release 6.14.3

debian/bin/genpatch-pfkernel

@@ -7,7 +7,7 @@ w=$(git rev-parse --path-format=absolute --show-toplevel) ; : "${w:?}" ; cd "$w"
 
 dst='debian/patches/pf-tmp'
 src='../linux-extras'
-branches='amd-pstate btrfs cpuidle crypto exfat fixes fuse kbuild nfs smb zstd'
+branches='amd-pstate cpuidle crypto fixes fuse kbuild smb zstd'
 
 if [ -d "${dst}" ] ; then rm -rf "${dst}" ; fi
 mkdir -p "${dst}"

debian/changelog

@@ -1,3 +1,17 @@
+linux (6.14.3-1) sid; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.14.3
+
+ -- Konstantin Demin <rockdrilla@gmail.com>  Mon, 21 Apr 2025 01:31:34 +0300
+
+linux (6.14.2-1) sid; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.14.2
+
+ -- Konstantin Demin <rockdrilla@gmail.com>  Fri, 11 Apr 2025 00:21:57 +0300
+
 linux (6.14.1-1) sid; urgency=medium
 
   * New upstream stable update:

debian/config/amd64/config.mobile

@@ -1394,6 +1394,7 @@ CONFIG_HID_THRUSTMASTER=m
 CONFIG_THRUSTMASTER_FF=y
 CONFIG_HID_UDRAW_PS3=m
 CONFIG_HID_U2FZERO=m
+CONFIG_HID_UNIVERSAL_PIDFF=m
 CONFIG_HID_WACOM=m
 CONFIG_HID_WIIMOTE=m
 CONFIG_HID_WINWING=m

debian/config/amd64/config.vm

@@ -808,6 +808,7 @@ CONFIG_HID_HYPERV_MOUSE=m
 # CONFIG_HID_TOPRE is not set
 # CONFIG_HID_THRUSTMASTER is not set
 # CONFIG_HID_UDRAW_PS3 is not set
+# CONFIG_HID_UNIVERSAL_PIDFF is not set
 # CONFIG_HID_WACOM is not set
 # CONFIG_HID_XINMO is not set
 # CONFIG_HID_ZEROPLUS is not set

debian/config/config

@@ -708,11 +708,6 @@ CONFIG_ASYNC_TX_DMA=y
 # CONFIG_DMABUF_HEAPS is not set
 # CONFIG_DMABUF_SYSFS_STATS is not set
 
-##
-## file: drivers/eisa/Kconfig
-##
-# CONFIG_EISA is not set
-
 ##
 ## file: drivers/firmware/Kconfig
 ##
@@ -2085,11 +2080,11 @@ CONFIG_INITRAMFS_PRESERVE_MTIME=y
 CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3=y
 # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
 ## end choice
+# CONFIG_SYSFS_SYSCALL is not set
 CONFIG_EXPERT=y
 # CONFIG_UID16 is not set
 CONFIG_MULTIUSER=y
 # CONFIG_SGETMASK_SYSCALL is not set
-# CONFIG_SYSFS_SYSCALL is not set
 CONFIG_FHANDLE=y
 CONFIG_POSIX_TIMERS=y
 CONFIG_PRINTK=y
@@ -2114,7 +2109,7 @@ CONFIG_CACHESTAT_SYSCALL=y
 # CONFIG_PC104 is not set
 CONFIG_KALLSYMS=y
 # CONFIG_KALLSYMS_SELFTEST is not set
-# CONFIG_KALLSYMS_ALL is not set
+CONFIG_KALLSYMS_ALL=y
 CONFIG_PERF_EVENTS=y
 # CONFIG_DEBUG_PERF_USE_VMALLOC is not set
 CONFIG_PROFILING=y
@@ -2172,6 +2167,11 @@ CONFIG_BPF_LSM=y
 CONFIG_SPARSE_IRQ=y
 # CONFIG_GENERIC_IRQ_DEBUGFS is not set
 
+##
+## file: kernel/livepatch/Kconfig
+##
+CONFIG_LIVEPATCH=y
+
 ##
 ## file: kernel/module/Kconfig
 ##
@@ -3780,7 +3780,6 @@ CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
 CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
 CONFIG_HAVE_EBPF_JIT=y
 CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
-CONFIG_HAVE_EISA=y
 CONFIG_HAVE_EXIT_THREAD=y
 CONFIG_HAVE_FENTRY=y
 CONFIG_HAVE_FTRACE_GRAPH_FUNC=y
@@ -3820,7 +3819,7 @@ CONFIG_HAVE_KVM_DIRTY_RING=y
 CONFIG_HAVE_KVM_DIRTY_RING_ACQ_REL=y
 CONFIG_HAVE_KVM_DIRTY_RING_TSO=y
 CONFIG_HAVE_KVM_IRQCHIP=y
-CONFIG_HAVE_KVM_IRQ_BYPASS=y
+CONFIG_HAVE_KVM_IRQ_BYPASS=m
 CONFIG_HAVE_KVM_IRQ_ROUTING=y
 CONFIG_HAVE_KVM_MSI=y
 CONFIG_HAVE_KVM_NO_POLL=y
@@ -3921,7 +3920,7 @@ CONFIG_IPVLAN_L3S=y
 CONFIG_IP_DCCP_TFRC_LIB=y
 CONFIG_IP_MROUTE_COMMON=y
 CONFIG_IP_ROUTE_CLASSID=y
-CONFIG_IRQ_BYPASS_MANAGER=y
+CONFIG_IRQ_BYPASS_MANAGER=m
 CONFIG_IRQ_DOMAIN=y
 CONFIG_IRQ_DOMAIN_HIERARCHY=y
 CONFIG_IRQ_FORCED_THREADING=y
@@ -3948,6 +3947,7 @@ CONFIG_KVM_PRIVATE_MEM=y
 CONFIG_KVM_VFIO=y
 CONFIG_KVM_X86=m
 CONFIG_KVM_XFER_TO_GUEST_WORK=y
+CONFIG_LD_CAN_USE_KEEP_IN_OVERLAY=y
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_ORPHAN_WARN=y
 CONFIG_LD_ORPHAN_WARN_LEVEL="warn"

debian/libcpupower1.symbols

@@ -6,6 +6,7 @@ libcpupower.so.1 libcpupower1 #MINVER#
  cpufreq_get_available_governors@Base 4.7~rc2-1~exp1
  cpufreq_get_boost_frequencies@Base 5.5.8-1~exp1
  cpufreq_get_driver@Base 4.7~rc2-1~exp1
+ cpufreq_get_energy_performance_preference@Base 6.14~
  cpufreq_get_freq_hardware@Base 4.7~rc2-1~exp1
  cpufreq_get_freq_kernel@Base 4.7~rc2-1~exp1
  cpufreq_get_hardware_limits@Base 4.7~rc2-1~exp1
@@ -23,6 +24,7 @@ libcpupower.so.1 libcpupower1 #MINVER#
  cpufreq_put_available_governors@Base 4.7~rc2-1~exp1
  cpufreq_put_boost_frequencies@Base 5.5.8-1~exp1
  cpufreq_put_driver@Base 4.7~rc2-1~exp1
+ cpufreq_put_energy_performance_preference@Base 6.14~
  cpufreq_put_policy@Base 4.7~rc2-1~exp1
  cpufreq_put_related_cpus@Base 4.7~rc2-1~exp1
  cpufreq_put_stats@Base 4.7~rc2-1~exp1

debian/patches/bugfix/all/ALSA-hda-realtek-Fix-built-in-mic-on-another-ASUS-Vi.patch

@@ -1,29 +0,0 @@
-From: Takashi Iwai <tiwai@suse.de>
-Date: Wed, 2 Apr 2025 09:42:07 +0200
-Subject: ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model
-Origin: https://git.kernel.org/linus/8983dc1b66c0e1928a263b8af0bb06f6cb9229c4
-Bug-Debian: https://bugs.debian.org/1100928
-
-There is another VivoBook model which built-in mic got broken recently
-by the fix of the pin sort.  Apply the correct quirk
-ALC256_FIXUP_ASUS_MIC_NO_PRESENCE to this model for addressing the
-regression, too.
-
-Fixes: 3b4309546b48 ("ALSA: hda: Fix headset detection failure due to unstable sort")
-Closes: https://lore.kernel.org/Z95s5T6OXFPjRnKf@eldamar.lan
-Link: https://patch.msgid.link/20250402074208.7347-1-tiwai@suse.de
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/pci/hda/patch_realtek.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -10772,6 +10772,7 @@ static const struct hda_quirk alc269_fix
- 	SND_PCI_QUIRK(0x1043, 0x1c43, "ASUS UX8406MA", ALC245_FIXUP_CS35L41_SPI_2),
- 	SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
- 	SND_PCI_QUIRK(0x1043, 0x1c63, "ASUS GU605M", ALC285_FIXUP_ASUS_GU605_SPI_SPEAKER2_TO_DAC1),
-+	SND_PCI_QUIRK(0x1043, 0x1c80, "ASUS VivoBook TP401", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
- 	SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS),
- 	SND_PCI_QUIRK(0x1043, 0x1c9f, "ASUS G614JU/JV/JI", ALC285_FIXUP_ASUS_HEADSET_MIC),
- 	SND_PCI_QUIRK(0x1043, 0x1caf, "ASUS G634JY/JZ/JI/JG", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS),

debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch

@@ -29,7 +29,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  MODULE_SOFTDEP("pre: blake2b-256");
 --- a/fs/jbd2/journal.c
 +++ b/fs/jbd2/journal.c
-@@ -3152,6 +3152,7 @@ static void __exit journal_exit(void)
+@@ -3158,6 +3158,7 @@ static void __exit journal_exit(void)
  
  MODULE_DESCRIPTION("Generic filesystem journal-writing module");
  MODULE_LICENSE("GPL");
@@ -39,7 +39,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
 --- a/fs/nfsd/nfsctl.c
 +++ b/fs/nfsd/nfsctl.c
-@@ -2344,5 +2344,8 @@ static void __exit exit_nfsd(void)
+@@ -2349,5 +2349,8 @@ static void __exit exit_nfsd(void)
  MODULE_AUTHOR("Olaf Kirch <okir@monad.swb.de>");
  MODULE_DESCRIPTION("In-kernel NFS server");
  MODULE_LICENSE("GPL");

debian/patches/bugfix/all/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read.patch

@@ -0,0 +1,84 @@
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+Date: Sat, 19 Oct 2024 22:13:03 +0300
+Subject: hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
+Origin: https://git.kernel.org/linus/bb5e07cb927724e0b47be371fa081141cfb14414
+
+Syzbot reported an issue in hfs subsystem:
+
+BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline]
+BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline]
+BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
+Write of size 94 at addr ffff8880123cd100 by task syz-executor237/5102
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ memcpy_from_page include/linux/highmem.h:423 [inline]
+ hfs_bnode_read fs/hfs/bnode.c:35 [inline]
+ hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
+ hfs_brec_insert+0x7f3/0xbd0 fs/hfs/brec.c:159
+ hfs_cat_create+0x41d/0xa50 fs/hfs/catalog.c:118
+ hfs_mkdir+0x6c/0xe0 fs/hfs/dir.c:232
+ vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
+ do_mkdirat+0x264/0x3a0 fs/namei.c:4280
+ __do_sys_mkdir fs/namei.c:4300 [inline]
+ __se_sys_mkdir fs/namei.c:4298 [inline]
+ __x64_sys_mkdir+0x6c/0x80 fs/namei.c:4298
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fbdd6057a99
+
+Add a check for key length in hfs_bnode_read_key to prevent
+out-of-bounds memory access. If the key length is invalid, the
+key buffer is cleared, improving stability and reliability.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+5f3a973ed3dfb85a6683@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=5f3a973ed3dfb85a6683
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://lore.kernel.org/20241019191303.24048-1-kovalev@altlinux.org
+Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+---
+ fs/hfs/bnode.c     | 6 ++++++
+ fs/hfsplus/bnode.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/fs/hfs/bnode.c
++++ b/fs/hfs/bnode.c
+@@ -67,6 +67,12 @@ void hfs_bnode_read_key(struct hfs_bnode
+ 	else
+ 		key_len = tree->max_key_len + 1;
+ 
++	if (key_len > sizeof(hfs_btree_key) || key_len < 1) {
++		memset(key, 0, sizeof(hfs_btree_key));
++		pr_err("hfs: Invalid key length: %d\n", key_len);
++		return;
++	}
++
+ 	hfs_bnode_read(node, key, off, key_len);
+ }
+ 
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -67,6 +67,12 @@ void hfs_bnode_read_key(struct hfs_bnode
+ 	else
+ 		key_len = tree->max_key_len + 2;
+ 
++	if (key_len > sizeof(hfsplus_btree_key) || key_len < 1) {
++		memset(key, 0, sizeof(hfsplus_btree_key));
++		pr_err("hfsplus: Invalid key length: %d\n", key_len);
++		return;
++	}
++
+ 	hfs_bnode_read(node, key, off, key_len);
+ }
+ 

debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

@@ -34,7 +34,7 @@ Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  /*
   * Minimum number of threads to boot the kernel
   */
-@@ -2167,6 +2173,10 @@ __latent_entropy struct task_struct *cop
+@@ -2171,6 +2177,10 @@ __latent_entropy struct task_struct *cop
  	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
  		return ERR_PTR(-EINVAL);
  
@@ -45,7 +45,7 @@ Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  	/*
  	 * Thread groups must share signals as well, and detached threads
  	 * can only be started up within the thread group.
-@@ -3320,6 +3330,12 @@ int ksys_unshare(unsigned long unshare_f
+@@ -3324,6 +3334,12 @@ int ksys_unshare(unsigned long unshare_f
  	if (unshare_flags & CLONE_NEWNS)
  		unshare_flags |= CLONE_FS;
  

debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch

@@ -60,3 +60,31 @@ Consequently, the ashmem part of this patch has been removed.
  		   uint, 0644);
  
  #define binder_alloc_debug(mask, x...) \
+--- a/mm/list_lru.c
++++ b/mm/list_lru.c
+@@ -175,6 +175,7 @@ bool list_lru_add(struct list_lru *lru,
+ 	unlock_list_lru(l, false);
+ 	return false;
+ }
++EXPORT_SYMBOL_GPL(list_lru_add);
+ 
+ bool list_lru_add_obj(struct list_lru *lru, struct list_head *item)
+ {
+@@ -212,6 +213,7 @@ bool list_lru_del(struct list_lru *lru,
+ 	unlock_list_lru(l, false);
+ 	return false;
+ }
++EXPORT_SYMBOL_GPL(list_lru_del);
+ 
+ bool list_lru_del_obj(struct list_lru *lru, struct list_head *item)
+ {
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -6392,6 +6392,7 @@ inval:
+ 	count_vm_vma_lock_event(VMA_LOCK_ABORT);
+ 	return NULL;
+ }
++EXPORT_SYMBOL_GPL(lock_vma_under_rcu);
+ #endif /* CONFIG_PER_VMA_LOCK */
+ 
+ #ifndef __PAGETABLE_P4D_FOLDED

debian/patches/debian/export-symbols-needed-by-android-drivers.patch

@@ -22,7 +22,7 @@ Export the currently un-exported symbols it depends on.
 
 --- a/fs/file.c
 +++ b/fs/file.c
-@@ -837,6 +837,7 @@ struct file *file_close_fd(unsigned int
+@@ -845,6 +845,7 @@ struct file *file_close_fd(unsigned int
  
  	return file;
  }
@@ -82,7 +82,7 @@ Export the currently un-exported symbols it depends on.
   * task_work_cancel_match - cancel a pending work added by task_work_add()
 --- a/mm/memory.c
 +++ b/mm/memory.c
-@@ -2030,6 +2030,7 @@ void zap_page_range_single(struct vm_are
+@@ -2027,6 +2027,7 @@ void zap_page_range_single(struct vm_are
  	tlb_finish_mmu(&tlb);
  	hugetlb_zap_end(vma, details);
  }

debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch

@@ -15,7 +15,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
 --- a/net/ax25/af_ax25.c
 +++ b/net/ax25/af_ax25.c
-@@ -2077,7 +2077,7 @@ module_init(ax25_init);
+@@ -2067,7 +2067,7 @@ module_init(ax25_init);
  MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
  MODULE_DESCRIPTION("The amateur radio AX.25 link layer protocol");
  MODULE_LICENSE("GPL");

debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch

@@ -20,7 +20,7 @@ is non-empty.
 ---
 --- a/Makefile
 +++ b/Makefile
-@@ -1873,7 +1873,7 @@ PHONY += prepare
+@@ -1876,7 +1876,7 @@ PHONY += prepare
  # now expand this into a simple variable to reduce the cost of shell evaluations
  prepare: CC_VERSION_TEXT := $(CC_VERSION_TEXT)
  prepare:

debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

@@ -0,0 +1,153 @@
+From: Linn Crosetto <linn@hpe.com>
+Date: Tue, 30 Aug 2016 11:54:38 -0600
+Subject: arm64: add kernel config option to lock down when in Secure Boot mode
+Bug-Debian: https://bugs.debian.org/831827
+Forwarded: no
+
+Add a kernel configuration option to lock down the kernel, to restrict
+userspace's ability to modify the running kernel when UEFI Secure Boot is
+enabled. Based on the x86 patch by Matthew Garrett.
+
+Determine the state of Secure Boot in the EFI stub and pass this to the
+kernel using the FDT.
+
+Signed-off-by: Linn Crosetto <linn@hpe.com>
+[bwh: Forward-ported to 4.10: adjust context]
+[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
+[bwh: Forward-ported to 4.15 and lockdown patch set:
+ - Pass result of efi_get_secureboot() in stub through to
+   efi_set_secure_boot() in main kernel
+ - Use lockdown API and naming]
+[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
+[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
+[bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this]
+[bwh: Forward-ported to 5.6: efi_get_secureboot() no longer takes a
+ sys_table parameter]
+[bwh: Forward-ported to 5.7: EFI initialisation from FDT was rewritten, so:
+ - Add Secure Boot mode to the parameter enumeration in fdtparams.c
+ - Add a parameter to efi_get_fdt_params() to return the Secure Boot mode
+ - Since Xen does not have a property name defined for Secure Boot mode,
+   change efi_get_fdt_prop() to handle a missing property name by clearing
+   the output variable]
+[Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename
+arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
+---
+ drivers/firmware/efi/efi-init.c    |    5 ++++-
+ drivers/firmware/efi/fdtparams.c   |   12 +++++++++++-
+ drivers/firmware/efi/libstub/fdt.c |    6 ++++++
+ include/linux/efi.h                |    3 ++-
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/efi/efi-init.c
++++ b/drivers/firmware/efi/efi-init.c
+@@ -213,9 +213,10 @@ void __init efi_init(void)
+ {
+ 	struct efi_memory_map_data data;
+ 	u64 efi_system_table;
++	u32 secure_boot;
+ 
+ 	/* Grab UEFI information placed in FDT by stub */
+-	efi_system_table = efi_get_fdt_params(&data);
++	efi_system_table = efi_get_fdt_params(&data, &secure_boot);
+ 	if (!efi_system_table)
+ 		return;
+ 
+@@ -237,6 +238,8 @@ void __init efi_init(void)
+ 		return;
+ 	}
+ 
++	efi_set_secure_boot(secure_boot);
++
+ 	reserve_regions();
+ 	/*
+ 	 * For memblock manipulation, the cap should come after the memblock_add().
+--- a/drivers/firmware/efi/fdtparams.c
++++ b/drivers/firmware/efi/fdtparams.c
+@@ -16,6 +16,7 @@ enum {
+ 	MMSIZE,
+ 	DCSIZE,
+ 	DCVERS,
++	SBMODE,
+ 
+ 	PARAMCOUNT
+ };
+@@ -26,6 +27,7 @@ static __initconst const char name[][22]
+ 	[MMSIZE] = "MemMap Size          ",
+ 	[DCSIZE] = "MemMap Desc. Size    ",
+ 	[DCVERS] = "MemMap Desc. Version ",
++	[SBMODE] = "Secure Boot Enabled  ",
+ };
+ 
+ static __initconst const struct {
+@@ -43,6 +45,7 @@ static __initconst const struct {
+ 			[MMSIZE] = "xen,uefi-mmap-size",
+ 			[DCSIZE] = "xen,uefi-mmap-desc-size",
+ 			[DCVERS] = "xen,uefi-mmap-desc-ver",
++			[SBMODE] = "",
+ 		}
+ 	}, {
+ #endif
+@@ -53,6 +56,7 @@ static __initconst const struct {
+ 			[MMSIZE] = "linux,uefi-mmap-size",
+ 			[DCSIZE] = "linux,uefi-mmap-desc-size",
+ 			[DCVERS] = "linux,uefi-mmap-desc-ver",
++			[SBMODE] = "linux,uefi-secure-boot",
+ 		}
+ 	}
+ };
+@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const
+ 	int len;
+ 	u64 val;
+ 
++	if (!pname[0]) {
++		memset(var, 0, size);
++		return 0;
++	}
++
+ 	prop = fdt_getprop(fdt, node, pname, &len);
+ 	if (!prop)
+ 		return 1;
+@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const
+ 	return 0;
+ }
+ 
+-u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
++u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm, u32 *secure_boot)
+ {
+ 	const void *fdt = initial_boot_params;
+ 	unsigned long systab;
+@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi
+ 		[MMSIZE] = { &mm->size,		sizeof(mm->size) },
+ 		[DCSIZE] = { &mm->desc_size,	sizeof(mm->desc_size) },
+ 		[DCVERS] = { &mm->desc_version,	sizeof(mm->desc_version) },
++		[SBMODE] = { secure_boot,       sizeof(*secure_boot) },
+ 	};
+ 
+ 	BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
+--- a/drivers/firmware/efi/libstub/fdt.c
++++ b/drivers/firmware/efi/libstub/fdt.c
+@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *ori
+ 		}
+ 	}
+ 
++	fdt_val32 = cpu_to_fdt32(efi_get_secureboot());
++	status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
++			     &fdt_val32, sizeof(fdt_val32));
++	if (status)
++		goto fdt_set_fail;
++
+ 	/* Shrink the FDT back to its minimum size: */
+ 	fdt_pack(fdt);
+ 
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -753,7 +753,8 @@ extern int efi_mem_desc_lookup(u64 phys_
+ extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
+ extern void efi_mem_reserve(phys_addr_t addr, u64 size);
+ extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
+-extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
++extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
++			      u32 *secure_boot);
+ extern struct kobject *efi_kobj;
+ 
+ extern int efi_reboot_quirk_mode;

debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch

@@ -0,0 +1,153 @@
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 18 Feb 2019 12:45:03 +0000
+Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28
+
+UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
+flag that can be passed to efi_enabled() to find out whether secure boot is
+enabled.
+
+Move the switch-statement in x86's setup_arch() that inteprets the
+secure_boot boot parameter to generic code and set the bit there.
+
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+cc: linux-efi@vger.kernel.org
+[rperier: Forward-ported to 5.5:
+ - Use pr_warn()
+ - Adjust context]
+[bwh: Forward-ported to 5.6: adjust context]
+[bwh: Forward-ported to 5.7:
+ - Use the next available bit in efi.flags
+ - Adjust context]
+---
+ arch/x86/kernel/setup.c           | 14 +----------
+ drivers/firmware/efi/Makefile     |  1 +
+ drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
+ include/linux/efi.h               | 16 ++++++++-----
+ 4 files changed, 51 insertions(+), 19 deletions(-)
+ create mode 100644 drivers/firmware/efi/secureboot.c
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1073,19 +1073,7 @@ void __init setup_arch(char **cmdline_p)
+ 	/* Allocate bigger log buffer */
+ 	setup_log_buf(1);
+ 
+-	if (efi_enabled(EFI_BOOT)) {
+-		switch (boot_params.secure_boot) {
+-		case efi_secureboot_mode_disabled:
+-			pr_info("Secure boot disabled\n");
+-			break;
+-		case efi_secureboot_mode_enabled:
+-			pr_info("Secure boot enabled\n");
+-			break;
+-		default:
+-			pr_info("Secure boot could not be determined\n");
+-			break;
+-		}
+-	}
++	efi_set_secure_boot(boot_params.secure_boot);
+ 
+ 	reserve_initrd();
+ 
+--- a/drivers/firmware/efi/Makefile
++++ b/drivers/firmware/efi/Makefile
+@@ -25,6 +25,7 @@ subdir-$(CONFIG_EFI_STUB)		+= libstub
+ obj-$(CONFIG_EFI_BOOTLOADER_CONTROL)	+= efibc.o
+ obj-$(CONFIG_EFI_TEST)			+= test/
+ obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
++obj-$(CONFIG_EFI)			+= secureboot.o
+ obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
+ obj-$(CONFIG_EFI_RCI2_TABLE)		+= rci2-table.o
+ obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE)	+= embedded-firmware.o
+--- /dev/null
++++ b/drivers/firmware/efi/secureboot.c
+@@ -0,0 +1,39 @@
++
++/* Core kernel secure boot support.
++ *
++ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
++#include <linux/efi.h>
++#include <linux/kernel.h>
++#include <linux/printk.h>
++
++/*
++ * Decide what to do when UEFI secure boot mode is enabled.
++ */
++void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
++{
++	if (efi_enabled(EFI_BOOT)) {
++		switch (mode) {
++		case efi_secureboot_mode_disabled:
++			pr_info("Secure boot disabled\n");
++			break;
++		case efi_secureboot_mode_enabled:
++			set_bit(EFI_SECURE_BOOT, &efi.flags);
++			pr_info("Secure boot enabled\n");
++			break;
++		default:
++			pr_warn("Secure boot could not be determined (mode %u)\n",
++				mode);
++			break;
++		}
++	}
++}
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -863,6 +863,14 @@ static inline int efi_range_is_wc(unsign
+ #define EFI_MEM_ATTR		9	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
+ #define EFI_MEM_NO_SOFT_RESERVE	10	/* Is the kernel configured to ignore soft reservations? */
+ #define EFI_PRESERVE_BS_REGIONS	11	/* Are EFI boot-services memory segments available? */
++#define EFI_SECURE_BOOT		12	/* Are we in Secure Boot mode? */
++
++enum efi_secureboot_mode {
++	efi_secureboot_mode_unset,
++	efi_secureboot_mode_unknown,
++	efi_secureboot_mode_disabled,
++	efi_secureboot_mode_enabled,
++};
+ 
+ #ifdef CONFIG_EFI
+ /*
+@@ -887,6 +895,7 @@ static inline bool efi_rt_services_suppo
+ 	return (efi.runtime_supported_mask & mask) == mask;
+ }
+ extern void efi_find_mirror(void);
++extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
+ #else
+ static inline bool efi_enabled(int feature)
+ {
+@@ -906,6 +915,7 @@ static inline bool efi_rt_services_suppo
+ }
+ 
+ static inline void efi_find_mirror(void) {}
++static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
+ #endif
+ 
+ extern int efi_status_to_err(efi_status_t status);
+@@ -1124,13 +1134,6 @@ static inline bool efi_runtime_disabled(
+ extern void efi_call_virt_check_flags(unsigned long flags, const void *caller);
+ extern unsigned long efi_call_virt_save_flags(void);
+ 
+-enum efi_secureboot_mode {
+-	efi_secureboot_mode_unset,
+-	efi_secureboot_mode_unknown,
+-	efi_secureboot_mode_disabled,
+-	efi_secureboot_mode_enabled,
+-};
+-
+ static inline
+ enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
+ {

debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

@@ -0,0 +1,121 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 10 Sep 2019 11:54:28 +0100
+Subject: efi: Lock down the kernel if booted in secure boot mode
+
+Based on an earlier patch by David Howells, who wrote the following
+description:
+
+> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+> only load signed bootloaders and kernels.  Certain use cases may also
+> require that all kernel modules also be signed.  Add a configuration option
+> that to lock down the kernel - which includes requiring validly signed
+> modules - if the kernel is secure-booted.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+[Salvatore Bonaccorso: After fixing https://bugs.debian.org/956197 the
+help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
+lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
+Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+---
+ arch/x86/kernel/setup.c           |    4 ++--
+ drivers/firmware/efi/secureboot.c |    3 +++
+ include/linux/security.h          |    6 ++++++
+ security/lockdown/Kconfig         |   15 +++++++++++++++
+ security/lockdown/lockdown.c      |    2 +-
+ 5 files changed, 27 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -907,6 +907,8 @@ void __init setup_arch(char **cmdline_p)
+ 	if (efi_enabled(EFI_BOOT))
+ 		efi_init();
+ 
++	efi_set_secure_boot(boot_params.secure_boot);
++
+ 	reserve_ibft_region();
+ 	x86_init.resources.dmi_setup();
+ 
+@@ -1073,8 +1075,6 @@ void __init setup_arch(char **cmdline_p)
+ 	/* Allocate bigger log buffer */
+ 	setup_log_buf(1);
+ 
+-	efi_set_secure_boot(boot_params.secure_boot);
+-
+ 	reserve_initrd();
+ 
+ 	acpi_table_upgrade();
+--- a/drivers/firmware/efi/secureboot.c
++++ b/drivers/firmware/efi/secureboot.c
+@@ -15,6 +15,7 @@
+ #include <linux/efi.h>
+ #include <linux/kernel.h>
+ #include <linux/printk.h>
++#include <linux/security.h>
+ 
+ /*
+  * Decide what to do when UEFI secure boot mode is enabled.
+@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi
+ 			break;
+ 		case efi_secureboot_mode_enabled:
+ 			set_bit(EFI_SECURE_BOOT, &efi.flags);
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++			lock_kernel_down("EFI Secure Boot",
++					 LOCKDOWN_INTEGRITY_MAX);
++#endif
+ 			pr_info("Secure boot enabled\n");
+ 			break;
+ 		default:
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -574,6 +574,7 @@ int security_inode_notifysecctx(struct i
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp);
+ int security_locked_down(enum lockdown_reason what);
++int lock_kernel_down(const char *where, enum lockdown_reason level);
+ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
+ 		      void *val, size_t val_len, u64 id, u64 flags);
+ int security_bdev_alloc(struct block_device *bdev);
+@@ -1580,6 +1581,11 @@ static inline int security_locked_down(e
+ {
+ 	return 0;
+ }
++static inline int
++lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++	return -EOPNOTSUPP;
++}
+ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
+ 				    u32 *uctx_len, void *val, size_t val_len,
+ 				    u64 id, u64 flags)
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
+ 	 disabled.
+ 
+ endchoice
++
++config LOCK_DOWN_IN_EFI_SECURE_BOOT
++	bool "Lock down the kernel in EFI Secure Boot mode"
++	default n
++	depends on SECURITY_LOCKDOWN_LSM
++	depends on EFI
++	select SECURITY_LOCKDOWN_LSM_EARLY
++	help
++	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
++	  will only load signed bootloaders and kernels.  Secure boot mode may
++	  be determined from EFI variables provided by the system firmware if
++	  not indicated by the boot parameters.
++
++	  Enabling this option results in kernel lockdown being
++	  triggered in integrity mode if EFI Secure Boot is set.
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -24,7 +24,7 @@ static const enum lockdown_reason lockdo
+ /*
+  * Put the kernel into lock-down mode.
+  */
+-static int lock_kernel_down(const char *where, enum lockdown_reason level)
++int lock_kernel_down(const char *where, enum lockdown_reason level)
+ {
+ 	if (kernel_locked_down >= level)
+ 		return -EPERM;

debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch

@@ -0,0 +1,75 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 30 Aug 2019 15:54:24 +0100
+Subject: mtd: phram,slram: Disable when the kernel is locked down
+Forwarded: https://lore.kernel.org/linux-security-module/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/
+
+These drivers allow mapping arbitrary memory ranges as MTD devices.
+This should be disabled to preserve the kernel's integrity when it is
+locked down.
+
+* Add the HWPARAM flag to the module parameters
+* When slram is built-in, it uses __setup() to read kernel parameters,
+  so add an explicit check security_locked_down() check
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Matthew Garrett <mjg59@google.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Joern Engel <joern@lazybastard.org>
+Cc: linux-mtd@lists.infradead.org
+---
+ drivers/mtd/devices/phram.c | 6 +++++-
+ drivers/mtd/devices/slram.c | 9 ++++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/devices/phram.c
++++ b/drivers/mtd/devices/phram.c
+@@ -365,7 +365,11 @@ static int phram_param_call(const char *
+ #endif
+ }
+ 
+-module_param_call(phram, phram_param_call, NULL, NULL, 0200);
++static const struct kernel_param_ops phram_param_ops = {
++	.set = phram_param_call
++};
++__module_param_call(MODULE_PARAM_PREFIX, phram, &phram_param_ops, NULL,
++		    0200, -1, KERNEL_PARAM_FL_HWPARAM | hwparam_iomem);
+ MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>[,<erasesize>]\"");
+ 
+ #ifdef CONFIG_OF
+--- a/drivers/mtd/devices/slram.c
++++ b/drivers/mtd/devices/slram.c
+@@ -43,6 +43,7 @@
+ #include <linux/ioctl.h>
+ #include <linux/init.h>
+ #include <linux/io.h>
++#include <linux/security.h>
+ 
+ #include <linux/mtd/mtd.h>
+ 
+@@ -65,7 +66,7 @@ typedef struct slram_mtd_list {
+ #ifdef MODULE
+ static char *map[SLRAM_MAX_DEVICES_PARAMS];
+ 
+-module_param_array(map, charp, NULL, 0);
++module_param_hw_array(map, charp, iomem, NULL, 0);
+ MODULE_PARM_DESC(map, "List of memory regions to map. \"map=<name>, <start>, <length / end>\"");
+ #else
+ static char *map;
+@@ -281,11 +282,17 @@ static int __init init_slram(void)
+ #ifndef MODULE
+ 	char *devstart;
+ 	char *devlength;
++	int ret;
+ 
+ 	if (!map) {
+ 		E("slram: not enough parameters.\n");
+ 		return(-EINVAL);
+ 	}
++
++	ret = security_locked_down(LOCKDOWN_MODULE_PARAMETERS);
++	if (ret)
++		return ret;
++
+ 	while (map) {
+ 		devname = devstart = devlength = NULL;
+ 

debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch

@@ -22,7 +22,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/include/linux/perf_event.h
 +++ b/include/linux/perf_event.h
-@@ -1659,6 +1659,11 @@ int perf_cpu_time_max_percent_handler(co
+@@ -1695,6 +1695,11 @@ int perf_cpu_time_max_percent_handler(co
  int perf_event_max_stack_handler(const struct ctl_table *table, int write,
  		void *buffer, size_t *lenp, loff_t *ppos);
  
@@ -50,7 +50,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
  /* Minimum for 512 kiB + 1 user control page */
  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -12821,6 +12826,9 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -12803,6 +12808,9 @@ SYSCALL_DEFINE5(perf_event_open,
  	if (err)
  		return err;
  

debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch

@@ -29,7 +29,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -6982,6 +6982,10 @@
+@@ -6984,6 +6984,10 @@
  			later by a loaded module cannot be set this way.
  			Example: sysctl.vm.swappiness=40
  
@@ -42,7 +42,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  			Ignore sysrq setting - this boot parameter will
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -3186,6 +3186,14 @@ config COMPAT_32
+@@ -3189,6 +3189,14 @@ config COMPAT_32
  	select HAVE_UID16
  	select OLD_SIGSUSPEND3
  

debian/patches/krd/0001-Revert-objtool-dont-fail-the-kernel-build-on-fatal-errors.patch

@@ -30,7 +30,7 @@ this reverts following commit:
 
 --- a/tools/objtool/check.c
 +++ b/tools/objtool/check.c
-@@ -4771,10 +4771,14 @@ int check(struct objtool_file *file)
+@@ -4750,10 +4750,14 @@ int check(struct objtool_file *file)
  	}
  
  out:

debian/patches/mixed-arch/0002-ZEN-Restore-CONFIG_OPTIMIZE_FOR_PERFORMANCE_O3.patch

@@ -25,7 +25,7 @@ dependency on CONFIG_ARC and adds RUSTFLAGS.
  KBUILD_RUSTFLAGS += -Copt-level=s
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1465,6 +1465,12 @@ config CC_OPTIMIZE_FOR_PERFORMANCE
+@@ -1470,6 +1470,12 @@ config CC_OPTIMIZE_FOR_PERFORMANCE
  	  with the "-O2" compiler flag for best performance and most
  	  helpful compile-time warnings.
  

debian/patches/patchset-pf/amd-pstate/0001-cpufreq-amd-pstate-Modify-the-min_perf-calculation-i.patch

@@ -1,59 +0,0 @@
-From c8c9ab8ff5cc5c0809cd958679614ade200a6ab3 Mon Sep 17 00:00:00 2001
-From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
-Date: Wed, 5 Feb 2025 11:25:14 +0000
-Subject: cpufreq/amd-pstate: Modify the min_perf calculation in adjust_perf
- callback
-
-Instead of setting a fixed floor at lowest_nonlinear_perf, use the
-min_limit_perf value, so that it gives the user the freedom to lower the
-floor further.
-
-There are two minimum frequency/perf limits that we need to consider in
-the adjust_perf callback. One provided by schedutil i.e. the sg_cpu->bw_min
-value passed in _min_perf arg, another is the effective value of
-min_freq_qos request that is updated in cpudata->min_limit_perf. Modify the
-code to use the bigger of these two values.
-
-Signed-off-by: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
-Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
----
- drivers/cpufreq/amd-pstate.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
---- a/drivers/cpufreq/amd-pstate.c
-+++ b/drivers/cpufreq/amd-pstate.c
-@@ -672,7 +672,7 @@ static void amd_pstate_adjust_perf(unsig
- 				   unsigned long capacity)
- {
- 	unsigned long max_perf, min_perf, des_perf,
--		      cap_perf, lowest_nonlinear_perf;
-+		      cap_perf, min_limit_perf;
- 	struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
- 	struct amd_cpudata *cpudata;
- 
-@@ -684,20 +684,20 @@ static void amd_pstate_adjust_perf(unsig
- 	if (policy->min != cpudata->min_limit_freq || policy->max != cpudata->max_limit_freq)
- 		amd_pstate_update_min_max_limit(policy);
- 
--
- 	cap_perf = READ_ONCE(cpudata->highest_perf);
--	lowest_nonlinear_perf = READ_ONCE(cpudata->lowest_nonlinear_perf);
-+	min_limit_perf = READ_ONCE(cpudata->min_limit_perf);
- 
- 	des_perf = cap_perf;
- 	if (target_perf < capacity)
- 		des_perf = DIV_ROUND_UP(cap_perf * target_perf, capacity);
- 
--	min_perf = READ_ONCE(cpudata->lowest_perf);
- 	if (_min_perf < capacity)
- 		min_perf = DIV_ROUND_UP(cap_perf * _min_perf, capacity);
-+	else
-+		min_perf = cap_perf;
- 
--	if (min_perf < lowest_nonlinear_perf)
--		min_perf = lowest_nonlinear_perf;
-+	if (min_perf < min_limit_perf)
-+		min_perf = min_limit_perf;
- 
- 	max_perf = cpudata->max_limit_perf;
- 	if (max_perf < min_perf)

debian/patches/patchset-pf/amd-pstate/0001-cpufreq-amd-pstate-Remove-the-redundant-des_perf-cla.patch

@@ -1,4 +1,4 @@
-From 16466d169a187b4c650771234de119279346f523 Mon Sep 17 00:00:00 2001
+From cb40e98d75a75567cbd10f9fc69c2ec12c87a445 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:15 +0000
 Subject: cpufreq/amd-pstate: Remove the redundant des_perf clamping in
@@ -16,7 +16,7 @@ Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
 
 --- a/drivers/cpufreq/amd-pstate.c
 +++ b/drivers/cpufreq/amd-pstate.c
-@@ -703,8 +703,6 @@ static void amd_pstate_adjust_perf(unsig
+@@ -705,8 +705,6 @@ static void amd_pstate_adjust_perf(unsig
  	if (max_perf < min_perf)
  		max_perf = min_perf;
  

debian/patches/patchset-pf/amd-pstate/0002-cpufreq-amd-pstate-Modularize-perf-freq-conversion.patch

@@ -1,4 +1,4 @@
-From b132b889dc7aa398a789e02dd6fbd5a512b4a9e0 Mon Sep 17 00:00:00 2001
+From f58e440e56a6c8a2c04894e5d169d1a98a8ce74f Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:18 +0000
 Subject: cpufreq/amd-pstate: Modularize perf<->freq conversion
@@ -35,7 +35,7 @@ Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
  static int __init dmi_matched_7k62_bios_bug(const struct dmi_system_id *dmi)
  {
  	/**
-@@ -534,14 +548,12 @@ static inline bool amd_pstate_sample(str
+@@ -534,7 +548,6 @@ static inline bool amd_pstate_sample(str
  static void amd_pstate_update(struct amd_cpudata *cpudata, u8 min_perf,
  			      u8 des_perf, u8 max_perf, bool fast_switch, int gov_flags)
  {
@@ -43,6 +43,8 @@ Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
  	struct cpufreq_policy *policy = cpufreq_cpu_get(cpudata->cpu);
  	u8 nominal_perf = READ_ONCE(cpudata->nominal_perf);
  
+@@ -543,8 +556,7 @@ static void amd_pstate_update(struct amd
+ 
  	des_perf = clamp_t(u8, des_perf, min_perf, max_perf);
  
 -	max_freq = READ_ONCE(cpudata->max_limit_freq);
@@ -51,7 +53,7 @@ Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
  
  	if ((cppc_state == AMD_PSTATE_GUIDED) && (gov_flags & CPUFREQ_GOV_DYNAMIC_SWITCHING)) {
  		min_perf = des_perf;
-@@ -591,14 +603,11 @@ static int amd_pstate_verify(struct cpuf
+@@ -594,14 +606,11 @@ static int amd_pstate_verify(struct cpuf
  
  static int amd_pstate_update_min_max_limit(struct cpufreq_policy *policy)
  {
@@ -69,7 +71,7 @@ Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
  
  	if (cpudata->policy == CPUFREQ_POLICY_PERFORMANCE)
  		min_limit_perf = min(cpudata->nominal_perf, max_limit_perf);
-@@ -616,21 +625,15 @@ static int amd_pstate_update_freq(struct
+@@ -619,21 +628,15 @@ static int amd_pstate_update_freq(struct
  {
  	struct cpufreq_freqs freqs;
  	struct amd_cpudata *cpudata = policy->driver_data;
@@ -93,7 +95,7 @@ Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
  
  	WARN_ON(fast_switch && !policy->fast_switch_enabled);
  	/*
-@@ -905,7 +908,6 @@ static int amd_pstate_init_freq(struct a
+@@ -908,7 +911,6 @@ static int amd_pstate_init_freq(struct a
  {
  	int ret;
  	u32 min_freq, max_freq;
@@ -101,7 +103,7 @@ Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
  	u32 nominal_freq, lowest_nonlinear_freq;
  	struct cppc_perf_caps cppc_perf;
  
-@@ -923,16 +925,17 @@ static int amd_pstate_init_freq(struct a
+@@ -926,16 +928,17 @@ static int amd_pstate_init_freq(struct a
  	else
  		nominal_freq = cppc_perf.nominal_freq;
  

debian/patches/patchset-pf/amd-pstate/0003-cpufreq-amd-pstate-Pass-min-max_limit_perf-as-min-ma.patch

@@ -1,51 +0,0 @@
-From 0dfebf0094ea7c512cf3db1013cf82124d4bbc3a Mon Sep 17 00:00:00 2001
-From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
-Date: Wed, 5 Feb 2025 11:25:16 +0000
-Subject: cpufreq/amd-pstate: Pass min/max_limit_perf as min/max_perf to
- amd_pstate_update
-
-Currently, amd_pstate_update_freq passes the hardware perf limits as
-min/max_perf to amd_pstate_update, which eventually gets programmed into
-the min/max_perf fields of the CPPC_REQ register.
-
-Instead pass the effective perf limits i.e. min/max_limit_perf values to
-amd_pstate_update as min/max_perf.
-
-Signed-off-by: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
-Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
----
- drivers/cpufreq/amd-pstate.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
---- a/drivers/cpufreq/amd-pstate.c
-+++ b/drivers/cpufreq/amd-pstate.c
-@@ -615,7 +615,7 @@ static int amd_pstate_update_freq(struct
- {
- 	struct cpufreq_freqs freqs;
- 	struct amd_cpudata *cpudata = policy->driver_data;
--	unsigned long max_perf, min_perf, des_perf, cap_perf;
-+	unsigned long des_perf, cap_perf;
- 
- 	if (!cpudata->max_freq)
- 		return -ENODEV;
-@@ -624,8 +624,6 @@ static int amd_pstate_update_freq(struct
- 		amd_pstate_update_min_max_limit(policy);
- 
- 	cap_perf = READ_ONCE(cpudata->highest_perf);
--	min_perf = READ_ONCE(cpudata->lowest_perf);
--	max_perf = cap_perf;
- 
- 	freqs.old = policy->cur;
- 	freqs.new = target_freq;
-@@ -642,8 +640,9 @@ static int amd_pstate_update_freq(struct
- 	if (!fast_switch)
- 		cpufreq_freq_transition_begin(policy, &freqs);
- 
--	amd_pstate_update(cpudata, min_perf, des_perf,
--			max_perf, fast_switch, policy->governor->flags);
-+	amd_pstate_update(cpudata, cpudata->min_limit_perf, des_perf,
-+			  cpudata->max_limit_perf, fast_switch,
-+			  policy->governor->flags);
- 
- 	if (!fast_switch)
- 		cpufreq_freq_transition_end(policy, &freqs, false);

debian/patches/patchset-pf/amd-pstate/0003-cpufreq-amd-pstate-Remove-the-unnecessary-cpufreq_up.patch

@@ -1,4 +1,4 @@
-From 6c284985cc268da10f0e38f1f3b9af62ecfc3998 Mon Sep 17 00:00:00 2001
+From 0a12d4a3ca1a996c1073d60c6775424972e8b7b9 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:19 +0000
 Subject: cpufreq/amd-pstate: Remove the unnecessary cpufreq_update_policy call
@@ -24,7 +24,7 @@ Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
 
 --- a/drivers/cpufreq/amd-pstate.c
 +++ b/drivers/cpufreq/amd-pstate.c
-@@ -853,10 +853,6 @@ static void amd_pstate_update_limits(uns
+@@ -856,10 +856,6 @@ static void amd_pstate_update_limits(uns
  			sched_set_itmt_core_prio((int)cur_high, cpu);
  	}
  	cpufreq_cpu_put(policy);

debian/patches/patchset-pf/amd-pstate/0004-cpufreq-amd-pstate-Convert-all-perf-values-to-u8.patch

