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c

+index c3f4dc244df77..24b161c7749f9 100644

+--- a/drivers/cxl/core/region.c

++++ b/drivers/cxl/core/region.c

+@@ -1805,6 +1805,13 @@ static int find_pos_and_ways(struct cxl_port *port, struct range *range,

+ }

+ put_device(dev);

+

++ if (rc)

++ dev_err(port->uport_dev,

++ "failed to find %s:%s in target list of %s\n",

++ dev_name(&port->dev),

++ dev_name(port->parent_dport->dport_dev),

++ dev_name(&cxlsd->cxld.dev));

++

+ return rc;

+ }

+

+--

+2.39.5

+

+From ef50052315c22690f5c7eb630c3e3c06a3657c3d Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 12 May 2025 21:10:10 -0400

+Subject: dm vdo indexer: don't read request structure after enqueuing

+

+From: Matthew Sakai <msakai@redhat.com>

+

+[ Upstream commit 3da732687d72078e52cc7f334a482383e84ca156 ]

+

+The function get_volume_page_protected may place a request on

+a queue for another thread to process asynchronously. When this

+happens, the volume should not read the request from the original

+thread. This can not currently cause problems, due to the way

+request processing is handled, but it is not safe in general.

+

+Reviewed-by: Ken Raeburn <raeburn@redhat.com>

+Signed-off-by: Matthew Sakai <msakai@redhat.com>

+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/md/dm-vdo/indexer/volume.c | 24 +++++++++++++-----------

+ 1 file changed, 13 insertions(+), 11 deletions(-)

+

+diff --git a/drivers/md/dm-vdo/indexer/volume.c b/drivers/md/dm-vdo/indexer/volume.c

+index 655453bb276be..425b3a74f4dba 100644

+--- a/drivers/md/dm-vdo/indexer/volume.c

++++ b/drivers/md/dm-vdo/indexer/volume.c

+@@ -754,10 +754,11 @@ static int get_volume_page_protected(struct volume *volume, struct uds_request *

+ u32 physical_page, struct cached_page **page_ptr)

+ {

+ struct cached_page *page;

++ unsigned int zone_number = request->zone_number;

+

+ get_page_from_cache(&volume->page_cache, physical_page, &page);

+ if (page != NULL) {

+- if (request->zone_number == 0) {

++ if (zone_number == 0) {

+ /* Only one zone is allowed to update the LRU. */

+ make_page_most_recent(&volume->page_cache, page);

+ }

+@@ -767,7 +768,7 @@ static int get_volume_page_protected(struct volume *volume, struct uds_request *

+ }

+

+ /* Prepare to enqueue a read for the page. */

+- end_pending_search(&volume->page_cache, request->zone_number);

++ end_pending_search(&volume->page_cache, zone_number);

+ mutex_lock(&volume->read_threads_mutex);

+

+ /*

+@@ -787,8 +788,7 @@ static int get_volume_page_protected(struct volume *volume, struct uds_request *

+ * the order does not matter for correctness as it does below.

+ */

+ mutex_unlock(&volume->read_threads_mutex);

+- begin_pending_search(&volume->page_cache, physical_page,

+- request->zone_number);

++ begin_pending_search(&volume->page_cache, physical_page, zone_number);

+ return UDS_QUEUED;

+ }

+

+@@ -797,7 +797,7 @@ static int get_volume_page_protected(struct volume *volume, struct uds_request *

+ * "search pending" state in careful order so no other thread can mess with the data before

+ * the caller gets to look at it.

+ */

+- begin_pending_search(&volume->page_cache, physical_page, request->zone_number);

++ begin_pending_search(&volume->page_cache, physical_page, zone_number);

+ mutex_unlock(&volume->read_threads_mutex);

+ *page_ptr = page;

+ return UDS_SUCCESS;

+@@ -849,6 +849,7 @@ static int search_cached_index_page(struct volume *volume, struct uds_request *r

+ {

+ int result;

+ struct cached_page *page = NULL;

++ unsigned int zone_number = request->zone_number;

+ u32 physical_page = map_to_physical_page(volume->geometry, chapter,

+ index_page_number);

+

+@@ -858,18 +859,18 @@ static int search_cached_index_page(struct volume *volume, struct uds_request *r

+ * invalidation by the reader thread, before the reader thread has noticed that the

+ * invalidate_counter has been incremented.

+ */

+- begin_pending_search(&volume->page_cache, physical_page, request->zone_number);

++ begin_pending_search(&volume->page_cache, physical_page, zone_number);

+

+ result = get_volume_page_protected(volume, request, physical_page, &page);

+ if (result != UDS_SUCCESS) {

+- end_pending_search(&volume->page_cache, request->zone_number);

++ end_pending_search(&volume->page_cache, zone_number);

+ return result;

+ }

+

+ result = uds_search_chapter_index_page(&page->index_page, volume->geometry,

+ &request->record_name,

+ record_page_number);

+- end_pending_search(&volume->page_cache, request->zone_number);

++ end_pending_search(&volume->page_cache, zone_number);

+ return result;

+ }

+

+@@ -882,6 +883,7 @@ int uds_search_cached_record_page(struct volume *volume, struct uds_request *req

+ {

+ struct cached_page *record_page;

+ struct index_geometry *geometry = volume->geometry;

++ unsigned int zone_number = request->zone_number;

+ int result;

+ u32 physical_page, page_number;

+

+@@ -905,11 +907,11 @@ int uds_search_cached_record_page(struct volume *volume, struct uds_request *req

+ * invalidation by the reader thread, before the reader thread has noticed that the

+ * invalidate_counter has been incremented.

+ */

+- begin_pending_search(&volume->page_cache, physical_page, request->zone_number);

++ begin_pending_search(&volume->page_cache, physical_page, zone_number);

+

+ result = get_volume_page_protected(volume, request, physical_page, &record_page);

+ if (result != UDS_SUCCESS) {

+- end_pending_search(&volume->page_cache, request->zone_number);

++ end_pending_search(&volume->page_cache, zone_number);

+ return result;

+ }

+

+@@ -917,7 +919,7 @@ int uds_search_cached_record_page(struct volume *volume, struct uds_request *req

+ &request->record_name, geometry, &request->old_metadata))

+ *found = true;

+

+- end_pending_search(&volume->page_cache, request->zone_number);

++ end_pending_search(&volume->page_cache, zone_number);

+ return UDS_SUCCESS;

+ }

+

+--

+2.39.5

+

+From 1f84dfaacf959eff8eb9e251d91311c2ac6d23b3 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 9 May 2025 08:03:04 +0800

+Subject: dmaengine: idxd: Check availability of workqueue allocated by idxd wq

+ driver before using

+

+From: Yi Sun <yi.sun@intel.com>

+

+[ Upstream commit 17502e7d7b7113346296f6758324798d536c31fd ]

+

+Running IDXD workloads in a container with the /dev directory mounted can

+trigger a call trace or even a kernel panic when the parent process of the

+container is terminated.

+

+This issue occurs because, under certain configurations, Docker does not

+properly propagate the mount replica back to the original mount point.

+

+In this case, when the user driver detaches, the WQ is destroyed but it

+still calls destroy_workqueue() attempting to completes all pending work.

+It's necessary to check wq->wq and skip the drain if it no longer exists.

+

+Signed-off-by: Yi Sun <yi.sun@intel.com>

+Reviewed-by: Dave Jiang <dave.jiang@intel.com>

+Reviewed-by: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>

+

+Link: https://lore.kernel.org/r/20250509000304.1402863-1-yi.sun@intel.com

+Signed-off-by: Vinod Koul <vkoul@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/dma/idxd/cdev.c | 4 +++-

+ 1 file changed, 3 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c

+index 6d12033649f81..bc934bc249df1 100644

+--- a/drivers/dma/idxd/cdev.c

++++ b/drivers/dma/idxd/cdev.c

+@@ -349,7 +349,9 @@ static void idxd_cdev_evl_drain_pasid(struct idxd_wq *wq, u32 pasid)

+ set_bit(h, evl->bmap);

+ h = (h + 1) % size;

+ }

+- drain_workqueue(wq->wq);

++ if (wq->wq)

++ drain_workqueue(wq->wq);

++

+ mutex_unlock(&evl->lock);

+ }

+

+--

+2.39.5

+

+From e2f8733290c715e961ba49fd8d42efe7b9001c2d Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 7 May 2025 20:21:01 +0200

+Subject: dmaengine: xilinx_dma: Set dma_device directions

+

+From: Thomas Gessler <thomas.gessler@brueckmann-gmbh.de>

+

+[ Upstream commit 7e01511443c30a55a5ae78d3debd46d4d872517e ]

+

+Coalesce the direction bits from the enabled TX and/or RX channels into

+the directions bit mask of dma_device. Without this mask set,

+dma_get_slave_caps() in the DMAEngine fails, which prevents the driver

+from being used with an IIO DMAEngine buffer.

+

+Signed-off-by: Thomas Gessler <thomas.gessler@brueckmann-gmbh.de>

+Reviewed-by: Suraj Gupta <suraj.gupta2@amd.com>

+Tested-by: Folker Schwesinger <dev@folker-schwesinger.de>

+Link: https://lore.kernel.org/r/20250507182101.909010-1-thomas.gessler@brueckmann-gmbh.de

+Signed-off-by: Vinod Koul <vkoul@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/dma/xilinx/xilinx_dma.c | 2 ++

+ 1 file changed, 2 insertions(+)

+

+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c

+index 3ad44afd0e74e..8f26b6eff3f3e 100644

+--- a/drivers/dma/xilinx/xilinx_dma.c

++++ b/drivers/dma/xilinx/xilinx_dma.c

+@@ -2909,6 +2909,8 @@ static int xilinx_dma_chan_probe(struct xilinx_dma_device *xdev,

+ return -EINVAL;

+ }

+

++ xdev->common.directions |= chan->direction;

++

+ /* Request the interrupt */

+ chan->irq = of_irq_get(node, chan->tdest);

+ if (chan->irq < 0)

+--

+2.39.5

+

+From 659b6da5ca4bc3f06532fb24c7a7beb73d905965 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 14 May 2025 11:13:52 -0400

+Subject: drm/amdgpu: seq64 memory unmap uses uninterruptible lock

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Philip Yang <Philip.Yang@amd.com>

+

+[ Upstream commit a359288ccb4dd8edb086e7de8fdf6e36f544c922 ]

+

+To unmap and free seq64 memory when drm node close to free vm, if there

+is signal accepted, then taking vm lock failed and leaking seq64 va

+mapping, and then dmesg has error log "still active bo inside vm".

+

+Change to use uninterruptible lock fix the mapping leaking and no dmesg

+error log.

+

+Signed-off-by: Philip Yang <Philip.Yang@amd.com>

+Reviewed-by: Christian König <christian.koenig@amd.com>

+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c

+index e22cb2b5cd926..dba8051b8c14b 100644

+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c

++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c

+@@ -133,7 +133,7 @@ void amdgpu_seq64_unmap(struct amdgpu_device *adev, struct amdgpu_fpriv *fpriv)

+

+ vm = &fpriv->vm;

+

+- drm_exec_init(&exec, DRM_EXEC_INTERRUPTIBLE_WAIT, 0);

++ drm_exec_init(&exec, 0, 0);

+ drm_exec_until_all_locked(&exec) {

+ r = amdgpu_vm_lock_pd(vm, &exec, 0);

+ if (likely(!r))

+--

+2.39.5

+

+From 8522d10ab9db1e41585387320af75de8ce957c13 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 14 May 2025 18:54:01 -0400

+Subject: drm/amdgpu/vcn2.5: read back register after written

+

+From: David (Ming Qiang) Wu <David.Wu3@amd.com>

+

+[ Upstream commit d9e688b9148bb23629d32017344888dd67ec2ab1 ]

+

+The addition of register read-back in VCN v2.5 is intended to prevent

+potential race conditions.

+

+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>

+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>

+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 19 +++++++++++++++++++

+ 1 file changed, 19 insertions(+)

+

+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c

+index 3eec1b8feaeea..58b527a6b795f 100644

+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c

++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c

+@@ -1158,6 +1158,11 @@ static int vcn_v2_5_start_dpg_mode(struct amdgpu_vcn_inst *vinst, bool indirect)

+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS),

+ 0, ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, inst_idx, mmUVD_STATUS);

++

+ return 0;

+ }

+

+@@ -1343,6 +1348,11 @@ static int vcn_v2_5_start(struct amdgpu_vcn_inst *vinst)

+ WREG32_SOC15(VCN, i, mmUVD_RB_SIZE2, ring->ring_size / 4);

+ fw_shared->multi_queue.encode_lowlatency_queue_mode &= ~FW_QUEUE_RING_RESET;

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, i, mmUVD_STATUS);

++

+ return 0;

+ }

+

+@@ -1569,6 +1579,11 @@ static int vcn_v2_5_stop_dpg_mode(struct amdgpu_vcn_inst *vinst)

+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS), 0,

+ ~UVD_POWER_STATUS__UVD_PG_MODE_MASK);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, inst_idx, mmUVD_STATUS);

++

+ return 0;

+ }

+

+@@ -1635,6 +1650,10 @@ static int vcn_v2_5_stop(struct amdgpu_vcn_inst *vinst)

+ UVD_POWER_STATUS__UVD_POWER_STATUS_MASK,

+ ~UVD_POWER_STATUS__UVD_POWER_STATUS_MASK);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, i, mmUVD_STATUS);

+ done:

+ if (adev->pm.dpm_enabled)

+ amdgpu_dpm_enable_vcn(adev, false, i);

+--

+2.39.5

+

+From 59a1a655521843da8844c282f500c1d60bb053fe Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 14 May 2025 18:54:39 -0400

+Subject: drm/amdgpu/vcn3: read back register after written

+

+From: David (Ming Qiang) Wu <David.Wu3@amd.com>

+

+[ Upstream commit b7a4842a917e3a251b5a6aa1a21a5daf6d396ef3 ]

+

+The addition of register read-back in VCN v3.0 is intended to prevent

+potential race conditions.

+

+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>

+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>

+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 20 ++++++++++++++++++++

+ 1 file changed, 20 insertions(+)

+

+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c

+index 0b19f0ab4480d..9fb0d53805892 100644

+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c

++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c

+@@ -1173,6 +1173,11 @@ static int vcn_v3_0_start_dpg_mode(struct amdgpu_vcn_inst *vinst, bool indirect)

+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS),

+ 0, ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, inst_idx, mmUVD_STATUS);

++

+ return 0;

+ }

+

+@@ -1360,6 +1365,11 @@ static int vcn_v3_0_start(struct amdgpu_vcn_inst *vinst)

+ fw_shared->multi_queue.encode_lowlatency_queue_mode &= cpu_to_le32(~FW_QUEUE_RING_RESET);

+ }

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, i, mmUVD_STATUS);

++

+ return 0;

+ }

+

+@@ -1602,6 +1612,11 @@ static int vcn_v3_0_stop_dpg_mode(struct amdgpu_vcn_inst *vinst)

+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS), 0,

+ ~UVD_POWER_STATUS__UVD_PG_MODE_MASK);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, inst_idx, mmUVD_STATUS);

++

+ return 0;

+ }

+

+@@ -1674,6 +1689,11 @@ static int vcn_v3_0_stop(struct amdgpu_vcn_inst *vinst)

+ /* enable VCN power gating */

+ vcn_v3_0_enable_static_power_gating(vinst);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, i, mmUVD_STATUS);

++

+ done:

+ if (adev->pm.dpm_enabled)

+ amdgpu_dpm_enable_vcn(adev, false, i);

+--

+2.39.5

+

+From 57c2f4e28684b6b498a93233a3fbc2deda675563 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 14 May 2025 18:55:27 -0400

+Subject: drm/amdgpu/vcn4: read back register after written

+

+From: David (Ming Qiang) Wu <David.Wu3@amd.com>

+

+[ Upstream commit a3810a5e37c58329aa2c7992f3172a423f4ae194 ]

+

+The addition of register read-back in VCN v4.0.0 is intended to prevent

+potential race conditions.

+

+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>

+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>

+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 20 ++++++++++++++++++++

+ 1 file changed, 20 insertions(+)

+

+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c

+index 1f777c125b00d..4a88a4d37aeeb 100644

+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c

++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c

+@@ -1122,6 +1122,11 @@ static int vcn_v4_0_start_dpg_mode(struct amdgpu_vcn_inst *vinst, bool indirect)

+ ring->doorbell_index << VCN_RB1_DB_CTRL__OFFSET__SHIFT |

+ VCN_RB1_DB_CTRL__EN_MASK);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, inst_idx, regUVD_STATUS);

++

+ return 0;

+ }

+

+@@ -1303,6 +1308,11 @@ static int vcn_v4_0_start(struct amdgpu_vcn_inst *vinst)

+ WREG32_SOC15(VCN, i, regVCN_RB_ENABLE, tmp);

+ fw_shared->sq.queue_mode &= ~(FW_QUEUE_RING_RESET | FW_QUEUE_DPG_HOLD_OFF);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, i, regUVD_STATUS);

++

+ return 0;

+ }

+

+@@ -1583,6 +1593,11 @@ static void vcn_v4_0_stop_dpg_mode(struct amdgpu_vcn_inst *vinst)

+ /* disable dynamic power gating mode */

+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, regUVD_POWER_STATUS), 0,

+ ~UVD_POWER_STATUS__UVD_PG_MODE_MASK);

++

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, inst_idx, regUVD_STATUS);

+ }

+

+ /**

+@@ -1666,6 +1681,11 @@ static int vcn_v4_0_stop(struct amdgpu_vcn_inst *vinst)

+ /* enable VCN power gating */

+ vcn_v4_0_enable_static_power_gating(vinst);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, i, regUVD_STATUS);

++

+ done:

+ if (adev->pm.dpm_enabled)

+ amdgpu_dpm_enable_vcn(adev, false, i);

+--

+2.39.5

+

+From dbc495d7a38a59a6b45c526bac067673ccc2b7c5 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 14 May 2025 18:59:11 -0400

+Subject: drm/amdgpu/vcn5.0.1: read back register after written

+

+From: David (Ming Qiang) Wu <David.Wu3@amd.com>

+

+[ Upstream commit bf394d28548c3c0a01e113fdef20ddb6cd2df106 ]

+

+The addition of register read-back in VCN v5.0.1 is intended to prevent

+potential race conditions.

+

+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>

+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>

+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 15 +++++++++++++++

+ 1 file changed, 15 insertions(+)

+

+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c

+index e0e84ef7f5686..9a142a21aaea8 100644

+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c

++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c

+@@ -809,6 +809,11 @@ static int vcn_v5_0_1_start(struct amdgpu_vcn_inst *vinst)

+ WREG32_SOC15(VCN, vcn_inst, regVCN_RB_ENABLE, tmp);

+ fw_shared->sq.queue_mode &= ~(FW_QUEUE_RING_RESET | FW_QUEUE_DPG_HOLD_OFF);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, vcn_inst, regUVD_STATUS);

++

+ return 0;

+ }

+

+@@ -843,6 +848,11 @@ static void vcn_v5_0_1_stop_dpg_mode(struct amdgpu_vcn_inst *vinst)

+ /* disable dynamic power gating mode */

+ WREG32_P(SOC15_REG_OFFSET(VCN, vcn_inst, regUVD_POWER_STATUS), 0,

+ ~UVD_POWER_STATUS__UVD_PG_MODE_MASK);

++

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, vcn_inst, regUVD_STATUS);

+ }

+

+ /**

+@@ -918,6 +928,11 @@ static int vcn_v5_0_1_stop(struct amdgpu_vcn_inst *vinst)

+ /* clear status */

+ WREG32_SOC15(VCN, vcn_inst, regUVD_STATUS, 0);

+

++ /* Keeping one read-back to ensure all register writes are done,

++ * otherwise it may introduce race conditions.

++ */

++ RREG32_SOC15(VCN, vcn_inst, regUVD_STATUS);

++

+ return 0;

+ }

+

+--

+2.39.5

+

+From be7d4aae9d9d5d03209ccc8de784143814449e1e Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 16 May 2025 15:16:54 +0300

+Subject: drm/i915/display: Add check for alloc_ordered_workqueue() and

+ alloc_workqueue()

+

+From: Haoxiang Li <haoxiang_li2024@163.com>

+

+[ Upstream commit f4c7baa0699b69edb6887a992283b389761e0e81 ]

+

+Add check for the return value of alloc_ordered_workqueue()

+and alloc_workqueue(). Furthermore, if some allocations fail,

+cleanup works are added to avoid potential memory leak problem.

