diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml
index 532be833ec36..06d41dd2254d 100644
--- a/android/abi_gki_aarch64.xml
+++ b/android/abi_gki_aarch64.xml
@@ -91,6 +91,7 @@
       <elf-symbol name='__get_task_comm' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x619f9ce1'/>
       <elf-symbol name='__hci_cmd_sync' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x58ab3544'/>
       <elf-symbol name='__hci_cmd_sync_ev' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xff21ce7b'/>
+      <elf-symbol name='__hid_register_driver' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x489b790b'/>
       <elf-symbol name='__hvc_resize' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x626a2c75'/>
       <elf-symbol name='__hwspin_lock_timeout' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x5756a223'/>
       <elf-symbol name='__hwspin_unlock' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x11ff81de'/>
@@ -1712,8 +1713,11 @@
       <elf-symbol name='hid_add_device' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x3415a672'/>
       <elf-symbol name='hid_allocate_device' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x484a3bb'/>
       <elf-symbol name='hid_destroy_device' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x8a79daad'/>
+      <elf-symbol name='hid_hw_start' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x1da9c94b'/>
       <elf-symbol name='hid_input_report' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x838085d4'/>
+      <elf-symbol name='hid_open_report' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xb80de67f'/>
       <elf-symbol name='hid_parse_report' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xa89586c3'/>
+      <elf-symbol name='hid_unregister_driver' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x69aecaad'/>
       <elf-symbol name='hrtimer_active' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xecd991f'/>
       <elf-symbol name='hrtimer_cancel' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xcc69bd8c'/>
       <elf-symbol name='hrtimer_forward' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x76c41756'/>
@@ -9975,7 +9979,23 @@
           <var-decl name='rcu' type-id='e3d8ce29' visibility='default' filepath='net/8021q/vlan.h' line='36' column='1'/>
         </data-member>
       </class-decl>
-      <class-decl name='drm_self_refresh_data' is-struct='yes' visibility='default' is-declaration-only='yes' id='12506762'/>
+      <class-decl name='drm_self_refresh_data' size-in-bits='1664' is-struct='yes' visibility='default' filepath='drivers/gpu/drm/drm_self_refresh_helper.c' line='58' column='1' id='12506762'>
+        <data-member access='public' layout-offset-in-bits='0'>
+          <var-decl name='crtc' type-id='b64ad7cb' visibility='default' filepath='drivers/gpu/drm/drm_self_refresh_helper.c' line='59' column='1'/>
+        </data-member>
+        <data-member access='public' layout-offset-in-bits='64'>
+          <var-decl name='entry_work' type-id='5ad6e0ef' visibility='default' filepath='drivers/gpu/drm/drm_self_refresh_helper.c' line='60' column='1'/>
+        </data-member>
+        <data-member access='public' layout-offset-in-bits='1152'>
+          <var-decl name='avg_mutex' type-id='925167dc' visibility='default' filepath='drivers/gpu/drm/drm_self_refresh_helper.c' line='62' column='1'/>
+        </data-member>
+        <data-member access='public' layout-offset-in-bits='1536'>
+          <var-decl name='entry_avg_ms' type-id='6e15744f' visibility='default' filepath='drivers/gpu/drm/drm_self_refresh_helper.c' line='63' column='1'/>
+        </data-member>
+        <data-member access='public' layout-offset-in-bits='1600'>
+          <var-decl name='exit_avg_ms' type-id='6e15744f' visibility='default' filepath='drivers/gpu/drm/drm_self_refresh_helper.c' line='64' column='1'/>
+        </data-member>
+      </class-decl>
       <class-decl name='v4l2_event_subscription' size-in-bits='256' is-struct='yes' visibility='default' filepath='include/uapi/linux/videodev2.h' line='2413' column='1' id='1251351e'>
         <data-member access='public' layout-offset-in-bits='0'>
           <var-decl name='type' type-id='3f1a6b60' visibility='default' filepath='include/uapi/linux/videodev2.h' line='2414' column='1'/>
@@ -45164,6 +45184,11 @@
         <enumerator name='REGCACHE_COMPRESSED' value='2'/>
         <enumerator name='REGCACHE_FLAT' value='3'/>
       </enum-decl>
+      <class-decl name='ewma_psr_time' size-in-bits='64' is-struct='yes' visibility='default' filepath='drivers/gpu/drm/drm_self_refresh_helper.c' line='56' column='1' id='6e15744f'>
+        <data-member access='public' layout-offset-in-bits='0'>
+          <var-decl name='internal' type-id='7359adad' visibility='default' filepath='drivers/gpu/drm/drm_self_refresh_helper.c' line='56' column='1'/>
+        </data-member>
+      </class-decl>
       <typedef-decl name='uint' type-id='f0981eeb' filepath='include/linux/types.h' line='87' column='1' id='6e160b14'/>
       <class-decl name='cec_event_entry' size-in-bits='768' is-struct='yes' visibility='default' filepath='include/media/cec.h' line='75' column='1' id='6e21d41e'>
         <data-member access='public' layout-offset-in-bits='0'>
@@ -109954,6 +109979,12 @@
         <parameter type-id='19c2251e' name='timeout' filepath='net/bluetooth/hci_request.c' line='128' column='1'/>