@@ -1,355 +0,0 @@
-From 3daf64b383bc41feb0bf23790939b4512ba9170d Mon Sep 17 00:00:00 2001
-From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
-Date: Wed, 5 Feb 2025 11:25:17 +0000
-Subject: cpufreq/amd-pstate: Convert all perf values to u8
-
-All perf values are always within 0-255 range, hence convert their
-datatype to u8 everywhere.
-
-Signed-off-by: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
-Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
----
- drivers/cpufreq/amd-pstate-trace.h | 46 +++++++++++------------
- drivers/cpufreq/amd-pstate.c       | 60 +++++++++++++++---------------
- drivers/cpufreq/amd-pstate.h       | 18 ++++-----
- 3 files changed, 62 insertions(+), 62 deletions(-)
-
---- a/drivers/cpufreq/amd-pstate-trace.h
-+++ b/drivers/cpufreq/amd-pstate-trace.h
-@@ -24,9 +24,9 @@
- 
- TRACE_EVENT(amd_pstate_perf,
- 
--	TP_PROTO(unsigned long min_perf,
--		 unsigned long target_perf,
--		 unsigned long capacity,
-+	TP_PROTO(u8 min_perf,
-+		 u8 target_perf,
-+		 u8 capacity,
- 		 u64 freq,
- 		 u64 mperf,
- 		 u64 aperf,
-@@ -47,9 +47,9 @@ TRACE_EVENT(amd_pstate_perf,
- 		),
- 
- 	TP_STRUCT__entry(
--		__field(unsigned long, min_perf)
--		__field(unsigned long, target_perf)
--		__field(unsigned long, capacity)
-+		__field(u8, min_perf)
-+		__field(u8, target_perf)
-+		__field(u8, capacity)
- 		__field(unsigned long long, freq)
- 		__field(unsigned long long, mperf)
- 		__field(unsigned long long, aperf)
-@@ -70,10 +70,10 @@ TRACE_EVENT(amd_pstate_perf,
- 		__entry->fast_switch = fast_switch;
- 		),
- 
--	TP_printk("amd_min_perf=%lu amd_des_perf=%lu amd_max_perf=%lu freq=%llu mperf=%llu aperf=%llu tsc=%llu cpu_id=%u fast_switch=%s",
--		  (unsigned long)__entry->min_perf,
--		  (unsigned long)__entry->target_perf,
--		  (unsigned long)__entry->capacity,
-+	TP_printk("amd_min_perf=%hhu amd_des_perf=%hhu amd_max_perf=%hhu freq=%llu mperf=%llu aperf=%llu tsc=%llu cpu_id=%u fast_switch=%s",
-+		  (u8)__entry->min_perf,
-+		  (u8)__entry->target_perf,
-+		  (u8)__entry->capacity,
- 		  (unsigned long long)__entry->freq,
- 		  (unsigned long long)__entry->mperf,
- 		  (unsigned long long)__entry->aperf,
-@@ -86,10 +86,10 @@ TRACE_EVENT(amd_pstate_perf,
- TRACE_EVENT(amd_pstate_epp_perf,
- 
- 	TP_PROTO(unsigned int cpu_id,
--		 unsigned int highest_perf,
--		 unsigned int epp,
--		 unsigned int min_perf,
--		 unsigned int max_perf,
-+		 u8 highest_perf,
-+		 u8 epp,
-+		 u8 min_perf,
-+		 u8 max_perf,
- 		 bool boost
- 		 ),
- 
-@@ -102,10 +102,10 @@ TRACE_EVENT(amd_pstate_epp_perf,
- 
- 	TP_STRUCT__entry(
- 		__field(unsigned int, cpu_id)
--		__field(unsigned int, highest_perf)
--		__field(unsigned int, epp)
--		__field(unsigned int, min_perf)
--		__field(unsigned int, max_perf)
-+		__field(u8, highest_perf)
-+		__field(u8, epp)
-+		__field(u8, min_perf)
-+		__field(u8, max_perf)
- 		__field(bool, boost)
- 		),
- 
-@@ -118,12 +118,12 @@ TRACE_EVENT(amd_pstate_epp_perf,
- 		__entry->boost = boost;
- 		),
- 
--	TP_printk("cpu%u: [%u<->%u]/%u, epp=%u, boost=%u",
-+	TP_printk("cpu%u: [%hhu<->%hhu]/%hhu, epp=%hhu, boost=%u",
- 		  (unsigned int)__entry->cpu_id,
--		  (unsigned int)__entry->min_perf,
--		  (unsigned int)__entry->max_perf,
--		  (unsigned int)__entry->highest_perf,
--		  (unsigned int)__entry->epp,
-+		  (u8)__entry->min_perf,
-+		  (u8)__entry->max_perf,
-+		  (u8)__entry->highest_perf,
-+		  (u8)__entry->epp,
- 		  (bool)__entry->boost
- 		 )
- );
---- a/drivers/cpufreq/amd-pstate.c
-+++ b/drivers/cpufreq/amd-pstate.c
-@@ -186,7 +186,7 @@ static inline int get_mode_idx_from_str(
- static DEFINE_MUTEX(amd_pstate_limits_lock);
- static DEFINE_MUTEX(amd_pstate_driver_lock);
- 
--static s16 msr_get_epp(struct amd_cpudata *cpudata)
-+static u8 msr_get_epp(struct amd_cpudata *cpudata)
- {
- 	u64 value;
- 	int ret;
-@@ -207,7 +207,7 @@ static inline s16 amd_pstate_get_epp(str
- 	return static_call(amd_pstate_get_epp)(cpudata);
- }
- 
--static s16 shmem_get_epp(struct amd_cpudata *cpudata)
-+static u8 shmem_get_epp(struct amd_cpudata *cpudata)
- {
- 	u64 epp;
- 	int ret;
-@@ -218,11 +218,11 @@ static s16 shmem_get_epp(struct amd_cpud
- 		return ret;
- 	}
- 
--	return (s16)(epp & 0xff);
-+	return FIELD_GET(AMD_CPPC_EPP_PERF_MASK, epp);
- }
- 
--static int msr_update_perf(struct amd_cpudata *cpudata, u32 min_perf,
--			   u32 des_perf, u32 max_perf, u32 epp, bool fast_switch)
-+static int msr_update_perf(struct amd_cpudata *cpudata, u8 min_perf,
-+			   u8 des_perf, u8 max_perf, u8 epp, bool fast_switch)
- {
- 	u64 value, prev;
- 
-@@ -257,15 +257,15 @@ static int msr_update_perf(struct amd_cp
- DEFINE_STATIC_CALL(amd_pstate_update_perf, msr_update_perf);
- 
- static inline int amd_pstate_update_perf(struct amd_cpudata *cpudata,
--					  u32 min_perf, u32 des_perf,
--					  u32 max_perf, u32 epp,
-+					  u8 min_perf, u8 des_perf,
-+					  u8 max_perf, u8 epp,
- 					  bool fast_switch)
- {
- 	return static_call(amd_pstate_update_perf)(cpudata, min_perf, des_perf,
- 						   max_perf, epp, fast_switch);
- }
- 
--static int msr_set_epp(struct amd_cpudata *cpudata, u32 epp)
-+static int msr_set_epp(struct amd_cpudata *cpudata, u8 epp)
- {
- 	u64 value, prev;
- 	int ret;
-@@ -292,12 +292,12 @@ static int msr_set_epp(struct amd_cpudat
- 
- DEFINE_STATIC_CALL(amd_pstate_set_epp, msr_set_epp);
- 
--static inline int amd_pstate_set_epp(struct amd_cpudata *cpudata, u32 epp)
-+static inline int amd_pstate_set_epp(struct amd_cpudata *cpudata, u8 epp)
- {
- 	return static_call(amd_pstate_set_epp)(cpudata, epp);
- }
- 
--static int shmem_set_epp(struct amd_cpudata *cpudata, u32 epp)
-+static int shmem_set_epp(struct amd_cpudata *cpudata, u8 epp)
- {
- 	int ret;
- 	struct cppc_perf_ctrls perf_ctrls;
-@@ -320,7 +320,7 @@ static int amd_pstate_set_energy_pref_in
- 					    int pref_index)
- {
- 	struct amd_cpudata *cpudata = policy->driver_data;
--	int epp;
-+	u8 epp;
- 
- 	if (!pref_index)
- 		epp = cpudata->epp_default;
-@@ -479,8 +479,8 @@ static inline int amd_pstate_init_perf(s
- 	return static_call(amd_pstate_init_perf)(cpudata);
- }
- 
--static int shmem_update_perf(struct amd_cpudata *cpudata, u32 min_perf,
--			     u32 des_perf, u32 max_perf, u32 epp, bool fast_switch)
-+static int shmem_update_perf(struct amd_cpudata *cpudata, u8 min_perf,
-+			     u8 des_perf, u8 max_perf, u8 epp, bool fast_switch)
- {
- 	struct cppc_perf_ctrls perf_ctrls;
- 
-@@ -531,14 +531,14 @@ static inline bool amd_pstate_sample(str
- 	return true;
- }
- 
--static void amd_pstate_update(struct amd_cpudata *cpudata, u32 min_perf,
--			      u32 des_perf, u32 max_perf, bool fast_switch, int gov_flags)
-+static void amd_pstate_update(struct amd_cpudata *cpudata, u8 min_perf,
-+			      u8 des_perf, u8 max_perf, bool fast_switch, int gov_flags)
- {
- 	unsigned long max_freq;
- 	struct cpufreq_policy *policy = cpufreq_cpu_get(cpudata->cpu);
--	u32 nominal_perf = READ_ONCE(cpudata->nominal_perf);
-+	u8 nominal_perf = READ_ONCE(cpudata->nominal_perf);
- 
--	des_perf = clamp_t(unsigned long, des_perf, min_perf, max_perf);
-+	des_perf = clamp_t(u8, des_perf, min_perf, max_perf);
- 
- 	max_freq = READ_ONCE(cpudata->max_limit_freq);
- 	policy->cur = div_u64(des_perf * max_freq, max_perf);
-@@ -550,7 +550,7 @@ static void amd_pstate_update(struct amd
- 
- 	/* limit the max perf when core performance boost feature is disabled */
- 	if (!cpudata->boost_supported)
--		max_perf = min_t(unsigned long, nominal_perf, max_perf);
-+		max_perf = min_t(u8, nominal_perf, max_perf);
- 
- 	if (trace_amd_pstate_perf_enabled() && amd_pstate_sample(cpudata)) {
- 		trace_amd_pstate_perf(min_perf, des_perf, max_perf, cpudata->freq,
-@@ -591,7 +591,8 @@ static int amd_pstate_verify(struct cpuf
- 
- static int amd_pstate_update_min_max_limit(struct cpufreq_policy *policy)
- {
--	u32 max_limit_perf, min_limit_perf, max_perf, max_freq;
-+	u8 max_limit_perf, min_limit_perf, max_perf;
-+	u32 max_freq;
- 	struct amd_cpudata *cpudata = policy->driver_data;
- 
- 	max_perf = READ_ONCE(cpudata->highest_perf);
-@@ -615,7 +616,7 @@ static int amd_pstate_update_freq(struct
- {
- 	struct cpufreq_freqs freqs;
- 	struct amd_cpudata *cpudata = policy->driver_data;
--	unsigned long des_perf, cap_perf;
-+	u8 des_perf, cap_perf;
- 
- 	if (!cpudata->max_freq)
- 		return -ENODEV;
-@@ -670,8 +671,7 @@ static void amd_pstate_adjust_perf(unsig
- 				   unsigned long target_perf,
- 				   unsigned long capacity)
- {
--	unsigned long max_perf, min_perf, des_perf,
--		      cap_perf, min_limit_perf;
-+	u8 max_perf, min_perf, des_perf, cap_perf, min_limit_perf;
- 	struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
- 	struct amd_cpudata *cpudata;
- 
-@@ -905,8 +905,8 @@ static int amd_pstate_init_freq(struct a
- {
- 	int ret;
- 	u32 min_freq, max_freq;
--	u32 highest_perf, nominal_perf, nominal_freq;
--	u32 lowest_nonlinear_perf, lowest_nonlinear_freq;
-+	u8 highest_perf, nominal_perf, lowest_nonlinear_perf;
-+	u32 nominal_freq, lowest_nonlinear_freq;
- 	struct cppc_perf_caps cppc_perf;
- 
- 	ret = cppc_get_perf_caps(cpudata->cpu, &cppc_perf);
-@@ -1113,7 +1113,7 @@ static ssize_t show_amd_pstate_lowest_no
- static ssize_t show_amd_pstate_highest_perf(struct cpufreq_policy *policy,
- 					    char *buf)
- {
--	u32 perf;
-+	u8 perf;
- 	struct amd_cpudata *cpudata = policy->driver_data;
- 
- 	perf = READ_ONCE(cpudata->highest_perf);
-@@ -1124,7 +1124,7 @@ static ssize_t show_amd_pstate_highest_p
- static ssize_t show_amd_pstate_prefcore_ranking(struct cpufreq_policy *policy,
- 						char *buf)
- {
--	u32 perf;
-+	u8 perf;
- 	struct amd_cpudata *cpudata = policy->driver_data;
- 
- 	perf = READ_ONCE(cpudata->prefcore_ranking);
-@@ -1187,7 +1187,7 @@ static ssize_t show_energy_performance_p
- 				struct cpufreq_policy *policy, char *buf)
- {
- 	struct amd_cpudata *cpudata = policy->driver_data;
--	int preference;
-+	u8 preference;
- 
- 	switch (cpudata->epp_cached) {
- 	case AMD_CPPC_EPP_PERFORMANCE:
-@@ -1549,7 +1549,7 @@ static void amd_pstate_epp_cpu_exit(stru
- static int amd_pstate_epp_update_limit(struct cpufreq_policy *policy)
- {
- 	struct amd_cpudata *cpudata = policy->driver_data;
--	u32 epp;
-+	u8 epp;
- 
- 	amd_pstate_update_min_max_limit(policy);
- 
-@@ -1598,7 +1598,7 @@ static int amd_pstate_epp_set_policy(str
- static int amd_pstate_epp_reenable(struct cpufreq_policy *policy)
- {
- 	struct amd_cpudata *cpudata = policy->driver_data;
--	u64 max_perf;
-+	u8 max_perf;
- 	int ret;
- 
- 	ret = amd_pstate_cppc_enable(true);
-@@ -1635,7 +1635,7 @@ static int amd_pstate_epp_cpu_online(str
- static int amd_pstate_epp_cpu_offline(struct cpufreq_policy *policy)
- {
- 	struct amd_cpudata *cpudata = policy->driver_data;
--	int min_perf;
-+	u8 min_perf;
- 
- 	if (cpudata->suspended)
- 		return 0;
---- a/drivers/cpufreq/amd-pstate.h
-+++ b/drivers/cpufreq/amd-pstate.h
-@@ -70,13 +70,13 @@ struct amd_cpudata {
- 	struct	freq_qos_request req[2];
- 	u64	cppc_req_cached;
- 
--	u32	highest_perf;
--	u32	nominal_perf;
--	u32	lowest_nonlinear_perf;
--	u32	lowest_perf;
--	u32     prefcore_ranking;
--	u32     min_limit_perf;
--	u32     max_limit_perf;
-+	u8	highest_perf;
-+	u8	nominal_perf;
-+	u8	lowest_nonlinear_perf;
-+	u8	lowest_perf;
-+	u8	prefcore_ranking;
-+	u8	min_limit_perf;
-+	u8	max_limit_perf;
- 	u32     min_limit_freq;
- 	u32     max_limit_freq;
- 
-@@ -93,11 +93,11 @@ struct amd_cpudata {
- 	bool	hw_prefcore;
- 
- 	/* EPP feature related attributes*/
--	s16	epp_cached;
-+	u8	epp_cached;
- 	u32	policy;
- 	u64	cppc_cap1_cached;
- 	bool	suspended;
--	s16	epp_default;
-+	u8	epp_default;
- };
- 
- /*

debian/patches/patchset-pf/amd-pstate/0004-cpufreq-amd-pstate-Use-scope-based-cleanup-for-cpufr.patch

@@ -1,4 +1,4 @@
-From b5b334f66595052e69ecaa501b8a6ebdb0fd6eed Mon Sep 17 00:00:00 2001
+From ab0520499c83ff44d468f1b2b604c85e2f78d694 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:22 +0000
 Subject: cpufreq/amd-pstate: Use scope based cleanup for cpufreq_policy refs

debian/patches/patchset-pf/amd-pstate/0005-cpufreq-amd-pstate-Remove-the-unncecessary-driver_lo.patch

@@ -1,4 +1,4 @@
-From eff2c5a3f292e822968919a9792010de65b417b5 Mon Sep 17 00:00:00 2001
+From 658a4b7a41583e3b73477c0fbbee07aa6d6f7e0e Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:23 +0000
 Subject: cpufreq/amd-pstate: Remove the unncecessary driver_lock in

debian/patches/patchset-pf/amd-pstate/0006-cpufreq-amd-pstate-Fix-the-clamping-of-perf-values.patch

@@ -1,4 +1,4 @@
-From e836285ca35390d656adffee520d48cd7bedd5b3 Mon Sep 17 00:00:00 2001
+From 20f8507de83bc844c6ff2329e61ffc37734364e9 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Sat, 22 Feb 2025 03:32:22 +0000
 Subject: cpufreq/amd-pstate: Fix the clamping of perf values

debian/patches/patchset-pf/amd-pstate/0007-cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch

@@ -1,26 +0,0 @@
-From f50ac94149bc07092ecf5b68558f02920436f77c Mon Sep 17 00:00:00 2001
-From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
-Date: Wed, 5 Feb 2025 11:25:21 +0000
-Subject: cpufreq/amd-pstate: Add missing NULL ptr check in amd_pstate_update
-
-Check if policy is NULL before dereferencing it in amd_pstate_update.
-
-Fixes: e8f555daacd3 ("cpufreq/amd-pstate: fix setting policy current frequency value")
-Signed-off-by: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
-Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
----
- drivers/cpufreq/amd-pstate.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/cpufreq/amd-pstate.c
-+++ b/drivers/cpufreq/amd-pstate.c
-@@ -551,6 +551,9 @@ static void amd_pstate_update(struct amd
- 	struct cpufreq_policy *policy = cpufreq_cpu_get(cpudata->cpu);
- 	u8 nominal_perf = READ_ONCE(cpudata->nominal_perf);
- 
-+	if (!policy)
-+		return;
-+
- 	des_perf = clamp_t(u8, des_perf, min_perf, max_perf);
- 
- 	policy->cur = perf_to_freq(cpudata, des_perf);

debian/patches/patchset-pf/amd-pstate/0007-cpufreq-amd-pstate-Show-a-warning-when-a-CPU-fails-t.patch

@@ -1,4 +1,4 @@
-From ea1821eae465dfff9a9ef90662c2ce79e5abfe6e Mon Sep 17 00:00:00 2001
+From 240a074b7f92278755df715be1ea5ea5d3d2f5ac Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:17 -0600
 Subject: cpufreq/amd-pstate: Show a warning when a CPU fails to setup

debian/patches/patchset-pf/amd-pstate/0008-cpufreq-amd-pstate-Drop-min-and-max-cached-frequenci.patch

@@ -1,4 +1,4 @@
-From 72016df62985637e59f075e25233d8ca942eb391 Mon Sep 17 00:00:00 2001
+From 82520910e91d62f19c944ff17ba8f966553e79d6 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:18 -0600
 Subject: cpufreq/amd-pstate: Drop min and max cached frequencies

debian/patches/patchset-pf/amd-pstate/0009-cpufreq-amd-pstate-Move-perf-values-into-a-union.patch

@@ -1,4 +1,4 @@
-From 289c4432443c54497bfe75410a516ca24475504d Mon Sep 17 00:00:00 2001
+From 21109b42429e0d9f0ee1bfadddae38fb5b0b23c3 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:19 -0600
 Subject: cpufreq/amd-pstate: Move perf values into a union

debian/patches/patchset-pf/amd-pstate/0010-cpufreq-amd-pstate-Overhaul-locking.patch

@@ -1,4 +1,4 @@
-From 34925ac1038d19197f0a2ac8574496e77645fdf5 Mon Sep 17 00:00:00 2001
+From 0daee82069cfe4a322bed954a4a5f19226e49e95 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:20 -0600
 Subject: cpufreq/amd-pstate: Overhaul locking

debian/patches/patchset-pf/amd-pstate/0011-cpufreq-amd-pstate-Drop-cppc_cap1_cached.patch

@@ -1,4 +1,4 @@
-From 33c2b6f10f140e35f44d2be9bd8dc9eb459fb29a Mon Sep 17 00:00:00 2001
+From 7c820a91ffd02aa7e426e8801893575f218a7a80 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:21 -0600
 Subject: cpufreq/amd-pstate: Drop `cppc_cap1_cached`

debian/patches/patchset-pf/amd-pstate/0011-cpufreq-amd-pstate-Invalidate-cppc_req_cached-during.patch

@@ -1,42 +0,0 @@
-From 0a417434299b27aebbb444e7545a7d668c40d288 Mon Sep 17 00:00:00 2001
-From: Mario Limonciello <mario.limonciello@amd.com>
-Date: Wed, 26 Feb 2025 01:49:16 -0600
-Subject: cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend
-
-During resume it's possible the firmware didn't restore the CPPC request
-MSR but the kernel thinks the values line up. This leads to incorrect
-performance after resume from suspend.
-
-To fix the issue invalidate the cached value at suspend. During resume use
-the saved values programmed as cached limits.
-
-Reviewed-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
-Reviewed-by: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
-Reported-by: Miroslav Pavleski <miroslav@pavleski.net>
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217931
-Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
----
- drivers/cpufreq/amd-pstate.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/cpufreq/amd-pstate.c
-+++ b/drivers/cpufreq/amd-pstate.c
-@@ -1605,7 +1605,7 @@ static int amd_pstate_epp_reenable(struc
- 					  max_perf, policy->boost_enabled);
- 	}
- 
--	return amd_pstate_update_perf(cpudata, 0, 0, max_perf, cpudata->epp_cached, false);
-+	return amd_pstate_epp_update_limit(policy);
- }
- 
- static int amd_pstate_epp_cpu_online(struct cpufreq_policy *policy)
-@@ -1654,6 +1654,9 @@ static int amd_pstate_epp_suspend(struct
- 	if (cppc_state != AMD_PSTATE_ACTIVE)
- 		return 0;
- 
-+	/* invalidate to ensure it's rewritten during resume */
-+	cpudata->cppc_req_cached = 0;
-+
- 	/* set this flag to avoid setting core offline*/
- 	cpudata->suspended = true;
- 

debian/patches/patchset-pf/amd-pstate/0012-cpufreq-amd-pstate-ut-Use-_free-macro-to-free-put-po.patch

@@ -1,4 +1,4 @@
-From 22a3d411de53a42057ab0dc45bb00306fd855807 Mon Sep 17 00:00:00 2001
+From 5d0c340db98de378a11abfbaf587b6e601e7291c Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:22 -0600
 Subject: cpufreq/amd-pstate-ut: Use _free macro to free put policy

debian/patches/patchset-pf/amd-pstate/0013-cpufreq-amd-pstate-ut-Allow-lowest-nonlinear-and-low.patch

@@ -1,4 +1,4 @@
-From e42e4d9ee2e953137488e531be82c4d2d1c10d1c Mon Sep 17 00:00:00 2001
+From 8937b7068ca30072c4c4cf4c22000112afbd6839 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:23 -0600
 Subject: cpufreq/amd-pstate-ut: Allow lowest nonlinear and lowest to be the

debian/patches/patchset-pf/amd-pstate/0014-cpufreq-amd-pstate-ut-Drop-SUCCESS-and-FAIL-enums.patch

@@ -1,4 +1,4 @@
-From 141c02d0bbbca11a1fceae703a6b7dbfe6315b18 Mon Sep 17 00:00:00 2001
+From 8cb701e059fa08dcb9ab74e3c84abc224ff72714 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:24 -0600
 Subject: cpufreq/amd-pstate-ut: Drop SUCCESS and FAIL enums

debian/patches/patchset-pf/amd-pstate/0015-cpufreq-amd-pstate-ut-Run-on-all-of-the-correct-CPUs.patch

@@ -1,4 +1,4 @@
-From 2fe00ce7f79ef57185bdd84e736d8bf47286eb8f Mon Sep 17 00:00:00 2001
+From c553e0165997349a3f831fa04bdd7f61913a3442 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:25 -0600
 Subject: cpufreq/amd-pstate-ut: Run on all of the correct CPUs

debian/patches/patchset-pf/amd-pstate/0016-cpufreq-amd-pstate-ut-Adjust-variable-scope.patch

@@ -1,4 +1,4 @@
-From 95bbcd16b467dceea295dbd97c7347e7dd15dabc Mon Sep 17 00:00:00 2001
+From c4197fd693cb98a8a71557187a7cf592d6b68b3c Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:26 -0600
 Subject: cpufreq/amd-pstate-ut: Adjust variable scope

debian/patches/patchset-pf/amd-pstate/0017-cpufreq-amd-pstate-Replace-all-AMD_CPPC_-macros-with.patch

@@ -1,4 +1,4 @@
-From 98519671cd3691a45f23a7de4862ec0642b5921e Mon Sep 17 00:00:00 2001
+From 19c375251767f49b62894d3b4782f0b8b01313b8 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:27 -0600
 Subject: cpufreq/amd-pstate: Replace all AMD_CPPC_* macros with masks

debian/patches/patchset-pf/amd-pstate/0018-cpufreq-amd-pstate-Cache-CPPC-request-in-shared-mem-.patch

@@ -1,4 +1,4 @@
-From fc5fe86b4f63ed2ff8230c48e737185451e9c3a4 Mon Sep 17 00:00:00 2001
+From bb7fadf4a86e19b52cbe850c9274bfa643d3ce52 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:28 -0600
 Subject: cpufreq/amd-pstate: Cache CPPC request in shared mem case too

debian/patches/patchset-pf/amd-pstate/0019-cpufreq-amd-pstate-Move-all-EPP-tracing-into-_update.patch

@@ -1,4 +1,4 @@
-From e1b5c43aa7bf8d75d2043809ff38fee0b7d26259 Mon Sep 17 00:00:00 2001
+From e02f8a14d44223160d348d5841cc3dd916a14401 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:29 -0600
 Subject: cpufreq/amd-pstate: Move all EPP tracing into *_update_perf and

debian/patches/patchset-pf/amd-pstate/0020-cpufreq-amd-pstate-Update-cppc_req_cached-for-shared.patch

@@ -1,4 +1,4 @@
-From d53216c4c9f67163c9dec656862f1135d6f4af63 Mon Sep 17 00:00:00 2001
+From 5f0b3bf5497422293576a0783e47d203c52ed863 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:30 -0600
 Subject: cpufreq/amd-pstate: Update cppc_req_cached for shared mem EPP writes

debian/patches/patchset-pf/amd-pstate/0021-cpufreq-amd-pstate-Drop-debug-statements-for-policy-.patch

@@ -1,4 +1,4 @@
-From cecd79d237f4b5d19adac7fb9d57c59c77e40547 Mon Sep 17 00:00:00 2001
+From 6c2201fe880d7d35fbde67d74ec1989f053cc0bd Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:31 -0600
 Subject: cpufreq/amd-pstate: Drop debug statements for policy setting

debian/patches/patchset-pf/amd-pstate/0022-cpufreq-amd-pstate-Rework-CPPC-enabling.patch

@@ -1,4 +1,4 @@
-From bbb0d5ec2d1d757fc7b71086f505113845cc2aab Mon Sep 17 00:00:00 2001
+From 3c5030a27361deff20bec5d43339109901f3198c Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:32 -0600
 Subject: cpufreq/amd-pstate: Rework CPPC enabling

debian/patches/patchset-pf/amd-pstate/0023-cpufreq-amd-pstate-Stop-caching-EPP.patch

@@ -1,4 +1,4 @@
-From f11b0be50d2c87af1a401397f8918015e15199c6 Mon Sep 17 00:00:00 2001
+From c06cca99a6d74e7a6d6f020dbf982b0b9bf704e6 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:33 -0600
 Subject: cpufreq/amd-pstate: Stop caching EPP

debian/patches/patchset-pf/amd-pstate/0024-cpufreq-amd-pstate-Drop-actions-in-amd_pstate_epp_cp.patch

@@ -1,4 +1,4 @@
-From 509a6a82d6558983a84407e77aa398501b5c814a Mon Sep 17 00:00:00 2001
+From a82e4f4eb6e5e9806c66285cb3cefde644b8ea6b Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:34 -0600
 Subject: cpufreq/amd-pstate: Drop actions in amd_pstate_epp_cpu_offline()

debian/patches/patchset-pf/amd-pstate/0025-cpufreq-amd-pstate-fix-warning-noticed-by-kernel-tes.patch

@@ -1,4 +1,4 @@
-From 476817b414eddbf798161c3b33ef1209098bdf50 Mon Sep 17 00:00:00 2001
+From de3dd387423b30565e846e0ff4424e2c99164030 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <superm1@kernel.org>
 Date: Thu, 27 Feb 2025 14:09:08 -0600
 Subject: cpufreq/amd-pstate: fix warning noticed by kernel test robot

debian/patches/patchset-pf/amd-pstate/0026-cpufreq-amd-pstate-Fix-min_limit-perf-and-freq-updat.patch