+

+Fixes: 40053823baad ("drm/i915/display: move modeset probe/remove functions to intel_display_driver.c")

+Cc: stable@vger.kernel.org

+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>

+Reviewed-by: Matthew Auld <matthew.auld@intel.com>

+Link: https://lore.kernel.org/r/20d3d096c6a4907636f8a1389b3b4dd753ca356e.1747397638.git.jani.nikula@intel.com

+Signed-off-by: Jani Nikula <jani.nikula@intel.com>

+(cherry picked from commit dcab7a228f4ea9cda3f5b0a1f0679e046d23d7f7)

+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ .../drm/i915/display/intel_display_driver.c | 30 +++++++++++++++----

+ 1 file changed, 25 insertions(+), 5 deletions(-)

+

+diff --git a/drivers/gpu/drm/i915/display/intel_display_driver.c b/drivers/gpu/drm/i915/display/intel_display_driver.c

+index 31740a677dd80..14c8b3259bbf5 100644

+--- a/drivers/gpu/drm/i915/display/intel_display_driver.c

++++ b/drivers/gpu/drm/i915/display/intel_display_driver.c

+@@ -241,31 +241,45 @@ int intel_display_driver_probe_noirq(struct intel_display *display)

+ intel_dmc_init(display);

+

+ display->wq.modeset = alloc_ordered_workqueue("i915_modeset", 0);

++ if (!display->wq.modeset) {

++ ret = -ENOMEM;

++ goto cleanup_vga_client_pw_domain_dmc;

++ }

++

+ display->wq.flip = alloc_workqueue("i915_flip", WQ_HIGHPRI |

+ WQ_UNBOUND, WQ_UNBOUND_MAX_ACTIVE);

++ if (!display->wq.flip) {

++ ret = -ENOMEM;

++ goto cleanup_wq_modeset;

++ }

++

+ display->wq.cleanup = alloc_workqueue("i915_cleanup", WQ_HIGHPRI, 0);

++ if (!display->wq.cleanup) {

++ ret = -ENOMEM;

++ goto cleanup_wq_flip;

++ }

+

+ intel_mode_config_init(display);

+

+ ret = intel_cdclk_init(display);

+ if (ret)

+- goto cleanup_vga_client_pw_domain_dmc;

++ goto cleanup_wq_cleanup;

+

+ ret = intel_color_init(display);

+ if (ret)

+- goto cleanup_vga_client_pw_domain_dmc;

++ goto cleanup_wq_cleanup;

+

+ ret = intel_dbuf_init(i915);

+ if (ret)

+- goto cleanup_vga_client_pw_domain_dmc;

++ goto cleanup_wq_cleanup;

+

+ ret = intel_bw_init(i915);

+ if (ret)

+- goto cleanup_vga_client_pw_domain_dmc;

++ goto cleanup_wq_cleanup;

+

+ ret = intel_pmdemand_init(display);

+ if (ret)

+- goto cleanup_vga_client_pw_domain_dmc;

++ goto cleanup_wq_cleanup;

+

+ intel_init_quirks(display);

+

+@@ -273,6 +287,12 @@ int intel_display_driver_probe_noirq(struct intel_display *display)

+

+ return 0;

+

++cleanup_wq_cleanup:

++ destroy_workqueue(display->wq.cleanup);

++cleanup_wq_flip:

++ destroy_workqueue(display->wq.flip);

++cleanup_wq_modeset:

++ destroy_workqueue(display->wq.modeset);

+ cleanup_vga_client_pw_domain_dmc:

+ intel_dmc_fini(display);

+ intel_power_domains_driver_remove(display);

+--

+2.39.5

+

+From 9abc670c831b689d5f1ad1af6f45df79795a280f Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 12 May 2025 21:22:15 +0200

+Subject: drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Ville Syrjälä <ville.syrjala@linux.intel.com>

+

+[ Upstream commit 25eeba495b2fc16037647c1a51bcdf6fc157af5c ]

+

+The intel-media-driver is currently broken on DG1 because

+it uses EXEC_CAPTURE with recovarable contexts. Relax the

+check to allow that.

+

+I've also submitted a fix for the intel-media-driver:

+https://github.com/intel/media-driver/pull/1920

+

+Cc: stable@vger.kernel.org # v6.0+

+Cc: Matthew Auld <matthew.auld@intel.com>

+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>

+Testcase: igt/gem_exec_capture/capture-invisible

+Fixes: 71b1669ea9bd ("drm/i915/uapi: tweak error capture on recoverable contexts")

+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>

+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>

+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>

+Link: https://lore.kernel.org/r/20250411144313.11660-2-ville.syrjala@linux.intel.com

+(cherry picked from commit d6e020819612a4a06207af858e0978be4d3e3140)

+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

+Stable-dep-of: ed5915cfce2a ("Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1"")

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c

+index 7796c4119ef5e..1974a300b24a1 100644

+--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c

++++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c

+@@ -2014,7 +2014,7 @@ static int eb_capture_stage(struct i915_execbuffer *eb)

+ continue;

+

+ if (i915_gem_context_is_recoverable(eb->gem_context) &&

+- (IS_DGFX(eb->i915) || GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 0)))

++ GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 10))

+ return -EINVAL;

+

+ for_each_batch_create_order(eb, j) {

+--

+2.39.5

+

+From 1488db9c5db8e6d5663a026bf141178735c5f1f9 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 15 May 2025 10:07:13 +0800

+Subject: drm/scheduler: signal scheduled fence when kill job

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Lin.Cao <lincao12@amd.com>

+

+[ Upstream commit 471db2c2d4f80ee94225a1ef246e4f5011733e50 ]

+

+When an entity from application B is killed, drm_sched_entity_kill()

+removes all jobs belonging to that entity through

+drm_sched_entity_kill_jobs_work(). If application A's job depends on a

+scheduled fence from application B's job, and that fence is not properly

+signaled during the killing process, application A's dependency cannot be

+cleared.

+

+This leads to application A hanging indefinitely while waiting for a

+dependency that will never be resolved. Fix this issue by ensuring that

+scheduled fences are properly signaled when an entity is killed, allowing

+dependent applications to continue execution.

+

+Signed-off-by: Lin.Cao <lincao12@amd.com>

+Reviewed-by: Philipp Stanner <phasta@kernel.org>

+Signed-off-by: Christian König <christian.koenig@amd.com>

+Link: https://lore.kernel.org/r/20250515020713.1110476-1-lincao12@amd.com

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/gpu/drm/scheduler/sched_entity.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c

+index bd39db7bb2408..e671aa2417206 100644

+--- a/drivers/gpu/drm/scheduler/sched_entity.c

++++ b/drivers/gpu/drm/scheduler/sched_entity.c

+@@ -176,6 +176,7 @@ static void drm_sched_entity_kill_jobs_work(struct work_struct *wrk)

+ {

+ struct drm_sched_job *job = container_of(wrk, typeof(*job), work);

+

++ drm_sched_fence_scheduled(job->s_fence, NULL);

+ drm_sched_fence_finished(job->s_fence, -ESRCH);

+ WARN_ON(job->s_fence->parent);

+ job->sched->ops->free_job(job);

+--

+2.39.5

+

+From 81b113d948a44c1edda719cd1d870e8bfdc5bd07 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 13 May 2025 19:25:38 +0800

+Subject: f2fs: don't over-report free space or inodes in statvfs

+

+From: Chao Yu <chao@kernel.org>

+

+[ Upstream commit a9201960623287927bf5776de3f70fb2fbde7e02 ]

+

+This fixes an analogus bug that was fixed in modern filesystems:

+a) xfs in commit 4b8d867ca6e2 ("xfs: don't over-report free space or

+inodes in statvfs")

+b) ext4 in commit f87d3af74193 ("ext4: don't over-report free space

+or inodes in statvfs")

+where statfs can report misleading / incorrect information where

+project quota is enabled, and the free space is less than the

+remaining quota.

+

+This commit will resolve a test failure in generic/762 which tests

+for this bug.

+

+generic/762 - output mismatch (see /share/git/fstests/results//generic/762.out.bad)

+ --- tests/generic/762.out 2025-04-15 10:21:53.371067071 +0800

+ +++ /share/git/fstests/results//generic/762.out.bad 2025-05-13 16:13:37.000000000 +0800

+ @@ -6,8 +6,10 @@

+ root blocks2 is in range

+ dir blocks2 is in range

+ root bavail2 is in range

+ -dir bavail2 is in range

+ +dir bavail2 has value of 1539066

+ +dir bavail2 is NOT in range 304734.87 .. 310891.13

+ root blocks3 is in range

+ ...

+ (Run 'diff -u /share/git/fstests/tests/generic/762.out /share/git/fstests/results//generic/762.out.bad' to see the entire diff)

+

+HINT: You _MAY_ be missing kernel fix:

+ XXXXXXXXXXXXXX xfs: don't over-report free space or inodes in statvfs

+

+Cc: stable@kernel.org

+Fixes: ddc34e328d06 ("f2fs: introduce f2fs_statfs_project")

+Signed-off-by: Chao Yu <chao@kernel.org>

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/f2fs/super.c | 30 ++++++++++++++++++------------

+ 1 file changed, 18 insertions(+), 12 deletions(-)

+

+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c

+index bc510c91f3eba..86dd30eb50b1d 100644

+--- a/fs/f2fs/super.c

++++ b/fs/f2fs/super.c

+@@ -1806,26 +1806,32 @@ static int f2fs_statfs_project(struct super_block *sb,

+

+ limit = min_not_zero(dquot->dq_dqb.dqb_bsoftlimit,

+ dquot->dq_dqb.dqb_bhardlimit);

+- if (limit)

+- limit >>= sb->s_blocksize_bits;

++ limit >>= sb->s_blocksize_bits;

++

++ if (limit) {

++ uint64_t remaining = 0;

+

+- if (limit && buf->f_blocks > limit) {

+ curblock = (dquot->dq_dqb.dqb_curspace +

+ dquot->dq_dqb.dqb_rsvspace) >> sb->s_blocksize_bits;

+- buf->f_blocks = limit;

+- buf->f_bfree = buf->f_bavail =

+- (buf->f_blocks > curblock) ?

+- (buf->f_blocks - curblock) : 0;

++ if (limit > curblock)

++ remaining = limit - curblock;

++

++ buf->f_blocks = min(buf->f_blocks, limit);

++ buf->f_bfree = min(buf->f_bfree, remaining);

++ buf->f_bavail = min(buf->f_bavail, remaining);

+ }

+

+ limit = min_not_zero(dquot->dq_dqb.dqb_isoftlimit,

+ dquot->dq_dqb.dqb_ihardlimit);

+

+- if (limit && buf->f_files > limit) {

+- buf->f_files = limit;

+- buf->f_ffree =

+- (buf->f_files > dquot->dq_dqb.dqb_curinodes) ?

+- (buf->f_files - dquot->dq_dqb.dqb_curinodes) : 0;

++ if (limit) {

++ uint64_t remaining = 0;

++

++ if (limit > dquot->dq_dqb.dqb_curinodes)

++ remaining = limit - dquot->dq_dqb.dqb_curinodes;

++

++ buf->f_files = min(buf->f_files, limit);

++ buf->f_ffree = min(buf->f_ffree, remaining);

+ }

+

+ spin_unlock(&dquot->dq_dqb_lock);

+--

+2.39.5

+

+From 51f707dabe335e675b05edcc20a1a0616175222a Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 2 May 2025 04:04:21 +0000

+Subject: fuse: fix race between concurrent setattrs from multiple nodes

+

+From: Guang Yuan Wu <gwu@ddn.com>

+

+[ Upstream commit 69efbff69f89c9b2b72c4d82ad8b59706add768a ]

+

+When mounting a user-space filesystem on multiple clients, after

+concurrent ->setattr() calls from different node, stale inode

+attributes may be cached in some node.

+

+This is caused by fuse_setattr() racing with

+fuse_reverse_inval_inode().

+

+When filesystem server receives setattr request, the client node

+with valid iattr cached will be required to update the fuse_inode's

+attr_version and invalidate the cache by fuse_reverse_inval_inode(),

+and at the next call to ->getattr() they will be fetched from user

+space.

+

+The race scenario is:

+1. client-1 sends setattr (iattr-1) request to server

+2. client-1 receives the reply from server

+3. before client-1 updates iattr-1 to the cached attributes by

+ fuse_change_attributes_common(), server receives another setattr

+ (iattr-2) request from client-2

+4. server requests client-1 to update the inode attr_version and

+ invalidate the cached iattr, and iattr-1 becomes staled

+5. client-2 receives the reply from server, and caches iattr-2

+6. continue with step 2, client-1 invokes

+ fuse_change_attributes_common(), and caches iattr-1

+

+The issue has been observed from concurrent of chmod, chown, or

+truncate, which all invoke ->setattr() call.

+

+The solution is to use fuse_inode's attr_version to check whether

+the attributes have been modified during the setattr request's

+lifetime. If so, mark the attributes as invalid in the function

+fuse_change_attributes_common().

+

+Signed-off-by: Guang Yuan Wu <gwu@ddn.com>

+Reviewed-by: Bernd Schubert <bschubert@ddn.com>

+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/fuse/dir.c | 11 +++++++++++

+ 1 file changed, 11 insertions(+)

+

+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c

+index 83ac192e7fdd1..fa90309030e21 100644

+--- a/fs/fuse/dir.c

++++ b/fs/fuse/dir.c

+@@ -1946,6 +1946,7 @@ int fuse_do_setattr(struct mnt_idmap *idmap, struct dentry *dentry,

+ int err;

+ bool trust_local_cmtime = is_wb;

+ bool fault_blocked = false;

++ u64 attr_version;

+

+ if (!fc->default_permissions)

+ attr->ia_valid |= ATTR_FORCE;

+@@ -2030,6 +2031,8 @@ int fuse_do_setattr(struct mnt_idmap *idmap, struct dentry *dentry,

+ if (fc->handle_killpriv_v2 && !capable(CAP_FSETID))

+ inarg.valid |= FATTR_KILL_SUIDGID;

+ }

++

++ attr_version = fuse_get_attr_version(fm->fc);

+ fuse_setattr_fill(fc, &args, inode, &inarg, &outarg);

+ err = fuse_simple_request(fm, &args);

+ if (err) {

+@@ -2055,6 +2058,14 @@ int fuse_do_setattr(struct mnt_idmap *idmap, struct dentry *dentry,

+ /* FIXME: clear I_DIRTY_SYNC? */

+ }

+

++ if (fi->attr_version > attr_version) {

++ /*

++ * Apply attributes, for example for fsnotify_change(), but set

++ * attribute timeout to zero.

++ */

++ outarg.attr_valid = outarg.attr_valid_nsec = 0;

++ }

++

+ fuse_change_attributes_common(inode, &outarg.attr, NULL,

+ ATTR_TIMEOUT(&outarg),

+ fuse_get_cache_mask(inode), 0);

+--

+2.39.5

+

+From d520e9108f4180c94d2b333d8dc8e8726cb0507e Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 19 May 2025 16:40:51 +0800

+Subject: hwmon: (isl28022) Fix current reading calculation

+

+From: Yikai Tsai <yikai.tsai.wiwynn@gmail.com>

+

+[ Upstream commit b2446a16dbf2347a07af0cf994ca36576d94df77 ]

+

+According to the ISL28022 datasheet, bit15 of the current register is

+representing -32768. Fix the calculation to properly handle this bit,

+ensuring correct measurements for negative values.

+

+Signed-off-by: Yikai Tsai <yikai.tsai.wiwynn@gmail.com>

+Link: https://lore.kernel.org/r/20250519084055.3787-2-yikai.tsai.wiwynn@gmail.com

+Signed-off-by: Guenter Roeck <linux@roeck-us.net>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/hwmon/isl28022.c | 6 ++++--

+ 1 file changed, 4 insertions(+), 2 deletions(-)

+

+diff --git a/drivers/hwmon/isl28022.c b/drivers/hwmon/isl28022.c

+index 1fb9864635db9..1b4fb0824d6c0 100644

+--- a/drivers/hwmon/isl28022.c

++++ b/drivers/hwmon/isl28022.c

+@@ -154,6 +154,7 @@ static int isl28022_read_current(struct device *dev, u32 attr, long *val)

+ struct isl28022_data *data = dev_get_drvdata(dev);

+ unsigned int regval;

+ int err;

++ u16 sign_bit;

+

+ switch (attr) {

+ case hwmon_curr_input:

+@@ -161,8 +162,9 @@ static int isl28022_read_current(struct device *dev, u32 attr, long *val)

+ ISL28022_REG_CURRENT, &regval);

+ if (err < 0)

+ return err;

+- *val = ((long)regval * 1250L * (long)data->gain) /

+- (long)data->shunt;

++ sign_bit = (regval >> 15) & 0x01;

++ *val = (((long)(((u16)regval) & 0x7FFF) - (sign_bit * 32768)) *

++ 1250L * (long)data->gain) / (long)data->shunt;

+ break;

+ default:

+ return -EOPNOTSUPP;

+--

+2.39.5

+

+From 2f23389a15b91a1cb9e9bd6a66c88e64d26067a7 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 7 Apr 2025 11:47:24 +0800

+Subject: hwmon: (pmbus/max34440) Fix support for max34451

+

+From: Alexis Czezar Torreno <alexisczezar.torreno@analog.com>

+

+[ Upstream commit 19932f844f3f51646f762f3eac4744ec3a405064 ]

+

+The max344** family has an issue with some PMBUS address being switched.

+This includes max34451 however version MAX34451-NA6 and later has this

+issue fixed and this commit supports that update.

+

+Signed-off-by: Alexis Czezar Torreno <alexisczezar.torreno@analog.com>

+Link: https://lore.kernel.org/r/20250407-dev_adpm12160-v3-1-9cd3095445c8@analog.com

+Signed-off-by: Guenter Roeck <linux@roeck-us.net>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/hwmon/pmbus/max34440.c | 48 +++++++++++++++++++++++++++++++---

+ 1 file changed, 44 insertions(+), 4 deletions(-)

+

+diff --git a/drivers/hwmon/pmbus/max34440.c b/drivers/hwmon/pmbus/max34440.c

+index c9dda33831ff2..d6d556b013853 100644

+--- a/drivers/hwmon/pmbus/max34440.c

++++ b/drivers/hwmon/pmbus/max34440.c

+@@ -34,16 +34,21 @@ enum chips { max34440, max34441, max34446, max34451, max34460, max34461 };

+ /*

+ * The whole max344* family have IOUT_OC_WARN_LIMIT and IOUT_OC_FAULT_LIMIT

+ * swapped from the standard pmbus spec addresses.

++ * For max34451, version MAX34451ETNA6+ and later has this issue fixed.

+ */

+ #define MAX34440_IOUT_OC_WARN_LIMIT 0x46

+ #define MAX34440_IOUT_OC_FAULT_LIMIT 0x4A

+

++#define MAX34451ETNA6_MFR_REV 0x0012

++

+ #define MAX34451_MFR_CHANNEL_CONFIG 0xe4

+ #define MAX34451_MFR_CHANNEL_CONFIG_SEL_MASK 0x3f

+

+ struct max34440_data {

+ int id;

+ struct pmbus_driver_info info;

++ u8 iout_oc_warn_limit;

++ u8 iout_oc_fault_limit;

+ };

+

+ #define to_max34440_data(x) container_of(x, struct max34440_data, info)

+@@ -60,11 +65,11 @@ static int max34440_read_word_data(struct i2c_client *client, int page,

+ switch (reg) {

+ case PMBUS_IOUT_OC_FAULT_LIMIT:

+ ret = pmbus_read_word_data(client, page, phase,

+- MAX34440_IOUT_OC_FAULT_LIMIT);

++ data->iout_oc_fault_limit);

+ break;

+ case PMBUS_IOUT_OC_WARN_LIMIT:

+ ret = pmbus_read_word_data(client, page, phase,

+- MAX34440_IOUT_OC_WARN_LIMIT);

++ data->iout_oc_warn_limit);

+ break;

+ case PMBUS_VIRT_READ_VOUT_MIN:

+ ret = pmbus_read_word_data(client, page, phase,

+@@ -133,11 +138,11 @@ static int max34440_write_word_data(struct i2c_client *client, int page,

+

+ switch (reg) {

+ case PMBUS_IOUT_OC_FAULT_LIMIT:

+- ret = pmbus_write_word_data(client, page, MAX34440_IOUT_OC_FAULT_LIMIT,

++ ret = pmbus_write_word_data(client, page, data->iout_oc_fault_limit,

+ word);

+ break;

+ case PMBUS_IOUT_OC_WARN_LIMIT:

+- ret = pmbus_write_word_data(client, page, MAX34440_IOUT_OC_WARN_LIMIT,

++ ret = pmbus_write_word_data(client, page, data->iout_oc_warn_limit,

+ word);

+ break;

+ case PMBUS_VIRT_RESET_POUT_HISTORY:

+@@ -235,6 +240,25 @@ static int max34451_set_supported_funcs(struct i2c_client *client,

+ */

+

+ int page, rv;

++ bool max34451_na6 = false;

++

++ rv = i2c_smbus_read_word_data(client, PMBUS_MFR_REVISION);

++ if (rv < 0)

++ return rv;

++

++ if (rv >= MAX34451ETNA6_MFR_REV) {

++ max34451_na6 = true;

++ data->info.format[PSC_VOLTAGE_IN] = direct;

++ data->info.format[PSC_CURRENT_IN] = direct;

++ data->info.m[PSC_VOLTAGE_IN] = 1;

++ data->info.b[PSC_VOLTAGE_IN] = 0;

++ data->info.R[PSC_VOLTAGE_IN] = 3;

++ data->info.m[PSC_CURRENT_IN] = 1;

++ data->info.b[PSC_CURRENT_IN] = 0;

++ data->info.R[PSC_CURRENT_IN] = 2;

++ data->iout_oc_fault_limit = PMBUS_IOUT_OC_FAULT_LIMIT;

++ data->iout_oc_warn_limit = PMBUS_IOUT_OC_WARN_LIMIT;

++ }

+

+ for (page = 0; page < 16; page++) {

+ rv = i2c_smbus_write_byte_data(client, PMBUS_PAGE, page);

+@@ -251,16 +275,30 @@ static int max34451_set_supported_funcs(struct i2c_client *client,

+ case 0x20:

+ data->info.func[page] = PMBUS_HAVE_VOUT |

+ PMBUS_HAVE_STATUS_VOUT;

++

++ if (max34451_na6)

++ data->info.func[page] |= PMBUS_HAVE_VIN |

++ PMBUS_HAVE_STATUS_INPUT;

+ break;

+ case 0x21:

+ data->info.func[page] = PMBUS_HAVE_VOUT;

++

++ if (max34451_na6)

++ data->info.func[page] |= PMBUS_HAVE_VIN;

+ break;

+ case 0x22:

+ data->info.func[page] = PMBUS_HAVE_IOUT |

+ PMBUS_HAVE_STATUS_IOUT;

++

++ if (max34451_na6)

++ data->info.func[page] |= PMBUS_HAVE_IIN |

++ PMBUS_HAVE_STATUS_INPUT;

+ break;

+ case 0x23:

+ data->info.func[page] = PMBUS_HAVE_IOUT;

++

++ if (max34451_na6)

++ data->info.func[page] |= PMBUS_HAVE_IIN;

+ break;

+ default:

+ break;

+@@ -494,6 +532,8 @@ static int max34440_probe(struct i2c_client *client)

+ return -ENOMEM;

+ data->id = i2c_match_id(max34440_id, client)->driver_data;

+ data->info = max34440_info[data->id];

++ data->iout_oc_fault_limit = MAX34440_IOUT_OC_FAULT_LIMIT;

++ data->iout_oc_warn_limit = MAX34440_IOUT_OC_WARN_LIMIT;

+

+ if (data->id == max34451) {

+ rv = max34451_set_supported_funcs(client, data);

+--

+2.39.5

+

+From 686f464e2f0822c17ccffb41f0919f47d1d29a8f Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 18 Mar 2025 17:52:10 -0500

+Subject: iio: adc: ad7606_spi: check error in ad7606B_sw_mode_config()

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: David Lechner <dlechner@baylibre.com>

+

+[ Upstream commit 4d71bf6021818a039a534c5954acefdfc4d6962c ]

+

+Add missing error check in ad7606B_sw_mode_config().