         <return type-id='0fbf3cfd'/>
       </function-decl>
+      <function-decl name='__hid_register_driver' mangled-name='__hid_register_driver' filepath='drivers/hid/hid-core.c' line='2542' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='__hid_register_driver'>
+        <parameter type-id='cbd2074d' name='hdrv' filepath='drivers/hid/hid-core.c' line='2542' column='1'/>
+        <parameter type-id='2730d015' name='owner' filepath='drivers/hid/hid-core.c' line='2542' column='1'/>
+        <parameter type-id='80f4b756' name='mod_name' filepath='drivers/hid/hid-core.c' line='2543' column='1'/>
+        <return type-id='95e97e5e'/>
+      </function-decl>
       <function-decl name='__hvc_resize' mangled-name='__hvc_resize' filepath='drivers/tty/hvc/hvc_console.c' line='778' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='__hvc_resize'>
         <parameter type-id='352b95f6' name='hp' filepath='drivers/tty/hvc/hvc_console.c' line='778' column='1'/>
         <parameter type-id='a818b7a0' name='ws' filepath='drivers/tty/hvc/hvc_console.c' line='778' column='1'/>
@@ -118893,6 +118924,11 @@
         <parameter type-id='37175e4d' name='hdev' filepath='drivers/hid/hid-core.c' line='2504' column='1'/>
         <return type-id='48b5725f'/>
       </function-decl>
+      <function-decl name='hid_hw_start' mangled-name='hid_hw_start' filepath='drivers/hid/hid-core.c' line='2050' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='hid_hw_start'>
+        <parameter type-id='37175e4d' name='hdev' filepath='drivers/hid/hid-core.c' line='2050' column='1'/>
+        <parameter type-id='f0981eeb' name='connect_mask' filepath='drivers/hid/hid-core.c' line='2050' column='1'/>
+        <return type-id='95e97e5e'/>
+      </function-decl>
       <function-decl name='hid_input_report' mangled-name='hid_input_report' filepath='drivers/hid/hid-core.c' line='1810' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='hid_input_report'>
         <parameter type-id='37175e4d' name='hid' filepath='drivers/hid/hid-core.c' line='1810' column='1'/>
         <parameter type-id='95e97e5e' name='type' filepath='drivers/hid/hid-core.c' line='1810' column='1'/>
@@ -118901,12 +118937,20 @@
         <parameter type-id='95e97e5e' name='interrupt' filepath='drivers/hid/hid-core.c' line='1810' column='1'/>
         <return type-id='95e97e5e'/>
       </function-decl>
+      <function-decl name='hid_open_report' mangled-name='hid_open_report' filepath='drivers/hid/hid-core.c' line='1190' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='hid_open_report'>
+        <parameter type-id='37175e4d' name='device' filepath='drivers/hid/hid-core.c' line='1190' column='1'/>
+        <return type-id='95e97e5e'/>
+      </function-decl>
       <function-decl name='hid_parse_report' mangled-name='hid_parse_report' filepath='drivers/hid/hid-core.c' line='937' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='hid_parse_report'>
         <parameter type-id='37175e4d' name='hid' filepath='drivers/hid/hid-core.c' line='937' column='1'/>
         <parameter type-id='474e5dcc' name='start' filepath='drivers/hid/hid-core.c' line='937' column='1'/>
         <parameter type-id='f0981eeb' name='size' filepath='drivers/hid/hid-core.c' line='937' column='1'/>
         <return type-id='95e97e5e'/>
       </function-decl>
+      <function-decl name='hid_unregister_driver' mangled-name='hid_unregister_driver' filepath='drivers/hid/hid-core.c' line='2565' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='hid_unregister_driver'>
+        <parameter type-id='cbd2074d' name='hdrv' filepath='drivers/hid/hid-core.c' line='2565' column='1'/>
+        <return type-id='48b5725f'/>
+      </function-decl>
       <function-decl name='hrtimer_active' mangled-name='hrtimer_active' filepath='kernel/time/hrtimer.c' line='1502' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='hrtimer_active'>
         <parameter type-id='1ce53783' name='timer' filepath='kernel/time/hrtimer.c' line='1502' column='1'/>
         <return type-id='b50a4934'/>
diff --git a/android/abi_gki_aarch64_generic b/android/abi_gki_aarch64_generic
index 81746e107e32..d9a45368005a 100644
--- a/android/abi_gki_aarch64_generic
+++ b/android/abi_gki_aarch64_generic
@@ -993,8 +993,12 @@
   hid_allocate_device
   hid_debug
   hid_destroy_device
+  hid_hw_start
   hid_input_report
+  hid_open_report
   hid_parse_report
+  __hid_register_driver
+  hid_unregister_driver
   hrtimer_active
   hrtimer_cancel
   hrtimer_forward
diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
index 6ca172ac3445..810436d85608 100644
--- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
+++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
@@ -1915,7 +1915,14 @@ static int hyp_zero_page(phys_addr_t phys)
 	if (!addr)
 		return -EINVAL;
 	memset(addr, 0, PAGE_SIZE);
-	__clean_dcache_guest_page(addr, PAGE_SIZE);
+	/*
+	 * Prefer kvm_flush_dcache_to_poc() over __clean_dcache_guest_page()
+	 * here as the latter may elide the CMO under the assumption that FWB
+	 * will be enabled on CPUs that support it. This is incorrect for the
+	 * host stage-2 and would otherwise lead to a malicious host potentially
+	 * being able to read the content of newly reclaimed guest pages.
+	 */
+	kvm_flush_dcache_to_poc(addr, PAGE_SIZE);
 