@@ -0,0 +1,42 @@
+From 7e68278a4a90d52966b923404a2d280e3a83b66f Mon Sep 17 00:00:00 2001
+From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
+Date: Mon, 7 Apr 2025 08:19:26 +0000
+Subject: cpufreq/amd-pstate: Fix min_limit perf and freq updation for
+ performance governor
+
+The min_limit perf and freq values can get disconnected with performance
+governor, as we only modify the perf value in the special case. Fix that
+by modifying the perf and freq values together
+
+Fixes: 009d1c29a451 ("cpufreq/amd-pstate: Move perf values into a union")
+Signed-off-by: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20250407081925.850473-1-dhananjay.ugwekar@amd.com
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+---
+ drivers/cpufreq/amd-pstate.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -607,13 +607,16 @@ static void amd_pstate_update_min_max_li
+ 	union perf_cached perf = READ_ONCE(cpudata->perf);
+ 
+ 	perf.max_limit_perf = freq_to_perf(perf, cpudata->nominal_freq, policy->max);
+-	perf.min_limit_perf = freq_to_perf(perf, cpudata->nominal_freq, policy->min);
++	WRITE_ONCE(cpudata->max_limit_freq, policy->max);
+ 
+-	if (cpudata->policy == CPUFREQ_POLICY_PERFORMANCE)
++	if (cpudata->policy == CPUFREQ_POLICY_PERFORMANCE) {
+ 		perf.min_limit_perf = min(perf.nominal_perf, perf.max_limit_perf);
++		WRITE_ONCE(cpudata->min_limit_freq, min(cpudata->nominal_freq, cpudata->max_limit_freq));
++	} else {
++		perf.min_limit_perf = freq_to_perf(perf, cpudata->nominal_freq, policy->min);
++		WRITE_ONCE(cpudata->min_limit_freq, policy->min);
++	}
+ 
+-	WRITE_ONCE(cpudata->max_limit_freq, policy->max);
+-	WRITE_ONCE(cpudata->min_limit_freq, policy->min);
+ 	WRITE_ONCE(cpudata->perf, perf);
+ }
+ 

debian/patches/patchset-pf/btrfs/0001-btrfs-fix-non-empty-delayed-iputs-list-on-unmount-du.patch

@@ -1,76 +0,0 @@
-From 361b73ca6606d8bace6fe78b63d508d747c6689a Mon Sep 17 00:00:00 2001
-From: Filipe Manana <fdmanana@suse.com>
-Date: Wed, 5 Mar 2025 16:52:26 +0000
-Subject: btrfs: fix non-empty delayed iputs list on unmount due to compressed
- write workers
-
-At close_ctree() after we have ran delayed iputs either through explicitly
-calling btrfs_run_delayed_iputs() or later during the call to
-btrfs_commit_super() or btrfs_error_commit_super(), we assert that the
-delayed iputs list is empty.
-
-When we have compressed writes this assertion may fail because delayed
-iputs may have been added to the list after we last ran delayed iputs.
-This happens like this:
-
-1) We have a compressed write bio executing;
-
-2) We enter close_ctree() and flush the fs_info->endio_write_workers
-   queue which is the queue used for running ordered extent completion;
-
-3) The compressed write bio finishes and enters
-   btrfs_finish_compressed_write_work(), where it calls
-   btrfs_finish_ordered_extent() which in turn calls
-   btrfs_queue_ordered_fn(), which queues a work item in the
-   fs_info->endio_write_workers queue that we have flushed before;
-
-4) At close_ctree() we proceed, run all existing delayed iputs and
-   call btrfs_commit_super() (which also runs delayed iputs), but before
-   we run the following assertion below:
-
-      ASSERT(list_empty(&fs_info->delayed_iputs))
-
-   A delayed iput is added by the step below...
-
-5) The ordered extent completion job queued in step 3 runs and results in
-   creating a delayed iput when dropping the last reference of the ordered
-   extent (a call to btrfs_put_ordered_extent() made from
-   btrfs_finish_one_ordered());
-
-6) At this point the delayed iputs list is not empty, so the assertion at
-   close_ctree() fails.
-
-Fix this by flushing the fs_info->compressed_write_workers queue at
-close_ctree() before flushing the fs_info->endio_write_workers queue,
-respecting the queue dependency as the later is responsible for the
-execution of ordered extent completion.
-
-CC: stable@vger.kernel.org # 5.15+
-Reviewed-by: Qu Wenruo <wqu@suse.com>
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
----
- fs/btrfs/disk-io.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
---- a/fs/btrfs/disk-io.c
-+++ b/fs/btrfs/disk-io.c
-@@ -4346,6 +4346,18 @@ void __cold close_ctree(struct btrfs_fs_
- 	btrfs_flush_workqueue(fs_info->delalloc_workers);
- 
- 	/*
-+	 * When finishing a compressed write bio we schedule a work queue item
-+	 * to finish an ordered extent - btrfs_finish_compressed_write_work()
-+	 * calls btrfs_finish_ordered_extent() which in turns does a call to
-+	 * btrfs_queue_ordered_fn(), and that queues the ordered extent
-+	 * completion either in the endio_write_workers work queue or in the
-+	 * fs_info->endio_freespace_worker work queue. We flush those queues
-+	 * below, so before we flush them we must flush this queue for the
-+	 * workers of compressed writes.
-+	 */
-+	flush_workqueue(fs_info->compressed_write_workers);
-+
-+	/*
- 	 * After we parked the cleaner kthread, ordered extents may have
- 	 * completed and created new delayed iputs. If one of the async reclaim
- 	 * tasks is running and in the RUN_DELAYED_IPUTS flush state, then we

debian/patches/patchset-pf/btrfs/0002-btrfs-tests-fix-chunk-map-leak-after-failure-to-add-.patch

@@ -1,30 +0,0 @@
-From 9ac804f2001675a05f01a2f74af0c85861801e59 Mon Sep 17 00:00:00 2001
-From: Filipe Manana <fdmanana@suse.com>
-Date: Tue, 11 Mar 2025 15:50:50 +0000
-Subject: btrfs: tests: fix chunk map leak after failure to add it to the tree
-
-If we fail to add the chunk map to the fs mapping tree we exit
-test_rmap_block() without freeing the chunk map. Fix this by adding a
-call to btrfs_free_chunk_map() before exiting the test function if the
-call to btrfs_add_chunk_map() failed.
-
-Fixes: 7dc66abb5a47 ("btrfs: use a dedicated data structure for chunk maps")
-CC: stable@vger.kernel.org # 6.12+
-Reviewed-by: Boris Burkov <boris@bur.io>
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
----
- fs/btrfs/tests/extent-map-tests.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/fs/btrfs/tests/extent-map-tests.c
-+++ b/fs/btrfs/tests/extent-map-tests.c
-@@ -1045,6 +1045,7 @@ static int test_rmap_block(struct btrfs_
- 	ret = btrfs_add_chunk_map(fs_info, map);
- 	if (ret) {
- 		test_err("error adding chunk map to mapping tree");
-+		btrfs_free_chunk_map(map);
- 		goto out_free;
- 	}
- 

debian/patches/patchset-pf/btrfs/0003-btrfs-zoned-fix-zone-activation-with-missing-devices.patch

@@ -1,36 +0,0 @@
-From 2d168cd506ec0b7a7619433aa0299b0be05ce655 Mon Sep 17 00:00:00 2001
-From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
-Date: Mon, 17 Mar 2025 12:24:58 +0100
-Subject: btrfs: zoned: fix zone activation with missing devices
-
-If btrfs_zone_activate() is called with a filesystem that has missing
-devices (e.g. a RAID file system mounted in degraded mode) it is accessing
-the btrfs_device::zone_info pointer, which will not be set if the device in
-question is missing.
-
-Check if the device is present (by checking if it has a valid block
-device pointer associated) and if not, skip zone activation for it.
-
-Fixes: f9a912a3c45f ("btrfs: zoned: make zone activation multi stripe capable")
-CC: stable@vger.kernel.org # 6.1+
-Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
-Reviewed-by: Anand Jain <anand.jain@oracle.com>
-Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
----
- fs/btrfs/zoned.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/fs/btrfs/zoned.c
-+++ b/fs/btrfs/zoned.c
-@@ -2111,6 +2111,9 @@ bool btrfs_zone_activate(struct btrfs_bl
- 		physical = map->stripes[i].physical;
- 		zinfo = device->zone_info;
- 
-+		if (!device->bdev)
-+			continue;
-+
- 		if (zinfo->max_active_zones == 0)
- 			continue;
- 

debian/patches/patchset-pf/btrfs/0004-btrfs-zoned-fix-zone-finishing-with-missing-devices.patch

@@ -1,36 +0,0 @@
-From 5d05bf549f00ac4b04476b749847a7fcb019a73f Mon Sep 17 00:00:00 2001
-From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
-Date: Mon, 17 Mar 2025 12:24:59 +0100
-Subject: btrfs: zoned: fix zone finishing with missing devices
-
-If do_zone_finish() is called with a filesystem that has missing devices
-(e.g. a RAID file system mounted in degraded mode) it is accessing the
-btrfs_device::zone_info pointer, which will not be set if the device
-in question is missing.
-
-Check if the device is present (by checking if it has a valid block device
-pointer associated) and if not, skip zone finishing for it.
-
-Fixes: 4dcbb8ab31c1 ("btrfs: zoned: make zone finishing multi stripe capable")
-CC: stable@vger.kernel.org # 6.1+
-Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
-Reviewed-by: Anand Jain <anand.jain@oracle.com>
-Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
----
- fs/btrfs/zoned.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/fs/btrfs/zoned.c
-+++ b/fs/btrfs/zoned.c
-@@ -2275,6 +2275,9 @@ static int do_zone_finish(struct btrfs_b
- 		struct btrfs_zoned_device_info *zinfo = device->zone_info;
- 		unsigned int nofs_flags;
- 
-+		if (!device->bdev)
-+			continue;
-+
- 		if (zinfo->max_active_zones == 0)
- 			continue;
- 

debian/patches/patchset-pf/exfat/0001-exfat-fix-random-stack-corruption-after-get_block.patch

@@ -1,122 +0,0 @@
-From 99d63b3e3be79190d3bb4759bfb3a47fd00cfdbe Mon Sep 17 00:00:00 2001
-From: Sungjong Seo <sj1557.seo@samsung.com>
-Date: Fri, 21 Mar 2025 15:34:42 +0900
-Subject: exfat: fix random stack corruption after get_block
-
-When get_block is called with a buffer_head allocated on the stack, such
-as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in
-the following race condition situation.
-
-     <CPU 0>                      <CPU 1>
-mpage_read_folio
-  <<bh on stack>>
-  do_mpage_readpage
-    exfat_get_block
-      bh_read
-        __bh_read
-	  get_bh(bh)
-          submit_bh
-          wait_on_buffer
-                              ...
-                              end_buffer_read_sync
-                                __end_buffer_read_notouch
-                                   unlock_buffer
-          <<keep going>>
-        ...
-      ...
-    ...
-  ...
-<<bh is not valid out of mpage_read_folio>>
-   .
-   .
-another_function
-  <<variable A on stack>>
-                                   put_bh(bh)
-                                     atomic_dec(bh->b_count)
-  * stack corruption here *
-
-This patch returns -EAGAIN if a folio does not have buffers when bh_read
-needs to be called. By doing this, the caller can fallback to functions
-like block_read_full_folio(), create a buffer_head in the folio, and then
-call get_block again.
-
-Let's do not call bh_read() with on-stack buffer_head.
-
-Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength")
-Cc: stable@vger.kernel.org
-Tested-by: Yeongjin Gil <youngjin.gil@samsung.com>
-Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com>
-Reviewed-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
----
- fs/exfat/inode.c | 39 +++++++++++++++++++++++++++++++++------
- 1 file changed, 33 insertions(+), 6 deletions(-)
-
---- a/fs/exfat/inode.c
-+++ b/fs/exfat/inode.c
-@@ -344,7 +344,8 @@ static int exfat_get_block(struct inode
- 			 * The block has been partially written,
- 			 * zero the unwritten part and map the block.
- 			 */
--			loff_t size, off, pos;
-+			loff_t size, pos;
-+			void *addr;
- 
- 			max_blocks = 1;
- 
-@@ -355,17 +356,41 @@ static int exfat_get_block(struct inode
- 			if (!bh_result->b_folio)
- 				goto done;
- 
-+			/*
-+			 * No buffer_head is allocated.
-+			 * (1) bmap: It's enough to fill bh_result without I/O.
-+			 * (2) read: The unwritten part should be filled with 0
-+			 *           If a folio does not have any buffers,
-+			 *           let's returns -EAGAIN to fallback to
-+			 *           per-bh IO like block_read_full_folio().
-+			 */
-+			if (!folio_buffers(bh_result->b_folio)) {
-+				err = -EAGAIN;
-+				goto done;
-+			}
-+
- 			pos = EXFAT_BLK_TO_B(iblock, sb);
- 			size = ei->valid_size - pos;
--			off = pos & (PAGE_SIZE - 1);
-+			addr = folio_address(bh_result->b_folio) +
-+			       offset_in_folio(bh_result->b_folio, pos);
- 
--			folio_set_bh(bh_result, bh_result->b_folio, off);
-+			/* Check if bh->b_data points to proper addr in folio */
-+			if (bh_result->b_data != addr) {
-+				exfat_fs_error_ratelimit(sb,
-+					"b_data(%p) != folio_addr(%p)",
-+					bh_result->b_data, addr);
-+				err = -EINVAL;
-+				goto done;
-+			}
-+
-+			/* Read a block */
- 			err = bh_read(bh_result, 0);
- 			if (err < 0)
--				goto unlock_ret;
-+				goto done;
- 
--			folio_zero_segment(bh_result->b_folio, off + size,
--					off + sb->s_blocksize);
-+			/* Zero unwritten part of a block */
-+			memset(bh_result->b_data + size, 0,
-+			       bh_result->b_size - size);
- 		} else {
- 			/*
- 			 * The range has not been written, clear the mapped flag
-@@ -376,6 +401,8 @@ static int exfat_get_block(struct inode
- 	}
- done:
- 	bh_result->b_size = EXFAT_BLK_TO_B(max_blocks, sb);
-+	if (err < 0)
-+		clear_buffer_mapped(bh_result);
- unlock_ret:
- 	mutex_unlock(&sbi->s_lock);
- 	return err;

debian/patches/patchset-pf/exfat/0002-exfat-fix-potential-wrong-error-return-from-get_bloc.patch

@@ -1,30 +0,0 @@
-From 8a19bb487633ff4dcf9c247cd3913ea4db26abca Mon Sep 17 00:00:00 2001
-From: Sungjong Seo <sj1557.seo@samsung.com>
-Date: Wed, 26 Mar 2025 23:48:48 +0900
-Subject: exfat: fix potential wrong error return from get_block
-
-If there is no error, get_block() should return 0. However, when bh_read()
-returns 1, get_block() also returns 1 in the same manner.
-
-Let's set err to 0, if there is no error from bh_read()
-
-Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength")
-Cc: stable@vger.kernel.org
-Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com>
-Reviewed-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
----
- fs/exfat/inode.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/exfat/inode.c
-+++ b/fs/exfat/inode.c
-@@ -391,6 +391,8 @@ static int exfat_get_block(struct inode
- 			/* Zero unwritten part of a block */
- 			memset(bh_result->b_data + size, 0,
- 			       bh_result->b_size - size);
-+
-+			err = 0;
- 		} else {
- 			/*
- 			 * The range has not been written, clear the mapped flag

debian/patches/patchset-pf/fixes/0001-Kunit-to-check-the-longest-symbol-length.patch

@@ -0,0 +1,176 @@
+From a1eb9a3160dc9e3cee6abdeab8e41c2265a2d7a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sergio=20Gonz=C3=A1lez=20Collado?=
+ <sergio.collado@gmail.com>
+Date: Sun, 2 Mar 2025 23:15:18 +0100
+Subject: Kunit to check the longest symbol length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The longest length of a symbol (KSYM_NAME_LEN) was increased to 512
+in the reference [1]. This patch adds kunit test suite to check the longest
+symbol length. These tests verify that the longest symbol length defined
+is supported.
+
+This test can also help other efforts for longer symbol length,
+like [2].
+
+The test suite defines one symbol with the longest possible length.
+
+The first test verify that functions with names of the created
+symbol, can be called or not.
+
+The second test, verify that the symbols are created (or
+not) in the kernel symbol table.
+
+[1] https://lore.kernel.org/lkml/20220802015052.10452-6-ojeda@kernel.org/
+[2] https://lore.kernel.org/lkml/20240605032120.3179157-1-song@kernel.org/
+
+Tested-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Reviewed-by: Rae Moar <rmoar@google.com>
+Signed-off-by: Sergio González Collado <sergio.collado@gmail.com>
+Link: https://github.com/Rust-for-Linux/linux/issues/504
+Source: https://lore.kernel.org/rust-for-linux/20250302221518.76874-1-sergio.collado@gmail.com/
+Cherry-picked-for: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/63
+---
+ arch/x86/tools/insn_decoder_test.c |  3 +-
+ lib/Kconfig.debug                  |  9 ++++
+ lib/Makefile                       |  2 +
+ lib/longest_symbol_kunit.c         | 82 ++++++++++++++++++++++++++++++
+ 4 files changed, 95 insertions(+), 1 deletion(-)
+ create mode 100644 lib/longest_symbol_kunit.c
+
+--- a/arch/x86/tools/insn_decoder_test.c
++++ b/arch/x86/tools/insn_decoder_test.c
+@@ -10,6 +10,7 @@
+ #include <assert.h>
+ #include <unistd.h>
+ #include <stdarg.h>
++#include <linux/kallsyms.h>
+ 
+ #define unlikely(cond) (cond)
+ 
+@@ -106,7 +107,7 @@ static void parse_args(int argc, char **
+ 	}
+ }
+ 
+-#define BUFSIZE 256
++#define BUFSIZE (256 + KSYM_NAME_LEN)
+ 
+ int main(int argc, char **argv)
+ {
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -2838,6 +2838,15 @@ config FORTIFY_KUNIT_TEST
+ 	  by the str*() and mem*() family of functions. For testing runtime
+ 	  traps of FORTIFY_SOURCE, see LKDTM's "FORTIFY_*" tests.
+ 
++config LONGEST_SYM_KUNIT_TEST
++	tristate "Test the longest symbol possible" if !KUNIT_ALL_TESTS
++	depends on KUNIT && KPROBES
++	default KUNIT_ALL_TESTS
++	help
++	  Tests the longest symbol possible
++
++	  If unsure, say N.
++
+ config HW_BREAKPOINT_KUNIT_TEST
+ 	bool "Test hw_breakpoint constraints accounting" if !KUNIT_ALL_TESTS
+ 	depends on HAVE_HW_BREAKPOINT
+--- a/lib/Makefile
++++ b/lib/Makefile
+@@ -398,6 +398,8 @@ obj-$(CONFIG_FORTIFY_KUNIT_TEST) += fort
+ obj-$(CONFIG_CRC_KUNIT_TEST) += crc_kunit.o
+ obj-$(CONFIG_SIPHASH_KUNIT_TEST) += siphash_kunit.o
+ obj-$(CONFIG_USERCOPY_KUNIT_TEST) += usercopy_kunit.o
++obj-$(CONFIG_LONGEST_SYM_KUNIT_TEST) += longest_symbol_kunit.o
++CFLAGS_longest_symbol_kunit.o += $(call cc-disable-warning, missing-prototypes)
+ 
+ obj-$(CONFIG_GENERIC_LIB_DEVMEM_IS_ALLOWED) += devmem_is_allowed.o
+ 
+--- /dev/null
++++ b/lib/longest_symbol_kunit.c
+@@ -0,0 +1,82 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Test the longest symbol length. Execute with:
++ *  ./tools/testing/kunit/kunit.py run longest-symbol
++ *  --arch=x86_64 --kconfig_add CONFIG_KPROBES=y --kconfig_add CONFIG_MODULES=y
++ *  --kconfig_add CONFIG_RETPOLINE=n --kconfig_add CONFIG_CFI_CLANG=n
++ *  --kconfig_add CONFIG_MITIGATION_RETPOLINE=n
++ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
++#include <kunit/test.h>
++#include <linux/stringify.h>
++#include <linux/kprobes.h>
++#include <linux/kallsyms.h>
++
++#define DI(name) s##name##name
++#define DDI(name) DI(n##name##name)
++#define DDDI(name) DDI(n##name##name)
++#define DDDDI(name) DDDI(n##name##name)
++#define DDDDDI(name) DDDDI(n##name##name)
++
++/*Generate a symbol whose name length is 511 */
++#define LONGEST_SYM_NAME  DDDDDI(g1h2i3j4k5l6m7n)
++
++#define RETURN_LONGEST_SYM 0xAAAAA
++
++noinline int LONGEST_SYM_NAME(void);
++noinline int LONGEST_SYM_NAME(void)
++{
++	return RETURN_LONGEST_SYM;
++}
++
++_Static_assert(sizeof(__stringify(LONGEST_SYM_NAME)) == KSYM_NAME_LEN,
++"Incorrect symbol length found. Expected KSYM_NAME_LEN: "
++__stringify(KSYM_NAME_LEN) ", but found: "
++__stringify(sizeof(LONGEST_SYM_NAME)));
++
++static void test_longest_symbol(struct kunit *test)
++{
++	KUNIT_EXPECT_EQ(test, RETURN_LONGEST_SYM, LONGEST_SYM_NAME());
++};
++
++static void test_longest_symbol_kallsyms(struct kunit *test)
++{
++	unsigned long (*kallsyms_lookup_name)(const char *name);
++	static int (*longest_sym)(void);
++
++	struct kprobe kp = {
++		.symbol_name = "kallsyms_lookup_name",
++	};
++
++	if (register_kprobe(&kp) < 0) {
++		pr_info("%s: kprobe not registered", __func__);
++		KUNIT_FAIL(test, "test_longest_symbol kallsyms: kprobe not registered\n");
++		return;
++	}
++
++	kunit_warn(test, "test_longest_symbol kallsyms: kprobe registered\n");
++	kallsyms_lookup_name = (unsigned long (*)(const char *name))kp.addr;
++	unregister_kprobe(&kp);
++
++	longest_sym =
++		(void *) kallsyms_lookup_name(__stringify(LONGEST_SYM_NAME));
++	KUNIT_EXPECT_EQ(test, RETURN_LONGEST_SYM, longest_sym());
++};
++
++static struct kunit_case longest_symbol_test_cases[] = {
++	KUNIT_CASE(test_longest_symbol),
++	KUNIT_CASE(test_longest_symbol_kallsyms),
++	{}
++};
++
++static struct kunit_suite longest_symbol_test_suite = {
++	.name = "longest-symbol",
++	.test_cases = longest_symbol_test_cases,
++};
++kunit_test_suite(longest_symbol_test_suite);
++
++MODULE_LICENSE("GPL");
++MODULE_DESCRIPTION("Test the longest symbol length");
++MODULE_AUTHOR("Sergio González Collado");

debian/patches/patchset-pf/fixes/0001-tpm-do-not-start-chip-while-suspended.patch

@@ -1,94 +0,0 @@
-From 9efac88375330a6f29f091e9dd5fd6154670ba56 Mon Sep 17 00:00:00 2001
-From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
-Date: Fri, 7 Feb 2025 15:07:46 -0300
-Subject: tpm: do not start chip while suspended
-
-Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can
-lead to a spurious tpm_chip_start() call:
-
-[35985.503771] i2c i2c-1: Transfer while suspended
-[35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810
-[35985.503802] Modules linked in:
-[35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G        W          6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f
-[35985.503814] Tainted: [W]=WARN
-[35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023
-[35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810
-[35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5
-[35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246
-[35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000
-[35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001
-[35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
-[35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820
-[35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120
-[35985.503846] FS:  0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000
-[35985.503849] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0
-[35985.503855] Call Trace:
-[35985.503859]  <TASK>
-[35985.503863]  ? __warn+0xd4/0x260
-[35985.503868]  ? __i2c_transfer+0xbe/0x810
-[35985.503874]  ? report_bug+0xf3/0x210
-[35985.503882]  ? handle_bug+0x63/0xb0
-[35985.503887]  ? exc_invalid_op+0x16/0x50
-[35985.503892]  ? asm_exc_invalid_op+0x16/0x20
-[35985.503904]  ? __i2c_transfer+0xbe/0x810
-[35985.503913]  tpm_cr50_i2c_transfer_message+0x24/0xf0
-[35985.503920]  tpm_cr50_i2c_read+0x8e/0x120
-[35985.503928]  tpm_cr50_request_locality+0x75/0x170
-[35985.503935]  tpm_chip_start+0x116/0x160
-[35985.503942]  tpm_try_get_ops+0x57/0x90
-[35985.503948]  tpm_find_get_ops+0x26/0xd0
-[35985.503955]  tpm_get_random+0x2d/0x80
-
-Don't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless
-TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in
-such a failure case.
-
-Fixes: 9265fed6db60 ("tpm: Lock TPM chip in tpm_pm_suspend() first")
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
-Cc: stable@vger.kernel.org
-Cc: Jerry Snitselaar <jsnitsel@redhat.com>
-Cc: Mike Seo <mikeseohyungjin@gmail.com>
-Cc: Jarkko Sakkinen <jarkko@kernel.org>
-Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
-Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
----
- drivers/char/tpm/tpm-chip.c      | 5 +++++
- drivers/char/tpm/tpm-interface.c | 7 -------
- 2 files changed, 5 insertions(+), 7 deletions(-)
-
---- a/drivers/char/tpm/tpm-chip.c
-+++ b/drivers/char/tpm/tpm-chip.c
-@@ -168,6 +168,11 @@ int tpm_try_get_ops(struct tpm_chip *chi
- 		goto out_ops;
- 
- 	mutex_lock(&chip->tpm_mutex);
-+
-+	/* tmp_chip_start may issue IO that is denied while suspended */
-+	if (chip->flags & TPM_CHIP_FLAG_SUSPENDED)
-+		goto out_lock;
-+
- 	rc = tpm_chip_start(chip);
- 	if (rc)
- 		goto out_lock;
---- a/drivers/char/tpm/tpm-interface.c
-+++ b/drivers/char/tpm/tpm-interface.c
-@@ -445,18 +445,11 @@ int tpm_get_random(struct tpm_chip *chip
- 	if (!chip)
- 		return -ENODEV;
- 
--	/* Give back zero bytes, as TPM chip has not yet fully resumed: */
--	if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) {
--		rc = 0;
--		goto out;
--	}
--
- 	if (chip->flags & TPM_CHIP_FLAG_TPM2)
- 		rc = tpm2_get_random(chip, out, max);
- 	else
- 		rc = tpm1_get_random(chip, out, max);
- 
--out:
- 	tpm_put_ops(chip);
- 	return rc;
- }

debian/patches/patchset-pf/fixes/0002-x86-insn_decoder_test-allow-longer-symbol-names.patch