+

+Reviewed-by: Nuno Sá <nuno.sa@analog.com>

+Signed-off-by: David Lechner <dlechner@baylibre.com>

+Link: https://patch.msgid.link/20250318-iio-adc-ad7606-improvements-v2-2-4b605427774c@baylibre.com

+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/iio/adc/ad7606_spi.c | 8 +++++---

+ 1 file changed, 5 insertions(+), 3 deletions(-)

+

+diff --git a/drivers/iio/adc/ad7606_spi.c b/drivers/iio/adc/ad7606_spi.c

+index b37458ce3c708..5553a44ff83bc 100644

+--- a/drivers/iio/adc/ad7606_spi.c

++++ b/drivers/iio/adc/ad7606_spi.c

+@@ -174,11 +174,13 @@ static int ad7616_sw_mode_config(struct iio_dev *indio_dev)

+ static int ad7606B_sw_mode_config(struct iio_dev *indio_dev)

+ {

+ struct ad7606_state *st = iio_priv(indio_dev);

++ int ret;

+

+ /* Configure device spi to output on a single channel */

+- st->bops->reg_write(st,

+- AD7606_CONFIGURATION_REGISTER,

+- AD7606_SINGLE_DOUT);

++ ret = st->bops->reg_write(st, AD7606_CONFIGURATION_REGISTER,

++ AD7606_SINGLE_DOUT);

++ if (ret)

++ return ret;

+

+ /*

+ * Scale can be configured individually for each channel

+--

+2.39.5

+

+From 6ed74dad3cd71cba939d5c1f0fa405267ffee216 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 10 Apr 2025 22:34:08 +0530

+Subject: iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos

+

+From: Purva Yeshi <purvayeshi550@gmail.com>

+

+[ Upstream commit e5cdb098a3cb165d52282ffc3a6448642953ea13 ]

+

+Fix Smatch-detected issue:

+drivers/iio/adc/ad_sigma_delta.c:604 ad_sd_trigger_handler() error:

+uninitialized symbol 'status_pos'.

+

+The variable `status_pos` was only initialized in specific switch cases

+(1, 2, 3, 4), which could leave it uninitialized if `reg_size` had an

+unexpected value.

+

+Fix by adding a default case to the switch block to catch unexpected

+values of `reg_size`. Use `dev_err_ratelimited()` for error logging and

+`goto irq_handled` instead of returning early.

+

+Signed-off-by: Purva Yeshi <purvayeshi550@gmail.com>

+Link: https://patch.msgid.link/20250410170408.8585-1-purvayeshi550@gmail.com

+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/iio/adc/ad_sigma_delta.c | 4 ++++

+ 1 file changed, 4 insertions(+)

+

+diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c

+index 6c37f8e21120b..4c5f8d29a559f 100644

+--- a/drivers/iio/adc/ad_sigma_delta.c

++++ b/drivers/iio/adc/ad_sigma_delta.c

+@@ -587,6 +587,10 @@ static irqreturn_t ad_sd_trigger_handler(int irq, void *p)

+ * byte set to zero. */

+ ad_sd_read_reg_raw(sigma_delta, data_reg, transfer_size, &data[1]);

+ break;

++

++ default:

++ dev_err_ratelimited(&indio_dev->dev, "Unsupported reg_size: %u\n", reg_size);

++ goto irq_handled;

+ }

+

+ /*

+--

+2.39.5

+

+From 7526149d2e7f0003f772ce070609ee2fe194d398 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 9 Apr 2025 20:36:28 +0200

+Subject: iio: dac: adi-axi-dac: add cntrl chan check

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Angelo Dureghello <adureghello@baylibre.com>

+

+[ Upstream commit 029035636de37395124a602c830152ef39a35fab ]

+

+Add validity check on CNTRL_X channels (valid as 0 to 15).

+

+Reviewed-by: Nuno Sá <nuno.sa@analog.com>

+Signed-off-by: Angelo Dureghello <adureghello@baylibre.com>

+Link: https://patch.msgid.link/20250409-wip-bl-ad3552r-fixes-v5-1-fb429c3a6515@baylibre.com

+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/iio/dac/adi-axi-dac.c | 24 ++++++++++++++++++++++++

+ 1 file changed, 24 insertions(+)

+

+diff --git a/drivers/iio/dac/adi-axi-dac.c b/drivers/iio/dac/adi-axi-dac.c

+index 05b374e137d35..fd93ed3132835 100644

+--- a/drivers/iio/dac/adi-axi-dac.c

++++ b/drivers/iio/dac/adi-axi-dac.c

+@@ -84,6 +84,7 @@

+ #define AXI_DAC_CHAN_CNTRL_7_REG(c) (0x0418 + (c) * 0x40)

+ #define AXI_DAC_CHAN_CNTRL_7_DATA_SEL GENMASK(3, 0)

+

++#define AXI_DAC_CHAN_CNTRL_MAX 15

+ #define AXI_DAC_RD_ADDR(x) (BIT(7) | (x))

+

+ /* 360 degrees in rad */

+@@ -186,6 +187,9 @@ static int __axi_dac_frequency_get(struct axi_dac_state *st, unsigned int chan,

+ u32 reg, raw;

+ int ret;

+

++ if (chan > AXI_DAC_CHAN_CNTRL_MAX)

++ return -EINVAL;

++

+ if (!st->dac_clk) {

+ dev_err(st->dev, "Sampling rate is 0...\n");

+ return -EINVAL;

+@@ -230,6 +234,9 @@ static int axi_dac_scale_get(struct axi_dac_state *st,

+ int ret, vals[2];

+ u32 reg, raw;

+

++ if (chan->channel > AXI_DAC_CHAN_CNTRL_MAX)

++ return -EINVAL;

++

+ if (tone_2)

+ reg = AXI_DAC_CHAN_CNTRL_3_REG(chan->channel);

+ else

+@@ -264,6 +271,9 @@ static int axi_dac_phase_get(struct axi_dac_state *st,

+ u32 reg, raw, phase;

+ int ret, vals[2];

+

++ if (chan->channel > AXI_DAC_CHAN_CNTRL_MAX)

++ return -EINVAL;

++

+ if (tone_2)

+ reg = AXI_DAC_CHAN_CNTRL_4_REG(chan->channel);

+ else

+@@ -291,6 +301,9 @@ static int __axi_dac_frequency_set(struct axi_dac_state *st, unsigned int chan,

+ u16 raw;

+ int ret;

+

++ if (chan > AXI_DAC_CHAN_CNTRL_MAX)

++ return -EINVAL;

++

+ if (!sample_rate || freq > sample_rate / 2) {

+ dev_err(st->dev, "Invalid frequency(%u) dac_clk(%llu)\n",

+ freq, sample_rate);

+@@ -342,6 +355,9 @@ static int axi_dac_scale_set(struct axi_dac_state *st,

+ u32 raw = 0, reg;

+ int ret;

+

++ if (chan->channel > AXI_DAC_CHAN_CNTRL_MAX)

++ return -EINVAL;

++

+ ret = iio_str_to_fixpoint(buf, 100000, &integer, &frac);

+ if (ret)

+ return ret;

+@@ -385,6 +401,9 @@ static int axi_dac_phase_set(struct axi_dac_state *st,

+ u32 raw, reg;

+ int ret;

+

++ if (chan->channel > AXI_DAC_CHAN_CNTRL_MAX)

++ return -EINVAL;

++

+ ret = iio_str_to_fixpoint(buf, 100000, &integer, &frac);

+ if (ret)

+ return ret;

+@@ -493,6 +512,9 @@ static int axi_dac_data_source_set(struct iio_backend *back, unsigned int chan,

+ {

+ struct axi_dac_state *st = iio_backend_get_priv(back);

+

++ if (chan > AXI_DAC_CHAN_CNTRL_MAX)

++ return -EINVAL;

++

+ switch (data) {

+ case IIO_BACKEND_INTERNAL_CONTINUOUS_WAVE:

+ return regmap_update_bits(st->regmap,

+@@ -521,6 +543,8 @@ static int axi_dac_set_sample_rate(struct iio_backend *back, unsigned int chan,

+ unsigned int freq;

+ int ret, tone;

+

++ if (chan > AXI_DAC_CHAN_CNTRL_MAX)

++ return -EINVAL;

+ if (!sample_rate)

+ return -EINVAL;

+ if (st->reg_config & AXI_DAC_CONFIG_DDS_DISABLE)

+--

+2.39.5

+

+From 42c9f481c58e7fcc41639f0b05abeb5ef2d4c7f2 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 17 Mar 2025 09:36:34 +0800

+Subject: iio: hid-sensor-prox: Add support for 16-bit report size

+

+From: Zhang Lixu <lixu.zhang@intel.com>

+

+[ Upstream commit ad02ca57e44e9936fca5095840fad9d4b47c5559 ]

+

+On Intel platforms, the HID_USAGE_SENSOR_HUMAN_PROXIMITY report size is 16

+bits. This patch adds support for handling 16-bit report sizes for the

+HID_USAGE_SENSOR_HUMAN_PROXIMITY usage in the HID sensor proximity driver.

+

+Previously, the driver only supported 8-bit and 32-bit report sizes. With

+this change, the driver can now correctly process 16-bit proximity data,

+ensuring accurate human presence detection on platforms where this report

+size is used.

+

+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>

+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>

+Link: https://patch.msgid.link/20250317013634.4117399-1-lixu.zhang@intel.com

+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/iio/light/hid-sensor-prox.c | 3 +++

+ 1 file changed, 3 insertions(+)

+

+diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c

+index 4c65b32d34ce4..46f788b0bc3e2 100644

+--- a/drivers/iio/light/hid-sensor-prox.c

++++ b/drivers/iio/light/hid-sensor-prox.c

+@@ -215,6 +215,9 @@ static int prox_capture_sample(struct hid_sensor_hub_device *hsdev,

+ case 1:

+ prox_state->human_presence[chan] = *(u8 *)raw_data * multiplier;

+ return 0;

++ case 2:

++ prox_state->human_presence[chan] = *(u16 *)raw_data * multiplier;

++ return 0;

+ case 4:

+ prox_state->human_presence[chan] = *(u32 *)raw_data * multiplier;

+ return 0;

+--

+2.39.5

+

+From e29de0a9ccacac93dd09a4eb370748a1c34ad187 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 2 Apr 2025 21:33:25 +0200

+Subject: iio: light: al3000a: Fix an error handling path in al3000a_probe()

+

+From: David Heidelberg <david@ixit.cz>

+

+[ Upstream commit c0461f8e842495041c18b2c67647501d55c17441 ]

+

+If regmap_write() fails in al3000a_init(), al3000a_set_pwr_off is

+not called.

+

+In order to avoid such a situation, move the devm_add_action_or_reset()

+which calls al3000a_set_pwr_off right after a successful

+al3000a_set_pwr_on.

+

+Signed-off-by: David Heidelberg <david@ixit.cz>

+Link: https://patch.msgid.link/20250402-al3010-iio-regmap-v4-2-d189bea87261@ixit.cz

+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/iio/light/al3000a.c | 9 +++++----

+ 1 file changed, 5 insertions(+), 4 deletions(-)

+

+diff --git a/drivers/iio/light/al3000a.c b/drivers/iio/light/al3000a.c

+index e2fbb1270040f..6d5115b2a06c5 100644

+--- a/drivers/iio/light/al3000a.c

++++ b/drivers/iio/light/al3000a.c

+@@ -85,12 +85,17 @@ static void al3000a_set_pwr_off(void *_data)

+

+ static int al3000a_init(struct al3000a_data *data)

+ {

++ struct device *dev = regmap_get_device(data->regmap);

+ int ret;

+

+ ret = al3000a_set_pwr_on(data);

+ if (ret)

+ return ret;

+

++ ret = devm_add_action_or_reset(dev, al3000a_set_pwr_off, data);

++ if (ret)

++ return dev_err_probe(dev, ret, "failed to add action\n");

++

+ ret = regmap_write(data->regmap, AL3000A_REG_SYSTEM, AL3000A_CONFIG_RESET);

+ if (ret)

+ return ret;

+@@ -157,10 +162,6 @@ static int al3000a_probe(struct i2c_client *client)

+ if (ret)

+ return dev_err_probe(dev, ret, "failed to init ALS\n");

+

+- ret = devm_add_action_or_reset(dev, al3000a_set_pwr_off, data);

+- if (ret)

+- return dev_err_probe(dev, ret, "failed to add action\n");

+-

+ return devm_iio_device_register(dev, indio_dev);

+ }

+

+--

+2.39.5

+

+From 575a270ba739e7ec07d0b939574fcbd2ed6f244e Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sun, 13 Apr 2025 11:34:41 +0100

+Subject: iio: pressure: zpa2326: Use aligned_s64 for the timestamp

+

+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

+

+[ Upstream commit 886a446b76afddfad307488e95e87f23a08ffd51 ]

+

+On x86_32 s64 fields are only 32-bit aligned. Hence force the alignment of

+the field and padding in the structure by using aligned_s64 instead.

+

+Reviewed-by: David Lechner <dlechner@baylibre.com>

+Link: https://patch.msgid.link/20250413103443.2420727-19-jic23@kernel.org

+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/iio/pressure/zpa2326.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/drivers/iio/pressure/zpa2326.c b/drivers/iio/pressure/zpa2326.c

+index 9db1c94dfc188..b2e04368532a0 100644

+--- a/drivers/iio/pressure/zpa2326.c

++++ b/drivers/iio/pressure/zpa2326.c

+@@ -582,7 +582,7 @@ static int zpa2326_fill_sample_buffer(struct iio_dev *indio_dev,

+ struct {

+ u32 pressure;

+ u16 temperature;

+- u64 timestamp;

++ aligned_s64 timestamp;

+ } sample;

+ int err;

+

+--

+2.39.5

+

+From 60da997053295181d2200bced7eb0182d1f5ffcc Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 27 May 2025 18:07:33 +0100

+Subject: io_uring/zcrx: fix area release on registration failure

+

+From: Pavel Begunkov <asml.silence@gmail.com>

+

+[ Upstream commit 0ec33c81d9c7342f03864101ddb2e717a0cce03e ]

+

+On area registration failure there might be no ifq set and it's not safe

+to access area->ifq in the release path without checking it first.

+

+Cc: stable@vger.kernel.org

+Fixes: f12ecf5e1c5ec ("io_uring/zcrx: fix late dma unmap for a dead dev")

+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>

+Link: https://lore.kernel.org/r/bc02878678a5fec28bc77d33355cdba735418484.1748365640.git.asml.silence@gmail.com

+Signed-off-by: Jens Axboe <axboe@kernel.dk>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ io_uring/zcrx.c | 3 ++-

+ 1 file changed, 2 insertions(+), 1 deletion(-)

+

+diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c

+index 7214236c14882..a53058dd6b7a1 100644

+--- a/io_uring/zcrx.c

++++ b/io_uring/zcrx.c

+@@ -222,7 +222,8 @@ static void io_free_rbuf_ring(struct io_zcrx_ifq *ifq)

+

+ static void io_zcrx_free_area(struct io_zcrx_area *area)

+ {

+- io_zcrx_unmap_area(area->ifq, area);

++ if (area->ifq)

++ io_zcrx_unmap_area(area->ifq, area);

+ io_release_area_mem(&area->mem);

+

+ kvfree(area->freelist);

+--

+2.39.5

+

+From 01bf24ba051bc30dd3e31caa00c32e6a2d074b32 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 1 May 2025 13:17:14 +0100

+Subject: io_uring/zcrx: improve area validation

+

+From: Pavel Begunkov <asml.silence@gmail.com>

+

+[ Upstream commit d760d3f59f0d8d0df2895db30d36cf23106d6b05 ]

+

+dmabuf backed area will be taking an offset instead of addresses, and

+io_buffer_validate() is not flexible enough to facilitate it. It also

+takes an iovec, which may truncate the u64 length zcrx takes. Add a new

+helper function for validation.

+

+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>

+Link: https://lore.kernel.org/r/0b3b735391a0a8f8971bf0121c19765131fddd3b.1746097431.git.asml.silence@gmail.com

+Signed-off-by: Jens Axboe <axboe@kernel.dk>

+Stable-dep-of: 0ec33c81d9c7 ("io_uring/zcrx: fix area release on registration failure")

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ io_uring/rsrc.c | 27 +++++++++++++++------------

+ io_uring/rsrc.h | 2 +-

+ io_uring/zcrx.c | 7 +++----

+ 3 files changed, 19 insertions(+), 17 deletions(-)

+

+diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c

+index 794d4ae6f0bc8..6d61683223870 100644

+--- a/io_uring/rsrc.c

++++ b/io_uring/rsrc.c

+@@ -80,10 +80,21 @@ static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)

+ return 0;

+ }

+

+-int io_buffer_validate(struct iovec *iov)

++int io_validate_user_buf_range(u64 uaddr, u64 ulen)

+ {

+- unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);

++ unsigned long tmp, base = (unsigned long)uaddr;

++ unsigned long acct_len = (unsigned long)PAGE_ALIGN(ulen);

+

++ /* arbitrary limit, but we need something */

++ if (ulen > SZ_1G || !ulen)

++ return -EFAULT;

++ if (check_add_overflow(base, acct_len, &tmp))

++ return -EOVERFLOW;

++ return 0;

++}

++

++static int io_buffer_validate(struct iovec *iov)

++{

+ /*

+ * Don't impose further limits on the size and buffer

+ * constraints here, we'll -EINVAL later when IO is

+@@ -91,17 +102,9 @@ int io_buffer_validate(struct iovec *iov)

+ */

+ if (!iov->iov_base)

+ return iov->iov_len ? -EFAULT : 0;

+- if (!iov->iov_len)

+- return -EFAULT;

+-

+- /* arbitrary limit, but we need something */

+- if (iov->iov_len > SZ_1G)

+- return -EFAULT;

+

+- if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))

+- return -EOVERFLOW;

+-

+- return 0;

++ return io_validate_user_buf_range((unsigned long)iov->iov_base,

++ iov->iov_len);

+ }

+

+ static void io_release_ubuf(void *priv)

+diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h

+index b52242852ff34..4373524f993c7 100644

+--- a/io_uring/rsrc.h

++++ b/io_uring/rsrc.h

+@@ -83,7 +83,7 @@ int io_register_rsrc_update(struct io_ring_ctx *ctx, void __user *arg,

+ unsigned size, unsigned type);

+ int io_register_rsrc(struct io_ring_ctx *ctx, void __user *arg,

+ unsigned int size, unsigned int type);

+-int io_buffer_validate(struct iovec *iov);

++int io_validate_user_buf_range(u64 uaddr, u64 ulen);

+

+ bool io_check_coalesce_buffer(struct page **page_array, int nr_pages,

+ struct io_imu_folio_data *data);

+diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c

+index ecb59182d9b2c..0771a57d81a5b 100644

+--- a/io_uring/zcrx.c

++++ b/io_uring/zcrx.c

+@@ -205,7 +205,6 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,

+ {

+ struct io_zcrx_area *area;

+ int i, ret, nr_pages, nr_iovs;

+- struct iovec iov;

+

+ if (area_reg->flags || area_reg->rq_area_token)

+ return -EINVAL;

+@@ -214,11 +213,11 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,

+ if (area_reg->addr & ~PAGE_MASK || area_reg->len & ~PAGE_MASK)

+ return -EINVAL;

+

+- iov.iov_base = u64_to_user_ptr(area_reg->addr);

+- iov.iov_len = area_reg->len;

+- ret = io_buffer_validate(&iov);

++ ret = io_validate_user_buf_range(area_reg->addr, area_reg->len);

+ if (ret)

+ return ret;

++ if (!area_reg->addr)

++ return -EFAULT;

+

+ ret = -ENOMEM;

+ area = kzalloc(sizeof(*area), GFP_KERNEL);

+--

+2.39.5

+

+From 24b25ba877fdfc1b7ff5a1cbcd23a076c27332d1 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sun, 20 Apr 2025 10:31:16 +0100

+Subject: io_uring/zcrx: move io_zcrx_iov_page

+

+From: Pavel Begunkov <asml.silence@gmail.com>

+

+[ Upstream commit a79154ae5df9e21dbacb1eb77fad984fd4c45cca ]

+

+We'll need io_zcrx_iov_page at the top to keep offset calculations

+closer together, move it there.

+

+Reviewed-by: David Wei <dw@davidwei.uk>

+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>

+Link: https://lore.kernel.org/r/575617033a8b84a5985c7eb760b7121efdbe7e56.1745141261.git.asml.silence@gmail.com

+Signed-off-by: Jens Axboe <axboe@kernel.dk>

+Stable-dep-of: 0ec33c81d9c7 ("io_uring/zcrx: fix area release on registration failure")

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ io_uring/zcrx.c | 28 ++++++++++++++--------------

+ 1 file changed, 14 insertions(+), 14 deletions(-)

+

+diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c

+index fe86606b9f304..ecb59182d9b2c 100644

+--- a/io_uring/zcrx.c

++++ b/io_uring/zcrx.c

+@@ -31,6 +31,20 @@ static inline struct io_zcrx_ifq *io_pp_to_ifq(struct page_pool *pp)

+ return pp->mp_priv;

+ }

+

++static inline struct io_zcrx_area *io_zcrx_iov_to_area(const struct net_iov *niov)

++{

++ struct net_iov_area *owner = net_iov_owner(niov);

++

++ return container_of(owner, struct io_zcrx_area, nia);

++}

++

++static inline struct page *io_zcrx_iov_page(const struct net_iov *niov)

++{

++ struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);

++

++ return area->pages[net_iov_idx(niov)];

++}

++

+ #define IO_DMA_ATTR (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING)

+

+ static void __io_zcrx_unmap_area(struct io_zcrx_ifq *ifq,

+@@ -118,13 +132,6 @@ struct io_zcrx_args {

+

+ static const struct memory_provider_ops io_uring_pp_zc_ops;

+

+-static inline struct io_zcrx_area *io_zcrx_iov_to_area(const struct net_iov *niov)

+-{

+- struct net_iov_area *owner = net_iov_owner(niov);

+-

+- return container_of(owner, struct io_zcrx_area, nia);

+-}

+-

+ static inline atomic_t *io_get_user_counter(struct net_iov *niov)

+ {

+ struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);

+@@ -147,13 +154,6 @@ static void io_zcrx_get_niov_uref(struct net_iov *niov)

+ atomic_inc(io_get_user_counter(niov));

+ }

+

+-static inline struct page *io_zcrx_iov_page(const struct net_iov *niov)

+-{

+- struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);

+-

+- return area->pages[net_iov_idx(niov)];

+-}

+-

+ static int io_allocate_rbuf_ring(struct io_zcrx_ifq *ifq,

+ struct io_uring_zcrx_ifq_reg *reg,

+ struct io_uring_region_desc *rd)

+--

+2.39.5

+

+From 0a1ec2cbc56734baff8c0d8b68fee11aa7a729e8 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 1 May 2025 13:17:16 +0100

+Subject: io_uring/zcrx: split out memory holders from area

+

+From: Pavel Begunkov <asml.silence@gmail.com>

+

+[ Upstream commit 782dfa329ac9d1b5ca7b6df56a7696bac58cb829 ]

+

+In the data path users of struct io_zcrx_area don't need to know what

+kind of memory it's backed by. Only keep there generic bits in there and

+and split out memory type dependent fields into a new structure. It also

+logically separates the step that actually imports the memory, e.g.

+pinning user pages, from the generic area initialisation.

+

+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>

+Link: https://lore.kernel.org/r/b60fc09c76921bf69e77eb17e07eb4decedb3bf4.1746097431.git.asml.silence@gmail.com

+Signed-off-by: Jens Axboe <axboe@kernel.dk>

+Stable-dep-of: 0ec33c81d9c7 ("io_uring/zcrx: fix area release on registration failure")

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ io_uring/zcrx.c | 71 ++++++++++++++++++++++++++++++++-----------------

+ io_uring/zcrx.h | 11 ++++++--

+ 2 files changed, 56 insertions(+), 26 deletions(-)

+

+diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c

+index 0771a57d81a5b..7214236c14882 100644

+--- a/io_uring/zcrx.c

++++ b/io_uring/zcrx.c

+@@ -26,6 +26,8 @@

+ #include "zcrx.h"

+ #include "rsrc.h"

+

++#define IO_DMA_ATTR (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING)

++

+ static inline struct io_zcrx_ifq *io_pp_to_ifq(struct page_pool *pp)

+ {

+ return pp->mp_priv;

+@@ -42,10 +44,43 @@ static inline struct page *io_zcrx_iov_page(const struct net_iov *niov)

+ {

+ struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);

+

+- return area->pages[net_iov_idx(niov)];

++ return area->mem.pages[net_iov_idx(niov)];

+ }

+

+-#define IO_DMA_ATTR (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING)

++static void io_release_area_mem(struct io_zcrx_mem *mem)

++{

++ if (mem->pages) {

++ unpin_user_pages(mem->pages, mem->nr_folios);

++ kvfree(mem->pages);

++ }

++}

++

++static int io_import_area(struct io_zcrx_ifq *ifq,

++ struct io_zcrx_mem *mem,

++ struct io_uring_zcrx_area_reg *area_reg)

++{

++ struct page **pages;

++ int nr_pages;

++ int ret;

++

++ ret = io_validate_user_buf_range(area_reg->addr, area_reg->len);

++ if (ret)

++ return ret;

++ if (!area_reg->addr)

++ return -EFAULT;

++ if (area_reg->addr & ~PAGE_MASK || area_reg->len & ~PAGE_MASK)

++ return -EINVAL;

++

++ pages = io_pin_pages((unsigned long)area_reg->addr, area_reg->len,

++ &nr_pages);

++ if (IS_ERR(pages))

++ return PTR_ERR(pages);

++

++ mem->pages = pages;

++ mem->nr_folios = nr_pages;

++ mem->size = area_reg->len;

++ return 0;

++}

+

+ static void __io_zcrx_unmap_area(struct io_zcrx_ifq *ifq,

+ struct io_zcrx_area *area, int nr_mapped)

+@@ -84,8 +119,8 @@ static int io_zcrx_map_area(struct io_zcrx_ifq *ifq, struct io_zcrx_area *area)

+ struct net_iov *niov = &area->nia.niovs[i];

+ dma_addr_t dma;

+

+- dma = dma_map_page_attrs(ifq->dev, area->pages[i], 0, PAGE_SIZE,

+- DMA_FROM_DEVICE, IO_DMA_ATTR);

++ dma = dma_map_page_attrs(ifq->dev, area->mem.pages[i], 0,

++ PAGE_SIZE, DMA_FROM_DEVICE, IO_DMA_ATTR);

+ if (dma_mapping_error(ifq->dev, dma))

+ break;

+ if (net_mp_niov_set_dma_addr(niov, dma)) {

+@@ -188,14 +223,11 @@ static void io_free_rbuf_ring(struct io_zcrx_ifq *ifq)

+ static void io_zcrx_free_area(struct io_zcrx_area *area)

+ {

+ io_zcrx_unmap_area(area->ifq, area);

++ io_release_area_mem(&area->mem);

+

+ kvfree(area->freelist);

+ kvfree(area->nia.niovs);

+ kvfree(area->user_refs);

+- if (area->pages) {

+- unpin_user_pages(area->pages, area->nr_folios);

+- kvfree(area->pages);

+- }

+ kfree(area);

+ }

+

+@@ -204,36 +236,27 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,

+ struct io_uring_zcrx_area_reg *area_reg)

+ {

+ struct io_zcrx_area *area;

+- int i, ret, nr_pages, nr_iovs;

++ unsigned nr_iovs;

++ int i, ret;

+

+ if (area_reg->flags || area_reg->rq_area_token)

+ return -EINVAL;

+ if (area_reg->__resv1 || area_reg->__resv2[0] || area_reg->__resv2[1])

+ return -EINVAL;

+- if (area_reg->addr & ~PAGE_MASK || area_reg->len & ~PAGE_MASK)

+- return -EINVAL;

+-

+- ret = io_validate_user_buf_range(area_reg->addr, area_reg->len);

+- if (ret)

+- return ret;

+- if (!area_reg->addr)

+- return -EFAULT;

+

+ ret = -ENOMEM;

+ area = kzalloc(sizeof(*area), GFP_KERNEL);

+ if (!area)

+ goto err;

+

+- area->pages = io_pin_pages((unsigned long)area_reg->addr, area_reg->len,

+- &nr_pages);

+- if (IS_ERR(area->pages)) {

+- ret = PTR_ERR(area->pages);

+- area->pages = NULL;

++ ret = io_import_area(ifq, &area->mem, area_reg);

++ if (ret)

+ goto err;

+- }

+- area->nr_folios = nr_iovs = nr_pages;

++

++ nr_iovs = area->mem.size >> PAGE_SHIFT;

+ area->nia.num_niovs = nr_iovs;

+

++ ret = -ENOMEM;

+ area->nia.niovs = kvmalloc_array(nr_iovs, sizeof(area->nia.niovs[0]),

+ GFP_KERNEL | __GFP_ZERO);

+ if (!area->nia.niovs)

+diff --git a/io_uring/zcrx.h b/io_uring/zcrx.h

+index f2bc811f022c6..64796c90851e1 100644

+--- a/io_uring/zcrx.h

++++ b/io_uring/zcrx.h

+@@ -7,6 +7,13 @@

+ #include <net/page_pool/types.h>

+ #include <net/net_trackers.h>

+

++struct io_zcrx_mem {

++ unsigned long size;

++

++ struct page **pages;

++ unsigned long nr_folios;

++};

++

+ struct io_zcrx_area {

+ struct net_iov_area nia;

+ struct io_zcrx_ifq *ifq;

+@@ -14,13 +21,13 @@ struct io_zcrx_area {

+

+ bool is_mapped;

+ u16 area_id;

+- struct page **pages;

+- unsigned long nr_folios;

+

+ /* freelist */

+ spinlock_t freelist_lock ____cacheline_aligned_in_smp;

+ u32 free_count;

+ u32 *freelist;

++

++ struct io_zcrx_mem mem;

+ };

+

+ struct io_zcrx_ifq {

+--

+2.39.5

+

+From bf5ceb52c04fb1f399674afe9a9c047471ad41b6 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 27 May 2025 11:23:01 +0900

+Subject: ksmbd: allow a filename to contain special characters on SMB3.1.1

+ posix extension

+

+From: Namjae Jeon <linkinjeon@kernel.org>

+

+[ Upstream commit dc3e0f17f74558e8a2fce00608855f050de10230 ]

+

+If client send SMB2_CREATE_POSIX_CONTEXT to ksmbd, Allow a filename

+to contain special characters.

+

+Reported-by: Philipp Kerling <pkerling@casix.org>

+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

+Signed-off-by: Steve French <stfrench@microsoft.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/smb/server/smb2pdu.c | 53 +++++++++++++++++++++--------------------

+ 1 file changed, 27 insertions(+), 26 deletions(-)

+

+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c

+index c6b990c93bfa7..a9f9426e91acb 100644

+--- a/fs/smb/server/smb2pdu.c

++++ b/fs/smb/server/smb2pdu.c

+@@ -2875,7 +2875,7 @@ int smb2_open(struct ksmbd_work *work)

+ int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0;

+ int rc = 0;

+ int contxt_cnt = 0, query_disk_id = 0;

+- int maximal_access_ctxt = 0, posix_ctxt = 0;

++ bool maximal_access_ctxt = false, posix_ctxt = false;

+ int s_type = 0;

+ int next_off = 0;

+ char *name = NULL;

+@@ -2904,6 +2904,27 @@ int smb2_open(struct ksmbd_work *work)

+ return create_smb2_pipe(work);

+ }

+

++ if (req->CreateContextsOffset && tcon->posix_extensions) {

++ context = smb2_find_context_vals(req, SMB2_CREATE_TAG_POSIX, 16);

++ if (IS_ERR(context)) {

++ rc = PTR_ERR(context);

++ goto err_out2;

++ } else if (context) {

++ struct create_posix *posix = (struct create_posix *)context;

++

++ if (le16_to_cpu(context->DataOffset) +

++ le32_to_cpu(context->DataLength) <

++ sizeof(struct create_posix) - 4) {

++ rc = -EINVAL;

++ goto err_out2;

++ }

++ ksmbd_debug(SMB, "get posix context\n");

++

++ posix_mode = le32_to_cpu(posix->Mode);

++ posix_ctxt = true;

++ }

++ }

++

+ if (req->NameLength) {

+ name = smb2_get_name((char *)req + le16_to_cpu(req->NameOffset),

+ le16_to_cpu(req->NameLength),

+@@ -2926,9 +2947,11 @@ int smb2_open(struct ksmbd_work *work)

+ goto err_out2;

+ }

+

+- rc = ksmbd_validate_filename(name);

+- if (rc < 0)

+- goto err_out2;

++ if (posix_ctxt == false) {

++ rc = ksmbd_validate_filename(name);

++ if (rc < 0)

++ goto err_out2;

++ }

+

+ if (ksmbd_share_veto_filename(share, name)) {

+ rc = -ENOENT;

+@@ -3086,28 +3109,6 @@ int smb2_open(struct ksmbd_work *work)

+ rc = -EBADF;

+ goto err_out2;

+ }

+-

+- if (tcon->posix_extensions) {

+- context = smb2_find_context_vals(req,

+- SMB2_CREATE_TAG_POSIX, 16);

+- if (IS_ERR(context)) {

+- rc = PTR_ERR(context);

+- goto err_out2;

+- } else if (context) {

+- struct create_posix *posix =

+- (struct create_posix *)context;

+- if (le16_to_cpu(context->DataOffset) +

+- le32_to_cpu(context->DataLength) <

+- sizeof(struct create_posix) - 4) {

+- rc = -EINVAL;

+- goto err_out2;

+- }

+- ksmbd_debug(SMB, "get posix context\n");

+-

+- posix_mode = le32_to_cpu(posix->Mode);

+- posix_ctxt = 1;

+- }

+- }

+ }

+

+ if (ksmbd_override_fsids(work)) {

+--

+2.39.5

+

+From 1c9892193ce02e4d561c972c481a9c08fe48c352 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 21 May 2025 09:02:29 +0900

+Subject: ksmbd: provide zero as a unique ID to the Mac client

+

+From: Namjae Jeon <linkinjeon@kernel.org>

+

+[ Upstream commit 571781eb7ffefa65b0e922c8031e42b4411a40d4 ]

+

+The Mac SMB client code seems to expect the on-disk file identifier

+to have the semantics of HFS+ Catalog Node Identifier (CNID).

+ksmbd provides the inode number as a unique ID to the client,

+but in the case of subvolumes of btrfs, there are cases where different

+files have the same inode number, so the mac smb client treats it

+as an error. There is a report that a similar problem occurs

+when the share is ZFS.

+Returning UniqueId of zero will make the Mac client to stop using and

+trusting the file id returned from the server.

+

+Reported-by: Justin Turner Arthur <justinarthur@gmail.com>

+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

+Signed-off-by: Steve French <stfrench@microsoft.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/smb/server/connection.h | 1 +

+ fs/smb/server/smb2pdu.c | 19 +++++++++++++++++--

+ fs/smb/server/smb2pdu.h | 3 +++

+ 3 files changed, 21 insertions(+), 2 deletions(-)

+

+diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h

+index 572102098c108..dd3e0e3f7bf04 100644

+--- a/fs/smb/server/connection.h

++++ b/fs/smb/server/connection.h

+@@ -108,6 +108,7 @@ struct ksmbd_conn {

+ __le16 signing_algorithm;

+ bool binding;

+ atomic_t refcnt;

++ bool is_aapl;

+ };

+

+ struct ksmbd_conn_ops {

+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c

+index a9f9426e91acb..ad2b15ec3b561 100644

+--- a/fs/smb/server/smb2pdu.c

++++ b/fs/smb/server/smb2pdu.c

+@@ -3541,6 +3541,15 @@ int smb2_open(struct ksmbd_work *work)

+ ksmbd_debug(SMB, "get query on disk id context\n");

+ query_disk_id = 1;

+ }

++

++ if (conn->is_aapl == false) {

++ context = smb2_find_context_vals(req, SMB2_CREATE_AAPL, 4);

++ if (IS_ERR(context)) {

++ rc = PTR_ERR(context);

++ goto err_out1;

++ } else if (context)

++ conn->is_aapl = true;

++ }

+ }

+

+ rc = ksmbd_vfs_getattr(&path, &stat);

+@@ -3980,7 +3989,10 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,

+ if (dinfo->EaSize)

+ dinfo->ExtFileAttributes = FILE_ATTRIBUTE_REPARSE_POINT_LE;

+ dinfo->Reserved = 0;

+- dinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);

++ if (conn->is_aapl)

++ dinfo->UniqueId = 0;

++ else

++ dinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);

+ if (d_info->hide_dot_file && d_info->name[0] == '.')

+ dinfo->ExtFileAttributes |= FILE_ATTRIBUTE_HIDDEN_LE;

+ memcpy(dinfo->FileName, conv_name, conv_len);

+@@ -3997,7 +4009,10 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,

+ smb2_get_reparse_tag_special_file(ksmbd_kstat->kstat->mode);

+ if (fibdinfo->EaSize)

+ fibdinfo->ExtFileAttributes = FILE_ATTRIBUTE_REPARSE_POINT_LE;

+- fibdinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);

++ if (conn->is_aapl)

++ fibdinfo->UniqueId = 0;

++ else

++ fibdinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);

+ fibdinfo->ShortNameLength = 0;

+ fibdinfo->Reserved = 0;

+ fibdinfo->Reserved2 = cpu_to_le16(0);

+diff --git a/fs/smb/server/smb2pdu.h b/fs/smb/server/smb2pdu.h

+index 17a0b18a8406b..16ae8a10490be 100644

+--- a/fs/smb/server/smb2pdu.h

++++ b/fs/smb/server/smb2pdu.h

+@@ -63,6 +63,9 @@ struct preauth_integrity_info {

+

+ #define SMB2_SESSION_TIMEOUT (10 * HZ)

+

++/* Apple Defined Contexts */

++#define SMB2_CREATE_AAPL "AAPL"

++

+ struct create_durable_req_v2 {

+ struct create_context_hdr ccontext;

+ __u8 Name[8];

+--

+2.39.5

+

+From 06744561b276e091b99daa9aae024f7ccd42a129 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 4 Apr 2025 20:40:36 +0200

+Subject: leds: multicolor: Fix intensity setting while SW blinking

+

+From: Sven Schwermer <sven.schwermer@disruptive-technologies.com>

+

+[ Upstream commit e35ca991a777ef513040cbb36bc8245a031a2633 ]

+

+When writing to the multi_intensity file, don't unconditionally call

+led_set_brightness. By only doing this if blinking is inactive we

+prevent blinking from stopping if the blinking is in its off phase while

+the file is written.

+

+Instead, if blinking is active, the changed intensity values are applied

+upon the next blink. This is consistent with changing the brightness on

+monochrome LEDs with active blinking.

+

+Suggested-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>

+Acked-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>

+Acked-by: Pavel Machek <pavel@ucw.cz>

+Reviewed-by: Tobias Deiminger <tobias.deiminger@linutronix.de>

+Tested-by: Sven Schuchmann <schuchmann@schleissheimer.de>

+Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com>

+Link: https://lore.kernel.org/r/20250404184043.227116-1-sven@svenschwermer.de

+Signed-off-by: Lee Jones <lee@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/leds/led-class-multicolor.c | 3 ++-

+ 1 file changed, 2 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/leds/led-class-multicolor.c b/drivers/leds/led-class-multicolor.c

+index b2a87c9948165..fd66d2bdeace8 100644

+--- a/drivers/leds/led-class-multicolor.c

++++ b/drivers/leds/led-class-multicolor.c

+@@ -59,7 +59,8 @@ static ssize_t multi_intensity_store(struct device *dev,

+ for (i = 0; i < mcled_cdev->num_colors; i++)

+ mcled_cdev->subled_info[i].intensity = intensity_value[i];

+

+- led_set_brightness(led_cdev, led_cdev->brightness);

++ if (!test_bit(LED_BLINK_SW, &led_cdev->work_flags))

++ led_set_brightness(led_cdev, led_cdev->brightness);

+ ret = size;

+ err_out:

+ mutex_unlock(&led_cdev->led_access);

+--

+2.39.5

+

+From a72ccda91d04b14a3eb0b21942321bfd7238bff8 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 11 Apr 2025 21:14:10 +0800

+Subject: mailbox: Not protect module_put with spin_lock_irqsave

+

+From: Peng Fan <peng.fan@nxp.com>

+

+[ Upstream commit dddbd233e67e792bb0a3f9694a4707e6be29b2c6 ]

+

+&chan->lock is not supposed to protect 'chan->mbox'.

+And in __mbox_bind_client, try_module_get is also not protected

+by &chan->lock. So move module_put out of the lock protected

+region.

+

+Signed-off-by: Peng Fan <peng.fan@nxp.com>

+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/mailbox/mailbox.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c

+index 0593b4d036859..aea0e690b63ee 100644

+--- a/drivers/mailbox/mailbox.c

++++ b/drivers/mailbox/mailbox.c

+@@ -486,8 +486,8 @@ void mbox_free_channel(struct mbox_chan *chan)

+ if (chan->txdone_method == TXDONE_BY_ACK)

+ chan->txdone_method = TXDONE_BY_POLL;

+

+- module_put(chan->mbox->dev->driver->owner);

+ spin_unlock_irqrestore(&chan->lock, flags);

++ module_put(chan->mbox->dev->driver->owner);

+ }

+ EXPORT_SYMBOL_GPL(mbox_free_channel);

+

+--

+2.39.5

+

+From df9d43b0008e510b6783ac6edfc94d319c479ad0 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sat, 24 May 2025 14:13:10 +0800

+Subject: md/md-bitmap: fix dm-raid max_write_behind setting

+

+From: Yu Kuai <yukuai3@huawei.com>

+

+[ Upstream commit 2afe17794cfed5f80295b1b9facd66e6f65e5002 ]

+

+It's supposed to be COUNTER_MAX / 2, not COUNTER_MAX.

+

+Link: https://lore.kernel.org/linux-raid/20250524061320.370630-14-yukuai1@huaweicloud.com

+Signed-off-by: Yu Kuai <yukuai3@huawei.com>

+Reviewed-by: Christoph Hellwig <hch@lst.de>

+Reviewed-by: Hannes Reinecke <hare@suse.de>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/md/md-bitmap.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c

+index 37b08f26c62f5..45dd3d9f01a8e 100644

+--- a/drivers/md/md-bitmap.c

++++ b/drivers/md/md-bitmap.c

+@@ -789,7 +789,7 @@ static int md_bitmap_new_disk_sb(struct bitmap *bitmap)

+ * is a good choice? We choose COUNTER_MAX / 2 arbitrarily.

+ */

+ write_behind = bitmap->mddev->bitmap_info.max_write_behind;

+- if (write_behind > COUNTER_MAX)

++ if (write_behind > COUNTER_MAX / 2)

+ write_behind = COUNTER_MAX / 2;

+ sb->write_behind = cpu_to_le32(write_behind);

+ bitmap->mddev->bitmap_info.max_write_behind = write_behind;

+--

+2.39.5

+

+From 5f9d6b4e4f05df03dffbbbf9a1d08438abd219de Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 27 Mar 2025 21:05:28 +0000

+Subject: media: uvcvideo: Create uvc_pm_(get|put) functions

+

+From: Ricardo Ribalda <ribalda@chromium.org>

+

+[ Upstream commit 2f101572c0a3ae4630f2a57c8033b78ee84ac5a6 ]

+

+Most of the times that we have to call uvc_status_(get|put) we need to

+call the usb_autopm_ functions.

+

+Create a new pair of functions that automate this for us. This

+simplifies the current code and future PM changes in the driver.

+

+Reviewed-by: Hans de Goede <hdegoede@redhat.com>

+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>

+Message-ID: <20250327-uvc-granpower-ng-v6-2-35a2357ff348@chromium.org>

+Signed-off-by: Hans de Goede <hdegoede@redhat.com>

+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>

+Stable-dep-of: a70705d3c020 ("media: uvcvideo: Rollback non processed entities on error")

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/media/usb/uvc/uvc_v4l2.c | 36 +++++++++++++++++++++-----------

+ drivers/media/usb/uvc/uvcvideo.h | 4 ++++

+ 2 files changed, 28 insertions(+), 12 deletions(-)

+

+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c

+index 22886b47d81c2..1d5be045d04ec 100644

+--- a/drivers/media/usb/uvc/uvc_v4l2.c

++++ b/drivers/media/usb/uvc/uvc_v4l2.c

+@@ -26,6 +26,27 @@

+

+ #include "uvcvideo.h"

+

++int uvc_pm_get(struct uvc_device *dev)

++{

++ int ret;

++

++ ret = usb_autopm_get_interface(dev->intf);

++ if (ret)

++ return ret;

++

++ ret = uvc_status_get(dev);

++ if (ret)

++ usb_autopm_put_interface(dev->intf);

++

++ return ret;

++}

++

++void uvc_pm_put(struct uvc_device *dev)

++{

++ uvc_status_put(dev);

++ usb_autopm_put_interface(dev->intf);

++}

++

+ static int uvc_acquire_privileges(struct uvc_fh *handle);

+

+ static int uvc_control_add_xu_mapping(struct uvc_video_chain *chain,

+@@ -642,20 +663,13 @@ static int uvc_v4l2_open(struct file *file)

+ stream = video_drvdata(file);

+ uvc_dbg(stream->dev, CALLS, "%s\n", __func__);

+

+- ret = usb_autopm_get_interface(stream->dev->intf);

+- if (ret < 0)

+- return ret;

+-

+ /* Create the device handle. */

+ handle = kzalloc(sizeof(*handle), GFP_KERNEL);

+- if (handle == NULL) {

+- usb_autopm_put_interface(stream->dev->intf);

++ if (!handle)

+ return -ENOMEM;

+- }

+

+- ret = uvc_status_get(stream->dev);

++ ret = uvc_pm_get(stream->dev);

+ if (ret) {

+- usb_autopm_put_interface(stream->dev->intf);

+ kfree(handle);

+ return ret;

+ }

+@@ -690,9 +704,7 @@ static int uvc_v4l2_release(struct file *file)

+ kfree(handle);

+ file->private_data = NULL;

+

+- uvc_status_put(stream->dev);

+-

+- usb_autopm_put_interface(stream->dev->intf);

++ uvc_pm_put(stream->dev);

+ return 0;

+ }

+

+diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h

+index 5ceb01e7831a8..b9f8eb62ba1d8 100644

+--- a/drivers/media/usb/uvc/uvcvideo.h

++++ b/drivers/media/usb/uvc/uvcvideo.h

+@@ -768,6 +768,10 @@ void uvc_status_suspend(struct uvc_device *dev);

+ int uvc_status_get(struct uvc_device *dev);

+ void uvc_status_put(struct uvc_device *dev);

+

++/* PM */

++int uvc_pm_get(struct uvc_device *dev);

++void uvc_pm_put(struct uvc_device *dev);

++

+ /* Controls */

+ extern const struct v4l2_subscribed_event_ops uvc_ctrl_sub_ev_ops;

+

+--

+2.39.5

+

+From c0b04b3084198c842813f08d4c68085705ecf750 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 27 Mar 2025 21:05:29 +0000

+Subject: media: uvcvideo: Increase/decrease the PM counter per IOCTL

+

+From: Ricardo Ribalda <ribalda@chromium.org>

+

+[ Upstream commit 10acb9101355484c3e4f2625003cd1b6c203cfe4 ]

+

+Now we call uvc_pm_get/put from the device open/close. This low

+level of granularity might leave the camera powered on in situations

+where it is not needed.

+

+Increase the granularity by increasing and decreasing the Power

+Management counter per ioctl. There are two special cases where the

+power management outlives the ioctl: async controls and streamon. Handle

+those cases as well.

+

+In a future patch, we will remove the uvc_pm_get/put from open/close.

+

+Reviewed-by: Hans de Goede <hdegoede@redhat.com>

+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>

+Message-ID: <20250327-uvc-granpower-ng-v6-3-35a2357ff348@chromium.org>

+Signed-off-by: Hans de Goede <hdegoede@redhat.com>

+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>

+Stable-dep-of: a70705d3c020 ("media: uvcvideo: Rollback non processed entities on error")

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/media/usb/uvc/uvc_ctrl.c | 38 ++++++++++++++++++++++---------

+ drivers/media/usb/uvc/uvc_v4l2.c | 39 ++++++++++++++++++++++++++++++--

+ 2 files changed, 64 insertions(+), 13 deletions(-)

+

+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c

+index bc7e2005fc6c7..636ce1eb2a6bf 100644

+--- a/drivers/media/usb/uvc/uvc_ctrl.c

++++ b/drivers/media/usb/uvc/uvc_ctrl.c

+@@ -1812,38 +1812,49 @@ static void uvc_ctrl_send_slave_event(struct uvc_video_chain *chain,

+ uvc_ctrl_send_event(chain, handle, ctrl, mapping, val, changes);

+ }

+

+-static void uvc_ctrl_set_handle(struct uvc_fh *handle, struct uvc_control *ctrl,

+- struct uvc_fh *new_handle)

++static int uvc_ctrl_set_handle(struct uvc_fh *handle, struct uvc_control *ctrl,

++ struct uvc_fh *new_handle)

+ {

+ lockdep_assert_held(&handle->chain->ctrl_mutex);

+

+ if (new_handle) {

++ int ret;

++

+ if (ctrl->handle)

+ dev_warn_ratelimited(&handle->stream->dev->udev->dev,

+ "UVC non compliance: Setting an async control with a pending operation.");

+

+ if (new_handle == ctrl->handle)

+- return;

++ return 0;

+

+ if (ctrl->handle) {

+ WARN_ON(!ctrl->handle->pending_async_ctrls);

+ if (ctrl->handle->pending_async_ctrls)

+ ctrl->handle->pending_async_ctrls--;

++ ctrl->handle = new_handle;

++ handle->pending_async_ctrls++;

++ return 0;

+ }

+

++ ret = uvc_pm_get(handle->chain->dev);

++ if (ret)

++ return ret;

++

+ ctrl->handle = new_handle;

+ handle->pending_async_ctrls++;

+- return;

++ return 0;

+ }

+

+ /* Cannot clear the handle for a control not owned by us.*/

+ if (WARN_ON(ctrl->handle != handle))

+- return;

++ return -EINVAL;

+

+ ctrl->handle = NULL;

+ if (WARN_ON(!handle->pending_async_ctrls))

+- return;

++ return -EINVAL;

+ handle->pending_async_ctrls--;

++ uvc_pm_put(handle->chain->dev);

++ return 0;

+ }

+

+ void uvc_ctrl_status_event(struct uvc_video_chain *chain,

+@@ -2150,15 +2161,15 @@ static int uvc_ctrl_commit_entity(struct uvc_device *dev,

+

+ ctrl->dirty = 0;

+

++ if (!rollback && handle && !ret &&

++ ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)

++ ret = uvc_ctrl_set_handle(handle, ctrl, handle);

++

+ if (ret < 0) {

+ if (err_ctrl)

+ *err_ctrl = ctrl;

+ return ret;

+ }

+-

+- if (!rollback && handle &&

+- ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)

+- uvc_ctrl_set_handle(handle, ctrl, handle);

+ }

+

+ return processed_ctrls;

+@@ -3237,6 +3248,7 @@ int uvc_ctrl_init_device(struct uvc_device *dev)

+ void uvc_ctrl_cleanup_fh(struct uvc_fh *handle)

+ {

+ struct uvc_entity *entity;

++ int i;

+

+ guard(mutex)(&handle->chain->ctrl_mutex);

+

+@@ -3251,7 +3263,11 @@ void uvc_ctrl_cleanup_fh(struct uvc_fh *handle)

+ }

+ }

+

+- WARN_ON(handle->pending_async_ctrls);

++ if (!WARN_ON(handle->pending_async_ctrls))

++ return;

++

++ for (i = 0; i < handle->pending_async_ctrls; i++)

++ uvc_pm_put(handle->stream->dev);

+ }

+

+ /*

+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c

+index 1d5be045d04ec..8bccf7e17528b 100644

+--- a/drivers/media/usb/uvc/uvc_v4l2.c

++++ b/drivers/media/usb/uvc/uvc_v4l2.c

+@@ -697,6 +697,9 @@ static int uvc_v4l2_release(struct file *file)

+ if (uvc_has_privileges(handle))

+ uvc_queue_release(&stream->queue);

+

++ if (handle->is_streaming)

++ uvc_pm_put(stream->dev);

++

+ /* Release the file handle. */

+ uvc_dismiss_privileges(handle);

+ v4l2_fh_del(&handle->vfh);

+@@ -862,6 +865,11 @@ static int uvc_ioctl_streamon(struct file *file, void *fh,

+ if (ret)

+ return ret;

+

++ ret = uvc_pm_get(stream->dev);

++ if (ret) {

++ uvc_queue_streamoff(&stream->queue, type);

++ return ret;

++ }

+ handle->is_streaming = true;

+

+ return 0;

+@@ -879,7 +887,10 @@ static int uvc_ioctl_streamoff(struct file *file, void *fh,

+ guard(mutex)(&stream->mutex);

+

+ uvc_queue_streamoff(&stream->queue, type);

+- handle->is_streaming = false;

++ if (handle->is_streaming) {

++ handle->is_streaming = false;

++ uvc_pm_put(stream->dev);

++ }

+

+ return 0;

+ }

+@@ -1378,9 +1389,11 @@ static int uvc_v4l2_put_xu_query(const struct uvc_xu_control_query *kp,

+ #define UVCIOC_CTRL_MAP32 _IOWR('u', 0x20, struct uvc_xu_control_mapping32)

+ #define UVCIOC_CTRL_QUERY32 _IOWR('u', 0x21, struct uvc_xu_control_query32)

+

++DEFINE_FREE(uvc_pm_put, struct uvc_device *, if (_T) uvc_pm_put(_T))

+ static long uvc_v4l2_compat_ioctl32(struct file *file,

+ unsigned int cmd, unsigned long arg)

+ {

++ struct uvc_device *uvc_device __free(uvc_pm_put) = NULL;

+ struct uvc_fh *handle = file->private_data;

+ union {

+ struct uvc_xu_control_mapping xmap;

+@@ -1389,6 +1402,12 @@ static long uvc_v4l2_compat_ioctl32(struct file *file,

+ void __user *up = compat_ptr(arg);

+ long ret;

+

++ ret = uvc_pm_get(handle->stream->dev);

++ if (ret)

++ return ret;

++

++ uvc_device = handle->stream->dev;

++

+ switch (cmd) {

+ case UVCIOC_CTRL_MAP32:

+ ret = uvc_v4l2_get_xu_mapping(&karg.xmap, up);

+@@ -1423,6 +1442,22 @@ static long uvc_v4l2_compat_ioctl32(struct file *file,

+ }

+ #endif

+

++static long uvc_v4l2_unlocked_ioctl(struct file *file,

++ unsigned int cmd, unsigned long arg)

++{

++ struct uvc_fh *handle = file->private_data;

++ int ret;

++

++ ret = uvc_pm_get(handle->stream->dev);

++ if (ret)

++ return ret;

++

++ ret = video_ioctl2(file, cmd, arg);

++

++ uvc_pm_put(handle->stream->dev);

++ return ret;

++}

++

+ static ssize_t uvc_v4l2_read(struct file *file, char __user *data,

+ size_t count, loff_t *ppos)

+ {

+@@ -1507,7 +1542,7 @@ const struct v4l2_file_operations uvc_fops = {

+ .owner = THIS_MODULE,

+ .open = uvc_v4l2_open,

+ .release = uvc_v4l2_release,

+- .unlocked_ioctl = video_ioctl2,

++ .unlocked_ioctl = uvc_v4l2_unlocked_ioctl,

+ #ifdef CONFIG_COMPAT

+ .compat_ioctl32 = uvc_v4l2_compat_ioctl32,

+ #endif

+--

+2.39.5

+

+From df56336a215a0781bf901647283d47c1e5b88245 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 27 Mar 2025 21:05:27 +0000

+Subject: media: uvcvideo: Keep streaming state in the file handle

+

+From: Ricardo Ribalda <ribalda@chromium.org>

+

+[ Upstream commit 14f6e205e5599c2217b68c05b903ce162e7c1e27 ]

+

+Add a variable in the file handle state to figure out if a camera is in

+the streaming state or not. This variable will be used in the future for

+power management policies.

+

+Now that we are at it, make use of guards to simplify the code.

+

+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

+Reviewed-by: Hans de Goede <hdegoede@redhat.com>

+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>

+Message-ID: <20250327-uvc-granpower-ng-v6-1-35a2357ff348@chromium.org>

+Signed-off-by: Hans de Goede <hdegoede@redhat.com>

+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>

+Stable-dep-of: a70705d3c020 ("media: uvcvideo: Rollback non processed entities on error")

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/media/usb/uvc/uvc_v4l2.c | 18 +++++++++++++-----

+ drivers/media/usb/uvc/uvcvideo.h | 1 +

+ 2 files changed, 14 insertions(+), 5 deletions(-)

+

+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c

+index 39065db44e864..22886b47d81c2 100644

+--- a/drivers/media/usb/uvc/uvc_v4l2.c

++++ b/drivers/media/usb/uvc/uvc_v4l2.c

+@@ -841,11 +841,18 @@ static int uvc_ioctl_streamon(struct file *file, void *fh,

+ if (!uvc_has_privileges(handle))

+ return -EBUSY;

+

+- mutex_lock(&stream->mutex);

++ guard(mutex)(&stream->mutex);

++

++ if (handle->is_streaming)

++ return 0;

++

+ ret = uvc_queue_streamon(&stream->queue, type);

+- mutex_unlock(&stream->mutex);

++ if (ret)

++ return ret;

+

+- return ret;

++ handle->is_streaming = true;

++

++ return 0;

+ }

+

+ static int uvc_ioctl_streamoff(struct file *file, void *fh,

+@@ -857,9 +864,10 @@ static int uvc_ioctl_streamoff(struct file *file, void *fh,

+ if (!uvc_has_privileges(handle))

+ return -EBUSY;

+

+- mutex_lock(&stream->mutex);

++ guard(mutex)(&stream->mutex);

++

+ uvc_queue_streamoff(&stream->queue, type);

+- mutex_unlock(&stream->mutex);

++ handle->is_streaming = false;

+

+ return 0;

+ }

+diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h

+index b4ee701835fc0..5ceb01e7831a8 100644

+--- a/drivers/media/usb/uvc/uvcvideo.h

++++ b/drivers/media/usb/uvc/uvcvideo.h

+@@ -630,6 +630,7 @@ struct uvc_fh {

+ struct uvc_streaming *stream;

+ enum uvc_handle_state state;

+ unsigned int pending_async_ctrls;

++ bool is_streaming;

+ };

+

+ /* ------------------------------------------------------------------------

+--

+2.39.5

+

+From 7d8d2893044cfca43319dfef46b5a4f31a78ddb7 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 24 Feb 2025 10:34:55 +0000

+Subject: media: uvcvideo: Rollback non processed entities on error

+

+From: Ricardo Ribalda <ribalda@chromium.org>

+

+[ Upstream commit a70705d3c020d0d5c3ab6a5cc93e011ac35e7d48 ]

+

+If we fail to commit an entity, we need to restore the

+UVC_CTRL_DATA_BACKUP for the other uncommitted entities. Otherwise the

+control cache and the device would be out of sync.

+

+Cc: stable@kernel.org

+Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")

+Reported-by: Hans de Goede <hdegoede@redhat.com>

+Closes: https://lore.kernel.org/linux-media/fe845e04-9fde-46ee-9763-a6f00867929a@redhat.com/

+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>

+Message-ID: <20250224-uvc-data-backup-v2-3-de993ed9823b@chromium.org>

+Signed-off-by: Hans de Goede <hdegoede@redhat.com>

+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/media/usb/uvc/uvc_ctrl.c | 32 ++++++++++++++++++++++----------

+ 1 file changed, 22 insertions(+), 10 deletions(-)

+

+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c

+index 636ce1eb2a6bf..44b6513c52642 100644

+--- a/drivers/media/usb/uvc/uvc_ctrl.c

++++ b/drivers/media/usb/uvc/uvc_ctrl.c

+@@ -2119,7 +2119,7 @@ static int uvc_ctrl_commit_entity(struct uvc_device *dev,

+ unsigned int processed_ctrls = 0;

+ struct uvc_control *ctrl;

+ unsigned int i;

+- int ret;

++ int ret = 0;

+

+ if (entity == NULL)

+ return 0;

+@@ -2148,8 +2148,6 @@ static int uvc_ctrl_commit_entity(struct uvc_device *dev,

+ dev->intfnum, ctrl->info.selector,

+ uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),

+ ctrl->info.size);

+- else

+- ret = 0;

+

+ if (!ret)

+ processed_ctrls++;

+@@ -2165,13 +2163,20 @@ static int uvc_ctrl_commit_entity(struct uvc_device *dev,

+ ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)

+ ret = uvc_ctrl_set_handle(handle, ctrl, handle);

+

+- if (ret < 0) {

++ if (ret < 0 && !rollback) {

+ if (err_ctrl)

+ *err_ctrl = ctrl;

+- return ret;

++ /*

++ * If we fail to set a control, we need to rollback

++ * the next ones.

++ */

++ rollback = 1;

+ }

+ }

+

++ if (ret)

++ return ret;

++

+ return processed_ctrls;

+ }

+

+@@ -2202,7 +2207,8 @@ int __uvc_ctrl_commit(struct uvc_fh *handle, int rollback,

+ struct uvc_video_chain *chain = handle->chain;

+ struct uvc_control *err_ctrl;

+ struct uvc_entity *entity;

+- int ret = 0;

++ int ret_out = 0;

++ int ret;

+

+ /* Find the control. */

+ list_for_each_entry(entity, &chain->entities, chain) {

+@@ -2213,17 +2219,23 @@ int __uvc_ctrl_commit(struct uvc_fh *handle, int rollback,

+ ctrls->error_idx =

+ uvc_ctrl_find_ctrl_idx(entity, ctrls,

+ err_ctrl);

+- goto done;

++ /*

++ * When we fail to commit an entity, we need to

++ * restore the UVC_CTRL_DATA_BACKUP for all the

++ * controls in the other entities, otherwise our cache

++ * and the hardware will be out of sync.

++ */

++ rollback = 1;

++

++ ret_out = ret;

+ } else if (ret > 0 && !rollback) {

+ uvc_ctrl_send_events(handle, entity,

+ ctrls->controls, ctrls->count);

+ }

+ }

+

+- ret = 0;

+-done:

+ mutex_unlock(&chain->ctrl_mutex);

+- return ret;

++ return ret_out;

+ }

+

+ static int uvc_mapping_get_xctrl_compound(struct uvc_video_chain *chain,

+--

+2.39.5

+

+From dd06d3843e66b372fef9b9d44bd3dc5885615509 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sun, 6 Apr 2025 21:50:09 +0200

+Subject: mfd: 88pm886: Fix wakeup source leaks on device unbind

+

+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+

+[ Upstream commit 6d0b2398b2638208d68ba06601f776cd5d983b75 ]

+

+Device can be unbound, so driver must also release memory for the wakeup

+source.

+

+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+Reviewed-by: Karel Balej <balejk@matfyz.cz>

+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-1-318e14bdba0a@linaro.org

+Signed-off-by: Lee Jones <lee@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/mfd/88pm886.c | 6 +++++-

+ 1 file changed, 5 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/mfd/88pm886.c b/drivers/mfd/88pm886.c

+index 891fdce5d8c12..177878aa32f86 100644

+--- a/drivers/mfd/88pm886.c

++++ b/drivers/mfd/88pm886.c

+@@ -124,7 +124,11 @@ static int pm886_probe(struct i2c_client *client)

+ if (err)

+ return dev_err_probe(dev, err, "Failed to register power off handler\n");

+

+- device_init_wakeup(dev, device_property_read_bool(dev, "wakeup-source"));

++ if (device_property_read_bool(dev, "wakeup-source")) {

++ err = devm_device_init_wakeup(dev);

++ if (err)

++ return dev_err_probe(dev, err, "Failed to init wakeup\n");

++ }

+

+ return 0;

+ }

+--

+2.39.5

+

+From d1f5166072d14417186c3e4923107b7250900ab6 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sun, 6 Apr 2025 21:50:11 +0200

+Subject: mfd: max14577: Fix wakeup source leaks on device unbind

+

+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+

+[ Upstream commit d905d06e64b0eb3da43af6186c132f5282197998 ]

+

+Device can be unbound, so driver must also release memory for the wakeup

+source.

+

+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-3-318e14bdba0a@linaro.org

+Signed-off-by: Lee Jones <lee@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/mfd/max14577.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/drivers/mfd/max14577.c b/drivers/mfd/max14577.c

+index 6fce79ec2dc64..7e7e8af9af224 100644

+--- a/drivers/mfd/max14577.c

++++ b/drivers/mfd/max14577.c

+@@ -456,6 +456,7 @@ static void max14577_i2c_remove(struct i2c_client *i2c)

+ {

+ struct max14577 *max14577 = i2c_get_clientdata(i2c);

+

++ device_init_wakeup(max14577->dev, false);

+ mfd_remove_devices(max14577->dev);

+ regmap_del_irq_chip(max14577->irq, max14577->irq_data);

+ if (max14577->dev_type == MAXIM_DEVICE_TYPE_MAX77836)

+--

+2.39.5

+

+From df87a218e46e4f8989cc465b67fc6bb4d244813d Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sun, 6 Apr 2025 21:50:12 +0200

+Subject: mfd: max77541: Fix wakeup source leaks on device unbind

+

+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+

+[ Upstream commit 6c7115cdf6440e1e2f15e21efe92e2b757940627 ]

+

+Device can be unbound, so driver must also release memory for the wakeup

+source.

+

+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-4-318e14bdba0a@linaro.org

+Signed-off-by: Lee Jones <lee@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/mfd/max77541.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/drivers/mfd/max77541.c b/drivers/mfd/max77541.c

+index d77c31c86e435..f91b4f5373ce9 100644

+--- a/drivers/mfd/max77541.c

++++ b/drivers/mfd/max77541.c

+@@ -152,7 +152,7 @@ static int max77541_pmic_setup(struct device *dev)

+ if (ret)

+ return dev_err_probe(dev, ret, "Failed to initialize IRQ\n");

+

+- ret = device_init_wakeup(dev, true);

++ ret = devm_device_init_wakeup(dev);

+ if (ret)

+ return dev_err_probe(dev, ret, "Unable to init wakeup\n");

+

+--

+2.39.5

+

+From 2a2045257fcc2b92e6be1969de2511ed71b47534 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sun, 6 Apr 2025 21:50:13 +0200

+Subject: mfd: max77705: Fix wakeup source leaks on device unbind

+

+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+

+[ Upstream commit a59a56cc4fb1f7d101f7ce1f5396ceaa2e304b71 ]

+

+Device can be unbound, so driver must also release memory for the wakeup

+source.

+

+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-5-318e14bdba0a@linaro.org

+Signed-off-by: Lee Jones <lee@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/mfd/max77705.c | 4 +++-

+ 1 file changed, 3 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/mfd/max77705.c b/drivers/mfd/max77705.c

+index 60c457c21d952..6b263bacb8c28 100644

+--- a/drivers/mfd/max77705.c

++++ b/drivers/mfd/max77705.c

+@@ -131,7 +131,9 @@ static int max77705_i2c_probe(struct i2c_client *i2c)

+ if (ret)

+ return dev_err_probe(dev, ret, "Failed to register child devices\n");

+

+- device_init_wakeup(dev, true);

++ ret = devm_device_init_wakeup(dev);

++ if (ret)

++ return dev_err_probe(dev, ret, "Failed to init wakeup\n");

+

+ return 0;

+ }

+--

+2.39.5

+

+From 0b1865eb891b2b2e39079d0f0543491d5734734c Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sun, 6 Apr 2025 21:50:16 +0200

+Subject: mfd: sprd-sc27xx: Fix wakeup source leaks on device unbind

+

+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+

+[ Upstream commit 37ef4aa4039c42f4b15dc7e40d3e437b7f031522 ]

+

+Device can be unbound, so driver must also release memory for the wakeup

+source.

+

+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>

+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-8-318e14bdba0a@linaro.org

+Signed-off-by: Lee Jones <lee@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/mfd/sprd-sc27xx-spi.c | 5 ++++-

+ 1 file changed, 4 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/mfd/sprd-sc27xx-spi.c b/drivers/mfd/sprd-sc27xx-spi.c

+index 7186e2108108f..d6b4350779e6a 100644

+--- a/drivers/mfd/sprd-sc27xx-spi.c

++++ b/drivers/mfd/sprd-sc27xx-spi.c

+@@ -210,7 +210,10 @@ static int sprd_pmic_probe(struct spi_device *spi)

+ return ret;

+ }

+

+- device_init_wakeup(&spi->dev, true);

++ ret = devm_device_init_wakeup(&spi->dev);

++ if (ret)

++ return dev_err_probe(&spi->dev, ret, "Failed to init wakeup\n");

++

+ return 0;

+ }

+

+--

+2.39.5

+

+From d0d5783e7c1484bc82bf747edfcbecdd26c2fe77 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 10 Mar 2025 20:05:11 -0500

+Subject: misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe()

+

+From: Chenyuan Yang <chenyuan0y@gmail.com>

+

+[ Upstream commit a99b598d836c9c6411110c70a2da134c78d96e67 ]

+

+The returned value, pfsm->miscdev.name, from devm_kasprintf()

+could be NULL.

+A pointer check is added to prevent potential NULL pointer dereference.

+This is similar to the fix in commit 3027e7b15b02

+("ice: Fix some null pointer dereference issues in ice_ptp.c").

+

+This issue is found by our static analysis tool.

+

+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>

+Link: https://lore.kernel.org/r/20250311010511.1028269-1-chenyuan0y@gmail.com

+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/misc/tps6594-pfsm.c | 3 +++

+ 1 file changed, 3 insertions(+)

+

+diff --git a/drivers/misc/tps6594-pfsm.c b/drivers/misc/tps6594-pfsm.c

+index 0a24ce44cc37c..6db1c9d48f8fc 100644

+--- a/drivers/misc/tps6594-pfsm.c

++++ b/drivers/misc/tps6594-pfsm.c

+@@ -281,6 +281,9 @@ static int tps6594_pfsm_probe(struct platform_device *pdev)

+ pfsm->miscdev.minor = MISC_DYNAMIC_MINOR;

+ pfsm->miscdev.name = devm_kasprintf(dev, GFP_KERNEL, "pfsm-%ld-0x%02x",

+ tps->chip_id, tps->reg);

++ if (!pfsm->miscdev.name)

++ return -ENOMEM;

++

+ pfsm->miscdev.fops = &tps6594_pfsm_fops;

+ pfsm->miscdev.parent = dev->parent;

+ pfsm->chip_id = tps->chip_id;

+--

+2.39.5

+

+From 0e93b854dea45bd77b421d0f62115872216632e8 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sun, 4 May 2025 20:57:04 +0800

+Subject: NFSv4: Always set NLINK even if the server doesn't support it

+

+From: Han Young <hanyang.tony@bytedance.com>

+

+[ Upstream commit 3a3065352f73381d3a1aa0ccab44aec3a5a9b365 ]

+

+fattr4_numlinks is a recommended attribute, so the client should emulate

+it even if the server doesn't support it. In decode_attr_nlink function

+in nfs4xdr.c, nlink is initialized to 1. However, this default value

+isn't set to the inode due to the check in nfs_fhget.

+

+So if the server doesn't support numlinks, inode's nlink will be zero,

+the mount will fail with error "Stale file handle". Set the nlink to 1

+if the server doesn't support it.

+

+Signed-off-by: Han Young <hanyang.tony@bytedance.com>

+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/nfs/inode.c | 2 ++

+ 1 file changed, 2 insertions(+)

+

+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c

+index 119e447758b99..4695292378bbe 100644

+--- a/fs/nfs/inode.c

++++ b/fs/nfs/inode.c

+@@ -557,6 +557,8 @@ nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr)

+ set_nlink(inode, fattr->nlink);

+ else if (fattr_supported & NFS_ATTR_FATTR_NLINK)

+ nfs_set_cache_invalid(inode, NFS_INO_INVALID_NLINK);

++ else

++ set_nlink(inode, 1);

+ if (fattr->valid & NFS_ATTR_FATTR_OWNER)

+ inode->i_uid = fattr->uid;

+ else if (fattr_supported & NFS_ATTR_FATTR_OWNER)

+--

+2.39.5

+

+From b11eef736fa346084f9c59c74a63ffb7ba1095a0 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 16 Apr 2025 11:23:38 -0400

+Subject: NFSv4: xattr handlers should check for absent nfs filehandles

+

+From: Scott Mayhew <smayhew@redhat.com>

+

+[ Upstream commit 6e9a2f8dbe93c8004c2af2c0158888628b7ca034 ]

+

+The nfs inodes for referral anchors that have not yet been followed have

+their filehandles zeroed out.

+

+Attempting to call getxattr() on one of these will cause the nfs client

+to send a GETATTR to the nfs server with the preceding PUTFH sans

+filehandle. The server will reply NFS4ERR_NOFILEHANDLE, leading to -EIO

+being returned to the application.

+

+For example:

+

+$ strace -e trace=getxattr getfattr -n system.nfs4_acl /mnt/t/ref

+getxattr("/mnt/t/ref", "system.nfs4_acl", NULL, 0) = -1 EIO (Input/output error)

+/mnt/t/ref: system.nfs4_acl: Input/output error

++++ exited with 1 +++

+

+Have the xattr handlers return -ENODATA instead.

+

+Signed-off-by: Scott Mayhew <smayhew@redhat.com>

+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/nfs/nfs4proc.c | 5 +++++

+ 1 file changed, 5 insertions(+)

+

+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c

+index 6c3896a9b9d0f..2f5a6aa3fd48e 100644

+--- a/fs/nfs/nfs4proc.c

++++ b/fs/nfs/nfs4proc.c

+@@ -6220,6 +6220,8 @@ static ssize_t nfs4_proc_get_acl(struct inode *inode, void *buf, size_t buflen,

+ struct nfs_server *server = NFS_SERVER(inode);

+ int ret;

+

++ if (unlikely(NFS_FH(inode)->size == 0))

++ return -ENODATA;

+ if (!nfs4_server_supports_acls(server, type))

+ return -EOPNOTSUPP;

+ ret = nfs_revalidate_inode(inode, NFS_INO_INVALID_CHANGE);

+@@ -6294,6 +6296,9 @@ static int nfs4_proc_set_acl(struct inode *inode, const void *buf,

+ {

+ struct nfs4_exception exception = { };

+ int err;

++

++ if (unlikely(NFS_FH(inode)->size == 0))

++ return -ENODATA;

+ do {

+ err = __nfs4_proc_set_acl(inode, buf, buflen, type);

+ trace_nfs4_set_acl(inode, err);

+--

+2.39.5

+

+From 3f3d1db4af58c3b4679646285b4bf71ef8eef4d9 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 25 Apr 2025 14:09:21 -0400

+Subject: NFSv4.2: fix listxattr to return selinux security label

+

+From: Olga Kornievskaia <okorniev@redhat.com>

+

+[ Upstream commit 243fea134633ba3d64aceb4c16129c59541ea2c6 ]

+

+Currently, when NFS is queried for all the labels present on the

+file via a command example "getfattr -d -m . /mnt/testfile", it

+does not return the security label. Yet when asked specifically for

+the label (getfattr -n security.selinux) it will be returned.

+Include the security label when all attributes are queried.

+

+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>

+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/nfs/nfs4proc.c | 12 ++++++++++--

+ 1 file changed, 10 insertions(+), 2 deletions(-)

+

+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c

+index 9db317e7dea17..56f41ec327397 100644

+--- a/fs/nfs/nfs4proc.c

++++ b/fs/nfs/nfs4proc.c

+@@ -10861,7 +10861,7 @@ const struct nfs4_minor_version_ops *nfs_v4_minor_ops[] = {

+

+ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)

+ {

+- ssize_t error, error2, error3;

++ ssize_t error, error2, error3, error4;

+ size_t left = size;

+

+ error = generic_listxattr(dentry, list, left);

+@@ -10884,8 +10884,16 @@ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)

+ error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, left);

+ if (error3 < 0)

+ return error3;

++ if (list) {

++ list += error3;

++ left -= error3;

++ }

++

++ error4 = security_inode_listsecurity(d_inode(dentry), list, left);

++ if (error4 < 0)

++ return error4;

+

+- error += error2 + error3;

++ error += error2 + error3 + error4;

+ if (size && error > size)

+ return -ERANGE;

+ return error;

+--

+2.39.5

+

+From c79a2b3b14391311b369c0cbaadd95c11b306caf Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 25 Apr 2025 15:49:19 +0300

+Subject: NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when

+ timestamps are delegated

+

+From: Sagi Grimberg <sagi@grimberg.me>

+

+[ Upstream commit aba41e90aadeca8d4656f90639aa5f91ce564f1c ]

+

+nfs_setattr will flush all pending writes before updating a file time

+attributes. However when the client holds delegated timestamps, it can

+update its timestamps locally as it is the authority for the file

+times attributes. The client will later set the file attributes by

+adding a setattr to the delegreturn compound updating the server time

+attributes.

+

+Fix nfs_setattr to avoid flushing pending writes when the file time

+attributes are delegated and the mtime/atime are set to a fixed

+timestamp (ATTR_[MODIFY|ACCESS]_SET. Also, when sending the setattr

+procedure over the wire, we need to clear the correct attribute bits

+from the bitmask.

+

+I was able to measure a noticable speedup when measuring untar performance.

+Test: $ time tar xzf ~/dir.tgz

+Baseline: 1m13.072s

+Patched: 0m49.038s

+

+Which is more than 30% latency improvement.

+

+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>

+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/nfs/inode.c | 49 +++++++++++++++++++++++++++++++++++++++++++----

+ fs/nfs/nfs4proc.c | 8 ++++----

+ 2 files changed, 49 insertions(+), 8 deletions(-)

+

+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c

+index 4695292378bbe..8ab7868807a7d 100644

+--- a/fs/nfs/inode.c

++++ b/fs/nfs/inode.c

+@@ -635,6 +635,34 @@ nfs_fattr_fixup_delegated(struct inode *inode, struct nfs_fattr *fattr)

+ }

+ }

+

++static void nfs_set_timestamps_to_ts(struct inode *inode, struct iattr *attr)

++{

++ unsigned int cache_flags = 0;

++

++ if (attr->ia_valid & ATTR_MTIME_SET) {

++ struct timespec64 ctime = inode_get_ctime(inode);

++ struct timespec64 mtime = inode_get_mtime(inode);

++ struct timespec64 now;

++ int updated = 0;

++

++ now = inode_set_ctime_current(inode);

++ if (!timespec64_equal(&now, &ctime))

++ updated |= S_CTIME;

++

++ inode_set_mtime_to_ts(inode, attr->ia_mtime);

++ if (!timespec64_equal(&now, &mtime))

++ updated |= S_MTIME;

++

++ inode_maybe_inc_iversion(inode, updated);

++ cache_flags |= NFS_INO_INVALID_CTIME | NFS_INO_INVALID_MTIME;

++ }

++ if (attr->ia_valid & ATTR_ATIME_SET) {

++ inode_set_atime_to_ts(inode, attr->ia_atime);

++ cache_flags |= NFS_INO_INVALID_ATIME;

++ }

++ NFS_I(inode)->cache_validity &= ~cache_flags;

++}

++

+ static void nfs_update_timestamps(struct inode *inode, unsigned int ia_valid)

+ {

+ enum file_time_flags time_flags = 0;

+@@ -703,14 +731,27 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,

+

+ if (nfs_have_delegated_mtime(inode) && attr->ia_valid & ATTR_MTIME) {

+ spin_lock(&inode->i_lock);

+- nfs_update_timestamps(inode, attr->ia_valid);

++ if (attr->ia_valid & ATTR_MTIME_SET) {

++ nfs_set_timestamps_to_ts(inode, attr);

++ attr->ia_valid &= ~(ATTR_MTIME|ATTR_MTIME_SET|

++ ATTR_ATIME|ATTR_ATIME_SET);

++ } else {

++ nfs_update_timestamps(inode, attr->ia_valid);

++ attr->ia_valid &= ~(ATTR_MTIME|ATTR_ATIME);

++ }

+ spin_unlock(&inode->i_lock);

+- attr->ia_valid &= ~(ATTR_MTIME | ATTR_ATIME);

+ } else if (nfs_have_delegated_atime(inode) &&

+ attr->ia_valid & ATTR_ATIME &&

+ !(attr->ia_valid & ATTR_MTIME)) {

+- nfs_update_delegated_atime(inode);

+- attr->ia_valid &= ~ATTR_ATIME;

++ if (attr->ia_valid & ATTR_ATIME_SET) {

++ spin_lock(&inode->i_lock);

++ nfs_set_timestamps_to_ts(inode, attr);

++ spin_unlock(&inode->i_lock);

++ attr->ia_valid &= ~(ATTR_ATIME|ATTR_ATIME_SET);

++ } else {

++ nfs_update_delegated_atime(inode);

++ attr->ia_valid &= ~ATTR_ATIME;

++ }

+ }

+

+ /* Optimization: if the end result is no change, don't RPC */

+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c

+index 56f41ec327397..6c3896a9b9d0f 100644

+--- a/fs/nfs/nfs4proc.c

++++ b/fs/nfs/nfs4proc.c

+@@ -325,14 +325,14 @@ static void nfs4_bitmap_copy_adjust(__u32 *dst, const __u32 *src,

+

+ if (nfs_have_delegated_mtime(inode)) {

+ if (!(cache_validity & NFS_INO_INVALID_ATIME))

+- dst[1] &= ~FATTR4_WORD1_TIME_ACCESS;

++ dst[1] &= ~(FATTR4_WORD1_TIME_ACCESS|FATTR4_WORD1_TIME_ACCESS_SET);

+ if (!(cache_validity & NFS_INO_INVALID_MTIME))

+- dst[1] &= ~FATTR4_WORD1_TIME_MODIFY;

++ dst[1] &= ~(FATTR4_WORD1_TIME_MODIFY|FATTR4_WORD1_TIME_MODIFY_SET);

+ if (!(cache_validity & NFS_INO_INVALID_CTIME))

+- dst[1] &= ~FATTR4_WORD1_TIME_METADATA;

++ dst[1] &= ~(FATTR4_WORD1_TIME_METADATA|FATTR4_WORD1_TIME_MODIFY_SET);

+ } else if (nfs_have_delegated_atime(inode)) {

+ if (!(cache_validity & NFS_INO_INVALID_ATIME))

+- dst[1] &= ~FATTR4_WORD1_TIME_ACCESS;

++ dst[1] &= ~(FATTR4_WORD1_TIME_ACCESS|FATTR4_WORD1_TIME_ACCESS_SET);

+ }

+ }

+

+--

+2.39.5

+

+From 67fd157ea429bb81bf89f0d5272992272f758a88 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 28 May 2025 08:45:34 +0200

+Subject: nvme-tcp: fix I/O stalls on congested sockets

+

+From: Hannes Reinecke <hare@kernel.org>

+

+[ Upstream commit f42d4796ee100fade86086d1cf98537fb4d326c8 ]

+

+When the socket is busy processing nvme_tcp_try_recv() might return

+-EAGAIN, but this doesn't automatically imply that the sending side is

+blocked, too. So check if there are pending requests once

+nvme_tcp_try_recv() returns -EAGAIN and continue with the sending loop

+to avoid I/O stalls.

+

+Signed-off-by: Hannes Reinecke <hare@kernel.org>

+Acked-by: Chris Leech <cleech@redhat.com>

+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>

+Signed-off-by: Christoph Hellwig <hch@lst.de>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/nvme/host/tcp.c | 7 ++++++-

+ 1 file changed, 6 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c

+index 947fac9128b30..9f4f6464dee04 100644

+--- a/drivers/nvme/host/tcp.c

++++ b/drivers/nvme/host/tcp.c

+@@ -1348,7 +1348,7 @@ static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)

+ queue->nr_cqe = 0;

+ consumed = sock->ops->read_sock(sk, &rd_desc, nvme_tcp_recv_skb);

+ release_sock(sk);

+- return consumed;

++ return consumed == -EAGAIN ? 0 : consumed;

+ }

+

+ static void nvme_tcp_io_work(struct work_struct *w)

+@@ -1376,6 +1376,11 @@ static void nvme_tcp_io_work(struct work_struct *w)

+ else if (unlikely(result < 0))

+ return;

+

++ /* did we get some space after spending time in recv? */

++ if (nvme_tcp_queue_has_pending(queue) &&

++ sk_stream_is_writeable(queue->sock->sk))

++ pending = true;

++

+ if (!pending || !queue->rd_enabled)

+ return;

+

+--

+2.39.5

+

+From a296677c6ceac5a597bde22d017a56a4b912ca9d Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 28 May 2025 08:45:33 +0200

+Subject: nvme-tcp: sanitize request list handling

+

+From: Hannes Reinecke <hare@kernel.org>

+

+[ Upstream commit 0bf04c874fcb1ae46a863034296e4b33d8fbd66c ]

+

+Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of

+any list, otherwise a malicious R2T PDU might inject a loop in request

+list processing.

+

+Signed-off-by: Hannes Reinecke <hare@kernel.org>

+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>

+Signed-off-by: Christoph Hellwig <hch@lst.de>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/nvme/host/tcp.c | 15 ++++++++++++++-

+ 1 file changed, 14 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c

+index 9f4f6464dee04..b882ee6ef40f6 100644

+--- a/drivers/nvme/host/tcp.c

++++ b/drivers/nvme/host/tcp.c

+@@ -452,7 +452,8 @@ nvme_tcp_fetch_request(struct nvme_tcp_queue *queue)

+ return NULL;

+ }

+

+- list_del(&req->entry);

++ list_del_init(&req->entry);

++ init_llist_node(&req->lentry);

+ return req;

+ }

+

+@@ -560,6 +561,8 @@ static int nvme_tcp_init_request(struct blk_mq_tag_set *set,

+ req->queue = queue;

+ nvme_req(rq)->ctrl = &ctrl->ctrl;

+ nvme_req(rq)->cmd = &pdu->cmd;

++ init_llist_node(&req->lentry);

++ INIT_LIST_HEAD(&req->entry);

+

+ return 0;

+ }

+@@ -764,6 +767,14 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue,

+ return -EPROTO;

+ }

+

++ if (llist_on_list(&req->lentry) ||

++ !list_empty(&req->entry)) {

++ dev_err(queue->ctrl->ctrl.device,

++ "req %d unexpected r2t while processing request\n",

++ rq->tag);

++ return -EPROTO;

++ }

++

+ req->pdu_len = 0;

+ req->h2cdata_left = r2t_length;

+ req->h2cdata_offset = r2t_offset;

+@@ -2641,6 +2652,8 @@ static void nvme_tcp_submit_async_event(struct nvme_ctrl *arg)

+ ctrl->async_req.offset = 0;

+ ctrl->async_req.curr_bio = NULL;

+ ctrl->async_req.data_len = 0;

++ init_llist_node(&ctrl->async_req.lentry);

++ INIT_LIST_HEAD(&ctrl->async_req.entry);

+

+ nvme_tcp_queue_request(&ctrl->async_req, true, true);

+ }

+--

+2.39.5

+

+From 463e25f99ba1eb0545cf7262184fc0896f427d88 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Mon, 21 Apr 2025 16:15:19 -0700

+Subject: ovl: Check for NULL d_inode() in ovl_dentry_upper()

+

+From: Kees Cook <kees@kernel.org>

+

+[ Upstream commit 8a39f1c870e9d6fbac5638f3a42a6a6363829c49 ]

+

+In ovl_path_type() and ovl_is_metacopy_dentry() GCC notices that it is

+possible for OVL_E() to return NULL (which implies that d_inode(dentry)

+may be NULL). This would result in out of bounds reads via container_of(),

+seen with GCC 15's -Warray-bounds -fdiagnostics-details. For example:

+

+In file included from arch/x86/include/generated/asm/rwonce.h:1,

+ from include/linux/compiler.h:339,

+ from include/linux/export.h:5,

+ from include/linux/linkage.h:7,

+ from include/linux/fs.h:5,

+ from fs/overlayfs/util.c:7:

+In function 'ovl_upperdentry_dereference',

+ inlined from 'ovl_dentry_upper' at ../fs/overlayfs/util.c:305:9,

+ inlined from 'ovl_path_type' at ../fs/overlayfs/util.c:216:6:

+include/asm-generic/rwonce.h:44:26: error: array subscript 0 is outside array bounds of 'struct inode[7486503276667837]' [-Werror=array-bounds=]

+ 44 | #define __READ_ONCE(x) (*(const volatile __unqual_scalar_typeof(x) *)&(x))

+ | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+include/asm-generic/rwonce.h:50:9: note: in expansion of macro '__READ_ONCE'

+ 50 | __READ_ONCE(x); \

+ | ^~~~~~~~~~~

+fs/overlayfs/ovl_entry.h:195:16: note: in expansion of macro 'READ_ONCE'

+ 195 | return READ_ONCE(oi->__upperdentry);

+ | ^~~~~~~~~

+ 'ovl_path_type': event 1

+ 185 | return inode ? OVL_I(inode)->oe : NULL;

+ 'ovl_path_type': event 2

+

+Avoid this by allowing ovl_dentry_upper() to return NULL if d_inode() is

+NULL, as that means the problematic dereferencing can never be reached.

+Note that this fixes the over-eager compiler warning in an effort to

+being able to enable -Warray-bounds globally. There is no known

+behavioral bug here.

+

+Suggested-by: Amir Goldstein <amir73il@gmail.com>

+Signed-off-by: Kees Cook <kees@kernel.org>

+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ fs/overlayfs/util.c | 4 +++-

+ 1 file changed, 3 insertions(+), 1 deletion(-)

+

+diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c

+index 0819c739cc2ff..5d6b60d56c275 100644

+--- a/fs/overlayfs/util.c

++++ b/fs/overlayfs/util.c

+@@ -305,7 +305,9 @@ enum ovl_path_type ovl_path_realdata(struct dentry *dentry, struct path *path)

+

+ struct dentry *ovl_dentry_upper(struct dentry *dentry)

+ {

+- return ovl_upperdentry_dereference(OVL_I(d_inode(dentry)));

++ struct inode *inode = d_inode(dentry);

++

++ return inode ? ovl_upperdentry_dereference(OVL_I(inode)) : NULL;

+ }

+

+ struct dentry *ovl_dentry_lower(struct dentry *dentry)

+--

+2.39.5

+

+From ed859a9d26cbadf6d6dcde62048ce14c5f9191ce Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 1 Apr 2025 10:17:08 +0100

+Subject: PCI: apple: Fix missing OF node reference in apple_pcie_setup_port

+

+From: Hector Martin <marcan@marcan.st>

+

+[ Upstream commit 7fa9fbf39116b061f8a41cd84f1884c545f322c4 ]

+

+In the success path, we hang onto a reference to the node, so make sure

+to grab one. The caller iterator puts our borrowed reference when we

+return.

+

+Signed-off-by: Hector Martin <marcan@marcan.st>

+Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>

+Signed-off-by: Marc Zyngier <maz@kernel.org>

+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

+Tested-by: Janne Grunau <j@jannau.net>

+Reviewed-by: Rob Herring (Arm) <robh@kernel.org>

+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

+Acked-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>

+Link: https://patch.msgid.link/20250401091713.2765724-9-maz@kernel.org

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/pci/controller/pcie-apple.c | 3 +++

+ 1 file changed, 3 insertions(+)

+

+diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c

+index 32f57b8a6ecbd..8f7fc9161760c 100644

+--- a/drivers/pci/controller/pcie-apple.c

++++ b/drivers/pci/controller/pcie-apple.c

+@@ -584,6 +584,9 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,

+ list_add_tail(&port->entry, &pcie->ports);

+ init_completion(&pcie->event);

+

++ /* In the success path, we keep a reference to np around */

++ of_node_get(np);

++

+ ret = apple_pcie_port_register_irqs(port);

+ WARN_ON(ret);

+

+--

+2.39.5

+

+From 18cfae82a0e1f9a25144ce9cb0ae788d1a17bc55 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 22 Apr 2025 18:36:23 +0800

+Subject: PCI: dwc: Make link training more robust by setting

+ PORT_LOGIC_LINK_WIDTH to one lane

+

+From: Wenbin Yao <quic_wenbyao@quicinc.com>

+

+[ Upstream commit af3c6eacce0c464f28fe0e3d365b3860aba07931 ]

+

+As per DWC PCIe registers description 4.30a, section 1.13.43, NUM_OF_LANES

+named as PORT_LOGIC_LINK_WIDTH in PCIe DWC driver, is referred to as the

+"Predetermined Number of Lanes" in PCIe r6.0, sec 4.2.7.2.1, which explains

+the conditions required to enter Polling.Configuration:

+

+ Next state is Polling.Configuration after at least 1024 TS1 Ordered Sets

+ were transmitted, and all Lanes that detected a Receiver during Detect

+ receive eight consecutive training sequences ...

+

+ Otherwise, after a 24 ms timeout the next state is:

+

+ Polling.Configuration if,

+

+ (i) Any Lane, which detected a Receiver during Detect, received eight

+ consecutive training sequences ... and a minimum of 1024 TS1 Ordered

+ Sets are transmitted after receiving one TS1 or TS2 Ordered Set.

+

+ And

+

+ (ii) At least a predetermined set of Lanes that detected a Receiver

+ during Detect have detected an exit from Electrical Idle at least

+ once since entering Polling.Active.

+

+ Note: This may prevent one or more bad Receivers or Transmitters

+ from holding up a valid Link from being configured, and allow for

+ additional training in Polling.Configuration. The exact set of

+ predetermined Lanes is implementation specific.

+

+ Note: Any Lane that receives eight consecutive TS1 or TS2 Ordered

+ Sets should have detected an exit from Electrical Idle at least

+ once since entering Polling.Active.

+

+In a PCIe link supporting multiple lanes, if PORT_LOGIC_LINK_WIDTH is set

+to lane width the hardware supports, all lanes that detect a receiver

+during the Detect phase must receive eight consecutive training sequences.

+Otherwise, LTSSM will not enter Polling.Configuration and link training

+will fail.

+

+Therefore, always set PORT_LOGIC_LINK_WIDTH to 1, regardless of the number

+of lanes the port actually supports, to make link up more robust. This

+setting will not affect the intended link width if all lanes are

+functional. Additionally, the link can still be established with at least

+one lane if other lanes are faulty.

+

+Co-developed-by: Qiang Yu <quic_qianyu@quicinc.com>

+Signed-off-by: Qiang Yu <quic_qianyu@quicinc.com>

+Signed-off-by: Wenbin Yao <quic_wenbyao@quicinc.com>

+[mani: subject change]

+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

+[bhelgaas: update PCIe spec citation, format quote]

+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>

+Tested-by: Niklas Cassel <cassel@kernel.org>

+Link: https://patch.msgid.link/20250422103623.462277-1-quic_wenbyao@quicinc.com

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/pci/controller/dwc/pcie-designware.c | 5 +----

+ 1 file changed, 1 insertion(+), 4 deletions(-)

+

+diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c

+index 97d76d3dc066e..be348b341e3cf 100644

+--- a/drivers/pci/controller/dwc/pcie-designware.c

++++ b/drivers/pci/controller/dwc/pcie-designware.c

+@@ -797,22 +797,19 @@ static void dw_pcie_link_set_max_link_width(struct dw_pcie *pci, u32 num_lanes)

+ /* Set link width speed control register */

+ lwsc = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);

+ lwsc &= ~PORT_LOGIC_LINK_WIDTH_MASK;

++ lwsc |= PORT_LOGIC_LINK_WIDTH_1_LANES;

+ switch (num_lanes) {

+ case 1:

+ plc |= PORT_LINK_MODE_1_LANES;

+- lwsc |= PORT_LOGIC_LINK_WIDTH_1_LANES;

+ break;

+ case 2:

+ plc |= PORT_LINK_MODE_2_LANES;

+- lwsc |= PORT_LOGIC_LINK_WIDTH_2_LANES;

+ break;

+ case 4:

+ plc |= PORT_LINK_MODE_4_LANES;

+- lwsc |= PORT_LOGIC_LINK_WIDTH_4_LANES;

+ break;

+ case 8:

+ plc |= PORT_LINK_MODE_8_LANES;

+- lwsc |= PORT_LOGIC_LINK_WIDTH_8_LANES;

+ break;

+ default:

+ dev_err(pci->dev, "num-lanes %u: invalid value\n", num_lanes);

+--

+2.39.5

+

+From 82bae92628b84df89d1b7172f2a4d3ccfe4e3d36 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Wed, 16 Apr 2025 16:13:11 +0800

+Subject: PCI: imx6: Add workaround for errata ERR051624

+

+From: Richard Zhu <hongxing.zhu@nxp.com>

+

+[ Upstream commit ce0c43e855c7f652b6351110aaaabf9b521debd7 ]

+

+ERR051624: The Controller Without Vaux Cannot Exit L23 Ready Through Beacon

+or PERST# De-assertion

+

+When the auxiliary power is not available, the controller cannot exit from

+L23 Ready with beacon or PERST# de-assertion when main power is not

+removed. So the workaround is to set SS_RW_REG_1[SYS_AUX_PWR_DET] to 1.

+

+This workaround is required irrespective of whether Vaux is supplied to the

+link partner or not.

+

+Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>

+[mani: subject and description rewording]

+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

+Reviewed-by: Frank Li <Frank.Li@nxp.com>

+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

+Link: https://patch.msgid.link/20250416081314.3929794-5-hongxing.zhu@nxp.com

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/pci/controller/dwc/pci-imx6.c | 15 +++++++++++++++

+ 1 file changed, 15 insertions(+)

+

+diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c

+index ea5c06371171f..1b6fbf507166f 100644

+--- a/drivers/pci/controller/dwc/pci-imx6.c

++++ b/drivers/pci/controller/dwc/pci-imx6.c

+@@ -48,6 +48,8 @@

+ #define IMX95_PCIE_SS_RW_REG_0 0xf0

+ #define IMX95_PCIE_REF_CLKEN BIT(23)

+ #define IMX95_PCIE_PHY_CR_PARA_SEL BIT(9)

++#define IMX95_PCIE_SS_RW_REG_1 0xf4

++#define IMX95_PCIE_SYS_AUX_PWR_DET BIT(31)

+

+ #define IMX95_PE0_GEN_CTRL_1 0x1050

+ #define IMX95_PCIE_DEVICE_TYPE GENMASK(3, 0)

+@@ -231,6 +233,19 @@ static unsigned int imx_pcie_grp_offset(const struct imx_pcie *imx_pcie)

+

+ static int imx95_pcie_init_phy(struct imx_pcie *imx_pcie)

+ {

++ /*

++ * ERR051624: The Controller Without Vaux Cannot Exit L23 Ready

++ * Through Beacon or PERST# De-assertion

++ *

++ * When the auxiliary power is not available, the controller

++ * cannot exit from L23 Ready with beacon or PERST# de-assertion

++ * when main power is not removed.

++ *

++ * Workaround: Set SS_RW_REG_1[SYS_AUX_PWR_DET] to 1.

++ */

++ regmap_set_bits(imx_pcie->iomuxc_gpr, IMX95_PCIE_SS_RW_REG_1,

++ IMX95_PCIE_SYS_AUX_PWR_DET);

++

+ regmap_update_bits(imx_pcie->iomuxc_gpr,

+ IMX95_PCIE_SS_RW_REG_0,

+ IMX95_PCIE_PHY_CR_PARA_SEL,

+--

+2.39.5

+

+From c551d280d7c000cec6c0e71fe088d172d6d4c513 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 22 May 2025 09:41:27 +0300

+Subject: Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on

+ DG1"

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

+

+[ Upstream commit ed5915cfce2abb9a553c3737badebd4a11d6c9c7 ]

+

+This reverts commit d6e020819612a4a06207af858e0978be4d3e3140.

+

+The IS_DGFX check was put in place because error capture of buffer

+objects is expected to be broken on devices with VRAM.

+

+Userspace fix[1] to the impacted media driver has been submitted, merged

+and a new driver release is out as 25.2.3 where the capture flag is

+dropped on DG1 thus unblocking the usage of media driver on DG1.

+

+[1] https://github.com/intel/media-driver/commit/93c07d9b4b96a78bab21f6acd4eb863f4313ea4a

+

+Cc: stable@vger.kernel.org # v6.0+

+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>

+Cc: Andi Shyti <andi.shyti@linux.intel.com>

+Cc: Matthew Auld <matthew.auld@intel.com>

+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>

+Cc: Tvrtko Ursulin <tursulin@ursulin.net>

+Acked-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>

+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>

+Link: https://lore.kernel.org/r/20250522064127.24293-1-joonas.lahtinen@linux.intel.com

+[Joonas: Update message to point out the merged userspace fix]

+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

+(cherry picked from commit d2dc30e0aa252830f908c8e793d3139d51321370)

+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c

+index 1974a300b24a1..7796c4119ef5e 100644

+--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c

++++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c

+@@ -2014,7 +2014,7 @@ static int eb_capture_stage(struct i915_execbuffer *eb)

+ continue;

+

+ if (i915_gem_context_is_recoverable(eb->gem_context) &&

+- GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 10))

++ (IS_DGFX(eb->i915) || GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 0)))

+ return -EINVAL;

+

+ for_each_batch_create_order(eb, j) {

+--

+2.39.5

+

+From dc9201183da1397962428249e42c7f7233afbfba Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 25 Apr 2025 11:24:21 +0200

+Subject: Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI

+ devices"

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Lukas Wunner <lukas@wunner.de>

+

+[ Upstream commit 3be5fa236649da6404f1bca1491bf02d4b0d5cce ]

+

+Commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and

+pcibios_free_irq()") changed IRQ handling on PCI driver probing.

+It inadvertently broke resume from system sleep on AMD platforms:

+

+ https://lore.kernel.org/r/20150926164651.GA3640@pd.tnic/

+

+This was fixed by two independent commits:

+

+* 8affb487d4a4 ("x86/PCI: Don't alloc pcibios-irq when MSI is enabled")

+* cbbc00be2ce3 ("iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices")

+

+The breaking change and one of these two fixes were subsequently reverted:

+

+* fe25d078874f ("Revert "x86/PCI: Don't alloc pcibios-irq when MSI is enabled"")

+* 6c777e8799a9 ("Revert "PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()"")

+

+This rendered the second fix unnecessary, so revert it as well. It used

+the match_driver flag in struct pci_dev, which is internal to the PCI core

+and not supposed to be touched by arbitrary drivers.

+

+Signed-off-by: Lukas Wunner <lukas@wunner.de>

+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>

+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>

+Acked-by: Joerg Roedel <jroedel@suse.de>

+Link: https://patch.msgid.link/9a3ddff5cc49512044f963ba0904347bd404094d.1745572340.git.lukas@wunner.de

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/iommu/amd/init.c | 3 ---

+ 1 file changed, 3 deletions(-)

+

+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c

+index 14aa0d77df26d..f9037dad53f31 100644

+--- a/drivers/iommu/amd/init.c

++++ b/drivers/iommu/amd/init.c

+@@ -2030,9 +2030,6 @@ static int __init iommu_init_pci(struct amd_iommu *iommu)

+ if (!iommu->dev)

+ return -ENODEV;

+

+- /* Prevent binding other PCI device drivers to IOMMU devices */

+- iommu->dev->match_driver = false;

+-

+ /* ACPI _PRT won't have an IRQ for IOMMU */

+ iommu->dev->irq_managed = 1;

+

+--

+2.39.5

+

+From 5aa894bff3828a8432bfd017152f5b2fd11e9b39 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 8 Apr 2025 02:08:32 +0800

+Subject: riscv: add a data fence for CMODX in the kernel mode

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Andy Chiu <andybnac@gmail.com>

+

+[ Upstream commit ca358692de41b273468e625f96926fa53e13bd8c ]

+

+RISC-V spec explicitly calls out that a local fence.i is not enough for

+the code modification to be visble from a remote hart. In fact, it

+states:

+

+To make a store to instruction memory visible to all RISC-V harts, the

+writing hart also has to execute a data FENCE before requesting that all

+remote RISC-V harts execute a FENCE.I.

+

+Although current riscv drivers for IPI use ordered MMIO when sending IPIs

+in order to synchronize the action between previous csd writes, riscv

+does not restrict itself to any particular flavor of IPI. Any driver or

+firmware implementation that does not order data writes before the IPI

+may pose a risk for code-modifying race.

+

+Thus, add a fence here to order data writes before making the IPI.

+

+Signed-off-by: Andy Chiu <andybnac@gmail.com>

+Reviewed-by: Björn Töpel <bjorn@rivosinc.com>

+Link: https://lore.kernel.org/r/20250407180838.42877-8-andybnac@gmail.com

+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>

+Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ arch/riscv/mm/cacheflush.c | 15 ++++++++++++++-

+ 1 file changed, 14 insertions(+), 1 deletion(-)

+

+diff --git a/arch/riscv/mm/cacheflush.c b/arch/riscv/mm/cacheflush.c

+index b816727298872..b2e4b81763f88 100644

+--- a/arch/riscv/mm/cacheflush.c

++++ b/arch/riscv/mm/cacheflush.c

+@@ -24,7 +24,20 @@ void flush_icache_all(void)

+

+ if (num_online_cpus() < 2)

+ return;

+- else if (riscv_use_sbi_for_rfence())

++

++ /*

++ * Make sure all previous writes to the D$ are ordered before making

++ * the IPI. The RISC-V spec states that a hart must execute a data fence

++ * before triggering a remote fence.i in order to make the modification

++ * visable for remote harts.

++ *

++ * IPIs on RISC-V are triggered by MMIO writes to either CLINT or

++ * S-IMSIC, so the fence ensures previous data writes "happen before"

++ * the MMIO.

++ */

++ RISCV_FENCE(w, o);

++

++ if (riscv_use_sbi_for_rfence())

+ sbi_remote_fence_i(NULL);

+ else

+ on_each_cpu(ipi_remote_fence_i, NULL, 1);

+--

+2.39.5

+

+From a0684b34376892feebb2f5b5af75943d9e1d6673 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Fri, 23 May 2025 12:19:25 +0200

+Subject: riscv: misaligned: declare misaligned_access_speed under

+ CONFIG_RISCV_MISALIGNED

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+From: Clément Léger <cleger@rivosinc.com>

+

+[ Upstream commit 1317045a7d6f397904d105f6d40dc9787876a34b ]

+

+While misaligned_access_speed was defined in a file compile with

+CONFIG_RISCV_MISALIGNED, its definition was under

+CONFIG_RISCV_SCALAR_MISALIGNED. This resulted in compilation problems

+when using it in a file compiled with CONFIG_RISCV_MISALIGNED.

+

+Move the declaration under CONFIG_RISCV_MISALIGNED so that it can be

+used unconditionnally when compiled with that config and remove the check

+for that variable in traps_misaligned.c.

+

+Signed-off-by: Clément Léger <cleger@rivosinc.com>

+Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>

+Tested-by: Charlie Jenkins <charlie@rivosinc.com>

+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>

+Link: https://lore.kernel.org/r/20250523101932.1594077-9-cleger@rivosinc.com

+Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ arch/riscv/include/asm/cpufeature.h | 5 ++++-

+ arch/riscv/kernel/traps_misaligned.c | 2 --

+ 2 files changed, 4 insertions(+), 3 deletions(-)

+

+diff --git a/arch/riscv/include/asm/cpufeature.h b/arch/riscv/include/asm/cpufeature.h

+index f56b409361fbe..7201da46694f7 100644

+--- a/arch/riscv/include/asm/cpufeature.h

++++ b/arch/riscv/include/asm/cpufeature.h

+@@ -71,7 +71,6 @@ bool __init check_unaligned_access_emulated_all_cpus(void);

+ void check_unaligned_access_emulated(struct work_struct *work __always_unused);

+ void unaligned_emulation_finish(void);

+ bool unaligned_ctl_available(void);

+-DECLARE_PER_CPU(long, misaligned_access_speed);

+ #else

+ static inline bool unaligned_ctl_available(void)

+ {

+@@ -79,6 +78,10 @@ static inline bool unaligned_ctl_available(void)

+ }

+ #endif

+

++#if defined(CONFIG_RISCV_MISALIGNED)

++DECLARE_PER_CPU(long, misaligned_access_speed);

++#endif

++

+ bool __init check_vector_unaligned_access_emulated_all_cpus(void);

+ #if defined(CONFIG_RISCV_VECTOR_MISALIGNED)

+ void check_vector_unaligned_access_emulated(struct work_struct *work __always_unused);

+diff --git a/arch/riscv/kernel/traps_misaligned.c b/arch/riscv/kernel/traps_misaligned.c

+index 56f06a27d45fb..a6b6047693105 100644

+--- a/arch/riscv/kernel/traps_misaligned.c

++++ b/arch/riscv/kernel/traps_misaligned.c

+@@ -368,9 +368,7 @@ static int handle_scalar_misaligned_load(struct pt_regs *regs)

+

+ perf_sw_event(PERF_COUNT_SW_ALIGNMENT_FAULTS, 1, regs, addr);

+

+-#ifdef CONFIG_RISCV_PROBE_UNALIGNED_ACCESS

+ *this_cpu_ptr(&misaligned_access_speed) = RISCV_HWPROBE_MISALIGNED_SCALAR_EMULATED;

+-#endif

+

+ if (!unaligned_enabled)

+ return -1;

+--

+2.39.5

+

+From 3391661043bc6c8f8ac874589b1f9395ac104434 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 10 Apr 2025 07:05:22 +0000

+Subject: riscv: save the SR_SUM status over switches

+

+From: Ben Dooks <ben.dooks@codethink.co.uk>

+

+[ Upstream commit 788aa64c01f1262310b4c1fb827a36df170d86ea ]

+

+When threads/tasks are switched we need to ensure the old execution's

+SR_SUM state is saved and the new thread has the old SR_SUM state

+restored.

+

+The issue was seen under heavy load especially with the syz-stress tool

+running, with crashes as follows in schedule_tail:

+

+Unable to handle kernel access to user memory without uaccess routines

+at virtual address 000000002749f0d0

+Oops [#1]

+Modules linked in:

+CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted

+5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0

+Hardware name: riscv-virtio,qemu (DT)

+epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264

+ ra : task_pid_vnr include/linux/sched.h:1421 [inline]

+ ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264

+epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0

+ gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000

+ t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0

+ s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003

+ a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00

+ a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba

+ s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0

+ s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850

+ s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8

+ s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2

+ t5 : ffffffc4043cafba t6 : 0000000000040000

+status: 0000000000000120 badaddr: 000000002749f0d0 cause:

+000000000000000f

+Call Trace:

+[<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264

+[<ffffffe000005570>] ret_from_exception+0x0/0x14

+Dumping ftrace buffer:

+ (ftrace buffer empty)

+---[ end trace b5f8f9231dc87dda ]---

+

+The issue comes from the put_user() in schedule_tail

+(kernel/sched/core.c) doing the following:

+

+asmlinkage __visible void schedule_tail(struct task_struct *prev)

+{

+...

+ if (current->set_child_tid)

+ put_user(task_pid_vnr(current), current->set_child_tid);

+...

+}

+

+the put_user() macro causes the code sequence to come out as follows:

+

+1: __enable_user_access()

+2: reg = task_pid_vnr(current);

+3: *current->set_child_tid = reg;

+4: __disable_user_access()

+

+The problem is that we may have a sleeping function as argument which

+could clear SR_SUM causing the panic above. This was fixed by

+evaluating the argument of the put_user() macro outside the user-enabled

+section in commit 285a76bb2cf5 ("riscv: evaluate put_user() arg before

+enabling user access")"

+

+In order for riscv to take advantage of unsafe_get/put_XXX() macros and

+to avoid the same issue we had with put_user() and sleeping functions we

+must ensure code flow can go through switch_to() from within a region of

+code with SR_SUM enabled and come back with SR_SUM still enabled. This

+patch addresses the problem allowing future work to enable full use of

+unsafe_get/put_XXX() macros without needing to take a CSR bit flip cost

+on every access. Make switch_to() save and restore SR_SUM.

+

+Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com

+Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>

+Signed-off-by: Cyril Bur <cyrilbur@tenstorrent.com>

+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>

+Reviewed-by: Deepak Gupta <debug@rivosinc.com>

+Link: https://lore.kernel.org/r/20250410070526.3160847-2-cyrilbur@tenstorrent.com

+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ arch/riscv/include/asm/processor.h | 1 +

+ arch/riscv/kernel/asm-offsets.c | 5 +++++

+ arch/riscv/kernel/entry.S | 8 ++++++++

+ 3 files changed, 14 insertions(+)

+

+diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h

+index 5f56eb9d114a9..58fd11c89fe9f 100644

+--- a/arch/riscv/include/asm/processor.h

++++ b/arch/riscv/include/asm/processor.h

+@@ -103,6 +103,7 @@ struct thread_struct {

+ struct __riscv_d_ext_state fstate;

+ unsigned long bad_cause;

+ unsigned long envcfg;

++ unsigned long status;

+ u32 riscv_v_flags;

+ u32 vstate_ctrl;

+ struct __riscv_v_ext_state vstate;

+diff --git a/arch/riscv/kernel/asm-offsets.c b/arch/riscv/kernel/asm-offsets.c

+index 16490755304e0..969c65b1fe41d 100644

+--- a/arch/riscv/kernel/asm-offsets.c

++++ b/arch/riscv/kernel/asm-offsets.c

+@@ -34,6 +34,7 @@ void asm_offsets(void)

+ OFFSET(TASK_THREAD_S9, task_struct, thread.s[9]);

+ OFFSET(TASK_THREAD_S10, task_struct, thread.s[10]);

+ OFFSET(TASK_THREAD_S11, task_struct, thread.s[11]);

++ OFFSET(TASK_THREAD_STATUS, task_struct, thread.status);

+

+ OFFSET(TASK_TI_CPU, task_struct, thread_info.cpu);

+ OFFSET(TASK_TI_PREEMPT_COUNT, task_struct, thread_info.preempt_count);

+@@ -346,6 +347,10 @@ void asm_offsets(void)

+ offsetof(struct task_struct, thread.s[11])

+ - offsetof(struct task_struct, thread.ra)

+ );

++ DEFINE(TASK_THREAD_STATUS_RA,

++ offsetof(struct task_struct, thread.status)

++ - offsetof(struct task_struct, thread.ra)

++ );

+

+ DEFINE(TASK_THREAD_F0_F0,

+ offsetof(struct task_struct, thread.fstate.f[0])

+diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S

+index 33a5a9f2a0d4e..00bd0de9faa28 100644

+--- a/arch/riscv/kernel/entry.S

++++ b/arch/riscv/kernel/entry.S

+@@ -397,9 +397,17 @@ SYM_FUNC_START(__switch_to)

+ REG_S s9, TASK_THREAD_S9_RA(a3)

+ REG_S s10, TASK_THREAD_S10_RA(a3)

+ REG_S s11, TASK_THREAD_S11_RA(a3)

++

++ /* save the user space access flag */

++ li s0, SR_SUM

++ csrr s1, CSR_STATUS

++ REG_S s1, TASK_THREAD_STATUS_RA(a3)

++

+ /* Save the kernel shadow call stack pointer */

+ scs_save_current

+ /* Restore context from next->thread */

++ REG_L s0, TASK_THREAD_STATUS_RA(a4)

++ csrs CSR_STATUS, s0

+ REG_L ra, TASK_THREAD_RA_RA(a4)

+ REG_L sp, TASK_THREAD_SP_RA(a4)

+ REG_L s0, TASK_THREAD_S0_RA(a4)

+--

+2.39.5

+

+From 1880157f9b459a1c1e5cd0c8cbb5c03b8fb780da Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 22 May 2025 05:02:31 -0700

+Subject: rust: arm: fix unknown (to Clang) argument '-mno-fdpic'

+

+From: Rudraksha Gupta <guptarud@gmail.com>

+

+[ Upstream commit 977c4308ee4270cf46e2c66b37de8e04670daa0c ]

+

+Currently rust on arm fails to compile due to '-mno-fdpic'. This flag

+disables a GCC feature that we don't want for kernel builds, so let's

+skip it as it doesn't apply to Clang.

+

+ UPD include/generated/asm-offsets.h

+ CALL scripts/checksyscalls.sh

+ RUSTC L rust/core.o

+ BINDGEN rust/bindings/bindings_generated.rs

+ BINDGEN rust/bindings/bindings_helpers_generated.rs

+ CC rust/helpers/helpers.o

+ Unable to generate bindings: clang diagnosed error: error: unknown argument: '-mno-fdpic'

+ make[2]: *** [rust/Makefile:369: rust/bindings/bindings_helpers_generated.rs] Error 1

+ make[2]: *** Deleting file 'rust/bindings/bindings_helpers_generated.rs'

+ make[2]: *** Waiting for unfinished jobs....

+ Unable to generate bindings: clang diagnosed error: error: unknown argument: '-mno-fdpic'

+ make[2]: *** [rust/Makefile:349: rust/bindings/bindings_generated.rs] Error 1

+ make[2]: *** Deleting file 'rust/bindings/bindings_generated.rs'

+ make[1]: *** [/home/pmos/build/src/linux-next-next-20250521/Makefile:1285: prepare] Error 2

+ make: *** [Makefile:248: __sub-make] Error 2

+

+[ Naresh provided the draft diff [1].

+

+ Ben explained [2]:

+

+ FDPIC is only relevant with no-MMU targets, and then only for userspace.

+ When configured for the arm-*-uclinuxfdpiceabi target, GCC enables FDPIC

+ by default to facilitate compiling userspace programs. FDPIC is never

+ used for the kernel, and we pass -mno-fdpic when building the kernel to

+ override the default and make sure FDPIC is disabled.

+

+ and [3]:

+

+ -mno-fdpic disables a GCC feature that we don't want for kernel builds.

+ clang does not support this feature, so it always behaves as though

+ -mno-fdpic is passed. Therefore, it should be fine to mix the two, at

+ least as far as FDPIC is concerned.

+

+ [1] https://lore.kernel.org/rust-for-linux/CA+G9fYt4otQK4pHv8pJBW9e28yHSGCDncKquwuJiJ_1ou0pq0w@mail.gmail.com/

+ [2] https://lore.kernel.org/rust-for-linux/aAKrq2InExQk7f_k@dell-precision-5540/

+ [3] https://lore.kernel.org/rust-for-linux/aAo_F_UP1Gd4jHlZ@dell-precision-5540/

+

+ - Miguel ]

+

+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>

+Closes: https://lore.kernel.org/all/CA+G9fYvOanQBYXKSg7C6EU30k8sTRC0JRPJXYu7wWK51w38QUQ@mail.gmail.com/

+Suggested-by: Miguel Ojeda <ojeda@kernel.org>

+Acked-by: Naresh Kamboju <naresh.kamboju@linaro.org>

+Signed-off-by: Rudraksha Gupta <guptarud@gmail.com>

+Link: https://lore.kernel.org/r/20250522-rust-mno-fdpic-arm-fix-v2-1-a6f691d9c198@gmail.com

+[ Reworded title. - Miguel ]

+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ rust/Makefile | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/rust/Makefile b/rust/Makefile

+index 313a200112ce1..d62b58d0a55cc 100644

+--- a/rust/Makefile

++++ b/rust/Makefile

+@@ -275,7 +275,7 @@ bindgen_skip_c_flags := -mno-fp-ret-in-387 -mpreferred-stack-boundary=% \

+ -fzero-call-used-regs=% -fno-stack-clash-protection \

+ -fno-inline-functions-called-once -fsanitize=bounds-strict \

+ -fstrict-flex-arrays=% -fmin-function-alignment=% \

+- -fzero-init-padding-bits=% \

++ -fzero-init-padding-bits=% -mno-fdpic \

+ --param=% --param asan-%

+

+ # Derived from `scripts/Makefile.clang`.

+--

+2.39.5

+

+From 07ad1cfcd0f5724025927a8b7cf6855af0e2b47b Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Sat, 8 Mar 2025 13:45:06 +0900

+Subject: rust: module: place cleanup_module() in .exit.text section

+

+From: FUJITA Tomonori <fujita.tomonori@gmail.com>

+

+[ Upstream commit 249c3a0e53acefc2b06d3b3e1fc28fb2081f878d ]

+

+Place cleanup_module() in .exit.text section. Currently,

+cleanup_module() is likely placed in the .text section. It's

+inconsistent with the layout of C modules, where cleanup_module() is

+placed in .exit.text.

+

+[ Boqun asked for an example of how the section changed to be

+ put in the log. Tomonori provided the following examples:

+

+ C module:

+

+ $ objdump -t ~/build/x86/drivers/block/loop.o|grep clean

+ 0000000000000000 l O .exit.data 0000000000000008 __UNIQUE_ID___addressable_cleanup_module412

+ 0000000000000000 g F .exit.text 000000000000009c cleanup_module

+

+ Rust module without this patch:

+

+ $ objdump -t ~/build/x86/samples/rust/rust_minimal.o|grep clean

+ 00000000000002b0 g F .text 00000000000000c6 cleanup_module

+ 0000000000000000 g O .exit.data 0000000000000008 _R...___UNIQUE_ID___addressable_cleanup_module

+

+ Rust module with this patch:

+

+ $ objdump -t ~/build/x86/samples/rust/rust_minimal.o|grep clean

+ 0000000000000000 g F .exit.text 00000000000000c6 cleanup_module

+ 0000000000000000 g O .exit.data 0000000000000008 _R...___UNIQUE_ID___addressable_cleanup_module

+

+ - Miguel ]

+

+Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>

+Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

+Link: https://lore.kernel.org/r/20250308044506.14458-1-fujita.tomonori@gmail.com

+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ rust/macros/module.rs | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/rust/macros/module.rs b/rust/macros/module.rs

+index 2f66107847f78..44e5cb108cea7 100644

+--- a/rust/macros/module.rs

++++ b/rust/macros/module.rs

+@@ -278,6 +278,7 @@ pub(crate) fn module(ts: TokenStream) -> TokenStream {

+ #[cfg(MODULE)]

+ #[doc(hidden)]

+ #[no_mangle]

++ #[link_section = \".exit.text\"]

+ pub extern \"C\" fn cleanup_module() {{

+ // SAFETY:

+ // - This function is inaccessible to the outside due to the double

+--

+2.39.5

+

+From 4661c4b1972ab71ee9e402e688029308091e08f0 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Tue, 3 Jun 2025 15:49:36 +0200

+Subject: s390/mm: Fix in_atomic() handling in do_secure_storage_access()

+

+From: Heiko Carstens <hca@linux.ibm.com>

+

+[ Upstream commit 11709abccf93b08adde95ef313c300b0d4bc28f1 ]

+

+Kernel user spaces accesses to not exported pages in atomic context

+incorrectly try to resolve the page fault.

+With debug options enabled call traces like this can be seen:

+

+BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523

+in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39

+preempt_count: 1, expected: 0

+RCU nest depth: 0, expected: 0

+INFO: lockdep is turned off.

+Preemption disabled at:

+[<00000383ea47cfa2>] copy_page_from_iter_atomic+0xa2/0x8a0

+CPU: 12 UID: 0 PID: 419074 Comm: qemu-system-s39

+Tainted: G W 6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug #1 PREEMPT

+Tainted: [W]=WARN

+Hardware name: IBM 3931 A01 703 (LPAR)

+Call Trace:

+ [<00000383e990d282>] dump_stack_lvl+0xa2/0xe8

+ [<00000383e99bf152>] __might_resched+0x292/0x2d0

+ [<00000383eaa7c374>] down_read+0x34/0x2d0

+ [<00000383e99432f8>] do_secure_storage_access+0x108/0x360

+ [<00000383eaa724b0>] __do_pgm_check+0x130/0x220

+ [<00000383eaa842e4>] pgm_check_handler+0x114/0x160

+ [<00000383ea47d028>] copy_page_from_iter_atomic+0x128/0x8a0

+([<00000383ea47d016>] copy_page_from_iter_atomic+0x116/0x8a0)

+ [<00000383e9c45eae>] generic_perform_write+0x16e/0x310

+ [<00000383e9eb87f4>] ext4_buffered_write_iter+0x84/0x160

+ [<00000383e9da0de4>] vfs_write+0x1c4/0x460

+ [<00000383e9da123c>] ksys_write+0x7c/0x100

+ [<00000383eaa7284e>] __do_syscall+0x15e/0x280

+ [<00000383eaa8417e>] system_call+0x6e/0x90

+INFO: lockdep is turned off.

+

+It is not allowed to take the mmap_lock while in atomic context. Therefore

+handle such a secure storage access fault as if the accessed page is not

+mapped: the uaccess function will return -EFAULT, and the caller has to

+deal with this. Usually this means that the access is retried in process

+context, which allows to resolve the page fault (or in this case export the

+page).

+

+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>

+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>

+Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>

+Link: https://lore.kernel.org/r/20250603134936.1314139-1-hca@linux.ibm.com

+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ arch/s390/mm/fault.c | 2 ++

+ 1 file changed, 2 insertions(+)

+

+diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c

+index da84ff6770dec..8b3f6dd00eab2 100644

+--- a/arch/s390/mm/fault.c

++++ b/arch/s390/mm/fault.c

+@@ -442,6 +442,8 @@ void do_secure_storage_access(struct pt_regs *regs)

+ if (rc)

+ BUG();

+ } else {

++ if (faulthandler_disabled())

++ return handle_fault_error_nolock(regs, 0);

+ mm = current->mm;

+ mmap_read_lock(mm);

+ vma = find_vma(mm, addr);

+--

+2.39.5

+

+From 60a206ed6d2f0c7cca3226fc2137585a6683bae9 Mon Sep 17 00:00:00 2001

+From: Sasha Levin <sashal@kernel.org>

+Date: Thu, 22 May 2025 16:12:28 +0800

+Subject: scsi: ufs: core: Don't perform UFS clkscaling during host async scan

+

+From: Ziqi Chen <quic_ziqichen@quicinc.com>

+

+[ Upstream commit e97633492f5a3eca7b3ff03b4ef6f993017f7955 ]

+

+When preparing for UFS clock scaling, the UFS driver will quiesce all

+sdevs queues in the UFS SCSI host tagset list and then unquiesce them in

+ufshcd_clock_scaling_unprepare(). If the UFS SCSI host async scan is in

+progress at this time, some LUs may be added to the tagset list between

+UFS clkscale prepare and unprepare. This can cause two issues:

+

+1. During clock scaling, there may be I/O requests issued through new

+added queues that have not been quiesced, leading to task abort issue.

+

+2. These new added queues that have not been quiesced will be unquiesced

+as well when UFS clkscale is unprepared, resulting in warning prints.

+

+Therefore, use the mutex lock scan_mutex in

+ufshcd_clock_scaling_prepare() and ufshcd_clock_scaling_unprepare() to

+protect it.

+

+Co-developed-by: Can Guo <quic_cang@quicinc.com>

+Signed-off-by: Can Guo <quic_cang@quicinc.com>

+Signed-off-by: Ziqi Chen <quic_ziqichen@quicinc.com>

+Link: https://lore.kernel.org/r/20250522081233.2358565-1-quic_ziqichen@quicinc.com

+Suggested-by: Bart Van Assche <bvanassche@acm.org>

+Reviewed-by: Bart Van Assche <bvanassche@acm.org>

+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

+Signed-off-by: Sasha Levin <sashal@kernel.org>

+---

+ drivers/ufs/core/ufshcd.c | 3 +++

+ 1 file changed, 3 insertions(+)

+

+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c

+index 04f769d907a44..ea24080c26e89 100644

+--- a/drivers/ufs/core/ufshcd.c

++++ b/drivers/ufs/core/ufshcd.c

+@@ -1379,6 +1379,7 @@ static int ufshcd_clock_scaling_prepare(struct ufs_hba *hba, u64 timeout_us)