6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Nov 2025 13:30:55 +0000 (14:30 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Nov 2025 13:30:55 +0000 (14:30 +0100)
added patches:
arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch
arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch
arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch
arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch
ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch
ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
be2net-pass-wrb_params-in-case-of-os2bmc.patch
exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
hid-amd_sfh-stop-sensor-before-starting.patch
hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch
mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
mptcp-disallow-mptcp-subflows-from-sockmap.patch
mptcp-fix-proto-fallback-detection-with-bpf.patch
mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
mtdchar-fix-integer-overflow-in-read-write-ioctls.patch
net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch
revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch
shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch
smb-client-introduce-close_cached_dir_locked.patch
timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch

22 files changed:
queue-6.12/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch [new file with mode: 0644]
queue-6.12/arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch [new file with mode: 0644]
queue-6.12/arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch [new file with mode: 0644]
queue-6.12/arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch [new file with mode: 0644]
queue-6.12/ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch [new file with mode: 0644]
queue-6.12/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch [new file with mode: 0644]
queue-6.12/be2net-pass-wrb_params-in-case-of-os2bmc.patch [new file with mode: 0644]
queue-6.12/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch [new file with mode: 0644]
queue-6.12/hid-amd_sfh-stop-sensor-before-starting.patch [new file with mode: 0644]
queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch [new file with mode: 0644]
queue-6.12/isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch [new file with mode: 0644]
queue-6.12/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch [new file with mode: 0644]
queue-6.12/mptcp-disallow-mptcp-subflows-from-sockmap.patch [new file with mode: 0644]
queue-6.12/mptcp-fix-proto-fallback-detection-with-bpf.patch [new file with mode: 0644]
queue-6.12/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch [new file with mode: 0644]
queue-6.12/mtdchar-fix-integer-overflow-in-read-write-ioctls.patch [new file with mode: 0644]
queue-6.12/net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch [new file with mode: 0644]
queue-6.12/revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch [new file with mode: 0644]
queue-6.12/smb-client-introduce-close_cached_dir_locked.patch [new file with mode: 0644]
queue-6.12/timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch [new file with mode: 0644]

diff --git a/queue-6.12/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch b/queue-6.12/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch
new file mode 100644 (file)
index 0000000..29e1209
--- /dev/null
@@ -0,0 +1,59 @@
+From baa18d577cd445145039e731d3de0fa49ca57204 Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@cherry.de>
+Date: Wed, 12 Nov 2025 16:01:53 +0100
+Subject: arm64: dts: rockchip: disable HS400 on RK3588 Tiger
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+commit baa18d577cd445145039e731d3de0fa49ca57204 upstream.
+
+We've had reports from the field that some RK3588 Tiger have random
+issues with eMMC errors.
+
+Applying commit a28352cf2d2f ("mmc: sdhci-of-dwcmshc: Change
+DLL_STRBIN_TAPNUM_DEFAULT to 0x4") didn't help and seemed to have made
+things worse for our board.
+
+Our HW department checked the eMMC lines and reported that they are too
+long and don't look great so signal integrity is probably not the best.
+
+Note that not all Tigers with the same eMMC chip have errors, so the
+suspicion is that we're really on the edge in terms of signal integrity
+and only a handful devices are failing. Additionally, we have RK3588
+Jaguars with the same eMMC chip but the layout is different and we also
+haven't received reports about those so far.
+
+Lowering the max-frequency to 150MHz from 200MHz instead of simply
+disabling HS400 was briefly tested and seem to work as well. We've
+disabled HS400 downstream and haven't received reports since so we'll go
+with that instead of lowering the max-frequency.
+
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Fixes: 6173ef24b35b ("arm64: dts: rockchip: add RK3588-Q7 (Tiger) SoM")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251112-tiger-hs200-v1-1-b50adac107c0@cherry.de
+[added Fixes tag and stable-cc from 2nd mail]
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi
+@@ -359,14 +359,12 @@
+       cap-mmc-highspeed;
+       mmc-ddr-1_8v;
+       mmc-hs200-1_8v;
+-      mmc-hs400-1_8v;
+-      mmc-hs400-enhanced-strobe;
+       mmc-pwrseq = <&emmc_pwrseq>;
+       no-sdio;
+       no-sd;
+       non-removable;
+       pinctrl-names = "default";
+-      pinctrl-0 = <&emmc_bus8 &emmc_cmd &emmc_clk &emmc_data_strobe>;
++      pinctrl-0 = <&emmc_bus8 &emmc_cmd &emmc_clk>;
+       vmmc-supply = <&vcc_3v3_s3>;
+       vqmmc-supply = <&vcc_1v8_s3>;
+       status = "okay";
diff --git a/queue-6.12/arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch b/queue-6.12/arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch
new file mode 100644 (file)
index 0000000..d294514
--- /dev/null
@@ -0,0 +1,39 @@
+From b5414520793e68d266fdd97a84989d9831156aad Mon Sep 17 00:00:00 2001
+From: Mykola Kvach <xakep.amatop@gmail.com>
+Date: Mon, 3 Nov 2025 12:27:40 +0200
+Subject: arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5
+
+From: Mykola Kvach <xakep.amatop@gmail.com>
+
+commit b5414520793e68d266fdd97a84989d9831156aad upstream.
+
+The vcc3v3_pcie20 fixed regulator powers the PCIe device-side 3.3V rail
+for pcie2x1l2 via vpcie3v3-supply. The DTS mistakenly set its
+regulator-min/max-microvolt to 1800000 (1.8 V). Correct both to 3300000
+(3.3 V) to match the rail name, the PCIe/M.2 power requirement, and the
+actual hardware wiring on Orange Pi 5.
+
+Fixes: b6bc755d806e ("arm64: dts: rockchip: Add Orange Pi 5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mykola Kvach <xakep.amatop@gmail.com>
+Reviewed-by: Michael Riesch <michael.riesch@collabora.com>
+Link: https://patch.msgid.link/cf6e08dfdfbf1c540685d12388baab1326f95d2c.1762165324.git.xakep.amatop@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts
+@@ -85,8 +85,8 @@
+               gpios = <&gpio0 RK_PC5 GPIO_ACTIVE_HIGH>;
+               regulator-name = "vcc3v3_pcie20";
+               regulator-boot-on;
+-              regulator-min-microvolt = <1800000>;
+-              regulator-max-microvolt = <1800000>;
++              regulator-min-microvolt = <3300000>;
++              regulator-max-microvolt = <3300000>;
+               startup-delay-us = <50000>;
+               vin-supply = <&vcc5v0_sys>;
+       };
diff --git a/queue-6.12/arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch b/queue-6.12/arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch
new file mode 100644 (file)
index 0000000..1861c91
--- /dev/null
@@ -0,0 +1,35 @@
+From 03c7e964a02e388ee168c804add7404eda23908c Mon Sep 17 00:00:00 2001
+From: Diederik de Haas <diederik@cknow-tech.com>
+Date: Mon, 27 Oct 2025 16:54:28 +0100
+Subject: arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2
+
+From: Diederik de Haas <diederik@cknow-tech.com>
+
+commit 03c7e964a02e388ee168c804add7404eda23908c upstream.
+
+Page 13 of the PineTab2 v2 schematic dd 20230417 shows VCCIO4's power
+source is VCCIO_WL. Page 19 shows that VCCIO_WL is connected to
+VCCA1V8_PMU, so fix the PineTab2 dtsi to reflect that.
+
+Fixes: 1b7e19448f8f ("arm64: dts: rockchip: Add devicetree for Pine64 PineTab2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Diederik de Haas <diederik@cknow-tech.com>
+Link: https://patch.msgid.link/20251027155724.138096-1-diederik@cknow-tech.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi
+@@ -789,7 +789,7 @@
+       vccio1-supply = <&vccio_acodec>;
+       vccio2-supply = <&vcc_1v8>;
+       vccio3-supply = <&vccio_sd>;
+-      vccio4-supply = <&vcc_1v8>;
++      vccio4-supply = <&vcca1v8_pmu>;
+       vccio5-supply = <&vcc_1v8>;
+       vccio6-supply = <&vcc1v8_dvp>;
+       vccio7-supply = <&vcc_3v3>;
diff --git a/queue-6.12/arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch b/queue-6.12/arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch
new file mode 100644 (file)
index 0000000..36de66e
--- /dev/null
@@ -0,0 +1,54 @@
+From 08d70143e3033d267507deb98a5fd187df3e6640 Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@cherry.de>
+Date: Wed, 29 Oct 2025 14:50:59 +0100
+Subject: arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+commit 08d70143e3033d267507deb98a5fd187df3e6640 upstream.
+
+In commit 296602b8e5f7 ("arm64: dts: rockchip: Move RK3399 OPPs to dtsi
+files for SoC variants"), everything shared between variants of RK3399
+was put into rk3399-base.dtsi and the rest in variant-specific DTSI,
+such as rk3399-t, rk3399-op1, rk3399, etc.
+Therefore, the variant-specific DTSI should include rk3399-base.dtsi and
+not another variant's DTSI.
+
+rk3399-op1 wrongly includes rk3399 (a variant) DTSI instead of
+rk3399-base DTSI, let's fix this oversight by including the intended
+DTSI.
+
+Fortunately, this had no impact on the resulting DTB since all nodes
+were named the same and all node properties were overridden in
+rk3399-op1.dtsi. This was checked by doing a checksum of rk3399-op1 DTBs
+before and after this commit.
+
+No intended change in behavior.
+
+Fixes: 296602b8e5f7 ("arm64: dts: rockchip: Move RK3399 OPPs to dtsi files for SoC variants")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Link: https://patch.msgid.link/20251029-rk3399-op1-include-v1-1-2472ee60e7f8@cherry.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi
+index c4f4f1ff6117..9da6fd82e46b 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi
+@@ -3,7 +3,7 @@
+  * Copyright (c) 2016-2017 Fuzhou Rockchip Electronics Co., Ltd
+  */
+-#include "rk3399.dtsi"
++#include "rk3399-base.dtsi"
+ / {
+       cluster0_opp: opp-table-0 {
+-- 
+2.52.0
+
diff --git a/queue-6.12/ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch b/queue-6.12/ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch
new file mode 100644 (file)
index 0000000..554ae88
--- /dev/null
@@ -0,0 +1,36 @@
+From b32cc17d607e8ae7af037303fe101368cb4dc44c Mon Sep 17 00:00:00 2001
+From: Yihang Li <liyihang9@h-partners.com>
+Date: Thu, 20 Nov 2025 11:50:23 +0800
+Subject: ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan()
+
+From: Yihang Li <liyihang9@h-partners.com>
+
+commit b32cc17d607e8ae7af037303fe101368cb4dc44c upstream.
+
+Call scsi_device_put() in ata_scsi_dev_rescan() if the device or its
+queue are not running.
+
+Fixes: 0c76106cb975 ("scsi: sd: Fix TCG OPAL unlock on system resume")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yihang Li <liyihang9@h-partners.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -4807,8 +4807,10 @@ void ata_scsi_dev_rescan(struct work_str
+                       spin_unlock_irqrestore(ap->lock, flags);
+                       if (do_resume) {
+                               ret = scsi_resume_device(sdev);
+-                              if (ret == -EWOULDBLOCK)
++                              if (ret == -EWOULDBLOCK) {
++                                      scsi_device_put(sdev);
+                                       goto unlock_scan;
++                              }
+                               dev->flags &= ~ATA_DFLAG_RESUMING;
+                       }
+                       ret = scsi_rescan_device(sdev);
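Review bot: The added `scsi_device_put(sdev)` on the `-EWOULDBLOCK` branch of ata_scsi_dev_rescan() carries no comment saying which reference it releases, and the matching get is outside the hunk. A one-line comment would keep the pairing obvious to the next person who adds an early exit here, for example `/* Device or queue not running: drop the sdev reference before bailing out */`. The wording follows the commit description; confirm it against the code that takes the reference.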
diff --git a/queue-6.12/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch b/queue-6.12/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
new file mode 100644 (file)
index 0000000..fda39e1
--- /dev/null
@@ -0,0 +1,76 @@
+From b11890683380a36b8488229f818d5e76e8204587 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Wed, 19 Nov 2025 15:13:14 +0100
+Subject: ata: libata-scsi: Fix system suspend for a security locked drive
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit b11890683380a36b8488229f818d5e76e8204587 upstream.
+
+Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status
+handling") fixed ata_to_sense_error() to properly generate sense key
+ABORTED COMMAND (without any additional sense code), instead of the
+previous bogus sense key ILLEGAL REQUEST with the additional sense code
+UNALIGNED WRITE COMMAND, for a failed command.
+
+However, this broke suspend for Security locked drives (drives that have
+Security enabled, and have not been Security unlocked by boot firmware).
+
+The reason for this is that the SCSI disk driver, for the Synchronize
+Cache command only, treats any sense data with sense key ILLEGAL REQUEST
+as a successful command (regardless of ASC / ASCQ).
+
+After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error()
+status handling") the code that treats any sense data with sense key
+ILLEGAL REQUEST as a successful command is no longer applicable, so the
+command fails, which causes the system suspend to be aborted:
+
+  sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5
+  sd 1:0:0:0: PM: failed to suspend async: error -5
+  PM: Some devices failed to suspend, or early wake event detected
+
+To make suspend work once again, for a Security locked device only,
+return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense
+data which a real SCSI device would have returned if locked.
+The SCSI disk driver treats this sense data as a successful command.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ilia Baryshnikov <qwelias@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704
+Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling")
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c |    7 +++++++
+ include/linux/ata.h       |    1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -991,6 +991,13 @@ static void ata_gen_ata_sense(struct ata
+               return;
+       }
++      if (ata_id_is_locked(dev->id)) {
++              /* Security locked */
++              /* LOGICAL UNIT ACCESS NOT AUTHORIZED */
++              ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71);
++              return;
++      }
++
+       if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) {
+               ata_dev_dbg(dev,
+                           "Missing result TF: reporting aborted command\n");
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -566,6 +566,7 @@ struct ata_bmdma_prd {
+ #define ata_id_has_ncq(id)    ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8))
+ #define ata_id_queue_depth(id)        (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1)
+ #define ata_id_removable(id)  ((id)[ATA_ID_CONFIG] & (1 << 7))
++#define ata_id_is_locked(id)  (((id)[ATA_ID_DLF] & 0x7) == 0x7)
+ #define ata_id_has_atapi_AN(id)       \
+       ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+         ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
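Review bot: The new `ata_id_is_locked(dev->id)` test in ata_gen_ata_sense() sits ahead of the `ATA_QCFLAG_RTF_FILLED` check, so on a Security locked drive every failed command reaching this point is reported as DATA_PROTECT / 0x74 / 0x71, whatever status the device returned. If that is intended, say so in the comment, for example `/* Security locked: report access denied for any failure, result TF is not consulted */`. The macro added to include/linux/ata.h masks with a bare `0x7`; a comment naming the bits it requires (presumably supported, enabled and locked in the security status word) would make the condition checkable against the spec. The decision also relies on the cached `dev->id`, and nothing in these hunks shows that data being refreshed after an unlock. Both the function and the macro list continue outside the hunks.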
diff --git a/queue-6.12/be2net-pass-wrb_params-in-case-of-os2bmc.patch b/queue-6.12/be2net-pass-wrb_params-in-case-of-os2bmc.patch
new file mode 100644 (file)
index 0000000..3112c00
--- /dev/null
@@ -0,0 +1,60 @@
+From 7d277a7a58578dd62fd546ddaef459ec24ccae36 Mon Sep 17 00:00:00 2001
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Date: Wed, 19 Nov 2025 10:51:12 +0000
+Subject: be2net: pass wrb_params in case of OS2BMC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+
+commit 7d277a7a58578dd62fd546ddaef459ec24ccae36 upstream.
+
+be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL
+at be_send_pkt_to_bmc() call site.  This may lead to dereferencing a NULL
+pointer when processing a workaround for specific packet, as commit
+bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6
+packet") states.
+
+The correct way would be to pass the wrb_params from be_xmit().
+
+Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Link: https://patch.msgid.link/20251119105015.194501-1-a.vatoropin@crpt.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1296,7 +1296,8 @@ static void be_xmit_flush(struct be_adap
+               (adapter->bmc_filt_mask & BMC_FILT_MULTICAST)
+ static bool be_send_pkt_to_bmc(struct be_adapter *adapter,
+-                             struct sk_buff **skb)
++                             struct sk_buff **skb,
++                             struct be_wrb_params *wrb_params)
+ {
+       struct ethhdr *eh = (struct ethhdr *)(*skb)->data;
+       bool os2bmc = false;
+@@ -1360,7 +1361,7 @@ done:
+        * to BMC, asic expects the vlan to be inline in the packet.
+        */
+       if (os2bmc)
+-              *skb = be_insert_vlan_in_pkt(adapter, *skb, NULL);
++              *skb = be_insert_vlan_in_pkt(adapter, *skb, wrb_params);
+       return os2bmc;
+ }
+@@ -1387,7 +1388,7 @@ static netdev_tx_t be_xmit(struct sk_buf
+       /* if os2bmc is enabled and if the pkt is destined to bmc,
+        * enqueue the pkt a 2nd time with mgmt bit set.
+        */
+-      if (be_send_pkt_to_bmc(adapter, &skb)) {
++      if (be_send_pkt_to_bmc(adapter, &skb, &wrb_params)) {
+               BE_WRB_F_SET(wrb_params.features, OS2BMC, 1);
+               wrb_cnt = be_xmit_enqueue(adapter, txo, skb, &wrb_params);
+               if (unlikely(!wrb_cnt))
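Review bot: be_send_pkt_to_bmc() now forwards the caller's `wrb_params` to be_insert_vlan_in_pkt(), so whatever that helper writes into it is carried into the second be_xmit_enqueue() call in be_xmit(), and nothing in the hunk states that this is wanted for the BMC copy. The new parameter is also undocumented; a short comment above the signature such as `/* wrb_params: Tx params owned by be_xmit(), never NULL */` would record the contract this fix depends on. All three function bodies run outside the hunks, so whether be_insert_vlan_in_pkt() has other callers that still pass NULL cannot be confirmed from here.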
diff --git a/queue-6.12/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch b/queue-6.12/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
new file mode 100644 (file)
index 0000000..8a01730
--- /dev/null
@@ -0,0 +1,37 @@
+From f2c1f631630e01821fe4c3fdf6077bc7a8284f82 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Date: Tue, 4 Nov 2025 20:50:07 +0800
+Subject: exfat: check return value of sb_min_blocksize in exfat_read_boot_sector
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+commit f2c1f631630e01821fe4c3fdf6077bc7a8284f82 upstream.
+
+sb_min_blocksize() may return 0. Check its return value to avoid
+accessing the filesystem super block when sb->s_blocksize is 0.
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: 719c1e1829166d ("exfat: add super block operations")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Link: https://patch.msgid.link/20251104125009.2111925-3-yangyongpeng.storage@gmail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exfat/super.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/exfat/super.c
++++ b/fs/exfat/super.c
+@@ -452,7 +452,10 @@ static int exfat_read_boot_sector(struct
+       struct exfat_sb_info *sbi = EXFAT_SB(sb);
+       /* set block size to read super block */
+-      sb_min_blocksize(sb, 512);
++      if (!sb_min_blocksize(sb, 512)) {
++              exfat_err(sb, "unable to set blocksize");
++              return -EINVAL;
++      }
+       /* read boot sector */
+       sbi->boot_bh = sb_bread(sb, 0);
diff --git a/queue-6.12/hid-amd_sfh-stop-sensor-before-starting.patch b/queue-6.12/hid-amd_sfh-stop-sensor-before-starting.patch
new file mode 100644 (file)
index 0000000..6b4a146
--- /dev/null
@@ -0,0 +1,39 @@
+From 4d3a13afa8b64dc49293b3eab3e7beac11072c12 Mon Sep 17 00:00:00 2001
+From: "Mario Limonciello (AMD)" <superm1@kernel.org>
+Date: Mon, 20 Oct 2025 10:50:42 -0500
+Subject: HID: amd_sfh: Stop sensor before starting
+
+From: Mario Limonciello (AMD) <superm1@kernel.org>
+
+commit 4d3a13afa8b64dc49293b3eab3e7beac11072c12 upstream.
+
+Titas reports that the accelerometer sensor on their laptop only
+works after a warm boot or unloading/reloading the amd-sfh kernel
+module.
+
+Presumably the sensor is in a bad state on cold boot and failing to
+start, so explicitly stop it before starting.
+
+Cc: stable@vger.kernel.org
+Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality")
+Reported-by: Titas <novatitas366@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670
+Tested-by: Titas <novatitas366@gmail.com>
+Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+@@ -172,6 +172,8 @@ static int amd_sfh1_1_hid_client_init(st
+               if (rc)
+                       goto cleanup;
++              mp2_ops->stop(privdata, cl_data->sensor_idx[i]);
++              amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR);
+               writel(0, privdata->mmio + amd_get_p2c_val(privdata, 0));
+               mp2_ops->start(privdata, info);
+               status = amd_sfh_wait_for_response
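Review bot: The result of the added `amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR)` is discarded, whereas the wait that follows `mp2_ops->start()` a few lines below assigns its result to `status`. If the stop is meant to be best effort, state it with a comment such as `/* Best effort: sensor may be in a bad state on cold boot, ignore the stop result */`. Otherwise capture the value and log when the stop is not acknowledged, so a sensor that fails to reset is visible in the kernel log. The loop body continues outside the hunk.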
diff --git a/queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch b/queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
new file mode 100644 (file)
index 0000000..6fa3c9f
--- /dev/null
@@ -0,0 +1,70 @@
+From beab067dbcff642243291fd528355d64c41dc3b2 Mon Sep 17 00:00:00 2001
+From: Zhang Heng <zhangheng@kylinos.cn>
+Date: Fri, 12 Sep 2025 20:38:18 +0800
+Subject: HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+commit beab067dbcff642243291fd528355d64c41dc3b2 upstream.
+
+Based on available evidence, the USB ID 4c4a:4155 used by multiple
+devices has been attributed to Jieli. The commit 1a8953f4f774
+("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY") affected touchscreen
+functionality. Added checks for manufacturer and serial number to
+maintain microphone compatibility, enabling both devices to function
+properly.
+
+[jkosina@suse.com: edit shortlog]
+Fixes: 1a8953f4f774 ("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY")
+Cc: stable@vger.kernel.org
+Tested-by: staffan.melin@oscillator.se
+Reviewed-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h    |    4 ++--
+ drivers/hid/hid-quirks.c |   13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1528,7 +1528,7 @@
+ #define USB_VENDOR_ID_SIGNOTEC                        0x2133
+ #define USB_DEVICE_ID_SIGNOTEC_VIEWSONIC_PD1011       0x0018
+-#define USB_VENDOR_ID_SMARTLINKTECHNOLOGY              0x4c4a
+-#define USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155         0x4155
++#define USB_VENDOR_ID_JIELI_SDK_DEFAULT               0x4c4a
++#define USB_DEVICE_ID_JIELI_SDK_4155          0x4155
+ #endif
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -900,7 +900,6 @@ static const struct hid_device_id hid_ig
+ #endif
+       { HID_USB_DEVICE(USB_VENDOR_ID_YEALINK, USB_DEVICE_ID_YEALINK_P1K_P4K_B2K) },
+       { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473) },
+-      { HID_USB_DEVICE(USB_VENDOR_ID_SMARTLINKTECHNOLOGY, USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155) },
+       { }
+ };
+@@ -1057,6 +1056,18 @@ bool hid_ignore(struct hid_device *hdev)
+                                            strlen(elan_acpi_id[i].id)))
+                                       return true;
+               break;
++      case USB_VENDOR_ID_JIELI_SDK_DEFAULT:
++              /*
++               * Multiple USB devices with identical IDs (mic & touchscreen).
++               * The touch screen requires hid core processing, but the
++               * microphone does not. They can be distinguished by manufacturer
++               * and serial number.
++               */
++              if (hdev->product == USB_DEVICE_ID_JIELI_SDK_4155 &&
++                  strncmp(hdev->name, "SmartlinkTechnology", 19) == 0 &&
++                  strncmp(hdev->uniq, "20201111000001", 14) == 0)
++                      return true;
++              break;
+       }
+       if (hdev->type == HID_TYPE_USBMOUSE &&
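Review bot: In the new `USB_VENDOR_ID_JIELI_SDK_DEFAULT` case of hid_ignore(), both `strncmp()` calls use hand-counted lengths (19 and 14) and therefore match on a prefix, so any `hdev->uniq` that merely begins with `20201111000001` is ignored as well. Both strings are supplied by the device, so the match should be exactly as wide as intended. If the serial must match in full, use `strcmp(hdev->uniq, "20201111000001") == 0`, and for the name prefix `strstarts(hdev->name, "SmartlinkTechnology")` avoids the literal length. The touchscreen sharing this VID/PID only keeps working when this test fails for it, which the existing comment could state explicitly.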
diff --git a/queue-6.12/isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch b/queue-6.12/isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch
new file mode 100644 (file)
index 0000000..f79c5c7
--- /dev/null
@@ -0,0 +1,38 @@
+From e106e269c5cb38315eb0a0e7e38f71e9b20c8c66 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Date: Tue, 4 Nov 2025 20:50:08 +0800
+Subject: isofs: check the return value of sb_min_blocksize() in isofs_fill_super
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+commit e106e269c5cb38315eb0a0e7e38f71e9b20c8c66 upstream.
+
+sb_min_blocksize() may return 0. Check its return value to avoid
+opt->blocksize and sb->s_blocksize is 0.
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: 1b17a46c9243e9 ("isofs: convert isofs to use the new mount API")
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Link: https://patch.msgid.link/20251104125009.2111925-4-yangyongpeng.storage@gmail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/isofs/inode.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -610,6 +610,11 @@ static int isofs_fill_super(struct super
+               goto out_freesbi;
+       }
+       opt->blocksize = sb_min_blocksize(s, opt->blocksize);
++      if (!opt->blocksize) {
++              printk(KERN_ERR
++                     "ISOFS: unable to set blocksize\n");
++              goto out_freesbi;
++      }
+       sbi->s_high_sierra = 0; /* default is iso9660 */
+       sbi->s_session = opt->session;
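Review bot: The new `if (!opt->blocksize)` path in isofs_fill_super() leaves through `goto out_freesbi` without setting an error code inside the hunk, so the value returned to the mount caller depends on how the function's error variable was initialised earlier, which is not visible here. The exfat fix in this same queue returns `-EINVAL` explicitly for the same condition; setting the error variable to `-EINVAL` right before the goto would make the two agree and protect against a later change to the initialiser. A comment such as `/* sb_min_blocksize() returns 0 when the block size cannot be set */` would also explain why a zero is treated as fatal.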
diff --git a/queue-6.12/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch b/queue-6.12/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
new file mode 100644 (file)
index 0000000..7dff5ac
--- /dev/null
@@ -0,0 +1,174 @@
+From 9f048fa487409e364cf866c957cf0b0d782ca5a3 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Thu, 13 Nov 2025 05:21:10 +0000
+Subject: MIPS: mm: Prevent a TLB shutdown on initial uniquification
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 9f048fa487409e364cf866c957cf0b0d782ca5a3 upstream.
+
+Depending on the particular CPU implementation a TLB shutdown may occur
+if multiple matching entries are detected upon the execution of a TLBP
+or the TLBWI/TLBWR instructions.  Given that we don't know what entries
+we have been handed we need to be very careful with the initial TLB
+setup and avoid all these instructions.
+
+Therefore read all the TLB entries one by one with the TLBR instruction,
+bypassing the content addressing logic, and truncate any large pages in
+place so as to avoid a case in the second step where an incoming entry
+for a large page at a lower address overlaps with a replacement entry
+chosen at another index.  Then preinitialize the TLB using addresses
+outside our usual unique range and avoiding clashes with any entries
+received, before making the usual call to local_flush_tlb_all().
+
+This fixes (at least) R4x00 cores if TLBP hits multiple matching TLB
+entries (SGI IP22 PROM for examples sets up all TLBs to the same virtual
+address).
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Tested-by: Jiaxun Yang <jiaxun.yang@flygoat.com> # Boston I6400, M5150 sim
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/tlb-r4k.c |  102 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 64 insertions(+), 38 deletions(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -15,6 +15,7 @@
+ #include <linux/mm.h>
+ #include <linux/hugetlb.h>
+ #include <linux/export.h>
++#include <linux/sort.h>
+ #include <asm/cpu.h>
+ #include <asm/cpu-type.h>
+@@ -508,55 +509,79 @@ static int __init set_ntlb(char *str)
+ __setup("ntlb=", set_ntlb);
+-/* Initialise all TLB entries with unique values */
++
++/* Comparison function for EntryHi VPN fields.  */
++static int r4k_vpn_cmp(const void *a, const void *b)
++{
++      long v = *(unsigned long *)a - *(unsigned long *)b;
++      int s = sizeof(long) > sizeof(int) ? sizeof(long) * 8 - 1: 0;
++      return s ? (v != 0) | v >> s : v;
++}
++
++/*
++ * Initialise all TLB entries with unique values that do not clash with
++ * what we have been handed over and what we'll be using ourselves.
++ */
+ static void r4k_tlb_uniquify(void)
+ {
+-      int entry = num_wired_entries();
++      unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE];
++      int tlbsize = current_cpu_data.tlbsize;
++      int start = num_wired_entries();
++      unsigned long vpn_mask;
++      int cnt, ent, idx, i;
++
++      vpn_mask = GENMASK(cpu_vmbits - 1, 13);
++      vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31;
+       htw_stop();
+-      write_c0_entrylo0(0);
+-      write_c0_entrylo1(0);
+-      while (entry < current_cpu_data.tlbsize) {
+-              unsigned long asid_mask = cpu_asid_mask(&current_cpu_data);
+-              unsigned long asid = 0;
+-              int idx;
++      for (i = start, cnt = 0; i < tlbsize; i++, cnt++) {
++              unsigned long vpn;
+-              /* Skip wired MMID to make ginvt_mmid work */
+-              if (cpu_has_mmid)
+-                      asid = MMID_KERNEL_WIRED + 1;
++              write_c0_index(i);
++              mtc0_tlbr_hazard();
++              tlb_read();
++              tlb_read_hazard();
++              vpn = read_c0_entryhi();
++              vpn &= vpn_mask & PAGE_MASK;
++              tlb_vpns[cnt] = vpn;
+-              /* Check for match before using UNIQUE_ENTRYHI */
+-              do {
+-                      if (cpu_has_mmid) {
+-                              write_c0_memorymapid(asid);
+-                              write_c0_entryhi(UNIQUE_ENTRYHI(entry));
+-                      } else {
+-                              write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid);
+-                      }
+-                      mtc0_tlbw_hazard();
+-                      tlb_probe();
+-                      tlb_probe_hazard();
+-                      idx = read_c0_index();
+-                      /* No match or match is on current entry */
+-                      if (idx < 0 || idx == entry)
+-                              break;
+-                      /*
+-                       * If we hit a match, we need to try again with
+-                       * a different ASID.
+-                       */
+-                      asid++;
+-              } while (asid < asid_mask);
+-
+-              if (idx >= 0 && idx != entry)
+-                      panic("Unable to uniquify TLB entry %d", idx);
+-
+-              write_c0_index(entry);
++              /* Prevent any large pages from overlapping regular ones.  */
++              write_c0_pagemask(read_c0_pagemask() & PM_DEFAULT_MASK);
+               mtc0_tlbw_hazard();
+               tlb_write_indexed();
+-              entry++;
++              tlbw_use_hazard();
+       }
++      sort(tlb_vpns, cnt, sizeof(tlb_vpns[0]), r4k_vpn_cmp, NULL);
++
++      write_c0_pagemask(PM_DEFAULT_MASK);
++      write_c0_entrylo0(0);
++      write_c0_entrylo1(0);
++
++      idx = 0;
++      ent = tlbsize;
++      for (i = start; i < tlbsize; i++)
++              while (1) {
++                      unsigned long entryhi, vpn;
++
++                      entryhi = UNIQUE_ENTRYHI(ent);
++                      vpn = entryhi & vpn_mask & PAGE_MASK;
++
++                      if (idx >= cnt || vpn < tlb_vpns[idx]) {
++                              write_c0_entryhi(entryhi);
++                              write_c0_index(i);
++                              mtc0_tlbw_hazard();
++                              tlb_write_indexed();
++                              ent++;
++                              break;
++                      } else if (vpn == tlb_vpns[idx]) {
++                              ent++;
++                      } else {
++                              idx++;
++                      }
++              }
++
+       tlbw_use_hazard();
+       htw_start();
+       flush_micro_tlb();
+@@ -602,6 +627,7 @@ static void r4k_tlb_configure(void)
+       /* From this point on the ARC firmware is dead.  */
+       r4k_tlb_uniquify();
++      local_flush_tlb_all();
+       /* Did I tell you that ARC SUCKS?  */
+ }
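Review bot: `tlb_vpns` is a fixed on-stack array of `1 << MIPS_CONF1_TLBS_SIZE` entries, but the first loop in r4k_tlb_uniquify() stores `tlb_vpns[cnt]` for every index from `start` up to the runtime value `current_cpu_data.tlbsize`, and nothing in the hunk bounds `cnt` by the array size. If a CPU reports more TLB entries than that constant allows (how `tlbsize` is derived is not shown here), the loop writes past the array on the kernel stack during early boot. I would size the buffer from `tlbsize` instead of a compile-time constant, or at minimum make the bound explicit with `i < tlbsize && cnt < ARRAY_SIZE(tlb_vpns)` in the loop condition and a warning when entries are left unscanned.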
diff --git a/queue-6.12/mptcp-disallow-mptcp-subflows-from-sockmap.patch b/queue-6.12/mptcp-disallow-mptcp-subflows-from-sockmap.patch
new file mode 100644 (file)
index 0000000..9578a8b
--- /dev/null
@@ -0,0 +1,80 @@
+From fbade4bd08ba52cbc74a71c4e86e736f059f99f7 Mon Sep 17 00:00:00 2001
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+Date: Tue, 11 Nov 2025 14:02:50 +0800
+Subject: mptcp: Disallow MPTCP subflows from sockmap
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+commit fbade4bd08ba52cbc74a71c4e86e736f059f99f7 upstream.
+
+The sockmap feature allows bpf syscall from userspace, or based on bpf
+sockops, replacing the sk_prot of sockets during protocol stack processing
+with sockmap's custom read/write interfaces.
+'''
+tcp_rcv_state_process()
+  subflow_syn_recv_sock()
+    tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
+      bpf_skops_established       <== sockops
+        bpf_sock_map_update(sk)   <== call bpf helper
+          tcp_bpf_update_proto()  <== update sk_prot
+'''
+Consider two scenarios:
+
+1. When the server has MPTCP enabled and the client also requests MPTCP,
+   the sk passed to the BPF program is a subflow sk. Since subflows only
+   handle partial data, replacing their sk_prot is meaningless and will
+   cause traffic disruption.
+
+2. When the server has MPTCP enabled but the client sends a TCP SYN
+   without MPTCP, subflow_syn_recv_sock() performs a fallback on the
+   subflow, replacing the subflow sk's sk_prot with the native sk_prot.
+   '''
+   subflow_ulp_fallback()
+    subflow_drop_ctx()
+      mptcp_subflow_ops_undo_override()
+   '''
+   Subsequently, accept::mptcp_stream_accept::mptcp_fallback_tcp_ops()
+   converts the subflow to plain TCP.
+
+For the first case, we should prevent it from being combined with sockmap
+by setting sk_prot->psock_update_sk_prot to NULL, which will be blocked by
+sockmap's own flow.
+
+For the second case, since subflow_syn_recv_sock() has already restored
+sk_prot to native tcp_prot/tcpv6_prot, no further action is needed.
+
+Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251111060307.194196-2-jiayuan.chen@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/subflow.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -2150,6 +2150,10 @@ void __init mptcp_subflow_init(void)
+       tcp_prot_override = tcp_prot;
+       tcp_prot_override.release_cb = tcp_release_cb_override;
+       tcp_prot_override.diag_destroy = tcp_abort_override;
++#ifdef CONFIG_BPF_SYSCALL
++      /* Disable sockmap processing for subflows */
++      tcp_prot_override.psock_update_sk_prot = NULL;
++#endif
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+       /* In struct mptcp_subflow_request_sock, we assume the TCP request sock
+@@ -2186,6 +2190,10 @@ void __init mptcp_subflow_init(void)
+       tcpv6_prot_override = tcpv6_prot;
+       tcpv6_prot_override.release_cb = tcp_release_cb_override;
+       tcpv6_prot_override.diag_destroy = tcp_abort_override;
++#ifdef CONFIG_BPF_SYSCALL
++      /* Disable sockmap processing for subflows */
++      tcpv6_prot_override.psock_update_sk_prot = NULL;
++#endif
+ #endif
+       mptcp_diag_subflow_init(&subflow_ulp_ops);
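Review bot: The comment `/* Disable sockmap processing for subflows */` in both added blocks of mptcp_subflow_init() states the effect but not the mechanism or the reason, which a reader of subflow.c will not find without the commit message. Going by the description above, I would expand it to `/* Subflows carry only part of the MPTCP stream: keep psock_update_sk_prot NULL so sockmap refuses to replace sk_prot */`. The same wording applies to the `tcpv6_prot_override` block, and the function body continues outside both hunks.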
diff --git a/queue-6.12/mptcp-fix-proto-fallback-detection-with-bpf.patch b/queue-6.12/mptcp-fix-proto-fallback-detection-with-bpf.patch
new file mode 100644 (file)
index 0000000..fdb2370
--- /dev/null
@@ -0,0 +1,92 @@
+From c77b3b79a92e3345aa1ee296180d1af4e7031f8f Mon Sep 17 00:00:00 2001
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+Date: Tue, 11 Nov 2025 14:02:51 +0800
+Subject: mptcp: Fix proto fallback detection with BPF
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f upstream.
+
+The sockmap feature allows bpf syscall from userspace, or based
+on bpf sockops, replacing the sk_prot of sockets during protocol stack
+processing with sockmap's custom read/write interfaces.
+'''
+tcp_rcv_state_process()
+  syn_recv_sock()/subflow_syn_recv_sock()
+    tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
+      bpf_skops_established       <== sockops
+        bpf_sock_map_update(sk)   <== call bpf helper
+          tcp_bpf_update_proto()  <== update sk_prot
+'''
+
+When the server has MPTCP enabled but the client sends a TCP SYN
+without MPTCP, subflow_syn_recv_sock() performs a fallback on the
+subflow, replacing the subflow sk's sk_prot with the native sk_prot.
+'''
+subflow_syn_recv_sock()
+  subflow_ulp_fallback()
+    subflow_drop_ctx()
+      mptcp_subflow_ops_undo_override()
+'''
+
+Then, this subflow can be normally used by sockmap, which replaces the
+native sk_prot with sockmap's custom sk_prot. The issue occurs when the
+user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().
+Here, it uses sk->sk_prot to compare with the native sk_prot, but this
+is incorrect when sockmap is used, as we may incorrectly set
+sk->sk_socket->ops.
+
+This fix uses the more generic sk_family for the comparison instead.
+
+Additionally, this also prevents a WARNING from occurring:
+
+result from ./scripts/decode_stacktrace.sh:
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
+(net/mptcp/protocol.c:4005)
+Modules linked in:
+...
+
+PKRU: 55555554
+Call Trace:
+<TASK>
+do_accept (net/socket.c:1989)
+__sys_accept4 (net/socket.c:2028 net/socket.c:2057)
+__x64_sys_accept (net/socket.c:2067)
+x64_sys_call (arch/x86/entry/syscall_64.c:41)
+do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+RIP: 0033:0x7f87ac92b83d
+
+---[ end trace 0000000000000000 ]---
+
+Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -57,11 +57,13 @@ static u64 mptcp_wnd_end(const struct mp
+ static const struct proto_ops *mptcp_fallback_tcp_ops(const struct sock *sk)
+ {
++      unsigned short family = READ_ONCE(sk->sk_family);
++
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+-      if (sk->sk_prot == &tcpv6_prot)
++      if (family == AF_INET6)
+               return &inet6_stream_ops;
+ #endif
+-      WARN_ON_ONCE(sk->sk_prot != &tcp_prot);
++      WARN_ON_ONCE(family != AF_INET);
+       return &inet_stream_ops;
+ }
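Review bot: mptcp_fallback_tcp_ops() now keys off `sk->sk_family`, but nothing in the function records why `sk_prot` is no longer compared, so a later cleanup could plausibly restore the pointer comparison and reintroduce the bug. A one-line comment above the `READ_ONCE()` would keep the reason with the code: `/* sk_prot may have been replaced by sockmap; sk_family still identifies the TCP flavour */`. Note also that when `WARN_ON_ONCE(family != AF_INET)` fires the function still returns `&inet_stream_ops`; that is unchanged behaviour, but worth a word in the same comment.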
diff --git a/queue-6.12/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch b/queue-6.12/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..bf6a724
--- /dev/null
@@ -0,0 +1,43 @@
+From 5c56bf214af85ca042bf97f8584aab2151035840 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+Date: Thu, 23 Oct 2025 11:32:01 +0800
+Subject: mtd: rawnand: cadence: fix DMA device NULL pointer dereference
+
+From: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+
+commit 5c56bf214af85ca042bf97f8584aab2151035840 upstream.
+
+The DMA device pointer `dma_dev` was being dereferenced before ensuring
+that `cdns_ctrl->dmac` is properly initialized.
+
+Move the assignment of `dma_dev` after successfully acquiring the DMA
+channel to ensure the pointer is valid before use.
+
+Fixes: d76d22b5096c ("mtd: rawnand: cadence: use dma_map_resource for sdma address")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -2871,7 +2871,7 @@ cadence_nand_irq_cleanup(int irqnum, str
+ static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl)
+ {
+       dma_cap_mask_t mask;
+-      struct dma_device *dma_dev = cdns_ctrl->dmac->device;
++      struct dma_device *dma_dev;
+       int ret;
+       cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev,
+@@ -2915,6 +2915,7 @@ static int cadence_nand_init(struct cdns
+               }
+       }
++      dma_dev = cdns_ctrl->dmac->device;
+       cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
+                                                 cdns_ctrl->io.size,
+                                                 DMA_BIDIRECTIONAL, 0);
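Review bot: The moved assignment `dma_dev = cdns_ctrl->dmac->device;` follows two closing braces, so it appears to run unconditionally while the channel acquisition it depends on sits inside a conditional block the hunk does not show. If that block can be skipped, `cdns_ctrl->dmac` would still be NULL at this line and the dereference the commit removes from the declaration would simply happen later. This needs checking against the full cadence_nand_init(), which starts and ends outside the hunk. If such a path exists, test `cdns_ctrl->dmac` before the assignment and leave through the function's existing error path.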
diff --git a/queue-6.12/mtdchar-fix-integer-overflow-in-read-write-ioctls.patch b/queue-6.12/mtdchar-fix-integer-overflow-in-read-write-ioctls.patch
new file mode 100644 (file)
index 0000000..8eafc3a
--- /dev/null
@@ -0,0 +1,62 @@
+From e4185bed738da755b191aa3f2e16e8b48450e1b8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Tue, 30 Sep 2025 15:32:34 +0300
+Subject: mtdchar: fix integer overflow in read/write ioctls
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit e4185bed738da755b191aa3f2e16e8b48450e1b8 upstream.
+
+The "req.start" and "req.len" variables are u64 values that come from the
+user at the start of the function.  We mask away the high 32 bits of
+"req.len" so that's capped at U32_MAX but the "req.start" variable can go
+up to U64_MAX which means that the addition can still integer overflow.
+
+Use check_add_overflow() to fix this bug.
+
+Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
+Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdchar.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -599,6 +599,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd
+       uint8_t *datbuf = NULL, *oobbuf = NULL;
+       size_t datbuf_len, oobbuf_len;
+       int ret = 0;
++      u64 end;
+       if (copy_from_user(&req, argp, sizeof(req)))
+               return -EFAULT;
+@@ -618,7 +619,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd
+       req.len &= 0xffffffff;
+       req.ooblen &= 0xffffffff;
+-      if (req.start + req.len > mtd->size)
++      if (check_add_overflow(req.start, req.len, &end) || end > mtd->size)
+               return -EINVAL;
+       datbuf_len = min_t(size_t, req.len, mtd->erasesize);
+@@ -698,6 +699,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd,
+       size_t datbuf_len, oobbuf_len;
+       size_t orig_len, orig_ooblen;
+       int ret = 0;
++      u64 end;
+       if (copy_from_user(&req, argp, sizeof(req)))
+               return -EFAULT;
+@@ -724,7 +726,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd,
+       req.len &= 0xffffffff;
+       req.ooblen &= 0xffffffff;
+-      if (req.start + req.len > mtd->size) {
++      if (check_add_overflow(req.start, req.len, &end) || end > mtd->size) {
+               ret = -EINVAL;
+               goto out;
+       }
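Review bot: Both new checks in mtdchar_write_ioctl() and mtdchar_read_ioctl() depend on `req.start` being a raw u64 taken from `copy_from_user()` and on `req.len` having been masked to 32 bits just above, but neither function says so next to the check. A short comment before each `check_add_overflow()` would keep that reasoning with the code: `/* req.start is an unvalidated u64 from userspace: reject wrap-around before comparing with mtd->size */`. Separately, `req.len &= 0xffffffff` silently truncates an oversized length instead of rejecting it, which this patch leaves as is. Both functions continue outside the hunks.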
diff --git a/queue-6.12/net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch b/queue-6.12/net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch
new file mode 100644 (file)
index 0000000..b09e1b1
--- /dev/null
@@ -0,0 +1,48 @@
+From 3ceb6ac2116ecda1c5d779bb73271479e70fccb4 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 14 Nov 2025 10:09:51 +0100
+Subject: net: dsa: microchip: lan937x: Fix RGMII delay tuning
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 3ceb6ac2116ecda1c5d779bb73271479e70fccb4 upstream.
+
+Correct RGMII delay application logic in lan937x_set_tune_adj().
+
+The function was missing `data16 &= ~PORT_TUNE_ADJ` before setting the
+new delay value. This caused the new value to be bitwise-OR'd with the
+existing PORT_TUNE_ADJ field instead of replacing it.
+
+For example, when setting the RGMII 2 TX delay on port 4, the
+intended TUNE_ADJUST value of 0 (RGMII_2_TX_DELAY_2NS) was
+incorrectly OR'd with the default 0x1B (from register value 0xDA3),
+leaving the delay at the wrong setting.
+
+This patch adds the missing mask to clear the field, ensuring the
+correct delay value is written. Physical measurements on the RGMII TX
+lines confirm the fix, showing the delay changing from ~1ns (before
+change) to ~2ns.
+
+While testing on i.MX 8MP showed this was within the platform's timing
+tolerance, it did not match the intended hardware-characterized value.
+
+Fixes: b19ac41faa3f ("net: dsa: microchip: apply rgmii tx and rx delay in phylink mac config")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20251114090951.4057261-1-o.rempel@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/microchip/lan937x_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/dsa/microchip/lan937x_main.c
++++ b/drivers/net/dsa/microchip/lan937x_main.c
+@@ -339,6 +339,7 @@ static void lan937x_set_tune_adj(struct
+       ksz_pread16(dev, port, reg, &data16);
+       /* Update tune Adjust */
++      data16 &= ~PORT_TUNE_ADJ;
+       data16 |= FIELD_PREP(PORT_TUNE_ADJ, val);
+       ksz_pwrite16(dev, port, reg, data16);
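Review bot: The read-modify-write in lan937x_set_tune_adj() uses `data16` straight after `ksz_pread16()` without looking at its result, so a failed register read would have the masked and re-set field written back on top of whatever `data16` held. Whether the read can fail and what it leaves in the buffer is not visible in the hunk, so this is worth confirming. If it can fail, skip the write, e.g. `if (ksz_pread16(dev, port, reg, &data16)) return;`. The function starts outside the hunk.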
diff --git a/queue-6.12/revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch b/queue-6.12/revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch
new file mode 100644 (file)
index 0000000..ccc6128
--- /dev/null
@@ -0,0 +1,56 @@
+From 660b299bed2a2a55a1f9102d029549d0235f881c Mon Sep 17 00:00:00 2001
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Date: Mon, 3 Nov 2025 14:14:15 +0000
+Subject: Revert "drm/tegra: dsi: Clear enable register if powered by bootloader"
+
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+
+commit 660b299bed2a2a55a1f9102d029549d0235f881c upstream.
+
+Commit b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a
+known state") was introduced so that all power domains get initialized
+to a known working state when booting and it does this by shutting them
+down (including asserting resets and disabling clocks) before registering
+each power domain with the genpd framework, leaving it to each driver to
+later on power its needed domains.
+
+This caused the Google Pixel C to hang when booting due to a workaround
+in the DSI driver introduced in commit b22fd0b9639e ("drm/tegra: dsi:
+Clear enable register if powered by bootloader") meant to handle the case
+where the bootloader enabled the DSI hardware module. The workaround relies
+on reading a hardware register to determine the current status and after
+b6bcbce33596 that now happens in a powered down state thus leading to
+the boot hang.
+
+Fix this by reverting b22fd0b9639e since currently we are guaranteed
+that the hardware will be fully reset by the time we start enabling the
+DSI module.
+
+Fixes: b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state")
+Cc: stable@vger.kernel.org
+Signed-off-by: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20251103-diogo-smaug_ec_typec-v1-1-be656ccda391@tecnico.ulisboa.pt
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tegra/dsi.c |    9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/gpu/drm/tegra/dsi.c
++++ b/drivers/gpu/drm/tegra/dsi.c
+@@ -913,15 +913,6 @@ static void tegra_dsi_encoder_enable(str
+       u32 value;
+       int err;
+-      /* If the bootloader enabled DSI it needs to be disabled
+-       * in order for the panel initialization commands to be
+-       * properly sent.
+-       */
+-      value = tegra_dsi_readl(dsi, DSI_POWER_CONTROL);
+-
+-      if (value & DSI_POWER_CONTROL_ENABLE)
+-              tegra_dsi_disable(dsi);
+-
+       err = tegra_dsi_prepare(dsi);
+       if (err < 0) {
+               dev_err(dsi->dev, "failed to prepare: %d\n", err);
index 361fd0455ceb65db985e551ad1420463903f4ab9..91390ca831470b198c964989f8102072bf98152e 100644 (file)
@@ -1 +1,22 @@
 kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch
+timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch
+hid-amd_sfh-stop-sensor-before-starting.patch
+hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
+arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch
+arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch
+arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch
+arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch
+mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
+mtdchar-fix-integer-overflow-in-read-write-ioctls.patch
+isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch
+shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch
+exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
+mptcp-disallow-mptcp-subflows-from-sockmap.patch
+mptcp-fix-proto-fallback-detection-with-bpf.patch
+ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
+mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
+smb-client-introduce-close_cached_dir_locked.patch
+ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch
+be2net-pass-wrb_params-in-case-of-os2bmc.patch
+net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch
+revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch
diff --git a/queue-6.12/shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch b/queue-6.12/shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch
new file mode 100644 (file)
index 0000000..edea45d
--- /dev/null
@@ -0,0 +1,85 @@
+From 3cd1548a278c7d6a9bdef1f1866e7cf66bfd3518 Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Sat, 8 Nov 2025 19:09:47 +0000
+Subject: shmem: fix tmpfs reconfiguration (remount) when noswap is set
+
+From: Mike Yuan <me@yhndnzj.com>
+
+commit 3cd1548a278c7d6a9bdef1f1866e7cf66bfd3518 upstream.
+
+In systemd we're trying to switch the internal credentials setup logic
+to new mount API [1], and I noticed fsconfig(FSCONFIG_CMD_RECONFIGURE)
+consistently fails on tmpfs with noswap option. This can be trivially
+reproduced with the following:
+
+```
+int fs_fd = fsopen("tmpfs", 0);
+fsconfig(fs_fd, FSCONFIG_SET_FLAG, "noswap", NULL, 0);
+fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
+fsmount(fs_fd, 0, 0);
+fsconfig(fs_fd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0);  <------ EINVAL
+```
+
+After some digging the culprit is shmem_reconfigure() rejecting
+!(ctx->seen & SHMEM_SEEN_NOSWAP) && sbinfo->noswap, which is bogus
+as ctx->seen serves as a mask for whether certain options are touched
+at all. On top of that, noswap option doesn't use fsparam_flag_no,
+hence it's not really possible to "reenable" swap to begin with.
+Drop the check and redundant SHMEM_SEEN_NOSWAP flag.
+
+[1] https://github.com/systemd/systemd/pull/39637
+
+Fixes: 2c6efe9cf2d7 ("shmem: add support to ignore swap")
+Signed-off-by: Mike Yuan <me@yhndnzj.com>
+Link: https://patch.msgid.link/20251108190930.440685-1-me@yhndnzj.com
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/shmem.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -127,8 +127,7 @@ struct shmem_options {
+ #define SHMEM_SEEN_INODES 2
+ #define SHMEM_SEEN_HUGE 4
+ #define SHMEM_SEEN_INUMS 8
+-#define SHMEM_SEEN_NOSWAP 16
+-#define SHMEM_SEEN_QUOTA 32
++#define SHMEM_SEEN_QUOTA 16
+ };
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+@@ -4330,7 +4329,6 @@ static int shmem_parse_one(struct fs_con
+                                      "Turning off swap in unprivileged tmpfs mounts unsupported");
+               }
+               ctx->noswap = true;
+-              ctx->seen |= SHMEM_SEEN_NOSWAP;
+               break;
+       case Opt_quota:
+               if (fc->user_ns != &init_user_ns)
+@@ -4480,14 +4478,15 @@ static int shmem_reconfigure(struct fs_c
+               err = "Current inum too high to switch to 32-bit inums";
+               goto out;
+       }
+-      if ((ctx->seen & SHMEM_SEEN_NOSWAP) && ctx->noswap && !sbinfo->noswap) {
++
++      /*
++       * "noswap" doesn't use fsparam_flag_no, i.e. there's no "swap"
++       * counterpart for (re-)enabling swap.
++       */
++      if (ctx->noswap && !sbinfo->noswap) {
+               err = "Cannot disable swap on remount";
+               goto out;
+       }
+-      if (!(ctx->seen & SHMEM_SEEN_NOSWAP) && !ctx->noswap && sbinfo->noswap) {
+-              err = "Cannot enable swap on remount if it was disabled on first mount";
+-              goto out;
+-      }
+       if (ctx->seen & SHMEM_SEEN_QUOTA &&
+           !sb_any_quota_loaded(fc->root->d_sb)) {
diff --git a/queue-6.12/smb-client-introduce-close_cached_dir_locked.patch b/queue-6.12/smb-client-introduce-close_cached_dir_locked.patch
new file mode 100644 (file)
index 0000000..d66b1b0
--- /dev/null
@@ -0,0 +1,100 @@
+From a9d1f38df7ecd0e21233447c9cc6fa1799eddaf3 Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+Date: Thu, 13 Nov 2025 15:09:13 -0300
+Subject: smb: client: introduce close_cached_dir_locked()
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+commit a9d1f38df7ecd0e21233447c9cc6fa1799eddaf3 upstream.
+
+Replace close_cached_dir() calls under cfid_list_lock with a new
+close_cached_dir_locked() variant that uses kref_put() instead of
+kref_put_lock() to avoid recursive locking when dropping references.
+
+While the existing code works if the refcount >= 2 invariant holds,
+this area has proven error-prone. Make deadlocks impossible and WARN
+on invariant violations.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cached_dir.c |   41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/client/cached_dir.c
++++ b/fs/smb/client/cached_dir.c
+@@ -16,6 +16,7 @@ static struct cached_fid *init_cached_di
+ static void free_cached_dir(struct cached_fid *cfid);
+ static void smb2_close_cached_fid(struct kref *ref);
+ static void cfids_laundromat_worker(struct work_struct *work);
++static void close_cached_dir_locked(struct cached_fid *cfid);
+ struct cached_dir_dentry {
+       struct list_head entry;
+@@ -362,7 +363,7 @@ out:
+                        * lease. Release one here, and the second below.
+                        */
+                       cfid->has_lease = false;
+-                      close_cached_dir(cfid);
++                      close_cached_dir_locked(cfid);
+               }
+               spin_unlock(&cfids->cfid_list_lock);
+@@ -448,18 +449,52 @@ void drop_cached_dir_by_name(const unsig
+       spin_lock(&cfid->cfids->cfid_list_lock);
+       if (cfid->has_lease) {
+               cfid->has_lease = false;
+-              close_cached_dir(cfid);
++              close_cached_dir_locked(cfid);
+       }
+       spin_unlock(&cfid->cfids->cfid_list_lock);
+       close_cached_dir(cfid);
+ }
+-
++/**
++ * close_cached_dir - drop a reference of a cached dir
++ *
++ * The release function will be called with cfid_list_lock held to remove the
++ * cached dirs from the list before any other thread can take another @cfid
++ * ref. Must not be called with cfid_list_lock held; use
++ * close_cached_dir_locked() called instead.
++ *
++ * @cfid: cached dir
++ */
+ void close_cached_dir(struct cached_fid *cfid)
+ {
++      lockdep_assert_not_held(&cfid->cfids->cfid_list_lock);
+       kref_put_lock(&cfid->refcount, smb2_close_cached_fid, &cfid->cfids->cfid_list_lock);
+ }
++/**
++ * close_cached_dir_locked - put a reference of a cached dir with
++ * cfid_list_lock held
++ *
++ * Calling close_cached_dir() with cfid_list_lock held has the potential effect
++ * of causing a deadlock if the invariant of refcount >= 2 is false.
++ *
++ * This function is used in paths that hold cfid_list_lock and expect at least
++ * two references. If that invariant is violated, WARNs and returns without
++ * dropping a reference; the final put must still go through
++ * close_cached_dir().
++ *
++ * @cfid: cached dir
++ */
++static void close_cached_dir_locked(struct cached_fid *cfid)
++{
++      lockdep_assert_held(&cfid->cfids->cfid_list_lock);
++
++      if (WARN_ON(kref_read(&cfid->refcount) < 2))
++              return;
++
++      kref_put(&cfid->refcount, smb2_close_cached_fid);
++}
++
+ /*
+  * Called from cifs_kill_sb when we unmount a share
+  */
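Review bot: The two new kernel-doc blocks place `@cfid:` after the long description, whereas kernel-doc expects parameter lines directly under the summary line. The close_cached_dir() text also ends with `use close_cached_dir_locked() called instead`, which has a stray word. I would move `@cfid: cached dir` up in both comments and reword that sentence to `Must not be called with cfid_list_lock held; use close_cached_dir_locked() instead.` The locking contract these comments describe is what the added lockdep assertions enforce, so it is worth having the generated documentation render it correctly.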
diff --git a/queue-6.12/timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch b/queue-6.12/timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch
new file mode 100644 (file)
index 0000000..c06ae40
--- /dev/null
@@ -0,0 +1,88 @@
+From 20739af07383e6eb1ec59dcd70b72ebfa9ac362c Mon Sep 17 00:00:00 2001
+From: Yipeng Zou <zouyipeng@huawei.com>
+Date: Sat, 22 Nov 2025 09:39:42 +0000
+Subject: timers: Fix NULL function pointer race in timer_shutdown_sync()
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+commit 20739af07383e6eb1ec59dcd70b72ebfa9ac362c upstream.
+
+There is a race condition between timer_shutdown_sync() and timer
+expiration that can lead to hitting a WARN_ON in expire_timers().
+
+The issue occurs when timer_shutdown_sync() clears the timer function
+to NULL while the timer is still running on another CPU. The race
+scenario looks like this:
+
+CPU0                                   CPU1
+                                       <SOFTIRQ>
+                                       lock_timer_base()
+                                       expire_timers()
+                                       base->running_timer = timer;
+                                       unlock_timer_base()
+                                       [call_timer_fn enter]
+                                       mod_timer()
+                                       ...
+timer_shutdown_sync()
+lock_timer_base()
+// For now, will not detach the timer but only clear its function to NULL
+if (base->running_timer != timer)
+       ret = detach_if_pending(timer, base, true);
+if (shutdown)
+       timer->function = NULL;
+unlock_timer_base()
+                                       [call_timer_fn exit]
+                                       lock_timer_base()
+                                       base->running_timer = NULL;
+                                       unlock_timer_base()
+                                       ...
+                                       // Now timer is pending while its function set to NULL.
+                                       // next timer trigger
+                                       <SOFTIRQ>
+                                       expire_timers()
+                                       WARN_ON_ONCE(!fn) // hit
+                                       ...
+lock_timer_base()
+// Now timer will detach
+if (base->running_timer != timer)
+       ret = detach_if_pending(timer, base, true);
+if (shutdown)
+       timer->function = NULL;
+unlock_timer_base()
+
+The problem is that timer_shutdown_sync() clears the timer function
+regardless of whether the timer is currently running. This can leave a
+pending timer with a NULL function pointer, which triggers the
+WARN_ON_ONCE(!fn) check in expire_timers().
+
+Fix this by only clearing the timer function when actually detaching the
+timer. If the timer is running, leave the function pointer intact, which is
+safe because the timer will be properly detached when it finishes running.
+
+Fixes: 0cc04e80458a ("timers: Add shutdown mechanism to the internal functions")
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251122093942.301559-1-zouyipeng@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/timer.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1505,10 +1505,11 @@ static int __try_to_del_timer_sync(struc
+       base = lock_timer_base(timer, &flags);
+-      if (base->running_timer != timer)
++      if (base->running_timer != timer) {
+               ret = detach_if_pending(timer, base, true);
+-      if (shutdown)
+-              timer->function = NULL;
++              if (shutdown)
++                      timer->function = NULL;
++      }
+       raw_spin_unlock_irqrestore(&base->lock, flags);
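Review bot: The nested `if (shutdown)` on the new side of __try_to_del_timer_sync() has no comment explaining why `timer->function` is now left set while the timer is `base->running_timer`; that reasoning lives only in the commit message. A short comment above the assignment would keep a later cleanup from hoisting it back out of the block, for example `/* Clear ->function only when the timer is not running: a running callback can re-arm it, and a pending timer with a NULL function hits WARN_ON_ONCE(!fn) in expire_timers(). */`. The function begins and ends outside this hunk. The description's claim that the timer is detached once the callback finishes therefore depends on a caller retry that is presumably there but not visible in these lines.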