@@ -1,45 +0,0 @@
-From 2c26fd36ffb4bed4d55f9c7ba8d4f22db093eba2 Mon Sep 17 00:00:00 2001
-From: David Rheinsberg <david@readahead.eu>
-Date: Tue, 24 Jan 2023 12:04:59 +0100
-Subject: x86/insn_decoder_test: allow longer symbol-names
-
-Increase the allowed line-length of the insn-decoder-test to 4k to allow
-for symbol-names longer than 256 characters.
-
-The insn-decoder-test takes objdump output as input, which may contain
-symbol-names as instruction arguments. With rust-code entering the
-kernel, those symbol-names will include mangled-symbols which might
-exceed the current line-length-limit of the tool.
-
-By bumping the line-length-limit of the tool to 4k, we get a reasonable
-buffer for all objdump outputs I have seen so far. Unfortunately, ELF
-symbol-names are not restricted in length, so technically this might
-still end up failing if we encounter longer names in the future.
-
-My compile-failure looks like this:
-
-    arch/x86/tools/insn_decoder_test: error: malformed line 1152000:
-    tBb_+0xf2>
-
-..which overflowed by 10 characters reading this line:
-
-    ffffffff81458193:   74 3d                   je     ffffffff814581d2 <_RNvXse_NtNtNtCshGpAVYOtgW1_4core4iter8adapters7flattenINtB5_13FlattenCompatINtNtB7_3map3MapNtNtNtBb_3str4iter5CharsNtB1v_17CharEscapeDefaultENtNtBb_4char13EscapeDefaultENtNtBb_3fmt5Debug3fmtBb_+0xf2>
-
-Signed-off-by: David Rheinsberg <david@readahead.eu>
-Signed-off-by: Scott Weaver <scweaver@redhat.com>
-Cherry-picked-for: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/63
----
- arch/x86/tools/insn_decoder_test.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/tools/insn_decoder_test.c
-+++ b/arch/x86/tools/insn_decoder_test.c
-@@ -106,7 +106,7 @@ static void parse_args(int argc, char **
- 	}
- }
- 
--#define BUFSIZE 256
-+#define BUFSIZE 4096
- 
- int main(int argc, char **argv)
- {

debian/patches/patchset-pf/fixes/0002-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch

@@ -1,4 +1,4 @@
-From b40bdfdcffa333ad169327c5b8fe1b93542c7e0a Mon Sep 17 00:00:00 2001
+From 1ff7499aaa4cec11be79e97c118978fd781073a6 Mon Sep 17 00:00:00 2001
 From: Nathan Chancellor <nathan@kernel.org>
 Date: Tue, 18 Mar 2025 15:32:30 -0700
 Subject: x86/tools: Drop duplicate unlikely() definition in
@@ -25,9 +25,9 @@ Link: https://lore.kernel.org/r/20250318-x86-decoder-test-fix-unlikely-redef-v1-
 
 --- a/arch/x86/tools/insn_decoder_test.c
 +++ b/arch/x86/tools/insn_decoder_test.c
-@@ -11,8 +11,6 @@
- #include <unistd.h>
+@@ -12,8 +12,6 @@
  #include <stdarg.h>
+ #include <linux/kallsyms.h>
  
 -#define unlikely(cond) (cond)
 -

debian/patches/patchset-pf/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch

@@ -1,56 +0,0 @@
-From 8886788eed16c79124bc530950f09c3f2fa881a8 Mon Sep 17 00:00:00 2001
-From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
-Date: Wed, 12 Feb 2025 16:33:54 +0800
-Subject: EDAC/igen6: Fix the flood of invalid error reports
-
-The ECC_ERROR_LOG register of certain SoCs may contain the invalid value
-~0, which results in a flood of invalid error reports in polling mode.
-
-Fix the flood of invalid error reports by skipping the invalid ECC error
-log value ~0.
-
-Fixes: e14232afa944 ("EDAC/igen6: Add polling support")
-Reported-by: Ramses <ramses@well-founded.dev>
-Closes: https://lore.kernel.org/all/OISL8Rv--F-9@well-founded.dev/
-Tested-by: Ramses <ramses@well-founded.dev>
-Reported-by: John <therealgraysky@proton.me>
-Closes: https://lore.kernel.org/all/p5YcxOE6M3Ncxpn2-Ia_wCt61EM4LwIiN3LroQvT_-G2jMrFDSOW5k2A9D8UUzD2toGpQBN1eI0sL5dSKnkO8iteZegLoQEj-DwQaMhGx4A=@proton.me/
-Tested-by: John <therealgraysky@proton.me>
-Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
-Signed-off-by: Tony Luck <tony.luck@intel.com>
-Link: https://lore.kernel.org/r/20250212083354.31919-1-qiuxu.zhuo@intel.com
----
- drivers/edac/igen6_edac.c | 21 +++++++++++++++------
- 1 file changed, 15 insertions(+), 6 deletions(-)
-
---- a/drivers/edac/igen6_edac.c
-+++ b/drivers/edac/igen6_edac.c
-@@ -785,13 +785,22 @@ static u64 ecclog_read_and_clear(struct
- {
- 	u64 ecclog = readq(imc->window + ECC_ERROR_LOG_OFFSET);
- 
--	if (ecclog & (ECC_ERROR_LOG_CE | ECC_ERROR_LOG_UE)) {
--		/* Clear CE/UE bits by writing 1s */
--		writeq(ecclog, imc->window + ECC_ERROR_LOG_OFFSET);
--		return ecclog;
--	}
-+	/*
-+	 * Quirk: The ECC_ERROR_LOG register of certain SoCs may contain
-+	 *        the invalid value ~0. This will result in a flood of invalid
-+	 *        error reports in polling mode. Skip it.
-+	 */
-+	if (ecclog == ~0)
-+		return 0;
- 
--	return 0;
-+	/* Neither a CE nor a UE. Skip it.*/
-+	if (!(ecclog & (ECC_ERROR_LOG_CE | ECC_ERROR_LOG_UE)))
-+		return 0;
-+
-+	/* Clear CE/UE bits by writing 1s */
-+	writeq(ecclog, imc->window + ECC_ERROR_LOG_OFFSET);
-+
-+	return ecclog;
- }
- 
- static void errsts_clear(struct igen6_imc *imc)

debian/patches/patchset-pf/fixes/0003-drm-amdgpu-mes11-optimize-MES-pipe-FW-version-fetchi.patch

@@ -0,0 +1,29 @@
+From 72096487bfe8ebc52731c264536418c51854d999 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 27 Mar 2025 17:33:49 -0400
+Subject: drm/amdgpu/mes11: optimize MES pipe FW version fetching
+
+Don't fetch it again if we already have it.  It seems the
+don't reliably have the proper value at resume in some
+cases.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4083
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cherry-picked-for: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/121
+---
+ drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+@@ -899,6 +899,10 @@ static void mes_v11_0_get_fw_version(str
+ {
+ 	int pipe;
+ 
++	/* return early if we have already fetched these */
++	if (adev->mes.sched_version && adev->mes.kiq_version)
++		return;
++
+ 	/* get MES scheduler/KIQ versions */
+ 	mutex_lock(&adev->srbm_mutex);
+ 

debian/patches/patchset-pf/fixes/0004-tpm-Mask-TPM-RC-in-tpm2_start_auth_session.patch

@@ -0,0 +1,99 @@
+From a1dfb99dca82ff97b00ce76f8f987ade471875d1 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Mon, 7 Apr 2025 15:28:05 +0300
+Subject: tpm: Mask TPM RC in tpm2_start_auth_session()
+
+tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
+
+[   28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
+
+Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX
+error codes.
+
+Cc: stable@vger.kernel.org # v6.10+
+Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions")
+Reported-by: Herbert Xu <herbert@gondor.apana.org.au>
+Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au/
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+---
+ drivers/char/tpm/tpm2-sessions.c | 20 ++++++--------------
+ include/linux/tpm.h              | 21 +++++++++++++++++++++
+ 2 files changed, 27 insertions(+), 14 deletions(-)
+
+--- a/drivers/char/tpm/tpm2-sessions.c
++++ b/drivers/char/tpm/tpm2-sessions.c
+@@ -40,11 +40,6 @@
+  *
+  * These are the usage functions:
+  *
+- * tpm2_start_auth_session() which allocates the opaque auth structure
+- *	and gets a session from the TPM.  This must be called before
+- *	any of the following functions.  The session is protected by a
+- *	session_key which is derived from a random salt value
+- *	encrypted to the NULL seed.
+  * tpm2_end_auth_session() kills the session and frees the resources.
+  *	Under normal operation this function is done by
+  *	tpm_buf_check_hmac_response(), so this is only to be used on
+@@ -963,16 +958,13 @@ err:
+ }
+ 
+ /**
+- * tpm2_start_auth_session() - create a HMAC authentication session with the TPM
+- * @chip: the TPM chip structure to create the session with
++ * tpm2_start_auth_session() - Create an a HMAC authentication session
++ * @chip:	A TPM chip
+  *
+- * This function loads the NULL seed from its saved context and starts
+- * an authentication session on the null seed, fills in the
+- * @chip->auth structure to contain all the session details necessary
+- * for performing the HMAC, encrypt and decrypt operations and
+- * returns.  The NULL seed is flushed before this function returns.
++ * Loads the ephemeral key (null seed), and starts an HMAC authenticated
++ * session. The null seed is flushed before the return.
+  *
+- * Return: zero on success or actual error encountered.
++ * Returns zero on success, or a POSIX error code.
+  */
+ int tpm2_start_auth_session(struct tpm_chip *chip)
+ {
+@@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_c
+ 	/* hash algorithm for session */
+ 	tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
+ 
+-	rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
++	rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
+ 	tpm2_flush_context(chip, null_key);
+ 
+ 	if (rc == TPM2_RC_SUCCESS)
+--- a/include/linux/tpm.h
++++ b/include/linux/tpm.h
+@@ -257,8 +257,29 @@ enum tpm2_return_codes {
+ 	TPM2_RC_TESTING		= 0x090A, /* RC_WARN */
+ 	TPM2_RC_REFERENCE_H0	= 0x0910,
+ 	TPM2_RC_RETRY		= 0x0922,
++	TPM2_RC_SESSION_MEMORY	= 0x0903,
+ };
+ 
++/*
++ * Convert a return value from tpm_transmit_cmd() to a POSIX return value. The
++ * fallback return value is -EFAULT.
++ */
++static inline ssize_t tpm_to_ret(ssize_t ret)
++{
++	/* Already a POSIX error: */
++	if (ret < 0)
++		return ret;
++
++	switch (ret) {
++	case TPM2_RC_SUCCESS:
++		return 0;
++	case TPM2_RC_SESSION_MEMORY:
++		return -ENOMEM;
++	default:
++		return -EFAULT;
++	}
++}
++
+ enum tpm2_command_codes {
+ 	TPM2_CC_FIRST		        = 0x011F,
+ 	TPM2_CC_HIERARCHY_CONTROL       = 0x0121,

debian/patches/patchset-pf/fixes/0005-ice-mark-ice_write_prof_mask_reg-as-noinline.patch

@@ -0,0 +1,34 @@
+From 7b594a3c7b41db58884da466607417ca27c08a1d Mon Sep 17 00:00:00 2001
+From: Oleksandr Natalenko <oleksandr@natalenko.name>
+Date: Tue, 8 Apr 2025 12:02:36 +0200
+Subject: ice: mark ice_write_prof_mask_reg() as noinline
+
+The following happens during build:
+
+```
+drivers/net/ethernet/intel/ice/ice.o: error: objtool: ice_free_prof_mask.isra.0() falls through to next function ice_free_flow_profs.cold()
+drivers/net/ethernet/intel/ice/ice.o: error: objtool: ice_free_prof_mask.isra.0.cold() is missing an ELF size annotation
+```
+
+Marking ice_write_prof_mask_reg() as noinline solves this, although I'm
+not sure if this is a proper solution. Apparently, this happens with -O3
+only, the `default` case is never reachable, but the optimiser generates
+branching to a random code location.
+
+Link: https://lore.kernel.org/lkml/6nzfoyak4cewjpmdflg5yi7jh2mqqdsfqgljoolx5lvdo2p65p@rwjfl7cqkfoo/
+Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+---
+ drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
+@@ -1404,7 +1404,7 @@ static int ice_prof_inc_ref(struct ice_h
+  * @idx: index of the FV which will use the mask
+  * @mask: the 16-bit mask
+  */
+-static void
++static noinline void
+ ice_write_prof_mask_reg(struct ice_hw *hw, enum ice_block blk, u16 mask_idx,
+ 			u16 idx, u16 mask)
+ {

debian/patches/patchset-pf/fixes/0005-tpm-tpm_tis-Fix-timeout-handling-when-waiting-for-TP.patch

@@ -1,44 +0,0 @@
-From 073fb5ff9a001882fa884a0a8efddc88860ad791 Mon Sep 17 00:00:00 2001
-From: Jonathan McDowell <noodles@meta.com>
-Date: Wed, 12 Mar 2025 07:31:57 +0200
-Subject: tpm, tpm_tis: Fix timeout handling when waiting for TPM status
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The change to only use interrupts to handle supported status changes
-introduced an issue when it is necessary to poll for the status. Rather
-than checking for the status after sleeping the code now sleeps after
-the check. This means a correct, but slower, status change on the part
-of the TPM can be missed, resulting in a spurious timeout error,
-especially on a more loaded system. Switch back to sleeping *then*
-checking. An up front check of the status has been done at the start of
-the function, so this does not cause an additional delay when the status
-is already what we're looking for.
-
-Cc: stable@vger.kernel.org # v6.4+
-Fixes: e87fcf0dc2b4 ("tpm, tpm_tis: Only handle supported interrupts")
-Signed-off-by: Jonathan McDowell <noodles@meta.com>
-Reviewed-by: Michal Suchánek <msuchanek@suse.de>
-Reviewed-by: Lino Sanfilippo <l.sanfilippo@kunbus.com>
-Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
-Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
----
- drivers/char/tpm/tpm_tis_core.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
---- a/drivers/char/tpm/tpm_tis_core.c
-+++ b/drivers/char/tpm/tpm_tis_core.c
-@@ -114,11 +114,10 @@ again:
- 		return 0;
- 	/* process status changes without irq support */
- 	do {
-+		usleep_range(priv->timeout_min, priv->timeout_max);
- 		status = chip->ops->status(chip);
- 		if ((status & mask) == mask)
- 			return 0;
--		usleep_range(priv->timeout_min,
--			     priv->timeout_max);
- 	} while (time_before(jiffies, stop));
- 	return -ETIME;
- }

debian/patches/patchset-pf/fixes/0006-fixes-6.14-update-tpm2_start_auth_session-fix.patch

@@ -0,0 +1,76 @@
+From 42a4f494db975d62916c73f5d637aef9be343d70 Mon Sep 17 00:00:00 2001
+From: Oleksandr Natalenko <oleksandr@natalenko.name>
+Date: Tue, 8 Apr 2025 19:51:44 +0200
+Subject: fixes-6.14: update tpm2_start_auth_session() fix
+
+Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+---
+ drivers/char/tpm/tpm2-sessions.c |  2 +-
+ include/linux/tpm.h              | 38 +++++++++++++++-----------------
+ 2 files changed, 19 insertions(+), 21 deletions(-)
+
+--- a/drivers/char/tpm/tpm2-sessions.c
++++ b/drivers/char/tpm/tpm2-sessions.c
+@@ -1016,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_c
+ 	/* hash algorithm for session */
+ 	tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
+ 
+-	rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
++	rc = tpm_ret_to_err(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
+ 	tpm2_flush_context(chip, null_key);
+ 
+ 	if (rc == TPM2_RC_SUCCESS)
+--- a/include/linux/tpm.h
++++ b/include/linux/tpm.h
+@@ -260,26 +260,6 @@ enum tpm2_return_codes {
+ 	TPM2_RC_SESSION_MEMORY	= 0x0903,
+ };
+ 
+-/*
+- * Convert a return value from tpm_transmit_cmd() to a POSIX return value. The
+- * fallback return value is -EFAULT.
+- */
+-static inline ssize_t tpm_to_ret(ssize_t ret)
+-{
+-	/* Already a POSIX error: */
+-	if (ret < 0)
+-		return ret;
+-
+-	switch (ret) {
+-	case TPM2_RC_SUCCESS:
+-		return 0;
+-	case TPM2_RC_SESSION_MEMORY:
+-		return -ENOMEM;
+-	default:
+-		return -EFAULT;
+-	}
+-}
+-
+ enum tpm2_command_codes {
+ 	TPM2_CC_FIRST		        = 0x011F,
+ 	TPM2_CC_HIERARCHY_CONTROL       = 0x0121,
+@@ -458,6 +438,24 @@ static inline u32 tpm2_rc_value(u32 rc)
+ 	return (rc & BIT(7)) ? rc & 0xbf : rc;
+ }
+ 
++/*
++ * Convert a return value from tpm_transmit_cmd() to POSIX error code.
++ */
++static inline ssize_t tpm_ret_to_err(ssize_t ret)
++{
++	if (ret < 0)
++		return ret;
++
++	switch (tpm2_rc_value(ret)) {
++	case TPM2_RC_SUCCESS:
++		return 0;
++	case TPM2_RC_SESSION_MEMORY:
++		return -ENOMEM;
++	default:
++		return -EFAULT;
++	}
++}
++
+ #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE)
+ 
+ extern int tpm_is_tpm2(struct tpm_chip *chip);

debian/patches/patchset-pf/fixes/0006-x86-mm-Fix-flush_tlb_range-when-used-for-zapping-nor.patch

@@ -1,50 +0,0 @@
-From e24882a961e2d85cc4c8319a56734a0d7c7867fc Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Fri, 3 Jan 2025 19:39:38 +0100
-Subject: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
-
-On the following path, flush_tlb_range() can be used for zapping normal
-PMD entries (PMD entries that point to page tables) together with the PTE
-entries in the pointed-to page table:
-
-    collapse_pte_mapped_thp
-      pmdp_collapse_flush
-        flush_tlb_range
-
-The arm64 version of flush_tlb_range() has a comment describing that it can
-be used for page table removal, and does not use any last-level
-invalidation optimizations. Fix the X86 version by making it behave the
-same way.
-
-Currently, X86 only uses this information for the following two purposes,
-which I think means the issue doesn't have much impact:
-
- - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be
-   IPI'd to avoid issues with speculative page table walks.
- - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.
-
-The patch "x86/mm: only invalidate final translations with INVLPGB" which
-is currently under review (see
-<https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>)
-would probably be making the impact of this a lot worse.
-
-Fixes: 016c4d92cd16 ("x86/mm/tlb: Add freed_tables argument to flush_tlb_mm_range")
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: stable@vger.kernel.org
-Link: https://lkml.kernel.org/r/20250103-x86-collapse-flush-fix-v1-1-3c521856cfa6@google.com
----
- arch/x86/include/asm/tlbflush.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/include/asm/tlbflush.h
-+++ b/arch/x86/include/asm/tlbflush.h
-@@ -311,7 +311,7 @@ static inline bool mm_in_asid_transition
- 	flush_tlb_mm_range((vma)->vm_mm, start, end,			\
- 			   ((vma)->vm_flags & VM_HUGETLB)		\
- 				? huge_page_shift(hstate_vma(vma))	\
--				: PAGE_SHIFT, false)
-+				: PAGE_SHIFT, true)
- 
- extern void flush_tlb_all(void);
- extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,

debian/patches/patchset-pf/fixes/0007-drm-amdgpu-mes12-optimize-MES-pipe-FW-version-fetchi.patch

@@ -0,0 +1,47 @@
+From f1e8e30bef3757904d9e963f02ef297cd0c33240 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri, 28 Mar 2025 09:08:57 -0400
+Subject: drm/amdgpu/mes12: optimize MES pipe FW version fetching
+
+Don't fetch it again if we already have it.  It seems the
+registers don't reliably have the value at resume in some
+cases.
+
+Fixes: 785f0f9fe742 ("drm/amdgpu: Add mes v12_0 ip block support (v4)")
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+---
+ drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
+@@ -1390,17 +1390,20 @@ static int mes_v12_0_queue_init(struct a
+ 		mes_v12_0_queue_init_register(ring);
+ 	}
+ 
+-	/* get MES scheduler/KIQ versions */
+-	mutex_lock(&adev->srbm_mutex);
+-	soc21_grbm_select(adev, 3, pipe, 0, 0);
++	if (((pipe == AMDGPU_MES_SCHED_PIPE) && !adev->mes.sched_version) ||
++	    ((pipe == AMDGPU_MES_KIQ_PIPE) && !adev->mes.kiq_version)) {
++		/* get MES scheduler/KIQ versions */
++		mutex_lock(&adev->srbm_mutex);
++		soc21_grbm_select(adev, 3, pipe, 0, 0);
+ 
+-	if (pipe == AMDGPU_MES_SCHED_PIPE)
+-		adev->mes.sched_version = RREG32_SOC15(GC, 0, regCP_MES_GP3_LO);
+-	else if (pipe == AMDGPU_MES_KIQ_PIPE && adev->enable_mes_kiq)
+-		adev->mes.kiq_version = RREG32_SOC15(GC, 0, regCP_MES_GP3_LO);
++		if (pipe == AMDGPU_MES_SCHED_PIPE)
++			adev->mes.sched_version = RREG32_SOC15(GC, 0, regCP_MES_GP3_LO);
++		else if (pipe == AMDGPU_MES_KIQ_PIPE && adev->enable_mes_kiq)
++			adev->mes.kiq_version = RREG32_SOC15(GC, 0, regCP_MES_GP3_LO);
+ 
+-	soc21_grbm_select(adev, 0, 0, 0, 0);
+-	mutex_unlock(&adev->srbm_mutex);
++		soc21_grbm_select(adev, 0, 0, 0, 0);
++		mutex_unlock(&adev->srbm_mutex);
++	}
+ 
+ 	return 0;
+ }

debian/patches/patchset-pf/fixes/0007-x86-tsc-Always-save-restore-TSC-sched_clock-on-suspe.patch

@@ -1,68 +0,0 @@
-From 7a0abf17cceb511425b7af34291243b4a270e770 Mon Sep 17 00:00:00 2001
-From: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
-Date: Sat, 15 Feb 2025 17:58:16 -0300
-Subject: x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
-
-TSC could be reset in deep ACPI sleep states, even with invariant TSC.
-
-That's the reason we have sched_clock() save/restore functions, to deal
-with this situation. But what happens is that such functions are guarded
-with a check for the stability of sched_clock - if not considered stable,
-the save/restore routines aren't executed.
-
-On top of that, we have a clear comment in native_sched_clock() saying
-that *even* with TSC unstable, we continue using TSC for sched_clock due
-to its speed.
-
-In other words, if we have a situation of TSC getting detected as unstable,
-it marks the sched_clock as unstable as well, so subsequent S3 sleep cycles
-could bring bogus sched_clock values due to the lack of the save/restore
-mechanism, causing warnings like this:
-
-  [22.954918] ------------[ cut here ]------------
-  [22.954923] Delta way too big! 18446743750843854390 ts=18446744072977390405 before=322133536015 after=322133536015 write stamp=18446744072977390405
-  [22.954923] If you just came from a suspend/resume,
-  [22.954923] please switch to the trace global clock:
-  [22.954923]   echo global > /sys/kernel/tracing/trace_clock
-  [22.954923] or add trace_clock=global to the kernel command line
-  [22.954937] WARNING: CPU: 2 PID: 5728 at kernel/trace/ring_buffer.c:2890 rb_add_timestamp+0x193/0x1c0
-
-Notice that the above was reproduced even with "trace_clock=global".
-
-The fix for that is to _always_ save/restore the sched_clock on suspend
-cycle _if TSC is used_ as sched_clock - only if we fallback to jiffies
-the sched_clock_stable() check becomes relevant to save/restore the
-sched_clock.
-
-Debugged-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
-Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Cc: stable@vger.kernel.org
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Link: https://lore.kernel.org/r/20250215210314.351480-1-gpiccoli@igalia.com
----
- arch/x86/kernel/tsc.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kernel/tsc.c
-+++ b/arch/x86/kernel/tsc.c
-@@ -959,7 +959,7 @@ static unsigned long long cyc2ns_suspend
- 
- void tsc_save_sched_clock_state(void)
- {
--	if (!sched_clock_stable())
-+	if (!static_branch_likely(&__use_tsc) && !sched_clock_stable())
- 		return;
- 
- 	cyc2ns_suspend = sched_clock();
-@@ -979,7 +979,7 @@ void tsc_restore_sched_clock_state(void)
- 	unsigned long flags;
- 	int cpu;
- 
--	if (!sched_clock_stable())
-+	if (!static_branch_likely(&__use_tsc) && !sched_clock_stable())
- 		return;
- 
- 	local_irq_save(flags);

debian/patches/patchset-pf/fixes/0008-uprobes-x86-Harden-uretprobe-syscall-trampoline-chec.patch