 	return hyp_fixmap_unmap();
 }
diff --git a/arch/arm64/kvm/hyp/nvhe/pkvm.c b/arch/arm64/kvm/hyp/nvhe/pkvm.c
index 50717a46e735..b9e6337852dd 100644
--- a/arch/arm64/kvm/hyp/nvhe/pkvm.c
+++ b/arch/arm64/kvm/hyp/nvhe/pkvm.c
@@ -1246,7 +1246,7 @@ out_guest_err:
 
 static bool pkvm_install_ioguard_page(struct kvm_vcpu *vcpu, u64 *exit_code)
 {
-	u32 retval = SMCCC_RET_SUCCESS;
+	u64 retval = SMCCC_RET_SUCCESS;
 	u64 ipa = smccc_get_arg1(vcpu);
 	int ret;
 
@@ -1338,6 +1338,8 @@ bool kvm_handle_pvm_hvc64(struct kvm_vcpu *vcpu, u64 *exit_code)
 		return pkvm_install_ioguard_page(vcpu, exit_code);
 	case ARM_SMCCC_VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID:
 		if (__pkvm_remove_ioguard_page(vcpu, vcpu_get_reg(vcpu, 1)))
+			val[0] = SMCCC_RET_INVALID_PARAMETER;
+		else
 			val[0] = SMCCC_RET_SUCCESS;
 		break;
 	case ARM_SMCCC_VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID:
diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index a3b151b29bd7..fc616db4231b 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam,
 	int ret;
 
 	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
+	if (!r) {
+		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
+		return -EINVAL;
+	}
+
 	if (hid_report_len(r) < 64)
 		return -EINVAL;
 
@@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam,
 	int ret;
 
 	r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0];
+	if (!r) {
+		hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted -  nothing to read\n");
+		return -EINVAL;
+	}
+
 	if (hid_report_len(r) < 64)
 		return -EINVAL;
 
diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
index f46ac0f39777..e14917cd2a1d 100644
--- a/kernel/sched/psi.c
+++ b/kernel/sched/psi.c
@@ -1020,7 +1020,7 @@ void psi_cgroup_free(struct cgroup *cgroup)
  */
 void cgroup_move_task(struct task_struct *task, struct css_set *to)
 {
-	unsigned int task_flags = 0;
+	unsigned int task_flags;
 	struct rq_flags rf;
 	struct rq *rq;
 
@@ -1035,15 +1035,31 @@ void cgroup_move_task(struct task_struct *task, struct css_set *to)
 
 	rq = task_rq_lock(task, &rf);
 
-	if (task_on_rq_queued(task)) {
-		task_flags = TSK_RUNNING;
-		if (task_current(rq, task))
-			task_flags |= TSK_ONCPU;
-	} else if (task->in_iowait)
-		task_flags = TSK_IOWAIT;
-
-	if (task->in_memstall)
-		task_flags |= TSK_MEMSTALL;
+	/*
+	 * We may race with schedule() dropping the rq lock between
+	 * deactivating prev and switching to next. Because the psi
+	 * updates from the deactivation are deferred to the switch
+	 * callback to save cgroup tree updates, the task's scheduling
+	 * state here is not coherent with its psi state:
+	 *
+	 * schedule()                   cgroup_move_task()
+	 *   rq_lock()
+	 *   deactivate_task()
+	 *     p->on_rq = 0
+	 *     psi_dequeue() // defers TSK_RUNNING & TSK_IOWAIT updates
+	 *   pick_next_task()
+	 *     rq_unlock()
+	 *                                rq_lock()
+	 *                                psi_task_change() // old cgroup
+	 *                                task->cgroups = to
+	 *                                psi_task_change() // new cgroup
+	 *                                rq_unlock()
+	 *     rq_lock()
+	 *   psi_sched_switch() // does deferred updates in new cgroup
+	 *
+	 * Don't rely on the scheduling state. Use psi_flags instead.
+	 */
+	task_flags = task->psi_flags;
 
 	if (task_flags)
 		psi_task_change(task, task_flags, 0);