@@ -1,87 +0,0 @@
-From bbbc88e65bb8036be1fe3386c0061d9be4c5a442 Mon Sep 17 00:00:00 2001
-From: Jiri Olsa <jolsa@kernel.org>
-Date: Wed, 12 Feb 2025 23:04:33 +0100
-Subject: uprobes/x86: Harden uretprobe syscall trampoline check
-
-Jann reported a possible issue when trampoline_check_ip returns
-address near the bottom of the address space that is allowed to
-call into the syscall if uretprobes are not set up:
-
-   https://lore.kernel.org/bpf/202502081235.5A6F352985@keescook/T/#m9d416df341b8fbc11737dacbcd29f0054413cbbf
-
-Though the mmap minimum address restrictions will typically prevent
-creating mappings there, let's make sure uretprobe syscall checks
-for that.
-
-Fixes: ff474a78cef5 ("uprobe: Add uretprobe syscall to speed up return probe")
-Reported-by: Jann Horn <jannh@google.com>
-Signed-off-by: Jiri Olsa <jolsa@kernel.org>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Reviewed-by: Oleg Nesterov <oleg@redhat.com>
-Reviewed-by: Kees Cook <kees@kernel.org>
-Acked-by: Andrii Nakryiko <andrii@kernel.org>
-Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
-Acked-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20250212220433.3624297-1-jolsa@kernel.org
----
- arch/x86/kernel/uprobes.c | 14 +++++++++-----
- include/linux/uprobes.h   |  2 ++
- kernel/events/uprobes.c   |  2 +-
- 3 files changed, 12 insertions(+), 6 deletions(-)
-
---- a/arch/x86/kernel/uprobes.c
-+++ b/arch/x86/kernel/uprobes.c
-@@ -357,19 +357,23 @@ void *arch_uprobe_trampoline(unsigned lo
- 	return &insn;
- }
- 
--static unsigned long trampoline_check_ip(void)
-+static unsigned long trampoline_check_ip(unsigned long tramp)
- {
--	unsigned long tramp = uprobe_get_trampoline_vaddr();
--
- 	return tramp + (uretprobe_syscall_check - uretprobe_trampoline_entry);
- }
- 
- SYSCALL_DEFINE0(uretprobe)
- {
- 	struct pt_regs *regs = task_pt_regs(current);
--	unsigned long err, ip, sp, r11_cx_ax[3];
-+	unsigned long err, ip, sp, r11_cx_ax[3], tramp;
-+
-+	/* If there's no trampoline, we are called from wrong place. */
-+	tramp = uprobe_get_trampoline_vaddr();
-+	if (unlikely(tramp == UPROBE_NO_TRAMPOLINE_VADDR))
-+		goto sigill;
- 
--	if (regs->ip != trampoline_check_ip())
-+	/* Make sure the ip matches the only allowed sys_uretprobe caller. */
-+	if (unlikely(regs->ip != trampoline_check_ip(tramp)))
- 		goto sigill;
- 
- 	err = copy_from_user(r11_cx_ax, (void __user *)regs->sp, sizeof(r11_cx_ax));
---- a/include/linux/uprobes.h
-+++ b/include/linux/uprobes.h
-@@ -39,6 +39,8 @@ struct page;
- 
- #define MAX_URETPROBE_DEPTH		64
- 
-+#define UPROBE_NO_TRAMPOLINE_VADDR	(~0UL)
-+
- struct uprobe_consumer {
- 	/*
- 	 * handler() can return UPROBE_HANDLER_REMOVE to signal the need to
---- a/kernel/events/uprobes.c
-+++ b/kernel/events/uprobes.c
-@@ -2169,8 +2169,8 @@ void uprobe_copy_process(struct task_str
-  */
- unsigned long uprobe_get_trampoline_vaddr(void)
- {
-+	unsigned long trampoline_vaddr = UPROBE_NO_TRAMPOLINE_VADDR;
- 	struct xol_area *area;
--	unsigned long trampoline_vaddr = -1;
- 
- 	/* Pairs with xol_add_vma() smp_store_release() */
- 	area = READ_ONCE(current->mm->uprobes_state.xol_area); /* ^^^ */

debian/patches/patchset-pf/fixes/0008-wifi-iwlwifi-pcie-set-state-to-no-FW-before-reset-ha.patch

@@ -0,0 +1,50 @@
+From 81c23adad48324b73fe0993f332407c5be050bb5 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 3 Apr 2025 11:04:37 +0000
+Subject: wifi: iwlwifi: pcie: set state to no-FW before reset handshake
+
+The reset handshake attempts to kill the firmware, and it'll go
+into a pretty much dead state once we do that. However, if it
+times out, then we'll attempt to dump the firmware to be able
+to see why it didn't respond. During this dump, we cannot treat
+it as if it was still running, since we just tried to kill it,
+otherwise dumping will attempt to send a DBGC stop command. As
+this command will time out, we'll go into a reset loop.
+
+For now, fix this by setting the trans->state to say firmware
+isn't running before doing the reset handshake. In the longer
+term, we should clean up the way this state is handled.
+
+It's not entirely clear but it seems likely that this issue was
+introduced by my rework of the error handling, prior to that it
+would've been synchronous at that point and (I think) not have
+attempted to reset since it was already doing down.
+
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219967
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219968
+Closes: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/128
+Fixes: 7391b2a4f7db ("wifi: iwlwifi: rework firmware error handling")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -147,8 +147,14 @@ static void _iwl_trans_pcie_gen2_stop_de
+ 		return;
+ 
+ 	if (trans->state >= IWL_TRANS_FW_STARTED &&
+-	    trans_pcie->fw_reset_handshake)
++	    trans_pcie->fw_reset_handshake) {
++		/*
++		 * Reset handshake can dump firmware on timeout, but that
++		 * should assume that the firmware is already dead.
++		 */
++		trans->state = IWL_TRANS_NO_FW;
+ 		iwl_trans_pcie_fw_reset_handshake(trans);
++	}
+ 
+ 	trans_pcie->is_down = true;
+ 

debian/patches/patchset-pf/fixes/0009-block-make-sure-nr_integrity_segments-is-cloned-in-b.patch

@@ -1,32 +0,0 @@
-From f4511f63677bd3e7831561b1407a69a71cb519bc Mon Sep 17 00:00:00 2001
-From: Ming Lei <ming.lei@redhat.com>
-Date: Mon, 10 Mar 2025 19:54:53 +0800
-Subject: block: make sure ->nr_integrity_segments is cloned in
- blk_rq_prep_clone
-
-Make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone(),
-otherwise requests cloned by device-mapper multipath will not have the
-proper nr_integrity_segments values set, then BUG() is hit from
-sg_alloc_table_chained().
-
-Fixes: b0fd271d5fba ("block: add request clone interface (v2)")
-Cc: stable@vger.kernel.org
-Cc: Christoph Hellwig <hch@infradead.org>
-Signed-off-by: Ming Lei <ming.lei@redhat.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Link: https://lore.kernel.org/r/20250310115453.2271109-1-ming.lei@redhat.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
----
- block/blk-mq.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/block/blk-mq.c
-+++ b/block/blk-mq.c
-@@ -3314,6 +3314,7 @@ int blk_rq_prep_clone(struct request *rq
- 		rq->special_vec = rq_src->special_vec;
- 	}
- 	rq->nr_phys_segments = rq_src->nr_phys_segments;
-+	rq->nr_integrity_segments = rq_src->nr_integrity_segments;
- 
- 	if (rq->bio && blk_crypto_rq_bio_prep(rq, rq->bio, gfp_mask) < 0)
- 		goto free_and_out;

debian/patches/patchset-pf/fixes/0009-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch

@@ -0,0 +1,40 @@
+From d3140c22ed2bc3c98dcf251659d78572e154a993 Mon Sep 17 00:00:00 2001
+From: Lingbo Kong <quic_lingbok@quicinc.com>
+Date: Wed, 26 Feb 2025 19:31:18 +0800
+Subject: wifi: ath12k: Abort scan before removing link interface to prevent
+ duplicate deletion
+
+Currently, when ath12k performs the remove link interface operation, if
+there is an ongoing scan operation on the arvif, ath12k may execute the
+remove link interface operation multiple times on the same arvif. This
+occurs because, during the remove link operation, if a scan operation is
+present on the arvif, ath12k may receive a WMI_SCAN_EVENT_COMPLETED event
+from the firmware. Upon receiving this event, ath12k will continue to
+execute the ath12k_scan_vdev_clean_work() function, performing the remove
+link interface operation on the same arvif again.
+
+To address this issue, before executing the remove link interface
+operation, ath12k needs to check if there is an ongoing scan operation on
+the current arvif. If such an operation exists, it should be aborted.
+
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Signed-off-by: Lingbo Kong <quic_lingbok@quicinc.com>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -9330,6 +9330,11 @@ ath12k_mac_op_unassign_vif_chanctx(struc
+ 	    ar->num_started_vdevs == 1 && ar->monitor_vdev_created)
+ 		ath12k_mac_monitor_stop(ar);
+ 
++	if (ar->scan.arvif == arvif && ar->scan.state == ATH12K_SCAN_RUNNING) {
++		ath12k_scan_abort(ar);
++		ar->scan.arvif = NULL;
++	}
++
+ 	ath12k_mac_remove_link_interface(hw, arvif);
+ 	ath12k_mac_unassign_link_vif(arvif);
+ }

debian/patches/patchset-pf/fixes/0010-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch

@@ -0,0 +1,49 @@
+From fa165a32074fba27286cc9d2464a647642ad6bc7 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Tue, 15 Apr 2025 10:22:04 +0200
+Subject: Kconfig: switch CONFIG_SYSFS_SYCALL default to n
+
+This odd system call will be removed in the future. Let's decouple it
+from CONFIG_EXPERT and switch the default to n as a first step.
+
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+---
+ init/Kconfig | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1600,6 +1600,16 @@ config SYSCTL_ARCH_UNALIGN_ALLOW
+ 	  the unaligned access emulation.
+ 	  see arch/parisc/kernel/unaligned.c for reference
+ 
++config SYSFS_SYSCALL
++	bool "Sysfs syscall support"
++	default n
++	help
++	  sys_sysfs is an obsolete system call no longer supported in libc.
++	  Note that disabling this option is more secure but might break
++	  compatibility with some systems.
++
++	  If unsure say N here.
++
+ config HAVE_PCSPKR_PLATFORM
+ 	bool
+ 
+@@ -1644,16 +1654,6 @@ config SGETMASK_SYSCALL
+ 
+ 	  If unsure, leave the default option here.
+ 
+-config SYSFS_SYSCALL
+-	bool "Sysfs syscall support" if EXPERT
+-	default y
+-	help
+-	  sys_sysfs is an obsolete system call no longer supported in libc.
+-	  Note that disabling this option is more secure but might break
+-	  compatibility with some systems.
+-
+-	  If unsure say Y here.
+-
+ config FHANDLE
+ 	bool "open by fhandle syscalls" if EXPERT
+ 	select EXPORTFS

debian/patches/patchset-pf/fixes/0010-PCI-Fix-wrong-length-of-devres-array.patch

@@ -1,40 +0,0 @@
-From 46b8c87f1aa08a0794b45b394c5462f33bec54b0 Mon Sep 17 00:00:00 2001
-From: Philipp Stanner <phasta@kernel.org>
-Date: Wed, 12 Mar 2025 09:06:34 +0100
-Subject: PCI: Fix wrong length of devres array
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The array for the iomapping cookie addresses has a length of
-PCI_STD_NUM_BARS. This constant, however, only describes standard BARs;
-while PCI can allow for additional, special BARs.
-
-The total number of PCI resources is described by constant
-PCI_NUM_RESOURCES, which is also used in, e.g., pci_select_bars().
-
-Thus, the devres array has so far been too small.
-
-Change the length of the devres array to PCI_NUM_RESOURCES.
-
-Link: https://lore.kernel.org/r/20250312080634.13731-3-phasta@kernel.org
-Fixes: bbaff68bf4a4 ("PCI: Add managed partial-BAR request and map infrastructure")
-Signed-off-by: Philipp Stanner <phasta@kernel.org>
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
-Cc: stable@vger.kernel.org	# v6.11+
----
- drivers/pci/devres.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/pci/devres.c
-+++ b/drivers/pci/devres.c
-@@ -40,7 +40,7 @@
-  * Legacy struct storing addresses to whole mapped BARs.
-  */
- struct pcim_iomap_devres {
--	void __iomem *table[PCI_STD_NUM_BARS];
-+	void __iomem *table[PCI_NUM_RESOURCES];
- };
- 
- /* Used to restore the old INTx state on driver detach. */

debian/patches/patchset-pf/fixes/0011-exec-fix-the-racy-usage-of-fs_struct-in_exec.patch

@@ -1,84 +0,0 @@
-From 9741b8592433f51ed477c9dba6d304562aa7de18 Mon Sep 17 00:00:00 2001
-From: Oleg Nesterov <oleg@redhat.com>
-Date: Mon, 24 Mar 2025 17:00:03 +0100
-Subject: exec: fix the racy usage of fs_struct->in_exec
-
-check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve()
-paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it
-fails we have the following race:
-
-	T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex
-
-	T2 sets fs->in_exec = 1
-
-	T1 clears fs->in_exec
-
-	T2 continues with fs->in_exec == 0
-
-Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held.
-
-Reported-by: syzbot+1c486d0b62032c82a968@syzkaller.appspotmail.com
-Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001f.GAE@google.com/
-Cc: stable@vger.kernel.org
-Signed-off-by: Oleg Nesterov <oleg@redhat.com>
-Link: https://lore.kernel.org/r/20250324160003.GA8878@redhat.com
-Signed-off-by: Christian Brauner <brauner@kernel.org>
----
- fs/exec.c | 15 +++++++++------
- 1 file changed, 9 insertions(+), 6 deletions(-)
-
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1229,13 +1229,12 @@ int begin_new_exec(struct linux_binprm *
- 	 */
- 	bprm->point_of_no_return = true;
- 
--	/*
--	 * Make this the only thread in the thread group.
--	 */
-+	/* Make this the only thread in the thread group */
- 	retval = de_thread(me);
- 	if (retval)
- 		goto out;
--
-+	/* see the comment in check_unsafe_exec() */
-+	current->fs->in_exec = 0;
- 	/*
- 	 * Cancel any io_uring activity across execve
- 	 */
-@@ -1497,6 +1496,8 @@ static void free_bprm(struct linux_binpr
- 	}
- 	free_arg_pages(bprm);
- 	if (bprm->cred) {
-+		/* in case exec fails before de_thread() succeeds */
-+		current->fs->in_exec = 0;
- 		mutex_unlock(&current->signal->cred_guard_mutex);
- 		abort_creds(bprm->cred);
- 	}
-@@ -1618,6 +1619,10 @@ static void check_unsafe_exec(struct lin
- 	 * suid exec because the differently privileged task
- 	 * will be able to manipulate the current directory, etc.
- 	 * It would be nice to force an unshare instead...
-+	 *
-+	 * Otherwise we set fs->in_exec = 1 to deny clone(CLONE_FS)
-+	 * from another sub-thread until de_thread() succeeds, this
-+	 * state is protected by cred_guard_mutex we hold.
- 	 */
- 	n_fs = 1;
- 	spin_lock(&p->fs->lock);
-@@ -1862,7 +1867,6 @@ static int bprm_execve(struct linux_binp
- 
- 	sched_mm_cid_after_execve(current);
- 	/* execve succeeded */
--	current->fs->in_exec = 0;
- 	current->in_execve = 0;
- 	rseq_execve(current);
- 	user_events_execve(current);
-@@ -1881,7 +1885,6 @@ out:
- 		force_fatal_sig(SIGSEGV);
- 
- 	sched_mm_cid_after_execve(current);
--	current->fs->in_exec = 0;
- 	current->in_execve = 0;
- 
- 	return retval;

debian/patches/patchset-pf/fuse/0001-fuse-io-uring-Fix-a-possible-req-cancellation-race.patch

@@ -1,207 +0,0 @@
-From 6e7ac63c4c4a8fe7c66f856f4091d9b20899f167 Mon Sep 17 00:00:00 2001
-From: Bernd Schubert <bschubert@ddn.com>
-Date: Tue, 25 Mar 2025 18:29:31 +0100
-Subject: fuse: {io-uring} Fix a possible req cancellation race
-
-task-A (application) might be in request_wait_answer and
-try to remove the request when it has FR_PENDING set.
-
-task-B (a fuse-server io-uring task) might handle this
-request with FUSE_IO_URING_CMD_COMMIT_AND_FETCH, when
-fetching the next request and accessed the req from
-the pending list in fuse_uring_ent_assign_req().
-That code path was not protected by fiq->lock and so
-might race with task-A.
-
-For scaling reasons we better don't use fiq->lock, but
-add a handler to remove canceled requests from the queue.
-
-This also removes usage of fiq->lock from
-fuse_uring_add_req_to_ring_ent() altogether, as it was
-there just to protect against this race and incomplete.
-
-Also added is a comment why FR_PENDING is not cleared.
-
-Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
-Cc: <stable@vger.kernel.org> # v6.14
-Reported-by: Joanne Koong <joannelkoong@gmail.com>
-Closes: https://lore.kernel.org/all/CAJnrk1ZgHNb78dz-yfNTpxmW7wtT88A=m-zF0ZoLXKLUHRjNTw@mail.gmail.com/
-Signed-off-by: Bernd Schubert <bschubert@ddn.com>
-Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
----
- fs/fuse/dev.c         | 34 +++++++++++++++++++++++++---------
- fs/fuse/dev_uring.c   | 15 +++++++++++----
- fs/fuse/dev_uring_i.h |  6 ++++++
- fs/fuse/fuse_dev_i.h  |  1 +
- fs/fuse/fuse_i.h      |  3 +++
- 5 files changed, 46 insertions(+), 13 deletions(-)
-
---- a/fs/fuse/dev.c
-+++ b/fs/fuse/dev.c
-@@ -407,6 +407,24 @@ static int queue_interrupt(struct fuse_r
- 	return 0;
- }
- 
-+bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock)
-+{
-+	spin_lock(lock);
-+	if (test_bit(FR_PENDING, &req->flags)) {
-+		/*
-+		 * FR_PENDING does not get cleared as the request will end
-+		 * up in destruction anyway.
-+		 */
-+		list_del(&req->list);
-+		spin_unlock(lock);
-+		__fuse_put_request(req);
-+		req->out.h.error = -EINTR;
-+		return true;
-+	}
-+	spin_unlock(lock);
-+	return false;
-+}
-+
- static void request_wait_answer(struct fuse_req *req)
- {
- 	struct fuse_conn *fc = req->fm->fc;
-@@ -428,22 +446,20 @@ static void request_wait_answer(struct f
- 	}
- 
- 	if (!test_bit(FR_FORCE, &req->flags)) {
-+		bool removed;
-+
- 		/* Only fatal signals may interrupt this */
- 		err = wait_event_killable(req->waitq,
- 					test_bit(FR_FINISHED, &req->flags));
- 		if (!err)
- 			return;
- 
--		spin_lock(&fiq->lock);
--		/* Request is not yet in userspace, bail out */
--		if (test_bit(FR_PENDING, &req->flags)) {
--			list_del(&req->list);
--			spin_unlock(&fiq->lock);
--			__fuse_put_request(req);
--			req->out.h.error = -EINTR;
-+		if (test_bit(FR_URING, &req->flags))
-+			removed = fuse_uring_remove_pending_req(req);
-+		else
-+			removed = fuse_remove_pending_req(req, &fiq->lock);
-+		if (removed)
- 			return;
--		}
--		spin_unlock(&fiq->lock);
- 	}
- 
- 	/*
---- a/fs/fuse/dev_uring.c
-+++ b/fs/fuse/dev_uring.c
-@@ -726,8 +726,6 @@ static void fuse_uring_add_req_to_ring_e
- 					   struct fuse_req *req)
- {
- 	struct fuse_ring_queue *queue = ent->queue;
--	struct fuse_conn *fc = req->fm->fc;
--	struct fuse_iqueue *fiq = &fc->iq;
- 
- 	lockdep_assert_held(&queue->lock);
- 
-@@ -737,9 +735,7 @@ static void fuse_uring_add_req_to_ring_e
- 			ent->state);
- 	}
- 
--	spin_lock(&fiq->lock);
- 	clear_bit(FR_PENDING, &req->flags);
--	spin_unlock(&fiq->lock);
- 	ent->fuse_req = req;
- 	ent->state = FRRS_FUSE_REQ;
- 	list_move(&ent->list, &queue->ent_w_req_queue);
-@@ -1238,6 +1234,8 @@ void fuse_uring_queue_fuse_req(struct fu
- 	if (unlikely(queue->stopped))
- 		goto err_unlock;
- 
-+	set_bit(FR_URING, &req->flags);
-+	req->ring_queue = queue;
- 	ent = list_first_entry_or_null(&queue->ent_avail_queue,
- 				       struct fuse_ring_ent, list);
- 	if (ent)
-@@ -1276,6 +1274,8 @@ bool fuse_uring_queue_bq_req(struct fuse
- 		return false;
- 	}
- 
-+	set_bit(FR_URING, &req->flags);
-+	req->ring_queue = queue;
- 	list_add_tail(&req->list, &queue->fuse_req_bg_queue);
- 
- 	ent = list_first_entry_or_null(&queue->ent_avail_queue,
-@@ -1306,6 +1306,13 @@ bool fuse_uring_queue_bq_req(struct fuse
- 	return true;
- }
- 
-+bool fuse_uring_remove_pending_req(struct fuse_req *req)
-+{
-+	struct fuse_ring_queue *queue = req->ring_queue;
-+
-+	return fuse_remove_pending_req(req, &queue->lock);
-+}
-+
- static const struct fuse_iqueue_ops fuse_io_uring_ops = {
- 	/* should be send over io-uring as enhancement */
- 	.send_forget = fuse_dev_queue_forget,
---- a/fs/fuse/dev_uring_i.h
-+++ b/fs/fuse/dev_uring_i.h
-@@ -142,6 +142,7 @@ void fuse_uring_abort_end_requests(struc
- int fuse_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags);
- void fuse_uring_queue_fuse_req(struct fuse_iqueue *fiq, struct fuse_req *req);
- bool fuse_uring_queue_bq_req(struct fuse_req *req);
-+bool fuse_uring_remove_pending_req(struct fuse_req *req);
- 
- static inline void fuse_uring_abort(struct fuse_conn *fc)
- {
-@@ -199,6 +200,11 @@ static inline bool fuse_uring_ready(stru
- {
- 	return false;
- }
-+
-+static inline bool fuse_uring_remove_pending_req(struct fuse_req *req)
-+{
-+	return false;
-+}
- 
- #endif /* CONFIG_FUSE_IO_URING */
- 
---- a/fs/fuse/fuse_dev_i.h
-+++ b/fs/fuse/fuse_dev_i.h
-@@ -61,6 +61,7 @@ int fuse_copy_out_args(struct fuse_copy_
- void fuse_dev_queue_forget(struct fuse_iqueue *fiq,
- 			   struct fuse_forget_link *forget);
- void fuse_dev_queue_interrupt(struct fuse_iqueue *fiq, struct fuse_req *req);
-+bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock);
- 
- #endif
- 
---- a/fs/fuse/fuse_i.h
-+++ b/fs/fuse/fuse_i.h
-@@ -378,6 +378,7 @@ struct fuse_io_priv {
-  * FR_FINISHED:		request is finished
-  * FR_PRIVATE:		request is on private list
-  * FR_ASYNC:		request is asynchronous
-+ * FR_URING:		request is handled through fuse-io-uring
-  */
- enum fuse_req_flag {
- 	FR_ISREPLY,
-@@ -392,6 +393,7 @@ enum fuse_req_flag {
- 	FR_FINISHED,
- 	FR_PRIVATE,
- 	FR_ASYNC,
-+	FR_URING,
- };
- 
- /**
-@@ -441,6 +443,7 @@ struct fuse_req {
- 
- #ifdef CONFIG_FUSE_IO_URING
- 	void *ring_entry;
-+	void *ring_queue;
- #endif
- };
- 

debian/patches/patchset-pf/fuse/0001-virtiofs-add-filesystem-context-source-name-check.patch

@@ -0,0 +1,30 @@
+From bd6633c0e527dbcf6b52d3b34b49a980b125c866 Mon Sep 17 00:00:00 2001
+From: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
+Date: Mon, 7 Apr 2025 19:50:49 +0800
+Subject: virtiofs: add filesystem context source name check
+
+In certain scenarios, for example, during fuzz testing, the source
+name may be NULL, which could lead to a kernel panic. Therefore, an
+extra check for the source name should be added.
+
+Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem")
+Cc: <stable@vger.kernel.org> # all LTS kernels
+Signed-off-by: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
+Link: https://lore.kernel.org/20250407115111.25535-1-xiangsheng.hou@mediatek.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+---
+ fs/fuse/virtio_fs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -1670,6 +1670,9 @@ static int virtio_fs_get_tree(struct fs_
+ 	unsigned int virtqueue_size;
+ 	int err = -EIO;
+ 
++	if (!fsc->source)
++		return invalf(fsc, "No source specified");
++
+ 	/* This gets a reference on virtio_fs object. This ptr gets installed
+ 	 * in fc->iq->priv. Once fuse_conn is going away, it calls ->put()
+ 	 * to drop the reference to this object.

debian/patches/patchset-pf/nfs/0001-nfsd-fix-management-of-listener-transports.patch

@@ -1,128 +0,0 @@
-From ae5d3e4f701948dd6241451d41d9dfa0f0f703cd Mon Sep 17 00:00:00 2001
-From: Olga Kornievskaia <okorniev@redhat.com>
-Date: Fri, 17 Jan 2025 11:32:58 -0500
-Subject: nfsd: fix management of listener transports
-
-Currently, when no active threads are running, a root user using nfsdctl
-command can try to remove a particular listener from the list of previously
-added ones, then start the server by increasing the number of threads,
-it leads to the following problem:
-
-[  158.835354] refcount_t: addition on 0; use-after-free.
-[  158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0
-[  158.836017] Modules linked in: rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace overlay isofs uinput snd_seq_dummy snd_hrtimer nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables qrtr sunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common snd_hda_codec_generic mc e1000e snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore sg loop dm_multipath dm_mod nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs libcrc32c crct10dif_ce ghash_ce vmwgfx sha2_ce sha256_arm64 sr_mod sha1_ce cdrom nvme drm_client_lib drm_ttm_helper ttm nvme_core drm_kms_helper nvme_auth drm fuse
-[  158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G    B   W          6.13.0-rc6+ #7
-[  158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN
-[  158.840802] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024
-[  158.841220] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
-[  158.841563] pc : refcount_warn_saturate+0x160/0x1a0
-[  158.841780] lr : refcount_warn_saturate+0x160/0x1a0
-[  158.842000] sp : ffff800089be7d80
-[  158.842147] x29: ffff800089be7d80 x28: ffff00008e68c148 x27: ffff00008e68c148
-[  158.842492] x26: ffff0002e3b5c000 x25: ffff600011cd1829 x24: ffff00008653c010
-[  158.842832] x23: ffff00008653c000 x22: 1fffe00011cd1829 x21: ffff00008653c028
-[  158.843175] x20: 0000000000000002 x19: ffff00008653c010 x18: 0000000000000000
-[  158.843505] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
-[  158.843836] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600050a26493
-[  158.844143] x11: 1fffe00050a26492 x10: ffff600050a26492 x9 : dfff800000000000
-[  158.844475] x8 : 00009fffaf5d9b6e x7 : ffff000285132493 x6 : 0000000000000001
-[  158.844823] x5 : ffff000285132490 x4 : ffff600050a26493 x3 : ffff8000805e72bc
-[  158.845174] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000098588000
-[  158.845528] Call trace:
-[  158.845658]  refcount_warn_saturate+0x160/0x1a0 (P)
-[  158.845894]  svc_recv+0x58c/0x680 [sunrpc]
-[  158.846183]  nfsd+0x1fc/0x348 [nfsd]
-[  158.846390]  kthread+0x274/0x2f8
-[  158.846546]  ret_from_fork+0x10/0x20
-[  158.846714] ---[ end trace 0000000000000000 ]---
-
-nfsd_nl_listener_set_doit() would manipulate the list of transports of
-server's sv_permsocks and close the specified listener but the other
-list of transports (server's sp_xprts list) would not be changed leading
-to the problem above.
-
-Instead, determined if the nfsdctl is trying to remove a listener, in
-which case, delete all the existing listener transports and re-create
-all-but-the-removed ones.
-
-Fixes: 16a471177496 ("NFSD: add listener-{set,get} netlink command")
-Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
-Reviewed-by: Jeff Layton <jlayton@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
----
- fs/nfsd/nfsctl.c | 44 +++++++++++++++++++++-----------------------
- 1 file changed, 21 insertions(+), 23 deletions(-)
-
---- a/fs/nfsd/nfsctl.c
-+++ b/fs/nfsd/nfsctl.c
-@@ -1917,6 +1917,7 @@ int nfsd_nl_listener_set_doit(struct sk_
- 	struct svc_serv *serv;
- 	LIST_HEAD(permsocks);
- 	struct nfsd_net *nn;
-+	bool delete = false;
- 	int err, rem;
- 
- 	mutex_lock(&nfsd_mutex);
-@@ -1977,34 +1978,28 @@ int nfsd_nl_listener_set_doit(struct sk_
- 		}
- 	}
- 
--	/* For now, no removing old sockets while server is running */
--	if (serv->sv_nrthreads && !list_empty(&permsocks)) {
-+	/*
-+	 * If there are listener transports remaining on the permsocks list,
-+	 * it means we were asked to remove a listener.
-+	 */
-+	if (!list_empty(&permsocks)) {
- 		list_splice_init(&permsocks, &serv->sv_permsocks);
--		spin_unlock_bh(&serv->sv_lock);
--		err = -EBUSY;
--		goto out_unlock_mtx;
-+		delete = true;
- 	}
-+	spin_unlock_bh(&serv->sv_lock);
- 
--	/* Close the remaining sockets on the permsocks list */
--	while (!list_empty(&permsocks)) {
--		xprt = list_first_entry(&permsocks, struct svc_xprt, xpt_list);
--		list_move(&xprt->xpt_list, &serv->sv_permsocks);
--
--		/*
--		 * Newly-created sockets are born with the BUSY bit set. Clear
--		 * it if there are no threads, since nothing can pick it up
--		 * in that case.
--		 */
--		if (!serv->sv_nrthreads)
--			clear_bit(XPT_BUSY, &xprt->xpt_flags);
--
--		set_bit(XPT_CLOSE, &xprt->xpt_flags);
--		spin_unlock_bh(&serv->sv_lock);
--		svc_xprt_close(xprt);
--		spin_lock_bh(&serv->sv_lock);
-+	/* Do not remove listeners while there are active threads. */
-+	if (serv->sv_nrthreads) {
-+		err = -EBUSY;
-+		goto out_unlock_mtx;
- 	}
- 
--	spin_unlock_bh(&serv->sv_lock);
-+	/*
-+	 * Since we can't delete an arbitrary llist entry, destroy the
-+	 * remaining listeners and recreate the list.
-+	 */
-+	if (delete)
-+		svc_xprt_destroy_all(serv, net);
- 
- 	/* walk list of addrs again, open any that still don't exist */
- 	nlmsg_for_each_attr(attr, info->nlhdr, GENL_HDRLEN, rem) {
-@@ -2031,6 +2026,9 @@ int nfsd_nl_listener_set_doit(struct sk_
- 
- 		xprt = svc_find_listener(serv, xcl_name, net, sa);
- 		if (xprt) {
-+			if (delete)
-+				WARN_ONCE(1, "Transport type=%s already exists\n",
-+					  xcl_name);
- 			svc_xprt_put(xprt);
- 			continue;
- 		}

debian/patches/patchset-pf/nfs/0002-NFSD-Skip-sending-CB_RECALL_ANY-when-the-backchannel.patch

@@ -1,55 +0,0 @@
-From 71e2b1f41ebbead746c5b99384ebb9fb7c73a079 Mon Sep 17 00:00:00 2001
-From: Chuck Lever <chuck.lever@oracle.com>
-Date: Tue, 14 Jan 2025 17:09:24 -0500
-Subject: NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
-
-NFSD sends CB_RECALL_ANY to clients when the server is low on
-memory or that client has a large number of delegations outstanding.
-
-We've seen cases where NFSD attempts to send CB_RECALL_ANY requests
-to disconnected clients, and gets confused. These calls never go
-anywhere if a backchannel transport to the target client isn't
-available. Before the server can send any backchannel operation, the
-client has to connect first and then do a BIND_CONN_TO_SESSION.
-
-This patch doesn't address the root cause of the confusion, but
-there's no need to queue up these optional operations if they can't
-go anywhere.
-
-Fixes: 44df6f439a17 ("NFSD: add delegation reaper to react to low memory condition")
-Reviewed-by: Jeff Layton <jlayton@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
----
- fs/nfsd/nfs4state.c | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
---- a/fs/nfsd/nfs4state.c
-+++ b/fs/nfsd/nfs4state.c
-@@ -6860,14 +6860,19 @@ deleg_reaper(struct nfsd_net *nn)
- 	spin_lock(&nn->client_lock);
- 	list_for_each_safe(pos, next, &nn->client_lru) {
- 		clp = list_entry(pos, struct nfs4_client, cl_lru);
--		if (clp->cl_state != NFSD4_ACTIVE ||
--			list_empty(&clp->cl_delegations) ||
--			atomic_read(&clp->cl_delegs_in_recall) ||
--			test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags) ||
--			(ktime_get_boottime_seconds() -
--				clp->cl_ra_time < 5)) {
-+
-+		if (clp->cl_state != NFSD4_ACTIVE)
-+			continue;
-+		if (list_empty(&clp->cl_delegations))
-+			continue;
-+		if (atomic_read(&clp->cl_delegs_in_recall))
-+			continue;
-+		if (test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags))
-+			continue;
-+		if (ktime_get_boottime_seconds() - clp->cl_ra_time < 5)
-+			continue;
-+		if (clp->cl_cb_state != NFSD4_CB_UP)
- 			continue;
--		}
- 		list_add(&clp->cl_ra_cblist, &cblist);
- 
- 		/* release in nfsd4_cb_recall_any_release */

debian/patches/patchset-pf/nfs/0003-NFSD-nfsd_unlink-clobbers-non-zero-status-returned-f.patch

@@ -1,35 +0,0 @@
-From e9976f5c50b6513c156c4f5a1d9fde96efb50d29 Mon Sep 17 00:00:00 2001
-From: Chuck Lever <chuck.lever@oracle.com>
-Date: Sun, 26 Jan 2025 16:50:17 -0500
-Subject: NFSD: nfsd_unlink() clobbers non-zero status returned from
- fh_fill_pre_attrs()
-
-If fh_fill_pre_attrs() returns a non-zero status, the error flow
-takes it through out_unlock, which then overwrites the returned
-status code with
-
-	err = nfserrno(host_err);
-
-Fixes: a332018a91c4 ("nfsd: handle failure to collect pre/post-op attrs more sanely")
-Reviewed-by: Jeff Layton <jlayton@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
----
- fs/nfsd/vfs.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
---- a/fs/nfsd/vfs.c
-+++ b/fs/nfsd/vfs.c
-@@ -2011,11 +2011,9 @@ out_nfserr:
- 		 * error status.
- 		 */
- 		err = nfserr_file_open;
--	} else {
--		err = nfserrno(host_err);
- 	}
- out:
--	return err;
-+	return err != nfs_ok ? err : nfserrno(host_err);
- out_unlock:
- 	inode_unlock(dirp);
- 	goto out_drop_write;

debian/patches/patchset-pf/nfs/0004-NFSD-Never-return-NFS4ERR_FILE_OPEN-when-removing-a-.patch

@@ -1,68 +0,0 @@
-From c6e51270335aa72d7f255051119792629ed2ad2d Mon Sep 17 00:00:00 2001
-From: Chuck Lever <chuck.lever@oracle.com>
-Date: Sun, 26 Jan 2025 16:50:18 -0500
-Subject: NFSD: Never return NFS4ERR_FILE_OPEN when removing a directory
-
-RFC 8881 Section 18.25.4 paragraph 5 tells us that the server
-should return NFS4ERR_FILE_OPEN only if the target object is an
-opened file. This suggests that returning this status when removing
-a directory will confuse NFS clients.
-
-This is a version-specific issue; nfsd_proc_remove/rmdir() and
-nfsd3_proc_remove/rmdir() already return nfserr_access as
-appropriate.
-
-Unfortunately there is no quick way for nfsd4_remove() to determine
-whether the target object is a file or not, so the check is done in
-in nfsd_unlink() for now.
-
-Reported-by: Trond Myklebust <trondmy@hammerspace.com>
-Fixes: 466e16f0920f ("nfsd: check for EBUSY from vfs_rmdir/vfs_unink.")
-Reviewed-by: Jeff Layton <jlayton@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
----
- fs/nfsd/vfs.c | 24 ++++++++++++++++++------
- 1 file changed, 18 insertions(+), 6 deletions(-)
-
---- a/fs/nfsd/vfs.c
-+++ b/fs/nfsd/vfs.c
-@@ -1931,9 +1931,17 @@ out:
- 	return err;
- }
- 
--/*
-- * Unlink a file or directory
-- * N.B. After this call fhp needs an fh_put
-+/**
-+ * nfsd_unlink - remove a directory entry
-+ * @rqstp: RPC transaction context
-+ * @fhp: the file handle of the parent directory to be modified
-+ * @type: enforced file type of the object to be removed
-+ * @fname: the name of directory entry to be removed
-+ * @flen: length of @fname in octets
-+ *
-+ * After this call fhp needs an fh_put.
-+ *
-+ * Returns a generic NFS status code in network byte-order.
-  */
- __be32
- nfsd_unlink(struct svc_rqst *rqstp, struct svc_fh *fhp, int type,
-@@ -2007,10 +2015,14 @@ out_drop_write:
- 	fh_drop_write(fhp);
- out_nfserr:
- 	if (host_err == -EBUSY) {
--		/* name is mounted-on. There is no perfect
--		 * error status.
-+		/*
-+		 * See RFC 8881 Section 18.25.4 para 4: NFSv4 REMOVE
-+		 * wants a status unique to the object type.
- 		 */
--		err = nfserr_file_open;
-+		if (type != S_IFDIR)
-+			err = nfserr_file_open;
-+		else
-+			err = nfserr_acces;
- 	}
- out:
- 	return err != nfs_ok ? err : nfserrno(host_err);

debian/patches/patchset-pf/nfs/0005-nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch

@@ -1,88 +0,0 @@
-From be9eb38c29f63437120c1b4c5d1e7df98851e05e Mon Sep 17 00:00:00 2001
-From: Jeff Layton <jlayton@kernel.org>
-Date: Thu, 6 Feb 2025 13:12:13 -0500
-Subject: nfsd: don't ignore the return code of svc_proc_register()
-
-Currently, nfsd_proc_stat_init() ignores the return value of
-svc_proc_register(). If the procfile creation fails, then the kernel
-will WARN when it tries to remove the entry later.
-
-Fix nfsd_proc_stat_init() to return the same type of pointer as
-svc_proc_register(), and fix up nfsd_net_init() to check that and fail
-the nfsd_net construction if it occurs.
-
-svc_proc_register() can fail if the dentry can't be allocated, or if an
-identical dentry already exists. The second case is pretty unlikely in
-the nfsd_net construction codepath, so if this happens, return -ENOMEM.
-
-Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
-Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
-Cc: stable@vger.kernel.org # v6.9
-Signed-off-by: Jeff Layton <jlayton@kernel.org>
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
----
- fs/nfsd/nfsctl.c | 9 ++++++++-
- fs/nfsd/stats.c  | 4 ++--
- fs/nfsd/stats.h  | 2 +-
- 3 files changed, 11 insertions(+), 4 deletions(-)
-
---- a/fs/nfsd/nfsctl.c
-+++ b/fs/nfsd/nfsctl.c
-@@ -2202,8 +2202,14 @@ static __net_init int nfsd_net_init(stru
- 					  NFSD_STATS_COUNTERS_NUM);
- 	if (retval)
- 		goto out_repcache_error;
-+
- 	memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
- 	nn->nfsd_svcstats.program = &nfsd_programs[0];
-+	if (!nfsd_proc_stat_init(net)) {
-+		retval = -ENOMEM;
-+		goto out_proc_error;
-+	}
-+
- 	for (i = 0; i < sizeof(nn->nfsd_versions); i++)
- 		nn->nfsd_versions[i] = nfsd_support_version(i);
- 	for (i = 0; i < sizeof(nn->nfsd4_minorversions); i++)
-@@ -2213,13 +2219,14 @@ static __net_init int nfsd_net_init(stru
- 	nfsd4_init_leases_net(nn);
- 	get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
- 	seqlock_init(&nn->writeverf_lock);
--	nfsd_proc_stat_init(net);
- #if IS_ENABLED(CONFIG_NFS_LOCALIO)
- 	spin_lock_init(&nn->local_clients_lock);
- 	INIT_LIST_HEAD(&nn->local_clients);
- #endif
- 	return 0;
- 
-+out_proc_error:
-+	percpu_counter_destroy_many(nn->counter, NFSD_STATS_COUNTERS_NUM);
- out_repcache_error:
- 	nfsd_idmap_shutdown(net);
- out_idmap_error:
---- a/fs/nfsd/stats.c
-+++ b/fs/nfsd/stats.c
-@@ -73,11 +73,11 @@ static int nfsd_show(struct seq_file *se
- 
- DEFINE_PROC_SHOW_ATTRIBUTE(nfsd);
- 
--void nfsd_proc_stat_init(struct net *net)
-+struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
- {
- 	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
- 
--	svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
-+	return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
- }
- 
- void nfsd_proc_stat_shutdown(struct net *net)
---- a/fs/nfsd/stats.h
-+++ b/fs/nfsd/stats.h
-@@ -10,7 +10,7 @@
- #include <uapi/linux/nfsd/stats.h>
- #include <linux/percpu_counter.h>
- 
--void nfsd_proc_stat_init(struct net *net);
-+struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
- void nfsd_proc_stat_shutdown(struct net *net);
- 
- static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)

debian/patches/patchset-pf/nfs/0006-nfsd-allow-SC_STATUS_FREEABLE-when-searching-via-nfs.patch

@@ -1,54 +0,0 @@
-From 8ae7239f6e86e8eaf9b2d95164b9d88b0af1c9c7 Mon Sep 17 00:00:00 2001
-From: Jeff Layton <jlayton@kernel.org>
-Date: Thu, 13 Feb 2025 09:08:29 -0500
-Subject: nfsd: allow SC_STATUS_FREEABLE when searching via
- nfs4_lookup_stateid()
-
-The pynfs DELEG8 test fails when run against nfsd. It acquires a
-delegation and then lets the lease time out. It then tries to use the
-deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets
-bad NFS4ERR_BAD_STATEID instead.
-
-When a delegation is revoked, it's initially marked with
-SC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked
-with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for
-s FREE_STATEID call.
-
-nfs4_lookup_stateid() accepts a statusmask that includes the status
-flags that a found stateid is allowed to have. Currently, that mask
-never includes SC_STATUS_FREEABLE, which means that revoked delegations
-are (almost) never found.
-
-Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it
-from nfsd4_delegreturn() since it's now always implied.
-
-Fixes: 8dd91e8d31fe ("nfsd: fix race between laundromat and free_stateid")
-Cc: stable@vger.kernel.org
-Signed-off-by: Jeff Layton <jlayton@kernel.org>
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
----
- fs/nfsd/nfs4state.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
---- a/fs/nfsd/nfs4state.c
-+++ b/fs/nfsd/nfs4state.c
-@@ -7056,7 +7056,7 @@ nfsd4_lookup_stateid(struct nfsd4_compou
- 		 */
- 		statusmask |= SC_STATUS_REVOKED;
- 
--	statusmask |= SC_STATUS_ADMIN_REVOKED;
-+	statusmask |= SC_STATUS_ADMIN_REVOKED | SC_STATUS_FREEABLE;
- 
- 	if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
- 		CLOSE_STATEID(stateid))
-@@ -7711,9 +7711,7 @@ nfsd4_delegreturn(struct svc_rqst *rqstp
- 	if ((status = fh_verify(rqstp, &cstate->current_fh, S_IFREG, 0)))
- 		return status;
- 
--	status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG,
--				      SC_STATUS_REVOKED | SC_STATUS_FREEABLE,
--				      &s, nn);
-+	status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG, SC_STATUS_REVOKED, &s, nn);
- 	if (status)
- 		goto out;
- 	dp = delegstateid(s);

debian/patches/patchset-pf/nfs/0007-nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch

@@ -1,97 +0,0 @@
-From e5747c32073db3e624d454b80c94f5cb9b362370 Mon Sep 17 00:00:00 2001
-From: Li Lingfeng <lilingfeng3@huawei.com>
-Date: Thu, 13 Feb 2025 22:42:20 +0800
-Subject: nfsd: put dl_stid if fail to queue dl_recall
-
-Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we
-increment the reference count of dl_stid.
-We expect that after the corresponding work_struct is processed, the
-reference count of dl_stid will be decremented through the callback
-function nfsd4_cb_recall_release.
-However, if the call to nfsd4_run_cb fails, the incremented reference
-count of dl_stid will not be decremented correspondingly, leading to the
-following nfs4_stid leak:
-unreferenced object 0xffff88812067b578 (size 344):
-  comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
-  hex dump (first 32 bytes):
-    01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........
-    00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..
-  backtrace:
-    kmem_cache_alloc+0x4b9/0x700
-    nfsd4_process_open1+0x34/0x300
-    nfsd4_open+0x2d1/0x9d0
-    nfsd4_proc_compound+0x7a2/0xe30
-    nfsd_dispatch+0x241/0x3e0
-    svc_process_common+0x5d3/0xcc0
-    svc_process+0x2a3/0x320
-    nfsd+0x180/0x2e0
-    kthread+0x199/0x1d0
-    ret_from_fork+0x30/0x50
-    ret_from_fork_asm+0x1b/0x30
-unreferenced object 0xffff8881499f4d28 (size 368):
-  comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
-  hex dump (first 32 bytes):
-    01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....
-    30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......
-  backtrace:
-    kmem_cache_alloc+0x4b9/0x700
-    nfs4_alloc_stid+0x29/0x210
-    alloc_init_deleg+0x92/0x2e0
-    nfs4_set_delegation+0x284/0xc00
-    nfs4_open_delegation+0x216/0x3f0
-    nfsd4_process_open2+0x2b3/0xee0
-    nfsd4_open+0x770/0x9d0
-    nfsd4_proc_compound+0x7a2/0xe30
-    nfsd_dispatch+0x241/0x3e0
-    svc_process_common+0x5d3/0xcc0
-    svc_process+0x2a3/0x320
-    nfsd+0x180/0x2e0
-    kthread+0x199/0x1d0
-    ret_from_fork+0x30/0x50
-    ret_from_fork_asm+0x1b/0x30
-Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if
-fail to queue dl_recall.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
-Reviewed-by: Jeff Layton <jlayton@kernel.org>
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
----
- fs/nfsd/nfs4state.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
---- a/fs/nfsd/nfs4state.c
-+++ b/fs/nfsd/nfs4state.c
-@@ -1050,6 +1050,12 @@ static struct nfs4_ol_stateid * nfs4_all
- 	return openlockstateid(stid);
- }
- 
-+/*
-+ * As the sc_free callback of deleg, this may be called by nfs4_put_stid
-+ * in nfsd_break_one_deleg.
-+ * Considering nfsd_break_one_deleg is called with the flc->flc_lock held,
-+ * this function mustn't ever sleep.
-+ */
- static void nfs4_free_deleg(struct nfs4_stid *stid)
- {
- 	struct nfs4_delegation *dp = delegstateid(stid);
-@@ -5414,6 +5420,7 @@ static const struct nfsd4_callback_ops n
- 
- static void nfsd_break_one_deleg(struct nfs4_delegation *dp)
- {
-+	bool queued;
- 	/*
- 	 * We're assuming the state code never drops its reference
- 	 * without first removing the lease.  Since we're in this lease
-@@ -5422,7 +5429,10 @@ static void nfsd_break_one_deleg(struct
- 	 * we know it's safe to take a reference.
- 	 */
- 	refcount_inc(&dp->dl_stid.sc_count);
--	WARN_ON_ONCE(!nfsd4_run_cb(&dp->dl_recall));
-+	queued = nfsd4_run_cb(&dp->dl_recall);
-+	WARN_ON_ONCE(!queued);
-+	if (!queued)
-+		nfs4_put_stid(&dp->dl_stid);
- }
- 
- /* Called from break_lease() with flc_lock held. */

debian/patches/patchset-pf/nfs/0008-NFSD-Add-a-Kconfig-setting-to-enable-delegated-times.patch

@@ -1,74 +0,0 @@
-From 26d356ebfcd275f01c22349404676755dd36a4c4 Mon Sep 17 00:00:00 2001
-From: Chuck Lever <chuck.lever@oracle.com>
-Date: Tue, 11 Mar 2025 23:06:38 -0400
-Subject: NFSD: Add a Kconfig setting to enable delegated timestamps
-
-After three tries, we still see test failures with delegated
-timestamps. Disable them by default, but leave the implementation
-intact so that development can continue.
-
-Cc: stable@vger.kernel.org # v6.14
-Reviewed-by: Jeff Layton <jlayton@kernel.org>
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
----
- fs/nfsd/Kconfig     | 12 +++++++++++-
- fs/nfsd/nfs4state.c | 16 ++++++++++++++--
- 2 files changed, 25 insertions(+), 3 deletions(-)
-
---- a/fs/nfsd/Kconfig
-+++ b/fs/nfsd/Kconfig
-@@ -172,6 +172,16 @@ config NFSD_LEGACY_CLIENT_TRACKING
- 	  recoverydir, or spawn a process directly using a usermodehelper
- 	  upcall.
- 
--	  These legacy client tracking methods have proven to be probelmatic
-+	  These legacy client tracking methods have proven to be problematic
- 	  and will be removed in the future. Say Y here if you need support
- 	  for them in the interim.
-+
-+config NFSD_V4_DELEG_TIMESTAMPS
-+	bool "Support delegated timestamps"
-+	depends on NFSD_V4
-+	default n
-+	help
-+	  NFSD implements delegated timestamps according to
-+	  draft-ietf-nfsv4-delstid-08 "Extending the Opening of Files". This
-+	  is currently an experimental feature and is therefore left disabled
-+	  by default.
---- a/fs/nfsd/nfs4state.c
-+++ b/fs/nfsd/nfs4state.c
-@@ -5958,11 +5958,23 @@ nfsd4_verify_setuid_write(struct nfsd4_o
- 	return 0;
- }
- 
-+#ifdef CONFIG_NFSD_V4_DELEG_TIMESTAMPS
-+static bool nfsd4_want_deleg_timestamps(const struct nfsd4_open *open)
-+{
-+	return open->op_deleg_want & OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS;
-+}
-+#else /* CONFIG_NFSD_V4_DELEG_TIMESTAMPS */
-+static bool nfsd4_want_deleg_timestamps(const struct nfsd4_open *open)
-+{
-+	return false;
-+}
-+#endif /* CONFIG NFSD_V4_DELEG_TIMESTAMPS */
-+
- static struct nfs4_delegation *
- nfs4_set_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
- 		    struct svc_fh *parent)
- {
--	bool deleg_ts = open->op_deleg_want & OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS;
-+	bool deleg_ts = nfsd4_want_deleg_timestamps(open);
- 	struct nfs4_client *clp = stp->st_stid.sc_client;
- 	struct nfs4_file *fp = stp->st_stid.sc_file;
- 	struct nfs4_clnt_odstate *odstate = stp->st_clnt_odstate;
-@@ -6161,8 +6173,8 @@ static void
- nfs4_open_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
- 		     struct svc_fh *currentfh)
- {
--	bool deleg_ts = open->op_deleg_want & OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS;
- 	struct nfs4_openowner *oo = openowner(stp->st_stateowner);
-+	bool deleg_ts = nfsd4_want_deleg_timestamps(open);
- 	struct nfs4_client *clp = stp->st_stid.sc_client;
- 	struct svc_fh *parent = NULL;
- 	struct nfs4_delegation *dp;

debian/patches/patchset-pf/smb/0001-cifs-avoid-NULL-pointer-dereference-in-dbg-call.patch

@@ -1,37 +0,0 @@
-From c1a019d5fef8266e444159bc2bdaf9a5c9c7ef76 Mon Sep 17 00:00:00 2001
-From: Alexandra Diupina <adiupina@astralinux.ru>
-Date: Wed, 19 Mar 2025 17:28:58 +0300
-Subject: cifs: avoid NULL pointer dereference in dbg call
-
-cifs_server_dbg() implies server to be non-NULL so
-move call under condition to avoid NULL pointer dereference.
-
-Found by Linux Verification Center (linuxtesting.org) with SVACE.
-
-Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
-Cc: stable@vger.kernel.org
-Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
-Signed-off-by: Steve French <stfrench@microsoft.com>
----
- fs/smb/client/smb2misc.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
---- a/fs/smb/client/smb2misc.c
-+++ b/fs/smb/client/smb2misc.c
-@@ -816,11 +816,12 @@ smb2_handle_cancelled_close(struct cifs_
- 		WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
- 		spin_unlock(&cifs_tcp_ses_lock);
- 
--		if (tcon->ses)
-+		if (tcon->ses) {
- 			server = tcon->ses->server;
--
--		cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
--				tcon->tid, persistent_fid, volatile_fid);
-+			cifs_server_dbg(FYI,
-+					"tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
-+					tcon->tid, persistent_fid, volatile_fid);
-+		}
- 
- 		return 0;
- 	}

debian/patches/patchset-pf/smb/0001-ksmbd-Fix-dangling-pointer-in-krb_authenticate.patch

@@ -0,0 +1,33 @@
+From c3eedd3e0d50a748c6c520ba00377aba8150c713 Mon Sep 17 00:00:00 2001
+From: Sean Heelan <seanheelan@gmail.com>
+Date: Mon, 7 Apr 2025 11:26:50 +0000
+Subject: ksmbd: Fix dangling pointer in krb_authenticate
+
+krb_authenticate frees sess->user and does not set the pointer
+to NULL. It calls ksmbd_krb5_authenticate to reinitialise
+sess->user but that function may return without doing so. If
+that happens then smb2_sess_setup, which calls krb_authenticate,
+will be accessing free'd memory when it later uses sess->user.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan <seanheelan@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/smb2pdu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1602,8 +1602,10 @@ static int krb5_authenticate(struct ksmb
+ 	if (prev_sess_id && prev_sess_id != sess->id)
+ 		destroy_previous_session(conn, sess->user, prev_sess_id);
+ 
+-	if (sess->state == SMB2_SESSION_VALID)
++	if (sess->state == SMB2_SESSION_VALID) {
+ 		ksmbd_free_user(sess->user);
++		sess->user = NULL;
++	}
+ 
+ 	retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
+ 					 out_blob, &out_len);

debian/patches/patchset-pf/smb/0002-ksmbd-add-bounds-check-for-durable-handle-context.patch

@@ -1,60 +0,0 @@
-From 750b72183e7f3d9dc775540cee41c0c06d2c1da4 Mon Sep 17 00:00:00 2001
-From: Namjae Jeon <linkinjeon@kernel.org>
-Date: Fri, 14 Mar 2025 18:21:47 +0900
-Subject: ksmbd: add bounds check for durable handle context
-
-Add missing bounds check for durable handle context.
-
-Cc: stable@vger.kernel.org
-Reported-by: Norbert Szetei <norbert@doyensec.com>
-Tested-by: Norbert Szetei <norbert@doyensec.com>
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
----
- fs/smb/server/smb2pdu.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
---- a/fs/smb/server/smb2pdu.c
-+++ b/fs/smb/server/smb2pdu.c
-@@ -2708,6 +2708,13 @@ static int parse_durable_handle_context(
- 				goto out;
- 			}
- 
-+			if (le16_to_cpu(context->DataOffset) +
-+				le32_to_cpu(context->DataLength) <
-+			    sizeof(struct create_durable_reconn_v2_req)) {
-+				err = -EINVAL;
-+				goto out;
-+			}
-+
- 			recon_v2 = (struct create_durable_reconn_v2_req *)context;
- 			persistent_id = recon_v2->Fid.PersistentFileId;
- 			dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
-@@ -2741,6 +2748,13 @@ static int parse_durable_handle_context(
- 				goto out;
- 			}
- 
-+			if (le16_to_cpu(context->DataOffset) +
-+				le32_to_cpu(context->DataLength) <
-+			    sizeof(struct create_durable_reconn_req)) {
-+				err = -EINVAL;
-+				goto out;
-+			}
-+
- 			recon = (struct create_durable_reconn_req *)context;
- 			persistent_id = recon->Data.Fid.PersistentFileId;
- 			dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
-@@ -2765,6 +2779,13 @@ static int parse_durable_handle_context(
- 				err = -EINVAL;
- 				goto out;
- 			}
-+
-+			if (le16_to_cpu(context->DataOffset) +
-+				le32_to_cpu(context->DataLength) <
-+			    sizeof(struct create_durable_req_v2)) {
-+				err = -EINVAL;
-+				goto out;
-+			}
- 
- 			durable_v2_blob =
- 				(struct create_durable_req_v2 *)context;

debian/patches/patchset-pf/smb/0002-ksmbd-fix-use-after-free-in-__smb2_lease_break_noti.patch

@@ -0,0 +1,76 @@
+From 1932e1bb8624ec520da5f61e3f5bbdd16b9f320d Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 11 Apr 2025 15:19:46 +0900
+Subject: ksmbd: fix use-after-free in __smb2_lease_break_noti()
+
+Move tcp_transport free to ksmbd_conn_free. If ksmbd connection is
+referenced when ksmbd server thread terminates, It will not be freed,
+but conn->tcp_transport is freed. __smb2_lease_break_noti can be performed
+asynchronously when the connection is disconnected. __smb2_lease_break_noti
+calls ksmbd_conn_write, which can cause use-after-free
+when conn->ksmbd_transport is already freed.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/connection.c    |  4 +++-
+ fs/smb/server/transport_tcp.c | 14 +++++++++-----
+ fs/smb/server/transport_tcp.h |  1 +
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/server/connection.c
++++ b/fs/smb/server/connection.c
+@@ -39,8 +39,10 @@ void ksmbd_conn_free(struct ksmbd_conn *
+ 	xa_destroy(&conn->sessions);
+ 	kvfree(conn->request_buf);
+ 	kfree(conn->preauth_info);
+-	if (atomic_dec_and_test(&conn->refcnt))
++	if (atomic_dec_and_test(&conn->refcnt)) {
++		ksmbd_free_transport(conn->transport);
+ 		kfree(conn);
++	}
+ }
+ 
+ /**
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -93,17 +93,21 @@ static struct tcp_transport *alloc_trans
+ 	return t;
+ }
+ 
+-static void free_transport(struct tcp_transport *t)
++void ksmbd_free_transport(struct ksmbd_transport *kt)
+ {
+-	kernel_sock_shutdown(t->sock, SHUT_RDWR);
+-	sock_release(t->sock);
+-	t->sock = NULL;
++	struct tcp_transport *t = TCP_TRANS(kt);
+ 
+-	ksmbd_conn_free(KSMBD_TRANS(t)->conn);
++	sock_release(t->sock);
+ 	kfree(t->iov);
+ 	kfree(t);
+ }
+ 
++static void free_transport(struct tcp_transport *t)
++{
++	kernel_sock_shutdown(t->sock, SHUT_RDWR);
++	ksmbd_conn_free(KSMBD_TRANS(t)->conn);
++}
++
+ /**
+  * kvec_array_init() - initialize a IO vector segment
+  * @new:	IO vector to be initialized
+--- a/fs/smb/server/transport_tcp.h
++++ b/fs/smb/server/transport_tcp.h
+@@ -8,6 +8,7 @@
+ 
+ int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz);
+ struct interface *ksmbd_find_netdev_name_iface_list(char *netdev_name);
++void ksmbd_free_transport(struct ksmbd_transport *kt);
+ int ksmbd_tcp_init(void);
+ void ksmbd_tcp_destroy(void);
+ 

debian/patches/patchset-pf/smb/0003-CIFS-Propagate-min-offload-along-with-other-paramete.patch

@@ -1,59 +0,0 @@
-From 419b06f0ca7662c17a026ab0117ba9887dbd0477 Mon Sep 17 00:00:00 2001
-From: Aman <aman1@microsoft.com>
-Date: Thu, 6 Mar 2025 17:46:43 +0000
-Subject: CIFS: Propagate min offload along with other parameters from primary
- to secondary channels.
-
-In a multichannel setup, it was observed that a few fields were not being
-copied over to the secondary channels, which impacted performance in cases
-where these options were relevant but not properly synchronized. To address
-this, this patch introduces copying the following parameters from the
-primary channel to the secondary channels:
-
-- min_offload
-- compression.requested
-- dfs_conn
-- ignore_signature
-- leaf_fullpath
-- noblockcnt
-- retrans
-- sign
-
-By copying these parameters, we ensure consistency across channels and
-prevent performance degradation due to missing or outdated settings.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Aman <aman1@microsoft.com>
-Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
-Signed-off-by: Steve French <stfrench@microsoft.com>
----
- fs/smb/client/connect.c | 1 +
- fs/smb/client/sess.c    | 7 +++++++
- 2 files changed, 8 insertions(+)
-
---- a/fs/smb/client/connect.c
-+++ b/fs/smb/client/connect.c
-@@ -1676,6 +1676,7 @@ cifs_get_tcp_session(struct smb3_fs_cont
- 	/* Grab netns reference for this server. */
- 	cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
- 
-+	tcp_ses->sign = ctx->sign;
- 	tcp_ses->conn_id = atomic_inc_return(&tcpSesNextId);
- 	tcp_ses->noblockcnt = ctx->rootfs;
- 	tcp_ses->noblocksnd = ctx->noblocksnd || ctx->rootfs;
---- a/fs/smb/client/sess.c
-+++ b/fs/smb/client/sess.c
-@@ -522,6 +522,13 @@ cifs_ses_add_channel(struct cifs_ses *se
- 	ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
- 	ctx->echo_interval = ses->server->echo_interval / HZ;
- 	ctx->max_credits = ses->server->max_credits;
-+	ctx->min_offload = ses->server->min_offload;
-+	ctx->compress = ses->server->compression.requested;
-+	ctx->dfs_conn = ses->server->dfs_conn;
-+	ctx->ignore_signature = ses->server->ignore_signature;
-+	ctx->leaf_fullpath = ses->server->leaf_fullpath;
-+	ctx->rootfs = ses->server->noblockcnt;
-+	ctx->retrans = ses->server->retrans;
- 
- 	/*
- 	 * This will be used for encoding/decoding user/domain/pw

debian/patches/patchset-pf/smb/0003-ksmbd-fix-use-after-free-in-smb_break_all_levII_oplo.patch

@@ -0,0 +1,124 @@
+From 67437a4c66847a82ab538705b932144d4af28f4b Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 15 Apr 2025 09:30:21 +0900
+Subject: ksmbd: fix use-after-free in smb_break_all_levII_oplock()
+
+There is a room in smb_break_all_levII_oplock that can cause racy issues
+when unlocking in the middle of the loop. This patch use read lock
+to protect whole loop.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/oplock.c | 29 +++++++++--------------------
+ fs/smb/server/oplock.h |  1 -
+ 2 files changed, 9 insertions(+), 21 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -129,14 +129,6 @@ static void free_opinfo(struct oplock_in
+ 	kfree(opinfo);
+ }
+ 
+-static inline void opinfo_free_rcu(struct rcu_head *rcu_head)
+-{
+-	struct oplock_info *opinfo;
+-
+-	opinfo = container_of(rcu_head, struct oplock_info, rcu_head);
+-	free_opinfo(opinfo);
+-}
+-
+ struct oplock_info *opinfo_get(struct ksmbd_file *fp)
+ {
+ 	struct oplock_info *opinfo;
+@@ -157,8 +149,8 @@ static struct oplock_info *opinfo_get_li
+ 	if (list_empty(&ci->m_op_list))
+ 		return NULL;
+ 
+-	rcu_read_lock();
+-	opinfo = list_first_or_null_rcu(&ci->m_op_list, struct oplock_info,
++	down_read(&ci->m_lock);
++	opinfo = list_first_entry(&ci->m_op_list, struct oplock_info,
+ 					op_entry);
+ 	if (opinfo) {
+ 		if (opinfo->conn == NULL ||
+@@ -171,8 +163,7 @@ static struct oplock_info *opinfo_get_li
+ 			}
+ 		}
+ 	}
+-
+-	rcu_read_unlock();
++	up_read(&ci->m_lock);
+ 
+ 	return opinfo;
+ }
+@@ -185,7 +176,7 @@ void opinfo_put(struct oplock_info *opin
+ 	if (!atomic_dec_and_test(&opinfo->refcount))
+ 		return;
+ 
+-	call_rcu(&opinfo->rcu_head, opinfo_free_rcu);
++	free_opinfo(opinfo);
+ }
+ 
+ static void opinfo_add(struct oplock_info *opinfo)
+@@ -193,7 +184,7 @@ static void opinfo_add(struct oplock_inf
+ 	struct ksmbd_inode *ci = opinfo->o_fp->f_ci;
+ 
+ 	down_write(&ci->m_lock);
+-	list_add_rcu(&opinfo->op_entry, &ci->m_op_list);
++	list_add(&opinfo->op_entry, &ci->m_op_list);
+ 	up_write(&ci->m_lock);
+ }
+ 
+@@ -207,7 +198,7 @@ static void opinfo_del(struct oplock_inf
+ 		write_unlock(&lease_list_lock);
+ 	}
+ 	down_write(&ci->m_lock);
+-	list_del_rcu(&opinfo->op_entry);
++	list_del(&opinfo->op_entry);
+ 	up_write(&ci->m_lock);
+ }
+ 
+@@ -1347,8 +1338,8 @@ void smb_break_all_levII_oplock(struct k
+ 	ci = fp->f_ci;
+ 	op = opinfo_get(fp);
+ 
+-	rcu_read_lock();
+-	list_for_each_entry_rcu(brk_op, &ci->m_op_list, op_entry) {
++	down_read(&ci->m_lock);
++	list_for_each_entry(brk_op, &ci->m_op_list, op_entry) {
+ 		if (brk_op->conn == NULL)
+ 			continue;
+ 
+@@ -1358,7 +1349,6 @@ void smb_break_all_levII_oplock(struct k
+ 		if (ksmbd_conn_releasing(brk_op->conn))
+ 			continue;
+ 
+-		rcu_read_unlock();
+ 		if (brk_op->is_lease && (brk_op->o_lease->state &
+ 		    (~(SMB2_LEASE_READ_CACHING_LE |
+ 				SMB2_LEASE_HANDLE_CACHING_LE)))) {
+@@ -1388,9 +1378,8 @@ void smb_break_all_levII_oplock(struct k
+ 		oplock_break(brk_op, SMB2_OPLOCK_LEVEL_NONE, NULL);
+ next:
+ 		opinfo_put(brk_op);
+-		rcu_read_lock();
+ 	}
+-	rcu_read_unlock();
++	up_read(&ci->m_lock);
+ 
+ 	if (op)
+ 		opinfo_put(op);
+--- a/fs/smb/server/oplock.h
++++ b/fs/smb/server/oplock.h
+@@ -71,7 +71,6 @@ struct oplock_info {
+ 	struct list_head        lease_entry;
+ 	wait_queue_head_t oplock_q; /* Other server threads */
+ 	wait_queue_head_t oplock_brk; /* oplock breaking wait */
+-	struct rcu_head		rcu_head;
+ };
+ 
+ struct lease_break_info {

debian/patches/patchset-pf/smb/0004-ksmbd-add-bounds-check-for-create-lease-context.patch

@@ -1,41 +0,0 @@
-From df179d4868b57eb8bcd7587559164178f17f0747 Mon Sep 17 00:00:00 2001
-From: Norbert Szetei <norbert@doyensec.com>
-Date: Sat, 15 Mar 2025 12:19:28 +0900
-Subject: ksmbd: add bounds check for create lease context
-
-Add missing bounds check for create lease context.
-
-Cc: stable@vger.kernel.org
-Reported-by: Norbert Szetei <norbert@doyensec.com>
-Tested-by: Norbert Szetei <norbert@doyensec.com>
-Signed-off-by: Norbert Szetei <norbert@doyensec.com>
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
----
- fs/smb/server/oplock.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/fs/smb/server/oplock.c
-+++ b/fs/smb/server/oplock.c
-@@ -1505,6 +1505,10 @@ struct lease_ctx_info *parse_lease_state
- 	if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
- 		struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
- 
-+		if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
-+		    sizeof(struct create_lease_v2) - 4)
-+			return NULL;
-+
- 		memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
- 		lreq->req_state = lc->lcontext.LeaseState;
- 		lreq->flags = lc->lcontext.LeaseFlags;
-@@ -1517,6 +1521,10 @@ struct lease_ctx_info *parse_lease_state
- 	} else {
- 		struct create_lease *lc = (struct create_lease *)cc;
- 
-+		if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
-+		    sizeof(struct create_lease))
-+			return NULL;
-+
- 		memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
- 		lreq->req_state = lc->lcontext.LeaseState;
- 		lreq->flags = lc->lcontext.LeaseFlags;

debian/patches/patchset-pf/smb/0004-ksmbd-fix-the-warning-from-__kernel_write_iter.patch

@@ -0,0 +1,31 @@
+From d9f3fc321672406f959334509a88296187994c5a Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 15 Apr 2025 09:31:08 +0900
+Subject: ksmbd: fix the warning from __kernel_write_iter
+
+[ 2110.972290] ------------[ cut here ]------------
+[ 2110.972301] WARNING: CPU: 3 PID: 735 at fs/read_write.c:599 __kernel_write_iter+0x21b/0x280
+
+This patch doesn't allow writing to directory.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/vfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -496,7 +496,8 @@ int ksmbd_vfs_write(struct ksmbd_work *w
+ 	int err = 0;
+ 
+ 	if (work->conn->connection_type) {
+-		if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE))) {
++		if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE)) ||
++		    S_ISDIR(file_inode(fp->filp)->i_mode)) {
+ 			pr_err("no right to write(%pD)\n", fp->filp);
+ 			err = -EACCES;
+ 			goto out;

debian/patches/patchset-pf/smb/0005-ksmbd-Prevent-integer-overflow-in-calculation-of-dea.patch

@@ -0,0 +1,43 @@
+From adbf65091f5ac103ae5339bd49549b147906a0c0 Mon Sep 17 00:00:00 2001
+From: Denis Arefev <arefev@swemel.ru>
+Date: Wed, 9 Apr 2025 12:04:49 +0300
+Subject: ksmbd: Prevent integer overflow in calculation of deadtime
+
+The user can set any value for 'deadtime'. This affects the arithmetic
+expression 'req->deadtime * SMB_ECHO_INTERVAL', which is subject to
+overflow. The added check makes the server behavior more predictable.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/transport_ipc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -310,7 +310,11 @@ static int ipc_server_config_on_startup(
+ 	server_conf.signing = req->signing;
+ 	server_conf.tcp_port = req->tcp_port;
+ 	server_conf.ipc_timeout = req->ipc_timeout * HZ;
+-	server_conf.deadtime = req->deadtime * SMB_ECHO_INTERVAL;
++	if (check_mul_overflow(req->deadtime, SMB_ECHO_INTERVAL,
++					&server_conf.deadtime)) {
++		ret = -EINVAL;
++		goto out;
++	}
+ 	server_conf.share_fake_fscaps = req->share_fake_fscaps;
+ 	ksmbd_init_domain(req->sub_auth);
+ 
+@@ -337,6 +341,7 @@ static int ipc_server_config_on_startup(
+ 	server_conf.bind_interfaces_only = req->bind_interfaces_only;
+ 	ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req),
+ 					req->ifc_list_sz);
++out:
+ 	if (ret) {
+ 		pr_err("Server configuration error: %s %s %s\n",
+ 		       req->netbios_name, req->server_string,

debian/patches/patchset-pf/smb/0005-ksmbd-fix-use-after-free-in-ksmbd_sessions_deregiste.patch

@@ -1,31 +0,0 @@
-From d72853120541d47779616db780a15a42afe4ad9b Mon Sep 17 00:00:00 2001
-From: Namjae Jeon <linkinjeon@kernel.org>
-Date: Sat, 22 Mar 2025 09:20:19 +0900
-Subject: ksmbd: fix use-after-free in ksmbd_sessions_deregister()
-
-In multichannel mode, UAF issue can occur in session_deregister
-when the second channel sets up a session through the connection of
-the first channel. session that is freed through the global session
-table can be accessed again through ->sessions of connection.
-
-Cc: stable@vger.kernel.org
-Reported-by: Norbert Szetei <norbert@doyensec.com>
-Tested-by: Norbert Szetei <norbert@doyensec.com>
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
----
- fs/smb/server/mgmt/user_session.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/fs/smb/server/mgmt/user_session.c
-+++ b/fs/smb/server/mgmt/user_session.c
-@@ -230,6 +230,9 @@ void ksmbd_sessions_deregister(struct ks
- 			if (!ksmbd_chann_del(conn, sess) &&
- 			    xa_empty(&sess->ksmbd_chann_list)) {
- 				hash_del(&sess->hlist);
-+				down_write(&conn->session_lock);
-+				xa_erase(&conn->sessions, sess->id);
-+				up_write(&conn->session_lock);
- 				ksmbd_session_destroy(sess);
- 			}
- 		}

debian/patches/patchset-pf/smb/0006-cifs-fix-integer-overflow-in-match_server.patch

@@ -1,36 +0,0 @@
-From 87a17042db9d288d1c5bf3eac2a31bd3315a8cd0 Mon Sep 17 00:00:00 2001
-From: Roman Smirnov <r.smirnov@omp.ru>
-Date: Mon, 31 Mar 2025 11:22:49 +0300
-Subject: cifs: fix integer overflow in match_server()
-
-The echo_interval is not limited in any way during mounting,
-which makes it possible to write a large number to it. This can
-cause an overflow when multiplying ctx->echo_interval by HZ in
-match_server().
-
-Add constraints for echo_interval to smb3_fs_context_parse_param().
-
-Found by Linux Verification Center (linuxtesting.org) with Svace.
-
-Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
-Cc: stable@vger.kernel.org
-Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
-Signed-off-by: Steve French <stfrench@microsoft.com>
----
- fs/smb/client/fs_context.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/fs/smb/client/fs_context.c
-+++ b/fs/smb/client/fs_context.c
-@@ -1377,6 +1377,11 @@ static int smb3_fs_context_parse_param(s
- 		ctx->closetimeo = HZ * result.uint_32;
- 		break;
- 	case Opt_echo_interval:
-+		if (result.uint_32 < SMB_ECHO_INTERVAL_MIN ||
-+		    result.uint_32 > SMB_ECHO_INTERVAL_MAX) {
-+			cifs_errorf(fc, "echo interval is out of bounds\n");
-+			goto cifs_parse_mount_err;
-+		}
- 		ctx->echo_interval = result.uint_32;
- 		break;
- 	case Opt_snapshot: