--- /dev/null
+From f6943f3e84ff8872e148bad991f3adcb77093f1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 17:49:32 +0200
+Subject: kconfig/mconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ]
+
+Fix bug where make menuconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/mconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c
+index 4063dbc1b9270..a6d24c63c98c2 100644
+--- a/scripts/kconfig/mconf.c
++++ b/scripts/kconfig/mconf.c
+@@ -12,6 +12,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <limits.h>
++#include <locale.h>
+ #include <stdarg.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -1008,6 +1009,8 @@ int main(int ac, char **av)
+
+ signal(SIGINT, sig_handler);
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ silent = 1;
+ /* Silence conf_read() until the real callback is set up */
+--
+2.51.0
+
--- /dev/null
+From 63c367f829cf803b9995b69d47b7402a99491a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 16:44:06 +0200
+Subject: kconfig/nconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ]
+
+Fix bug where make nconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index cdbd60a3ae16a..5b504be357135 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -7,6 +7,7 @@
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
++#include <locale.h>
+ #include <string.h>
+ #include <strings.h>
+ #include <stdlib.h>
+@@ -1478,6 +1479,8 @@ int main(int ac, char **av)
+ int lines, columns;
+ char *mode;
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ /* Silence conf_read() until the real callback is set up */
+ conf_set_message_callback(NULL);
+--
+2.51.0
+
--- /dev/null
+From 7a67c21923531c80371509f445092276ce6309db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 05:21:14 +0000
+Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ]
+
+The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to
+obtain a ruleset reference. If the subsequent call to
+mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns
+an error without releasing the ruleset reference, causing a memory leak.
+
+Fix this by using a goto to the existing error handling label, which
+calls mlxsw_sp_acl_ruleset_put() to properly release the reference.
+
+Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+index 41855e58564b1..3d99b16ebd553 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+@@ -650,8 +650,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp,
+ return -EINVAL;
+
+ rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie);
+- if (!rule)
+- return -EINVAL;
++ if (!rule) {
++ err = -EINVAL;
++ goto err_rule_get_stats;
++ }
+
+ err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes,
+ &drops, &lastuse, &used_hw_stats);
+--
+2.51.0
+
--- /dev/null
+From ffbda86161d8e5f840a6285df54f9d43387ccff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:14:03 +0100
+Subject: net: openvswitch: remove never-working support for setting nsh fields
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ]
+
+The validation of the set(nsh(...)) action is completely wrong.
+It runs through the nsh_key_put_from_nlattr() function that is the
+same function that validates NSH keys for the flow match and the
+push_nsh() action. However, the set(nsh(...)) has a very different
+memory layout. Nested attributes in there are doubled in size in
+case of the masked set(). That makes proper validation impossible.
+
+There is also confusion in the code between the 'masked' flag, that
+says that the nested attributes are doubled in size containing both
+the value and the mask, and the 'is_mask' that says that the value
+we're parsing is the mask. This is causing kernel crash on trying to
+write into mask part of the match with SW_FLOW_KEY_PUT() during
+validation, while validate_nsh() doesn't allocate any memory for it:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
+ RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
+ Call Trace:
+ <TASK>
+ validate_nsh+0x60/0x90 [openvswitch]
+ validate_set.constprop.0+0x270/0x3c0 [openvswitch]
+ __ovs_nla_copy_actions+0x477/0x860 [openvswitch]
+ ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
+ ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
+ genl_family_rcv_msg_doit+0xdb/0x130
+ genl_family_rcv_msg+0x14b/0x220
+ genl_rcv_msg+0x47/0xa0
+ netlink_rcv_skb+0x53/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x280/0x3b0
+ netlink_sendmsg+0x1f7/0x430
+ ____sys_sendmsg+0x36b/0x3a0
+ ___sys_sendmsg+0x87/0xd0
+ __sys_sendmsg+0x6d/0xd0
+ do_syscall_64+0x7b/0x2c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The third issue with this process is that while trying to convert
+the non-masked set into masked one, validate_set() copies and doubles
+the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
+attributes. It should be copying each nested attribute and doubling
+them in size independently. And the process must be properly reversed
+during the conversion back from masked to a non-masked variant during
+the flow dump.
+
+In the end, the only two outcomes of trying to use this action are
+either validation failure or a kernel crash. And if somehow someone
+manages to install a flow with such an action, it will most definitely
+not do what it is supposed to, since all the keys and the masks are
+mixed up.
+
+Fixing all the issues is a complex task as it requires re-writing
+most of the validation code.
+
+Given that and the fact that this functionality never worked since
+introduction, let's just remove it altogether. It's better to
+re-introduce it later with a proper implementation instead of trying
+to fix it in stable releases.
+
+Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
+Reported-by: Junvy Yang <zhuque@tencent.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/actions.c | 68 +---------------------------------
+ net/openvswitch/flow_netlink.c | 64 ++++----------------------------
+ net/openvswitch/flow_netlink.h | 2 -
+ 3 files changed, 9 insertions(+), 125 deletions(-)
+
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index c3ca4ae11c09f..3b3cc6ea274f8 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -594,69 +594,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key,
+ return 0;
+ }
+
+-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
+- const struct nlattr *a)
+-{
+- struct nshhdr *nh;
+- size_t length;
+- int err;
+- u8 flags;
+- u8 ttl;
+- int i;
+-
+- struct ovs_key_nsh key;
+- struct ovs_key_nsh mask;
+-
+- err = nsh_key_from_nlattr(a, &key, &mask);
+- if (err)
+- return err;
+-
+- /* Make sure the NSH base header is there */
+- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN))
+- return -ENOMEM;
+-
+- nh = nsh_hdr(skb);
+- length = nsh_hdr_len(nh);
+-
+- /* Make sure the whole NSH header is there */
+- err = skb_ensure_writable(skb, skb_network_offset(skb) +
+- length);
+- if (unlikely(err))
+- return err;
+-
+- nh = nsh_hdr(skb);
+- skb_postpull_rcsum(skb, nh, length);
+- flags = nsh_get_flags(nh);
+- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
+- flow_key->nsh.base.flags = flags;
+- ttl = nsh_get_ttl(nh);
+- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl);
+- flow_key->nsh.base.ttl = ttl;
+- nsh_set_flags_and_ttl(nh, flags, ttl);
+- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr,
+- mask.base.path_hdr);
+- flow_key->nsh.base.path_hdr = nh->path_hdr;
+- switch (nh->mdtype) {
+- case NSH_M_TYPE1:
+- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) {
+- nh->md1.context[i] =
+- OVS_MASKED(nh->md1.context[i], key.context[i],
+- mask.context[i]);
+- }
+- memcpy(flow_key->nsh.context, nh->md1.context,
+- sizeof(nh->md1.context));
+- break;
+- case NSH_M_TYPE2:
+- memset(flow_key->nsh.context, 0,
+- sizeof(flow_key->nsh.context));
+- break;
+- default:
+- return -EINVAL;
+- }
+- skb_postpush_rcsum(skb, nh, length);
+- return 0;
+-}
+-
+ /* Must follow skb_ensure_writable() since that can move the skb data. */
+ static void set_tp_port(struct sk_buff *skb, __be16 *port,
+ __be16 new_port, __sum16 *check)
+@@ -1123,10 +1060,6 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ get_mask(a, struct ovs_key_ethernet *));
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- err = set_nsh(skb, flow_key, a);
+- break;
+-
+ case OVS_KEY_ATTR_IPV4:
+ err = set_ipv4(skb, flow_key, nla_data(a),
+ get_mask(a, struct ovs_key_ipv4 *));
+@@ -1163,6 +1096,7 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ case OVS_KEY_ATTR_CT_LABELS:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6:
++ case OVS_KEY_ATTR_NSH:
+ err = -EINVAL;
+ break;
+ }
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index 3f8f43dbf44fc..a70a87a4392ab 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1280,6 +1280,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
+ return 0;
+ }
+
++/*
++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH,
++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that
++ * attributes were previously validated with validate_push_nsh().
++ */
+ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ struct nshhdr *nh, size_t size)
+ {
+@@ -1289,8 +1294,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ u8 ttl = 0;
+ int mdlen = 0;
+
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+ if (size < NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+
+@@ -1334,46 +1337,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ return 0;
+ }
+
+-int nsh_key_from_nlattr(const struct nlattr *attr,
+- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
+-{
+- struct nlattr *a;
+- int rem;
+-
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+- nla_for_each_nested(a, attr, rem) {
+- int type = nla_type(a);
+-
+- switch (type) {
+- case OVS_NSH_KEY_ATTR_BASE: {
+- const struct ovs_nsh_key_base *base = nla_data(a);
+- const struct ovs_nsh_key_base *base_mask = base + 1;
+-
+- nsh->base = *base;
+- nsh_mask->base = *base_mask;
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD1: {
+- const struct ovs_nsh_key_md1 *md1 = nla_data(a);
+- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;
+-
+- memcpy(nsh->context, md1->context, sizeof(*md1));
+- memcpy(nsh_mask->context, md1_mask->context,
+- sizeof(*md1_mask));
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD2:
+- /* Not supported yet */
+- return -ENOTSUPP;
+- default:
+- return -EINVAL;
+- }
+- }
+-
+- return 0;
+-}
+-
+ static int nsh_key_put_from_nlattr(const struct nlattr *attr,
+ struct sw_flow_match *match, bool is_mask,
+ bool is_push_nsh, bool log)
+@@ -2797,17 +2760,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
+ return err;
+ }
+
+-static bool validate_nsh(const struct nlattr *attr, bool is_mask,
+- bool is_push_nsh, bool log)
++static bool validate_push_nsh(const struct nlattr *attr, bool log)
+ {
+ struct sw_flow_match match;
+ struct sw_flow_key key;
+- int ret = 0;
+
+ ovs_match_init(&match, &key, true, NULL);
+- ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
+- is_push_nsh, log);
+- return !ret;
++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ }
+
+ /* Return false if there are any non-masked bits set.
+@@ -2955,13 +2914,6 @@ static int validate_set(const struct nlattr *a,
+
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- if (eth_type != htons(ETH_P_NSH))
+- return -EINVAL;
+- if (!validate_nsh(nla_data(a), masked, false, log))
+- return -EINVAL;
+- break;
+-
+ default:
+ return -EINVAL;
+ }
+@@ -3368,7 +3320,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
+ return -EINVAL;
+ }
+ mac_proto = MAC_PROTO_NONE;
+- if (!validate_nsh(nla_data(a), false, true, true))
++ if (!validate_push_nsh(nla_data(a), log))
+ return -EINVAL;
+ break;
+
+diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h
+index fe7f77fc5f189..ff8cdecbe3465 100644
+--- a/net/openvswitch/flow_netlink.h
++++ b/net/openvswitch/flow_netlink.h
+@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr,
+ void ovs_nla_free_flow_actions(struct sw_flow_actions *);
+ void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *);
+
+-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh,
+- struct ovs_key_nsh *nsh_mask);
+ int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh,
+ size_t size);
+
+--
+2.51.0
+
--- /dev/null
+From 835b8f33cdf20e88ee559d0112b7ed27d941159d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 22:03:02 +0200
+Subject: net: tls: Cancel RX async resync request on rcd_delta overflow
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ]
+
+When a netdev issues a RX async resync request for a TLS connection,
+the TLS module handles it by logging record headers and attempting to
+match them to the tcp_sn provided by the device. If a match is found,
+the TLS module approves the tcp_sn for resynchronization.
+
+While waiting for a device response, the TLS module also increments
+rcd_delta each time a new TLS record is received, tracking the distance
+from the original resync request.
+
+However, if the device response is delayed or fails (e.g due to
+unstable connection and device getting out of tracking, hardware
+errors, resource exhaustion etc.), the TLS module keeps logging and
+incrementing, which can lead to a WARN() when rcd_delta exceeds the
+threshold.
+
+To address this, introduce tls_offload_rx_resync_async_request_cancel()
+to explicitly cancel resync requests when a device response failure is
+detected. Call this helper also as a final safeguard when rcd_delta
+crosses its threshold, as reaching this point implies that earlier
+cancellation did not occur.
+
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tls.h | 6 ++++++
+ net/tls/tls_device.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/tls.h b/include/net/tls.h
+index c76a827a678ae..b4040f76b007f 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -674,6 +674,12 @@ tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq)
+ ((u64)ntohl(seq) << 32) | RESYNC_REQ);
+ }
+
++static inline void
++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async)
++{
++ atomic64_set(&resync_async->req, 0);
++}
++
+ static inline void
+ tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type)
+ {
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index 5cb6846544cc7..8e89ff403073b 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -710,8 +710,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async,
+ /* shouldn't get to wraparound:
+ * too long in async stage, something bad happened
+ */
+- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX))
++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) {
++ tls_offload_rx_resync_async_request_cancel(resync_async);
+ return false;
++ }
+
+ /* asynchronous stage: log all headers seq such that
+ * req_seq <= seq <= end_seq, and wait for real resync request
+--
+2.51.0
+
--- /dev/null
+From abf00d47599a483e5a7611ae21fef9bb7a192bbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 19:27:24 +0100
+Subject: s390/ctcm: Fix double-kfree
+
+From: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+
+[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ]
+
+The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally
+from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.
+After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'
+frees it again.
+
+Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
+
+Bug detected by the clang static analyzer.
+
+Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak")
+Reviewed-by: Aswin Karuvally <aswin@linux.ibm.com>
+Signed-off-by: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+Signed-off-by: Aswin Karuvally <aswin@linux.ibm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/ctcm_mpc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c
+index 20a6097e1b204..4e6f340d09261 100644
+--- a/drivers/s390/net/ctcm_mpc.c
++++ b/drivers/s390/net/ctcm_mpc.c
+@@ -712,7 +712,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo)
+
+ grp->sweep_req_pend_num--;
+ ctcmpc_send_sweep_resp(ch);
+- kfree(mpcginfo);
+ return;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 4f279145d16b41c7600b78312043d720fa16661b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 14:48:00 -0700
+Subject: scsi: core: Fix a regression triggered by scsi_host_busy()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ]
+
+Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag
+iterators") introduced the following regression:
+
+Call trace:
+ __srcu_read_lock+0x30/0x80 (P)
+ blk_mq_tagset_busy_iter+0x44/0x300
+ scsi_host_busy+0x38/0x70
+ ufshcd_print_host_state+0x34/0x1bc
+ ufshcd_link_startup.constprop.0+0xe4/0x2e0
+ ufshcd_init+0x944/0xf80
+ ufshcd_pltfrm_init+0x504/0x820
+ ufs_rockchip_probe+0x2c/0x88
+ platform_probe+0x5c/0xa4
+ really_probe+0xc0/0x38c
+ __driver_probe_device+0x7c/0x150
+ driver_probe_device+0x40/0x120
+ __driver_attach+0xc8/0x1e0
+ bus_for_each_dev+0x7c/0xdc
+ driver_attach+0x24/0x30
+ bus_add_driver+0x110/0x230
+ driver_register+0x68/0x130
+ __platform_driver_register+0x20/0x2c
+ ufs_rockchip_pltform_init+0x1c/0x28
+ do_one_initcall+0x60/0x1e0
+ kernel_init_freeable+0x248/0x2c4
+ kernel_init+0x20/0x140
+ ret_from_fork+0x10/0x20
+
+Fix this regression by making scsi_host_busy() check whether the SCSI
+host tag set has already been initialized. tag_set->ops is set by
+scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This
+fix is based on the assumption that scsi_host_busy() and
+scsi_mq_setup_tags() calls are serialized. This is the case in the UFS
+driver.
+
+Reported-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index 17fa1cd91da61..97cbe22d7fee2 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -598,8 +598,9 @@ int scsi_host_busy(struct Scsi_Host *shost)
+ {
+ int cnt = 0;
+
+- blk_mq_tagset_busy_iter(&shost->tag_set,
+- scsi_host_check_in_flight, &cnt);
++ if (shost->tag_set.ops)
++ blk_mq_tagset_busy_iter(&shost->tag_set,
++ scsi_host_check_in_flight, &cnt);
+ return cnt;
+ }
+ EXPORT_SYMBOL(scsi_host_busy);
+--
+2.51.0
+
scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
mips-malta-fix-eva-soc-it-pci-mmio.patch
drm-tegra-dc-fix-reference-leak-in-tegra_dc_couple.patch
+mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch
+net-openvswitch-remove-never-working-support-for-set.patch
+s390-ctcm-fix-double-kfree.patch
+vsock-ignore-signal-timeout-on-connect-if-already-es.patch
+scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch
+net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch
+kconfig-mconf-initialize-the-default-locale-at-start.patch
+kconfig-nconf-initialize-the-default-locale-at-start.patch
--- /dev/null
+From 0a910fb6bdd37db636ae947c42e0360d9e470c4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Nov 2025 15:02:59 +0100
+Subject: vsock: Ignore signal/timeout on connect() if already established
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ]
+
+During connect(), acting on a signal/timeout by disconnecting an already
+established socket leads to several issues:
+
+1. connect() invoking vsock_transport_cancel_pkt() ->
+ virtio_transport_purge_skbs() may race with sendmsg() invoking
+ virtio_transport_get_credit(). This results in a permanently elevated
+ `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
+
+2. connect() resetting a connected socket's state may race with socket
+ being placed in a sockmap. A disconnected socket remaining in a sockmap
+ breaks sockmap's assumptions. And gives rise to WARNs.
+
+3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
+ transport change/drop after TCP_ESTABLISHED. Which poses a problem for
+ any simultaneous sendmsg() or connect() and may result in a
+ use-after-free/null-ptr-deref.
+
+Do not disconnect socket on signal/timeout. Keep the logic for unconnected
+sockets: they don't linger, can't be placed in a sockmap, are rejected by
+sendmsg().
+
+[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
+[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
+[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 36b65b45c5c7a..3a5cde1a026ed 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1464,18 +1464,40 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ timeout = schedule_timeout(timeout);
+ lock_sock(sk);
+
+- if (signal_pending(current)) {
+- err = sock_intr_errno(timeout);
+- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+- sock->state = SS_UNCONNECTED;
+- vsock_transport_cancel_pkt(vsk);
+- vsock_remove_connected(vsk);
+- goto out_wait;
+- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+- err = -ETIMEDOUT;
++ /* Connection established. Whatever happens to socket once we
++ * release it, that's not connect()'s concern. No need to go
++ * into signal and timeout handling. Call it a day.
++ *
++ * Note that allowing to "reset" an already established socket
++ * here is racy and insecure.
++ */
++ if (sk->sk_state == TCP_ESTABLISHED)
++ break;
++
++ /* If connection was _not_ established and a signal/timeout came
++ * to be, we want the socket's state reset. User space may want
++ * to retry.
++ *
++ * sk_state != TCP_ESTABLISHED implies that socket is not on
++ * vsock_connected_table. We keep the binding and the transport
++ * assigned.
++ */
++ if (signal_pending(current) || timeout == 0) {
++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout);
++
++ /* Listener might have already responded with
++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our
++ * sk_state == TCP_SYN_SENT, which hereby we break.
++ * In such case VIRTIO_VSOCK_OP_RST will follow.
++ */
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
++
++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by
++ * transport->connect().
++ */
+ vsock_transport_cancel_pkt(vsk);
++
+ goto out_wait;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From ab715f095cf41687c429e193a2a6b21a3cd17ab6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 17:49:32 +0200
+Subject: kconfig/mconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ]
+
+Fix bug where make menuconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/mconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c
+index 9d3cf510562f8..0649ff35ec5c0 100644
+--- a/scripts/kconfig/mconf.c
++++ b/scripts/kconfig/mconf.c
+@@ -12,6 +12,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <limits.h>
++#include <locale.h>
+ #include <stdarg.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -1005,6 +1006,8 @@ int main(int ac, char **av)
+
+ signal(SIGINT, sig_handler);
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ silent = 1;
+ /* Silence conf_read() until the real callback is set up */
+--
+2.51.0
+
--- /dev/null
+From baffbcb31851a3d994afa64c0547a7f1bc1ab840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 16:44:06 +0200
+Subject: kconfig/nconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ]
+
+Fix bug where make nconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index 8b166ccb0447f..d1d928b20ecfd 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -7,6 +7,7 @@
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
++#include <locale.h>
+ #include <string.h>
+ #include <strings.h>
+ #include <stdlib.h>
+@@ -1472,6 +1473,8 @@ int main(int ac, char **av)
+ int lines, columns;
+ char *mode;
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ /* Silence conf_read() until the real callback is set up */
+ conf_set_message_callback(NULL);
+--
+2.51.0
+
--- /dev/null
+From 37c00f7198183b32f92f5ae7669dab1a218d428f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Oct 2023 14:59:53 +0300
+Subject: kernel.h: Move ARRAY_SIZE() to a separate header
+
+From: Alejandro Colomar <alx@kernel.org>
+
+[ Upstream commit 3cd39bc3b11b8d34b7d7c961a35fdfd18b0ebf75 ]
+
+Touching files so used for the kernel,
+forces 'make' to recompile most of the kernel.
+
+Having those definitions in more granular files
+helps avoid recompiling so much of the kernel.
+
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20230817143352.132583-2-lucas.segarra.fernandez@intel.com
+[andy: reduced to cover only string.h for now]
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Stable-dep-of: 896f1a2493b5 ("net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/array_size.h | 13 +++++++++++++
+ include/linux/kernel.h | 7 +------
+ include/linux/string.h | 1 +
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+ create mode 100644 include/linux/array_size.h
+
+diff --git a/include/linux/array_size.h b/include/linux/array_size.h
+new file mode 100644
+index 0000000000000..06d7d83196ca3
+--- /dev/null
++++ b/include/linux/array_size.h
+@@ -0,0 +1,13 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _LINUX_ARRAY_SIZE_H
++#define _LINUX_ARRAY_SIZE_H
++
++#include <linux/compiler.h>
++
++/**
++ * ARRAY_SIZE - get the number of elements in array @arr
++ * @arr: array to be sized
++ */
++#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
++
++#endif /* _LINUX_ARRAY_SIZE_H */
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index f56cd8879a594..5717a0965bd6c 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -4,6 +4,7 @@
+
+ #include <linux/stdarg.h>
+ #include <linux/align.h>
++#include <linux/array_size.h>
+ #include <linux/limits.h>
+ #include <linux/linkage.h>
+ #include <linux/stddef.h>
+@@ -37,12 +38,6 @@
+ #define READ 0
+ #define WRITE 1
+
+-/**
+- * ARRAY_SIZE - get the number of elements in array @arr
+- * @arr: array to be sized
+- */
+-#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
+-
+ #define PTR_IF(cond, ptr) ((cond) ? (ptr) : NULL)
+
+ #define u64_to_user_ptr(x) ( \
+diff --git a/include/linux/string.h b/include/linux/string.h
+index 3b9f5abe5ee83..bf368130bc42b 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -2,6 +2,7 @@
+ #ifndef _LINUX_STRING_H_
+ #define _LINUX_STRING_H_
+
++#include <linux/array_size.h>
+ #include <linux/compiler.h> /* for inline */
+ #include <linux/types.h> /* for size_t */
+ #include <linux/stddef.h> /* for NULL */
+--
+2.51.0
+
--- /dev/null
+From 0338856fcf4a047143a059277845db2cb9031de3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 05:21:14 +0000
+Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ]
+
+The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to
+obtain a ruleset reference. If the subsequent call to
+mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns
+an error without releasing the ruleset reference, causing a memory leak.
+
+Fix this by using a goto to the existing error handling label, which
+calls mlxsw_sp_acl_ruleset_put() to properly release the reference.
+
+Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+index be3791ca6069d..c327b11265773 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+@@ -673,8 +673,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp,
+ return -EINVAL;
+
+ rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie);
+- if (!rule)
+- return -EINVAL;
++ if (!rule) {
++ err = -EINVAL;
++ goto err_rule_get_stats;
++ }
+
+ err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes,
+ &drops, &lastuse, &used_hw_stats);
+--
+2.51.0
+
--- /dev/null
+From ee003c8cb46edbd0eb1799b8c76355262edfaf5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 16:57:44 +0300
+Subject: net: dsa: hellcreek: fix missing error handling in LED registration
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ]
+
+The LED setup routine registered both led_sync_good
+and led_is_gm devices without checking the return
+values of led_classdev_register(). If either registration
+failed, the function continued silently, leaving the
+driver in a partially-initialized state and leaking
+a registered LED classdev.
+
+Add proper error handling
+
+Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Kurt Kanzenbach <kurt@linutronix.de>
+Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+index b28baab6d56a1..763666480a8a8 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c
++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+@@ -367,8 +367,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek)
+ hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1);
+
+ /* Register both leds */
+- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
+- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n");
++ goto out;
++ }
++
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n");
++ led_classdev_unregister(&hellcreek->led_sync_good);
++ goto out;
++ }
+
+ ret = 0;
+
+--
+2.51.0
+
--- /dev/null
+From afb70ceb256635d7f08aa8b83a36253c4b739e8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:14:03 +0100
+Subject: net: openvswitch: remove never-working support for setting nsh fields
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ]
+
+The validation of the set(nsh(...)) action is completely wrong.
+It runs through the nsh_key_put_from_nlattr() function that is the
+same function that validates NSH keys for the flow match and the
+push_nsh() action. However, the set(nsh(...)) has a very different
+memory layout. Nested attributes in there are doubled in size in
+case of the masked set(). That makes proper validation impossible.
+
+There is also confusion in the code between the 'masked' flag, that
+says that the nested attributes are doubled in size containing both
+the value and the mask, and the 'is_mask' that says that the value
+we're parsing is the mask. This is causing kernel crash on trying to
+write into mask part of the match with SW_FLOW_KEY_PUT() during
+validation, while validate_nsh() doesn't allocate any memory for it:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
+ RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
+ Call Trace:
+ <TASK>
+ validate_nsh+0x60/0x90 [openvswitch]
+ validate_set.constprop.0+0x270/0x3c0 [openvswitch]
+ __ovs_nla_copy_actions+0x477/0x860 [openvswitch]
+ ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
+ ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
+ genl_family_rcv_msg_doit+0xdb/0x130
+ genl_family_rcv_msg+0x14b/0x220
+ genl_rcv_msg+0x47/0xa0
+ netlink_rcv_skb+0x53/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x280/0x3b0
+ netlink_sendmsg+0x1f7/0x430
+ ____sys_sendmsg+0x36b/0x3a0
+ ___sys_sendmsg+0x87/0xd0
+ __sys_sendmsg+0x6d/0xd0
+ do_syscall_64+0x7b/0x2c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The third issue with this process is that while trying to convert
+the non-masked set into masked one, validate_set() copies and doubles
+the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
+attributes. It should be copying each nested attribute and doubling
+them in size independently. And the process must be properly reversed
+during the conversion back from masked to a non-masked variant during
+the flow dump.
+
+In the end, the only two outcomes of trying to use this action are
+either validation failure or a kernel crash. And if somehow someone
+manages to install a flow with such an action, it will most definitely
+not do what it is supposed to, since all the keys and the masks are
+mixed up.
+
+Fixing all the issues is a complex task as it requires re-writing
+most of the validation code.
+
+Given that and the fact that this functionality never worked since
+introduction, let's just remove it altogether. It's better to
+re-introduce it later with a proper implementation instead of trying
+to fix it in stable releases.
+
+Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
+Reported-by: Junvy Yang <zhuque@tencent.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/actions.c | 68 +---------------------------------
+ net/openvswitch/flow_netlink.c | 64 ++++----------------------------
+ net/openvswitch/flow_netlink.h | 2 -
+ 3 files changed, 9 insertions(+), 125 deletions(-)
+
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index 0de165ed04eba..aa240953d7669 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -595,69 +595,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key,
+ return 0;
+ }
+
+-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
+- const struct nlattr *a)
+-{
+- struct nshhdr *nh;
+- size_t length;
+- int err;
+- u8 flags;
+- u8 ttl;
+- int i;
+-
+- struct ovs_key_nsh key;
+- struct ovs_key_nsh mask;
+-
+- err = nsh_key_from_nlattr(a, &key, &mask);
+- if (err)
+- return err;
+-
+- /* Make sure the NSH base header is there */
+- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN))
+- return -ENOMEM;
+-
+- nh = nsh_hdr(skb);
+- length = nsh_hdr_len(nh);
+-
+- /* Make sure the whole NSH header is there */
+- err = skb_ensure_writable(skb, skb_network_offset(skb) +
+- length);
+- if (unlikely(err))
+- return err;
+-
+- nh = nsh_hdr(skb);
+- skb_postpull_rcsum(skb, nh, length);
+- flags = nsh_get_flags(nh);
+- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
+- flow_key->nsh.base.flags = flags;
+- ttl = nsh_get_ttl(nh);
+- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl);
+- flow_key->nsh.base.ttl = ttl;
+- nsh_set_flags_and_ttl(nh, flags, ttl);
+- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr,
+- mask.base.path_hdr);
+- flow_key->nsh.base.path_hdr = nh->path_hdr;
+- switch (nh->mdtype) {
+- case NSH_M_TYPE1:
+- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) {
+- nh->md1.context[i] =
+- OVS_MASKED(nh->md1.context[i], key.context[i],
+- mask.context[i]);
+- }
+- memcpy(flow_key->nsh.context, nh->md1.context,
+- sizeof(nh->md1.context));
+- break;
+- case NSH_M_TYPE2:
+- memset(flow_key->nsh.context, 0,
+- sizeof(flow_key->nsh.context));
+- break;
+- default:
+- return -EINVAL;
+- }
+- skb_postpush_rcsum(skb, nh, length);
+- return 0;
+-}
+-
+ /* Must follow skb_ensure_writable() since that can move the skb data. */
+ static void set_tp_port(struct sk_buff *skb, __be16 *port,
+ __be16 new_port, __sum16 *check)
+@@ -1130,10 +1067,6 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ get_mask(a, struct ovs_key_ethernet *));
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- err = set_nsh(skb, flow_key, a);
+- break;
+-
+ case OVS_KEY_ATTR_IPV4:
+ err = set_ipv4(skb, flow_key, nla_data(a),
+ get_mask(a, struct ovs_key_ipv4 *));
+@@ -1170,6 +1103,7 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ case OVS_KEY_ATTR_CT_LABELS:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6:
++ case OVS_KEY_ATTR_NSH:
+ err = -EINVAL;
+ break;
+ }
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index 7db0f8938c145..7c2692f897f99 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1280,6 +1280,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
+ return 0;
+ }
+
++/*
++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH,
++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that
++ * attributes were previously validated with validate_push_nsh().
++ */
+ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ struct nshhdr *nh, size_t size)
+ {
+@@ -1289,8 +1294,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ u8 ttl = 0;
+ int mdlen = 0;
+
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+ if (size < NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+
+@@ -1334,46 +1337,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ return 0;
+ }
+
+-int nsh_key_from_nlattr(const struct nlattr *attr,
+- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
+-{
+- struct nlattr *a;
+- int rem;
+-
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+- nla_for_each_nested(a, attr, rem) {
+- int type = nla_type(a);
+-
+- switch (type) {
+- case OVS_NSH_KEY_ATTR_BASE: {
+- const struct ovs_nsh_key_base *base = nla_data(a);
+- const struct ovs_nsh_key_base *base_mask = base + 1;
+-
+- nsh->base = *base;
+- nsh_mask->base = *base_mask;
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD1: {
+- const struct ovs_nsh_key_md1 *md1 = nla_data(a);
+- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;
+-
+- memcpy(nsh->context, md1->context, sizeof(*md1));
+- memcpy(nsh_mask->context, md1_mask->context,
+- sizeof(*md1_mask));
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD2:
+- /* Not supported yet */
+- return -ENOTSUPP;
+- default:
+- return -EINVAL;
+- }
+- }
+-
+- return 0;
+-}
+-
+ static int nsh_key_put_from_nlattr(const struct nlattr *attr,
+ struct sw_flow_match *match, bool is_mask,
+ bool is_push_nsh, bool log)
+@@ -2794,17 +2757,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
+ return err;
+ }
+
+-static bool validate_nsh(const struct nlattr *attr, bool is_mask,
+- bool is_push_nsh, bool log)
++static bool validate_push_nsh(const struct nlattr *attr, bool log)
+ {
+ struct sw_flow_match match;
+ struct sw_flow_key key;
+- int ret = 0;
+
+ ovs_match_init(&match, &key, true, NULL);
+- ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
+- is_push_nsh, log);
+- return !ret;
++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ }
+
+ /* Return false if there are any non-masked bits set.
+@@ -2952,13 +2911,6 @@ static int validate_set(const struct nlattr *a,
+
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- if (eth_type != htons(ETH_P_NSH))
+- return -EINVAL;
+- if (!validate_nsh(nla_data(a), masked, false, log))
+- return -EINVAL;
+- break;
+-
+ default:
+ return -EINVAL;
+ }
+@@ -3365,7 +3317,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
+ return -EINVAL;
+ }
+ mac_proto = MAC_PROTO_NONE;
+- if (!validate_nsh(nla_data(a), false, true, true))
++ if (!validate_push_nsh(nla_data(a), log))
+ return -EINVAL;
+ break;
+
+diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h
+index fe7f77fc5f189..ff8cdecbe3465 100644
+--- a/net/openvswitch/flow_netlink.h
++++ b/net/openvswitch/flow_netlink.h
+@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr,
+ void ovs_nla_free_flow_actions(struct sw_flow_actions *);
+ void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *);
+
+-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh,
+- struct ovs_key_nsh *nsh_mask);
+ int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh,
+ size_t size);
+
+--
+2.51.0
+
--- /dev/null
+From a18e28f305ca7441099d93b045a143face3e78b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 14:27:56 +0300
+Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont()
+ and qede_tpa_end()
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ]
+
+The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate
+over 'cqe->len_list[]' using only a zero-length terminator as
+the stopping condition. If the terminator was missing or
+malformed, the loop could run past the end of the fixed-size array.
+
+Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
+a potential out-of-bounds access.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+index d67d4e74b326d..503ab11a5a33e 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+@@ -4,6 +4,7 @@
+ * Copyright (c) 2019-2020 Marvell International Ltd.
+ */
+
++#include <linux/array_size.h>
+ #include <linux/netdevice.h>
+ #include <linux/etherdevice.h>
+ #include <linux/skbuff.h>
+@@ -961,7 +962,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev,
+ {
+ int i;
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+
+@@ -986,7 +987,7 @@ static int qede_tpa_end(struct qede_dev *edev,
+ dma_unmap_page(rxq->dev, tpa_info->buffer.mapping,
+ PAGE_SIZE, rxq->data_direction);
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+ if (unlikely(i > 1))
+--
+2.51.0
+
--- /dev/null
+From ffb091f77c28f37bd7f902df743aa38c8b488ba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 22:03:02 +0200
+Subject: net: tls: Cancel RX async resync request on rcd_delta overflow
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ]
+
+When a netdev issues a RX async resync request for a TLS connection,
+the TLS module handles it by logging record headers and attempting to
+match them to the tcp_sn provided by the device. If a match is found,
+the TLS module approves the tcp_sn for resynchronization.
+
+While waiting for a device response, the TLS module also increments
+rcd_delta each time a new TLS record is received, tracking the distance
+from the original resync request.
+
+However, if the device response is delayed or fails (e.g due to
+unstable connection and device getting out of tracking, hardware
+errors, resource exhaustion etc.), the TLS module keeps logging and
+incrementing, which can lead to a WARN() when rcd_delta exceeds the
+threshold.
+
+To address this, introduce tls_offload_rx_resync_async_request_cancel()
+to explicitly cancel resync requests when a device response failure is
+detected. Call this helper also as a final safeguard when rcd_delta
+crosses its threshold, as reaching this point implies that earlier
+cancellation did not occur.
+
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tls.h | 6 ++++++
+ net/tls/tls_device.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/tls.h b/include/net/tls.h
+index 59ff5c901ab56..db0d1ec04f39c 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -665,6 +665,12 @@ tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq)
+ ((u64)ntohl(seq) << 32) | RESYNC_REQ);
+ }
+
++static inline void
++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async)
++{
++ atomic64_set(&resync_async->req, 0);
++}
++
+ static inline void
+ tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type)
+ {
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index e7c361807590d..1338e4e2c0f40 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -694,8 +694,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async,
+ /* shouldn't get to wraparound:
+ * too long in async stage, something bad happened
+ */
+- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX))
++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) {
++ tls_offload_rx_resync_async_request_cancel(resync_async);
+ return false;
++ }
+
+ /* asynchronous stage: log all headers seq such that
+ * req_seq <= seq <= end_seq, and wait for real resync request
+--
+2.51.0
+
--- /dev/null
+From 851b8dd521a29e49a8262048049e61043bfc686b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 11:33:54 +0800
+Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to
+ errnos
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ]
+
+isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_*
+codes. The return code is returned from the probe function as is but
+probe functions should return normal errnos. A proper implementation
+can be found in drivers/leds/leds-ss4200.c.
+
+Convert PCIBIOS_* return codes using pcibios_err_to_errno() into
+normal errno before returning.
+
+Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+index ff49025ec0856..bb38e5f021a80 100644
+--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+@@ -106,11 +106,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ ret = pci_read_config_dword(pdev, 0xD0, &mmio_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ ret = pci_read_config_dword(pdev, 0xFC, &pcu_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ pcu_base &= GENMASK(10, 0);
+ base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12;
+--
+2.51.0
+
--- /dev/null
+From 2b02f942fabe191771d89ff29074e788ca8e12bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 19:27:24 +0100
+Subject: s390/ctcm: Fix double-kfree
+
+From: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+
+[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ]
+
+The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally
+from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.
+After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'
+frees it again.
+
+Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
+
+Bug detected by the clang static analyzer.
+
+Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak")
+Reviewed-by: Aswin Karuvally <aswin@linux.ibm.com>
+Signed-off-by: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+Signed-off-by: Aswin Karuvally <aswin@linux.ibm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/ctcm_mpc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c
+index be03cb123ef48..cde36a3b6c03c 100644
+--- a/drivers/s390/net/ctcm_mpc.c
++++ b/drivers/s390/net/ctcm_mpc.c
+@@ -698,7 +698,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo)
+
+ grp->sweep_req_pend_num--;
+ ctcmpc_send_sweep_resp(ch);
+- kfree(mpcginfo);
+ return;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 95b3ab55ef29dec5af0159cda77c60a2be70cde0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 14:48:00 -0700
+Subject: scsi: core: Fix a regression triggered by scsi_host_busy()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ]
+
+Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag
+iterators") introduced the following regression:
+
+Call trace:
+ __srcu_read_lock+0x30/0x80 (P)
+ blk_mq_tagset_busy_iter+0x44/0x300
+ scsi_host_busy+0x38/0x70
+ ufshcd_print_host_state+0x34/0x1bc
+ ufshcd_link_startup.constprop.0+0xe4/0x2e0
+ ufshcd_init+0x944/0xf80
+ ufshcd_pltfrm_init+0x504/0x820
+ ufs_rockchip_probe+0x2c/0x88
+ platform_probe+0x5c/0xa4
+ really_probe+0xc0/0x38c
+ __driver_probe_device+0x7c/0x150
+ driver_probe_device+0x40/0x120
+ __driver_attach+0xc8/0x1e0
+ bus_for_each_dev+0x7c/0xdc
+ driver_attach+0x24/0x30
+ bus_add_driver+0x110/0x230
+ driver_register+0x68/0x130
+ __platform_driver_register+0x20/0x2c
+ ufs_rockchip_pltform_init+0x1c/0x28
+ do_one_initcall+0x60/0x1e0
+ kernel_init_freeable+0x248/0x2c4
+ kernel_init+0x20/0x140
+ ret_from_fork+0x10/0x20
+
+Fix this regression by making scsi_host_busy() check whether the SCSI
+host tag set has already been initialized. tag_set->ops is set by
+scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This
+fix is based on the assumption that scsi_host_busy() and
+scsi_mq_setup_tags() calls are serialized. This is the case in the UFS
+driver.
+
+Reported-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index eb3e8b41adb10..cf842c97639a7 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -594,8 +594,9 @@ int scsi_host_busy(struct Scsi_Host *shost)
+ {
+ int cnt = 0;
+
+- blk_mq_tagset_busy_iter(&shost->tag_set,
+- scsi_host_check_in_flight, &cnt);
++ if (shost->tag_set.ops)
++ blk_mq_tagset_busy_iter(&shost->tag_set,
++ scsi_host_check_in_flight, &cnt);
+ return cnt;
+ }
+ EXPORT_SYMBOL(scsi_host_busy);
+--
+2.51.0
+
--- /dev/null
+From 308e7d7d9514accea57e1b9ddfc38e2875795008 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 17:57:10 +0800
+Subject: selftests: net: use BASH for bareudp testing
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ]
+
+In bareudp.sh, this script uses /bin/sh and it will load another lib.sh
+BASH script at the very beginning.
+
+But on some operating systems like Ubuntu, /bin/sh is actually pointed to
+DASH, thus it will try to run BASH commands with DASH and consequently
+leads to syntax issues:
+ # ./bareudp.sh: 4: ./lib.sh: Bad substitution
+ # ./bareudp.sh: 5: ./lib.sh: source: not found
+ # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected
+
+Fix this by explicitly using BASH for bareudp.sh. This fixes test
+execution failures on systems where /bin/sh is not BASH.
+
+Reported-by: Edoardo Canepa <edoardo.canepa@canonical.com>
+Link: https://bugs.launchpad.net/bugs/2129812
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/bareudp.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh
+index f366cadbc5e86..ff4308b48e65d 100755
+--- a/tools/testing/selftests/net/bareudp.sh
++++ b/tools/testing/selftests/net/bareudp.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
+ # Test various bareudp tunnel configurations.
+--
+2.51.0
+
mips-malta-fix-eva-soc-it-pci-mmio.patch
mptcp-fix-race-condition-in-mptcp_schedule_work.patch
drm-tegra-dc-fix-reference-leak-in-tegra_dc_couple.patch
+mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch
+net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch
+net-openvswitch-remove-never-working-support-for-set.patch
+s390-ctcm-fix-double-kfree.patch
+platform-x86-intel-speed_select_if-convert-pcibios_-.patch
+kernel.h-move-array_size-to-a-separate-header.patch
+net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch
+vsock-ignore-signal-timeout-on-connect-if-already-es.patch
+scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch
+selftests-net-use-bash-for-bareudp-testing.patch
+net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch
+kconfig-mconf-initialize-the-default-locale-at-start.patch
+kconfig-nconf-initialize-the-default-locale-at-start.patch
--- /dev/null
+From 0b614133981d1c960d7cfbb1c416ae74483d6f20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Nov 2025 15:02:59 +0100
+Subject: vsock: Ignore signal/timeout on connect() if already established
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ]
+
+During connect(), acting on a signal/timeout by disconnecting an already
+established socket leads to several issues:
+
+1. connect() invoking vsock_transport_cancel_pkt() ->
+ virtio_transport_purge_skbs() may race with sendmsg() invoking
+ virtio_transport_get_credit(). This results in a permanently elevated
+ `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
+
+2. connect() resetting a connected socket's state may race with socket
+ being placed in a sockmap. A disconnected socket remaining in a sockmap
+ breaks sockmap's assumptions. And gives rise to WARNs.
+
+3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
+ transport change/drop after TCP_ESTABLISHED. Which poses a problem for
+ any simultaneous sendmsg() or connect() and may result in a
+ use-after-free/null-ptr-deref.
+
+Do not disconnect socket on signal/timeout. Keep the logic for unconnected
+sockets: they don't linger, can't be placed in a sockmap, are rejected by
+sendmsg().
+
+[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
+[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
+[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 033fcdffc9e50..d79a755388318 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1493,18 +1493,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+ timeout = schedule_timeout(timeout);
+ lock_sock(sk);
+
+- if (signal_pending(current)) {
+- err = sock_intr_errno(timeout);
+- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+- sock->state = SS_UNCONNECTED;
+- vsock_transport_cancel_pkt(vsk);
+- vsock_remove_connected(vsk);
+- goto out_wait;
+- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+- err = -ETIMEDOUT;
++ /* Connection established. Whatever happens to socket once we
++ * release it, that's not connect()'s concern. No need to go
++ * into signal and timeout handling. Call it a day.
++ *
++ * Note that allowing to "reset" an already established socket
++ * here is racy and insecure.
++ */
++ if (sk->sk_state == TCP_ESTABLISHED)
++ break;
++
++ /* If connection was _not_ established and a signal/timeout came
++ * to be, we want the socket's state reset. User space may want
++ * to retry.
++ *
++ * sk_state != TCP_ESTABLISHED implies that socket is not on
++ * vsock_connected_table. We keep the binding and the transport
++ * assigned.
++ */
++ if (signal_pending(current) || timeout == 0) {
++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout);
++
++ /* Listener might have already responded with
++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our
++ * sk_state == TCP_SYN_SENT, which hereby we break.
++ * In such case VIRTIO_VSOCK_OP_RST will follow.
++ */
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
++
++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by
++ * transport->connect().
++ */
+ vsock_transport_cancel_pkt(vsk);
++
+ goto out_wait;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From ff0d8fd814836af6e8aa89dee9e6d82172013fa9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 17:49:32 +0200
+Subject: kconfig/mconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ]
+
+Fix bug where make menuconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/mconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c
+index 49c26ea9dd984..fe57b4071e910 100644
+--- a/scripts/kconfig/mconf.c
++++ b/scripts/kconfig/mconf.c
+@@ -12,6 +12,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <limits.h>
++#include <locale.h>
+ #include <stdarg.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -1007,6 +1008,8 @@ int main(int ac, char **av)
+
+ signal(SIGINT, sig_handler);
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ silent = 1;
+ /* Silence conf_read() until the real callback is set up */
+--
+2.51.0
+
--- /dev/null
+From 058b7ff6323c3c6d6c9200579f714b9a4a1efe71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 16:44:06 +0200
+Subject: kconfig/nconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ]
+
+Fix bug where make nconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index af56d27693d07..7c126569e6cb5 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -7,6 +7,7 @@
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
++#include <locale.h>
+ #include <string.h>
+ #include <stdlib.h>
+
+@@ -1478,6 +1479,8 @@ int main(int ac, char **av)
+ int lines, columns;
+ char *mode;
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ /* Silence conf_read() until the real callback is set up */
+ conf_set_message_callback(NULL);
+--
+2.51.0
+
--- /dev/null
+From bb7900953c51ca784c86a3e4fe342cd6b68845e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 05:21:14 +0000
+Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ]
+
+The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to
+obtain a ruleset reference. If the subsequent call to
+mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns
+an error without releasing the ruleset reference, causing a memory leak.
+
+Fix this by using a goto to the existing error handling label, which
+calls mlxsw_sp_acl_ruleset_put() to properly release the reference.
+
+Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+index 498de6ef68705..4eeebcb50ab68 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+@@ -542,8 +542,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp,
+ return -EINVAL;
+
+ rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie);
+- if (!rule)
+- return -EINVAL;
++ if (!rule) {
++ err = -EINVAL;
++ goto err_rule_get_stats;
++ }
+
+ err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes,
+ &lastuse);
+--
+2.51.0
+
--- /dev/null
+From 316e04e5def01fd3b334b0bb43076f134be68d36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:14:03 +0100
+Subject: net: openvswitch: remove never-working support for setting nsh fields
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ]
+
+The validation of the set(nsh(...)) action is completely wrong.
+It runs through the nsh_key_put_from_nlattr() function that is the
+same function that validates NSH keys for the flow match and the
+push_nsh() action. However, the set(nsh(...)) has a very different
+memory layout. Nested attributes in there are doubled in size in
+case of the masked set(). That makes proper validation impossible.
+
+There is also confusion in the code between the 'masked' flag, that
+says that the nested attributes are doubled in size containing both
+the value and the mask, and the 'is_mask' that says that the value
+we're parsing is the mask. This is causing kernel crash on trying to
+write into mask part of the match with SW_FLOW_KEY_PUT() during
+validation, while validate_nsh() doesn't allocate any memory for it:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
+ RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
+ Call Trace:
+ <TASK>
+ validate_nsh+0x60/0x90 [openvswitch]
+ validate_set.constprop.0+0x270/0x3c0 [openvswitch]
+ __ovs_nla_copy_actions+0x477/0x860 [openvswitch]
+ ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
+ ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
+ genl_family_rcv_msg_doit+0xdb/0x130
+ genl_family_rcv_msg+0x14b/0x220
+ genl_rcv_msg+0x47/0xa0
+ netlink_rcv_skb+0x53/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x280/0x3b0
+ netlink_sendmsg+0x1f7/0x430
+ ____sys_sendmsg+0x36b/0x3a0
+ ___sys_sendmsg+0x87/0xd0
+ __sys_sendmsg+0x6d/0xd0
+ do_syscall_64+0x7b/0x2c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The third issue with this process is that while trying to convert
+the non-masked set into masked one, validate_set() copies and doubles
+the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
+attributes. It should be copying each nested attribute and doubling
+them in size independently. And the process must be properly reversed
+during the conversion back from masked to a non-masked variant during
+the flow dump.
+
+In the end, the only two outcomes of trying to use this action are
+either validation failure or a kernel crash. And if somehow someone
+manages to install a flow with such an action, it will most definitely
+not do what it is supposed to, since all the keys and the masks are
+mixed up.
+
+Fixing all the issues is a complex task as it requires re-writing
+most of the validation code.
+
+Given that and the fact that this functionality never worked since
+introduction, let's just remove it altogether. It's better to
+re-introduce it later with a proper implementation instead of trying
+to fix it in stable releases.
+
+Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
+Reported-by: Junvy Yang <zhuque@tencent.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/actions.c | 68 +---------------------------------
+ net/openvswitch/flow_netlink.c | 64 ++++----------------------------
+ net/openvswitch/flow_netlink.h | 2 -
+ 3 files changed, 9 insertions(+), 125 deletions(-)
+
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index 5af7fe6312cf0..b1a3581ce2060 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -599,69 +599,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key,
+ return 0;
+ }
+
+-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
+- const struct nlattr *a)
+-{
+- struct nshhdr *nh;
+- size_t length;
+- int err;
+- u8 flags;
+- u8 ttl;
+- int i;
+-
+- struct ovs_key_nsh key;
+- struct ovs_key_nsh mask;
+-
+- err = nsh_key_from_nlattr(a, &key, &mask);
+- if (err)
+- return err;
+-
+- /* Make sure the NSH base header is there */
+- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN))
+- return -ENOMEM;
+-
+- nh = nsh_hdr(skb);
+- length = nsh_hdr_len(nh);
+-
+- /* Make sure the whole NSH header is there */
+- err = skb_ensure_writable(skb, skb_network_offset(skb) +
+- length);
+- if (unlikely(err))
+- return err;
+-
+- nh = nsh_hdr(skb);
+- skb_postpull_rcsum(skb, nh, length);
+- flags = nsh_get_flags(nh);
+- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
+- flow_key->nsh.base.flags = flags;
+- ttl = nsh_get_ttl(nh);
+- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl);
+- flow_key->nsh.base.ttl = ttl;
+- nsh_set_flags_and_ttl(nh, flags, ttl);
+- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr,
+- mask.base.path_hdr);
+- flow_key->nsh.base.path_hdr = nh->path_hdr;
+- switch (nh->mdtype) {
+- case NSH_M_TYPE1:
+- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) {
+- nh->md1.context[i] =
+- OVS_MASKED(nh->md1.context[i], key.context[i],
+- mask.context[i]);
+- }
+- memcpy(flow_key->nsh.context, nh->md1.context,
+- sizeof(nh->md1.context));
+- break;
+- case NSH_M_TYPE2:
+- memset(flow_key->nsh.context, 0,
+- sizeof(flow_key->nsh.context));
+- break;
+- default:
+- return -EINVAL;
+- }
+- skb_postpush_rcsum(skb, nh, length);
+- return 0;
+-}
+-
+ /* Must follow skb_ensure_writable() since that can move the skb data. */
+ static void set_tp_port(struct sk_buff *skb, __be16 *port,
+ __be16 new_port, __sum16 *check)
+@@ -1122,10 +1059,6 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ get_mask(a, struct ovs_key_ethernet *));
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- err = set_nsh(skb, flow_key, a);
+- break;
+-
+ case OVS_KEY_ATTR_IPV4:
+ err = set_ipv4(skb, flow_key, nla_data(a),
+ get_mask(a, struct ovs_key_ipv4 *));
+@@ -1162,6 +1095,7 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ case OVS_KEY_ATTR_CT_LABELS:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6:
++ case OVS_KEY_ATTR_NSH:
+ err = -EINVAL;
+ break;
+ }
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index 4ad4c89886ee3..a378b06db24f0 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1277,6 +1277,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
+ return 0;
+ }
+
++/*
++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH,
++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that
++ * attributes were previously validated with validate_push_nsh().
++ */
+ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ struct nshhdr *nh, size_t size)
+ {
+@@ -1286,8 +1291,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ u8 ttl = 0;
+ int mdlen = 0;
+
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+ if (size < NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+
+@@ -1331,46 +1334,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ return 0;
+ }
+
+-int nsh_key_from_nlattr(const struct nlattr *attr,
+- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
+-{
+- struct nlattr *a;
+- int rem;
+-
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+- nla_for_each_nested(a, attr, rem) {
+- int type = nla_type(a);
+-
+- switch (type) {
+- case OVS_NSH_KEY_ATTR_BASE: {
+- const struct ovs_nsh_key_base *base = nla_data(a);
+- const struct ovs_nsh_key_base *base_mask = base + 1;
+-
+- nsh->base = *base;
+- nsh_mask->base = *base_mask;
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD1: {
+- const struct ovs_nsh_key_md1 *md1 = nla_data(a);
+- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;
+-
+- memcpy(nsh->context, md1->context, sizeof(*md1));
+- memcpy(nsh_mask->context, md1_mask->context,
+- sizeof(*md1_mask));
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD2:
+- /* Not supported yet */
+- return -ENOTSUPP;
+- default:
+- return -EINVAL;
+- }
+- }
+-
+- return 0;
+-}
+-
+ static int nsh_key_put_from_nlattr(const struct nlattr *attr,
+ struct sw_flow_match *match, bool is_mask,
+ bool is_push_nsh, bool log)
+@@ -2704,17 +2667,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
+ return err;
+ }
+
+-static bool validate_nsh(const struct nlattr *attr, bool is_mask,
+- bool is_push_nsh, bool log)
++static bool validate_push_nsh(const struct nlattr *attr, bool log)
+ {
+ struct sw_flow_match match;
+ struct sw_flow_key key;
+- int ret = 0;
+
+ ovs_match_init(&match, &key, true, NULL);
+- ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
+- is_push_nsh, log);
+- return !ret;
++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ }
+
+ /* Return false if there are any non-masked bits set.
+@@ -2860,13 +2819,6 @@ static int validate_set(const struct nlattr *a,
+
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- if (eth_type != htons(ETH_P_NSH))
+- return -EINVAL;
+- if (!validate_nsh(nla_data(a), masked, false, log))
+- return -EINVAL;
+- break;
+-
+ default:
+ return -EINVAL;
+ }
+@@ -3219,7 +3171,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
+ return -EINVAL;
+ }
+ mac_proto = MAC_PROTO_NONE;
+- if (!validate_nsh(nla_data(a), false, true, true))
++ if (!validate_push_nsh(nla_data(a), log))
+ return -EINVAL;
+ break;
+
+diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h
+index fe7f77fc5f189..ff8cdecbe3465 100644
+--- a/net/openvswitch/flow_netlink.h
++++ b/net/openvswitch/flow_netlink.h
+@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr,
+ void ovs_nla_free_flow_actions(struct sw_flow_actions *);
+ void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *);
+
+-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh,
+- struct ovs_key_nsh *nsh_mask);
+ int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh,
+ size_t size);
+
+--
+2.51.0
+
--- /dev/null
+From ccbdc41f3f9a994ab062e10884de5f1ed05c2bd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 19:27:24 +0100
+Subject: s390/ctcm: Fix double-kfree
+
+From: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+
+[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ]
+
+The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally
+from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.
+After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'
+frees it again.
+
+Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
+
+Bug detected by the clang static analyzer.
+
+Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak")
+Reviewed-by: Aswin Karuvally <aswin@linux.ibm.com>
+Signed-off-by: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+Signed-off-by: Aswin Karuvally <aswin@linux.ibm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/ctcm_mpc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c
+index d766002bc5bee..e76b6e7f80ac5 100644
+--- a/drivers/s390/net/ctcm_mpc.c
++++ b/drivers/s390/net/ctcm_mpc.c
+@@ -712,7 +712,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo)
+
+ grp->sweep_req_pend_num--;
+ ctcmpc_send_sweep_resp(ch);
+- kfree(mpcginfo);
+ return;
+ }
+
+--
+2.51.0
+
scsi-sg-do-not-sleep-in-atomic-context.patch
scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
mips-malta-fix-eva-soc-it-pci-mmio.patch
+mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch
+net-openvswitch-remove-never-working-support-for-set.patch
+s390-ctcm-fix-double-kfree.patch
+vsock-ignore-signal-timeout-on-connect-if-already-es.patch
+kconfig-mconf-initialize-the-default-locale-at-start.patch
+kconfig-nconf-initialize-the-default-locale-at-start.patch
--- /dev/null
+From f3ab0069cd20ebd92a3b41b4749315f2451012b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Nov 2025 15:02:59 +0100
+Subject: vsock: Ignore signal/timeout on connect() if already established
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ]
+
+During connect(), acting on a signal/timeout by disconnecting an already
+established socket leads to several issues:
+
+1. connect() invoking vsock_transport_cancel_pkt() ->
+ virtio_transport_purge_skbs() may race with sendmsg() invoking
+ virtio_transport_get_credit(). This results in a permanently elevated
+ `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
+
+2. connect() resetting a connected socket's state may race with socket
+ being placed in a sockmap. A disconnected socket remaining in a sockmap
+ breaks sockmap's assumptions. And gives rise to WARNs.
+
+3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
+ transport change/drop after TCP_ESTABLISHED. Which poses a problem for
+ any simultaneous sendmsg() or connect() and may result in a
+ use-after-free/null-ptr-deref.
+
+Do not disconnect socket on signal/timeout. Keep the logic for unconnected
+sockets: they don't linger, can't be placed in a sockmap, are rejected by
+sendmsg().
+
+[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
+[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
+[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 831ca8da84813..2202a8ba2dfdc 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1235,18 +1235,40 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ timeout = schedule_timeout(timeout);
+ lock_sock(sk);
+
+- if (signal_pending(current)) {
+- err = sock_intr_errno(timeout);
+- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+- sock->state = SS_UNCONNECTED;
+- vsock_transport_cancel_pkt(vsk);
+- vsock_remove_connected(vsk);
+- goto out_wait;
+- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+- err = -ETIMEDOUT;
++ /* Connection established. Whatever happens to socket once we
++ * release it, that's not connect()'s concern. No need to go
++ * into signal and timeout handling. Call it a day.
++ *
++ * Note that allowing to "reset" an already established socket
++ * here is racy and insecure.
++ */
++ if (sk->sk_state == TCP_ESTABLISHED)
++ break;
++
++ /* If connection was _not_ established and a signal/timeout came
++ * to be, we want the socket's state reset. User space may want
++ * to retry.
++ *
++ * sk_state != TCP_ESTABLISHED implies that socket is not on
++ * vsock_connected_table. We keep the binding and the transport
++ * assigned.
++ */
++ if (signal_pending(current) || timeout == 0) {
++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout);
++
++ /* Listener might have already responded with
++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our
++ * sk_state == TCP_SYN_SENT, which hereby we break.
++ * In such case VIRTIO_VSOCK_OP_RST will follow.
++ */
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
++
++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by
++ * transport->connect().
++ */
+ vsock_transport_cancel_pkt(vsk);
++
+ goto out_wait;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From af2c8f8f1ed23ca9022827b48af3a03e50268909 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Oct 2025 14:51:26 +0200
+Subject: bcma: don't register devices disabled in OF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit a2a69add80411dd295c9088c1bcf925b1f4e53d7 ]
+
+Some bus devices can be marked as disabled for specific SoCs or models.
+Those should not be registered to avoid probing them.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251003125126.27950-1-zajec5@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bcma/main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c
+index 44392b624b200..11fbae15a7884 100644
+--- a/drivers/bcma/main.c
++++ b/drivers/bcma/main.c
+@@ -293,6 +293,8 @@ static int bcma_register_devices(struct bcma_bus *bus)
+ int err;
+
+ list_for_each_entry(core, &bus->cores, list) {
++ struct device_node *np;
++
+ /* We support that core ourselves */
+ switch (core->id.id) {
+ case BCMA_CORE_4706_CHIPCOMMON:
+@@ -310,6 +312,10 @@ static int bcma_register_devices(struct bcma_bus *bus)
+ if (bcma_is_core_needed_early(core->id.id))
+ continue;
+
++ np = core->dev.of_node;
++ if (np && !of_device_is_available(np))
++ continue;
++
+ /* Only first GMAC core on BCM4706 is connected and working */
+ if (core->id.id == BCMA_CORE_4706_MAC_GBIT &&
+ core->core_unit > 0)
+--
+2.51.0
+
--- /dev/null
+From 1a9dcbf68e54650aae5e1347e1c23a5780c8860a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 21:17:01 -0500
+Subject: cifs: fix typo in enable_gcm_256 module parameter
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit f765fdfcd8b5bce92c6aa1a517ff549529ddf590 ]
+
+Fix typo in description of enable_gcm_256 module parameter
+
+Suggested-by: Thomas Spear <speeddymon@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c
+index 32b008bc99a09..74e4beb351946 100644
+--- a/fs/smb/client/cifsfs.c
++++ b/fs/smb/client/cifsfs.c
+@@ -128,7 +128,7 @@ module_param(enable_oplocks, bool, 0644);
+ MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
+
+ module_param(enable_gcm_256, bool, 0644);
+-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0");
++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/1");
+
+ module_param(require_gcm_256, bool, 0644);
+ MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");
+--
+2.51.0
+
--- /dev/null
+From 341f0e3a9cbbaa076bb8ae2eb1aeab32fcd3faea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Sep 2025 13:25:40 +0900
+Subject: drm/tegra: Add call to put_pid()
+
+From: Prateek Agarwal <praagarwal@nvidia.com>
+
+[ Upstream commit 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a ]
+
+Add a call to put_pid() corresponding to get_task_pid().
+host1x_memory_context_alloc() does not take ownership of the PID so we
+need to free it here to avoid leaking.
+
+Signed-off-by: Prateek Agarwal <praagarwal@nvidia.com>
+Fixes: e09db97889ec ("drm/tegra: Support context isolation")
+[mperttunen@nvidia.com: reword commit message]
+Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20250919-host1x-put-pid-v1-1-19c2163dfa87@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/uapi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c
+index 5adab6b229164..d0b6a1fa6efad 100644
+--- a/drivers/gpu/drm/tegra/uapi.c
++++ b/drivers/gpu/drm/tegra/uapi.c
+@@ -114,9 +114,12 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_
+ if (err)
+ goto put_channel;
+
+- if (supported)
++ if (supported) {
++ struct pid *pid = get_task_pid(current, PIDTYPE_TGID);
+ context->memory_context = host1x_memory_context_alloc(
+- host, client->base.dev, get_task_pid(current, PIDTYPE_TGID));
++ host, client->base.dev, pid);
++ put_pid(pid);
++ }
+
+ if (IS_ERR(context->memory_context)) {
+ if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) {
+--
+2.51.0
+
--- /dev/null
+From dec46b3bc3cbcbd215875f698fb5a5ad9c70df57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 11:38:42 +0300
+Subject: gpu: host1x: Select context device based on attached IOMMU
+
+From: Mikko Perttunen <mperttunen@nvidia.com>
+
+[ Upstream commit 8935002fc37fce1ad211d98a70f2fd42083c0594 ]
+
+On Tegra234, engines that are programmed through Host1x channels can
+be attached to either the NISO0 or NISO1 SMMU. Because of that, when
+selecting a context device to use with an engine, we need to select
+one that is also attached to the same SMMU.
+
+Add a parameter to host1x_memory_context_alloc to specify which device
+we are allocating a context for, and use it to pick an appropriate
+context device.
+
+Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
+[treding@nvidia.com: update !IOMMU_API stub signature]
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Stable-dep-of: 6cbab9f0da72 ("drm/tegra: Add call to put_pid()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/uapi.c | 2 +-
+ drivers/gpu/host1x/context.c | 4 ++++
+ include/linux/host1x.h | 2 ++
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c
+index a98239cb0e29a..5adab6b229164 100644
+--- a/drivers/gpu/drm/tegra/uapi.c
++++ b/drivers/gpu/drm/tegra/uapi.c
+@@ -116,7 +116,7 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_
+
+ if (supported)
+ context->memory_context = host1x_memory_context_alloc(
+- host, get_task_pid(current, PIDTYPE_TGID));
++ host, client->base.dev, get_task_pid(current, PIDTYPE_TGID));
+
+ if (IS_ERR(context->memory_context)) {
+ if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) {
+diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c
+index 93c0c532fe5af..9c0db178fade9 100644
+--- a/drivers/gpu/host1x/context.c
++++ b/drivers/gpu/host1x/context.c
+@@ -112,6 +112,7 @@ void host1x_memory_context_list_free(struct host1x_memory_context_list *cdl)
+ }
+
+ struct host1x_memory_context *host1x_memory_context_alloc(struct host1x *host1x,
++ struct device *dev,
+ struct pid *pid)
+ {
+ struct host1x_memory_context_list *cdl = &host1x->context_list;
+@@ -126,6 +127,9 @@ struct host1x_memory_context *host1x_memory_context_alloc(struct host1x *host1x,
+ for (i = 0; i < cdl->len; i++) {
+ struct host1x_memory_context *cd = &cdl->devs[i];
+
++ if (cd->dev.iommu->iommu_dev != dev->iommu->iommu_dev)
++ continue;
++
+ if (cd->owner == pid) {
+ refcount_inc(&cd->ref);
+ mutex_unlock(&cdl->lock);
+diff --git a/include/linux/host1x.h b/include/linux/host1x.h
+index cb2100d9b0ffe..dc55d9d3b94f0 100644
+--- a/include/linux/host1x.h
++++ b/include/linux/host1x.h
+@@ -469,11 +469,13 @@ struct host1x_memory_context {
+
+ #ifdef CONFIG_IOMMU_API
+ struct host1x_memory_context *host1x_memory_context_alloc(struct host1x *host1x,
++ struct device *dev,
+ struct pid *pid);
+ void host1x_memory_context_get(struct host1x_memory_context *cd);
+ void host1x_memory_context_put(struct host1x_memory_context *cd);
+ #else
+ static inline struct host1x_memory_context *host1x_memory_context_alloc(struct host1x *host1x,
++ struct device *dev,
+ struct pid *pid)
+ {
+ return NULL;
+--
+2.51.0
+
--- /dev/null
+From 12d52675e4e7330780d522c63a562c61c914ba23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 17:49:32 +0200
+Subject: kconfig/mconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ]
+
+Fix bug where make menuconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/mconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c
+index 9d3cf510562f8..0649ff35ec5c0 100644
+--- a/scripts/kconfig/mconf.c
++++ b/scripts/kconfig/mconf.c
+@@ -12,6 +12,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <limits.h>
++#include <locale.h>
+ #include <stdarg.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -1005,6 +1006,8 @@ int main(int ac, char **av)
+
+ signal(SIGINT, sig_handler);
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ silent = 1;
+ /* Silence conf_read() until the real callback is set up */
+--
+2.51.0
+
--- /dev/null
+From a847976f53c7531462f4b9f35b74d0ab5ed6aa97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 16:44:06 +0200
+Subject: kconfig/nconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ]
+
+Fix bug where make nconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index 16a2db59432a5..e9ae03d056b09 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -7,6 +7,7 @@
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
++#include <locale.h>
+ #include <string.h>
+ #include <strings.h>
+ #include <stdlib.h>
+@@ -1476,6 +1477,8 @@ int main(int ac, char **av)
+ int lines, columns;
+ char *mode;
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ /* Silence conf_read() until the real callback is set up */
+ conf_set_message_callback(NULL);
+--
+2.51.0
+
--- /dev/null
+From 3ce2cf119e03f49288ea5171f006188a3e44e500 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Oct 2023 14:59:53 +0300
+Subject: kernel.h: Move ARRAY_SIZE() to a separate header
+
+From: Alejandro Colomar <alx@kernel.org>
+
+[ Upstream commit 3cd39bc3b11b8d34b7d7c961a35fdfd18b0ebf75 ]
+
+Touching files so used for the kernel,
+forces 'make' to recompile most of the kernel.
+
+Having those definitions in more granular files
+helps avoid recompiling so much of the kernel.
+
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20230817143352.132583-2-lucas.segarra.fernandez@intel.com
+[andy: reduced to cover only string.h for now]
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Stable-dep-of: 896f1a2493b5 ("net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/array_size.h | 13 +++++++++++++
+ include/linux/kernel.h | 7 +------
+ include/linux/string.h | 1 +
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+ create mode 100644 include/linux/array_size.h
+
+diff --git a/include/linux/array_size.h b/include/linux/array_size.h
+new file mode 100644
+index 0000000000000..06d7d83196ca3
+--- /dev/null
++++ b/include/linux/array_size.h
+@@ -0,0 +1,13 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _LINUX_ARRAY_SIZE_H
++#define _LINUX_ARRAY_SIZE_H
++
++#include <linux/compiler.h>
++
++/**
++ * ARRAY_SIZE - get the number of elements in array @arr
++ * @arr: array to be sized
++ */
++#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
++
++#endif /* _LINUX_ARRAY_SIZE_H */
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index fe6efb24d151a..50254bb6b7a98 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -13,6 +13,7 @@
+
+ #include <linux/stdarg.h>
+ #include <linux/align.h>
++#include <linux/array_size.h>
+ #include <linux/limits.h>
+ #include <linux/linkage.h>
+ #include <linux/stddef.h>
+@@ -48,12 +49,6 @@
+ #define READ 0
+ #define WRITE 1
+
+-/**
+- * ARRAY_SIZE - get the number of elements in array @arr
+- * @arr: array to be sized
+- */
+-#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
+-
+ #define PTR_IF(cond, ptr) ((cond) ? (ptr) : NULL)
+
+ #define u64_to_user_ptr(x) ( \
+diff --git a/include/linux/string.h b/include/linux/string.h
+index 422606e98cc42..e7ade5223d422 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -2,6 +2,7 @@
+ #ifndef _LINUX_STRING_H_
+ #define _LINUX_STRING_H_
+
++#include <linux/array_size.h>
+ #include <linux/compiler.h> /* for inline */
+ #include <linux/types.h> /* for size_t */
+ #include <linux/stddef.h> /* for NULL */
+--
+2.51.0
+
--- /dev/null
+From 5f5966c95dd83602d68c468356ca92977a969d4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 05:21:14 +0000
+Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ]
+
+The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to
+obtain a ruleset reference. If the subsequent call to
+mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns
+an error without releasing the ruleset reference, causing a memory leak.
+
+Fix this by using a goto to the existing error handling label, which
+calls mlxsw_sp_acl_ruleset_put() to properly release the reference.
+
+Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+index e91fb205e0b4c..66e95918bdf6e 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+@@ -719,8 +719,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp,
+ return -EINVAL;
+
+ rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie);
+- if (!rule)
+- return -EINVAL;
++ if (!rule) {
++ err = -EINVAL;
++ goto err_rule_get_stats;
++ }
+
+ err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes,
+ &drops, &lastuse, &used_hw_stats);
+--
+2.51.0
+
--- /dev/null
+From b5413919a577dff937ae66a7a273157f210a7848 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 16:57:44 +0300
+Subject: net: dsa: hellcreek: fix missing error handling in LED registration
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ]
+
+The LED setup routine registered both led_sync_good
+and led_is_gm devices without checking the return
+values of led_classdev_register(). If either registration
+failed, the function continued silently, leaving the
+driver in a partially-initialized state and leaking
+a registered LED classdev.
+
+Add proper error handling
+
+Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Kurt Kanzenbach <kurt@linutronix.de>
+Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+index b28baab6d56a1..763666480a8a8 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c
++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+@@ -367,8 +367,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek)
+ hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1);
+
+ /* Register both leds */
+- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
+- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n");
++ goto out;
++ }
++
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n");
++ led_classdev_unregister(&hellcreek->led_sync_good);
++ goto out;
++ }
+
+ ret = 0;
+
+--
+2.51.0
+
--- /dev/null
+From dbf83b6bf2efeb0530e1f2dccca3dd9bc0955757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 19:19:21 +0300
+Subject: net: mlxsw: linecards: fix missing error check in
+ mlxsw_linecard_devlink_info_get()
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit b0c959fec18f4595a6a6317ffc30615cfa37bf69 ]
+
+The call to devlink_info_version_fixed_put() in
+mlxsw_linecard_devlink_info_get() did not check for errors,
+although it is checked everywhere in the code.
+
+Add missed 'err' check to the mlxsw_linecard_devlink_info_get()
+
+Fixes: 3fc0c51905fb ("mlxsw: core_linecards: Expose device PSID over device info")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251113161922.813828-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+index 99196333d1324..525973da7abc9 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+@@ -601,6 +601,8 @@ int mlxsw_linecard_devlink_info_get(struct mlxsw_linecard *linecard,
+ err = devlink_info_version_fixed_put(req,
+ DEVLINK_INFO_VERSION_GENERIC_FW_PSID,
+ info->psid);
++ if (err)
++ goto unlock;
+
+ sprintf(buf, "%u.%u.%u", info->fw_major, info->fw_minor,
+ info->fw_sub_minor);
+--
+2.51.0
+
--- /dev/null
+From 45f28ca934b638619f37c6edbe052f4faf0498be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:14:03 +0100
+Subject: net: openvswitch: remove never-working support for setting nsh fields
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ]
+
+The validation of the set(nsh(...)) action is completely wrong.
+It runs through the nsh_key_put_from_nlattr() function that is the
+same function that validates NSH keys for the flow match and the
+push_nsh() action. However, the set(nsh(...)) has a very different
+memory layout. Nested attributes in there are doubled in size in
+case of the masked set(). That makes proper validation impossible.
+
+There is also confusion in the code between the 'masked' flag, that
+says that the nested attributes are doubled in size containing both
+the value and the mask, and the 'is_mask' that says that the value
+we're parsing is the mask. This is causing kernel crash on trying to
+write into mask part of the match with SW_FLOW_KEY_PUT() during
+validation, while validate_nsh() doesn't allocate any memory for it:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
+ RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
+ Call Trace:
+ <TASK>
+ validate_nsh+0x60/0x90 [openvswitch]
+ validate_set.constprop.0+0x270/0x3c0 [openvswitch]
+ __ovs_nla_copy_actions+0x477/0x860 [openvswitch]
+ ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
+ ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
+ genl_family_rcv_msg_doit+0xdb/0x130
+ genl_family_rcv_msg+0x14b/0x220
+ genl_rcv_msg+0x47/0xa0
+ netlink_rcv_skb+0x53/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x280/0x3b0
+ netlink_sendmsg+0x1f7/0x430
+ ____sys_sendmsg+0x36b/0x3a0
+ ___sys_sendmsg+0x87/0xd0
+ __sys_sendmsg+0x6d/0xd0
+ do_syscall_64+0x7b/0x2c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The third issue with this process is that while trying to convert
+the non-masked set into masked one, validate_set() copies and doubles
+the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
+attributes. It should be copying each nested attribute and doubling
+them in size independently. And the process must be properly reversed
+during the conversion back from masked to a non-masked variant during
+the flow dump.
+
+In the end, the only two outcomes of trying to use this action are
+either validation failure or a kernel crash. And if somehow someone
+manages to install a flow with such an action, it will most definitely
+not do what it is supposed to, since all the keys and the masks are
+mixed up.
+
+Fixing all the issues is a complex task as it requires re-writing
+most of the validation code.
+
+Given that and the fact that this functionality never worked since
+introduction, let's just remove it altogether. It's better to
+re-introduce it later with a proper implementation instead of trying
+to fix it in stable releases.
+
+Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
+Reported-by: Junvy Yang <zhuque@tencent.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/actions.c | 68 +---------------------------------
+ net/openvswitch/flow_netlink.c | 64 ++++----------------------------
+ net/openvswitch/flow_netlink.h | 2 -
+ 3 files changed, 9 insertions(+), 125 deletions(-)
+
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index a87c25e06bafd..f7cc87e67d3c8 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -595,69 +595,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key,
+ return 0;
+ }
+
+-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
+- const struct nlattr *a)
+-{
+- struct nshhdr *nh;
+- size_t length;
+- int err;
+- u8 flags;
+- u8 ttl;
+- int i;
+-
+- struct ovs_key_nsh key;
+- struct ovs_key_nsh mask;
+-
+- err = nsh_key_from_nlattr(a, &key, &mask);
+- if (err)
+- return err;
+-
+- /* Make sure the NSH base header is there */
+- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN))
+- return -ENOMEM;
+-
+- nh = nsh_hdr(skb);
+- length = nsh_hdr_len(nh);
+-
+- /* Make sure the whole NSH header is there */
+- err = skb_ensure_writable(skb, skb_network_offset(skb) +
+- length);
+- if (unlikely(err))
+- return err;
+-
+- nh = nsh_hdr(skb);
+- skb_postpull_rcsum(skb, nh, length);
+- flags = nsh_get_flags(nh);
+- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
+- flow_key->nsh.base.flags = flags;
+- ttl = nsh_get_ttl(nh);
+- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl);
+- flow_key->nsh.base.ttl = ttl;
+- nsh_set_flags_and_ttl(nh, flags, ttl);
+- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr,
+- mask.base.path_hdr);
+- flow_key->nsh.base.path_hdr = nh->path_hdr;
+- switch (nh->mdtype) {
+- case NSH_M_TYPE1:
+- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) {
+- nh->md1.context[i] =
+- OVS_MASKED(nh->md1.context[i], key.context[i],
+- mask.context[i]);
+- }
+- memcpy(flow_key->nsh.context, nh->md1.context,
+- sizeof(nh->md1.context));
+- break;
+- case NSH_M_TYPE2:
+- memset(flow_key->nsh.context, 0,
+- sizeof(flow_key->nsh.context));
+- break;
+- default:
+- return -EINVAL;
+- }
+- skb_postpush_rcsum(skb, nh, length);
+- return 0;
+-}
+-
+ /* Must follow skb_ensure_writable() since that can move the skb data. */
+ static void set_tp_port(struct sk_buff *skb, __be16 *port,
+ __be16 new_port, __sum16 *check)
+@@ -1130,10 +1067,6 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ get_mask(a, struct ovs_key_ethernet *));
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- err = set_nsh(skb, flow_key, a);
+- break;
+-
+ case OVS_KEY_ATTR_IPV4:
+ err = set_ipv4(skb, flow_key, nla_data(a),
+ get_mask(a, struct ovs_key_ipv4 *));
+@@ -1170,6 +1103,7 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ case OVS_KEY_ATTR_CT_LABELS:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6:
++ case OVS_KEY_ATTR_NSH:
+ err = -EINVAL;
+ break;
+ }
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index 0ed3953dbe529..d0b6e58720816 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1290,6 +1290,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
+ return 0;
+ }
+
++/*
++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH,
++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that
++ * attributes were previously validated with validate_push_nsh().
++ */
+ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ struct nshhdr *nh, size_t size)
+ {
+@@ -1299,8 +1304,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ u8 ttl = 0;
+ int mdlen = 0;
+
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+ if (size < NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+
+@@ -1344,46 +1347,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ return 0;
+ }
+
+-int nsh_key_from_nlattr(const struct nlattr *attr,
+- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
+-{
+- struct nlattr *a;
+- int rem;
+-
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+- nla_for_each_nested(a, attr, rem) {
+- int type = nla_type(a);
+-
+- switch (type) {
+- case OVS_NSH_KEY_ATTR_BASE: {
+- const struct ovs_nsh_key_base *base = nla_data(a);
+- const struct ovs_nsh_key_base *base_mask = base + 1;
+-
+- nsh->base = *base;
+- nsh_mask->base = *base_mask;
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD1: {
+- const struct ovs_nsh_key_md1 *md1 = nla_data(a);
+- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;
+-
+- memcpy(nsh->context, md1->context, sizeof(*md1));
+- memcpy(nsh_mask->context, md1_mask->context,
+- sizeof(*md1_mask));
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD2:
+- /* Not supported yet */
+- return -ENOTSUPP;
+- default:
+- return -EINVAL;
+- }
+- }
+-
+- return 0;
+-}
+-
+ static int nsh_key_put_from_nlattr(const struct nlattr *attr,
+ struct sw_flow_match *match, bool is_mask,
+ bool is_push_nsh, bool log)
+@@ -2823,17 +2786,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
+ return err;
+ }
+
+-static bool validate_nsh(const struct nlattr *attr, bool is_mask,
+- bool is_push_nsh, bool log)
++static bool validate_push_nsh(const struct nlattr *attr, bool log)
+ {
+ struct sw_flow_match match;
+ struct sw_flow_key key;
+- int ret = 0;
+
+ ovs_match_init(&match, &key, true, NULL);
+- ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
+- is_push_nsh, log);
+- return !ret;
++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ }
+
+ /* Return false if there are any non-masked bits set.
+@@ -2981,13 +2940,6 @@ static int validate_set(const struct nlattr *a,
+
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- if (eth_type != htons(ETH_P_NSH))
+- return -EINVAL;
+- if (!validate_nsh(nla_data(a), masked, false, log))
+- return -EINVAL;
+- break;
+-
+ default:
+ return -EINVAL;
+ }
+@@ -3394,7 +3346,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
+ return -EINVAL;
+ }
+ mac_proto = MAC_PROTO_NONE;
+- if (!validate_nsh(nla_data(a), false, true, true))
++ if (!validate_push_nsh(nla_data(a), log))
+ return -EINVAL;
+ break;
+
+diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h
+index fe7f77fc5f189..ff8cdecbe3465 100644
+--- a/net/openvswitch/flow_netlink.h
++++ b/net/openvswitch/flow_netlink.h
+@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr,
+ void ovs_nla_free_flow_actions(struct sw_flow_actions *);
+ void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *);
+
+-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh,
+- struct ovs_key_nsh *nsh_mask);
+ int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh,
+ size_t size);
+
+--
+2.51.0
+
--- /dev/null
+From 9183e6551c531a0a1eb418298b2e1b8f182ba222 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 14:27:56 +0300
+Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont()
+ and qede_tpa_end()
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ]
+
+The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate
+over 'cqe->len_list[]' using only a zero-length terminator as
+the stopping condition. If the terminator was missing or
+malformed, the loop could run past the end of the fixed-size array.
+
+Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
+a potential out-of-bounds access.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+index cb1746bc0e0c5..273dae622c411 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+@@ -4,6 +4,7 @@
+ * Copyright (c) 2019-2020 Marvell International Ltd.
+ */
+
++#include <linux/array_size.h>
+ #include <linux/netdevice.h>
+ #include <linux/etherdevice.h>
+ #include <linux/skbuff.h>
+@@ -960,7 +961,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev,
+ {
+ int i;
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+
+@@ -985,7 +986,7 @@ static int qede_tpa_end(struct qede_dev *edev,
+ dma_unmap_page(rxq->dev, tpa_info->buffer.mapping,
+ PAGE_SIZE, rxq->data_direction);
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+ if (unlikely(i > 1))
+--
+2.51.0
+
--- /dev/null
+From 6d1bd8b86dc10fb6bec0c0a2e93581f2f779165b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 22:03:02 +0200
+Subject: net: tls: Cancel RX async resync request on rcd_delta overflow
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ]
+
+When a netdev issues a RX async resync request for a TLS connection,
+the TLS module handles it by logging record headers and attempting to
+match them to the tcp_sn provided by the device. If a match is found,
+the TLS module approves the tcp_sn for resynchronization.
+
+While waiting for a device response, the TLS module also increments
+rcd_delta each time a new TLS record is received, tracking the distance
+from the original resync request.
+
+However, if the device response is delayed or fails (e.g due to
+unstable connection and device getting out of tracking, hardware
+errors, resource exhaustion etc.), the TLS module keeps logging and
+incrementing, which can lead to a WARN() when rcd_delta exceeds the
+threshold.
+
+To address this, introduce tls_offload_rx_resync_async_request_cancel()
+to explicitly cancel resync requests when a device response failure is
+detected. Call this helper also as a final safeguard when rcd_delta
+crosses its threshold, as reaching this point implies that earlier
+cancellation did not occur.
+
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tls.h | 6 ++++++
+ net/tls/tls_device.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/tls.h b/include/net/tls.h
+index 899c863aba02c..037049def8a7f 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -475,6 +475,12 @@ tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq)
+ ((u64)ntohl(seq) << 32) | RESYNC_REQ);
+ }
+
++static inline void
++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async)
++{
++ atomic64_set(&resync_async->req, 0);
++}
++
+ static inline void
+ tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type)
+ {
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index 1849827884735..c51377a159bec 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -739,8 +739,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async,
+ /* shouldn't get to wraparound:
+ * too long in async stage, something bad happened
+ */
+- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX))
++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) {
++ tls_offload_rx_resync_async_request_cancel(resync_async);
+ return false;
++ }
+
+ /* asynchronous stage: log all headers seq such that
+ * req_seq <= seq <= end_seq, and wait for real resync request
+--
+2.51.0
+
--- /dev/null
+From 309e4ba60f78efb5bf8d7699bd69c54547f5825b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 11:23:39 +0900
+Subject: nvme-multipath: fix lockdep WARN due to partition scan work
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+[ Upstream commit 6d87cd5335784351280f82c47cc8a657271929c3 ]
+
+Blktests test cases nvme/014, 057 and 058 fail occasionally due to a
+lockdep WARN. As reported in the Closes tag URL, the WARN indicates that
+a deadlock can happen due to the dependency among disk->open_mutex,
+kblockd workqueue completion and partition_scan_work completion.
+
+To avoid the lockdep WARN and the potential deadlock, cut the dependency
+by running the partition_scan_work not by kblockd workqueue but by
+nvme_wq.
+
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Closes: https://lore.kernel.org/linux-block/CAHj4cs8mJ+R_GmQm9R8ebResKAWUE8kF5+_WVg0v8zndmqd6BQ@mail.gmail.com/
+Link: https://lore.kernel.org/linux-block/oeyzci6ffshpukpfqgztsdeke5ost5hzsuz4rrsjfmvpqcevax@5nhnwbkzbrpa/
+Fixes: 1f021341eef4 ("nvme-multipath: defer partition scanning")
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 43b89c7d585f0..a3e225bb4b88f 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -577,7 +577,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns)
+ return;
+ }
+ nvme_add_ns_head_cdev(head);
+- kblockd_schedule_work(&head->partition_scan_work);
++ queue_work(nvme_wq, &head->partition_scan_work);
+ }
+
+ mutex_lock(&head->lock);
+--
+2.51.0
+
--- /dev/null
+From 547f0dc91c114ad359e0b4795d91231ddad21b5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 11:33:54 +0800
+Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to
+ errnos
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ]
+
+isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_*
+codes. The return code is returned from the probe function as is but
+probe functions should return normal errnos. A proper implementation
+can be found in drivers/leds/leds-ss4200.c.
+
+Convert PCIBIOS_* return codes using pcibios_err_to_errno() into
+normal errno before returning.
+
+Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+index ff49025ec0856..bb38e5f021a80 100644
+--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+@@ -106,11 +106,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ ret = pci_read_config_dword(pdev, 0xD0, &mmio_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ ret = pci_read_config_dword(pdev, 0xFC, &pcu_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ pcu_base &= GENMASK(10, 0);
+ base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12;
+--
+2.51.0
+
--- /dev/null
+From 4dceb0fa666972de17777b50b3e0ea391151c843 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 19:27:24 +0100
+Subject: s390/ctcm: Fix double-kfree
+
+From: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+
+[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ]
+
+The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally
+from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.
+After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'
+frees it again.
+
+Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
+
+Bug detected by the clang static analyzer.
+
+Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak")
+Reviewed-by: Aswin Karuvally <aswin@linux.ibm.com>
+Signed-off-by: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+Signed-off-by: Aswin Karuvally <aswin@linux.ibm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/ctcm_mpc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c
+index 8ac213a551418..55216d2fbea0b 100644
+--- a/drivers/s390/net/ctcm_mpc.c
++++ b/drivers/s390/net/ctcm_mpc.c
+@@ -698,7 +698,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo)
+
+ grp->sweep_req_pend_num--;
+ ctcmpc_send_sweep_resp(ch);
+- kfree(mpcginfo);
+ return;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From cdf6ebbee86f107885c4f3769e310a91754b381c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 14:48:00 -0700
+Subject: scsi: core: Fix a regression triggered by scsi_host_busy()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ]
+
+Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag
+iterators") introduced the following regression:
+
+Call trace:
+ __srcu_read_lock+0x30/0x80 (P)
+ blk_mq_tagset_busy_iter+0x44/0x300
+ scsi_host_busy+0x38/0x70
+ ufshcd_print_host_state+0x34/0x1bc
+ ufshcd_link_startup.constprop.0+0xe4/0x2e0
+ ufshcd_init+0x944/0xf80
+ ufshcd_pltfrm_init+0x504/0x820
+ ufs_rockchip_probe+0x2c/0x88
+ platform_probe+0x5c/0xa4
+ really_probe+0xc0/0x38c
+ __driver_probe_device+0x7c/0x150
+ driver_probe_device+0x40/0x120
+ __driver_attach+0xc8/0x1e0
+ bus_for_each_dev+0x7c/0xdc
+ driver_attach+0x24/0x30
+ bus_add_driver+0x110/0x230
+ driver_register+0x68/0x130
+ __platform_driver_register+0x20/0x2c
+ ufs_rockchip_pltform_init+0x1c/0x28
+ do_one_initcall+0x60/0x1e0
+ kernel_init_freeable+0x248/0x2c4
+ kernel_init+0x20/0x140
+ ret_from_fork+0x10/0x20
+
+Fix this regression by making scsi_host_busy() check whether the SCSI
+host tag set has already been initialized. tag_set->ops is set by
+scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This
+fix is based on the assumption that scsi_host_busy() and
+scsi_mq_setup_tags() calls are serialized. This is the case in the UFS
+driver.
+
+Reported-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index c785493b105c0..28cf473fcf96d 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -600,8 +600,9 @@ int scsi_host_busy(struct Scsi_Host *shost)
+ {
+ int cnt = 0;
+
+- blk_mq_tagset_busy_iter(&shost->tag_set,
+- scsi_host_check_in_flight, &cnt);
++ if (shost->tag_set.ops)
++ blk_mq_tagset_busy_iter(&shost->tag_set,
++ scsi_host_check_in_flight, &cnt);
+ return cnt;
+ }
+ EXPORT_SYMBOL(scsi_host_busy);
+--
+2.51.0
+
--- /dev/null
+From cc50b495496221f607813c3e35249be39a8296fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 17:57:10 +0800
+Subject: selftests: net: use BASH for bareudp testing
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ]
+
+In bareudp.sh, this script uses /bin/sh and it will load another lib.sh
+BASH script at the very beginning.
+
+But on some operating systems like Ubuntu, /bin/sh is actually pointed to
+DASH, thus it will try to run BASH commands with DASH and consequently
+leads to syntax issues:
+ # ./bareudp.sh: 4: ./lib.sh: Bad substitution
+ # ./bareudp.sh: 5: ./lib.sh: source: not found
+ # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected
+
+Fix this by explicitly using BASH for bareudp.sh. This fixes test
+execution failures on systems where /bin/sh is not BASH.
+
+Reported-by: Edoardo Canepa <edoardo.canepa@canonical.com>
+Link: https://bugs.launchpad.net/bugs/2129812
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/bareudp.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh
+index f366cadbc5e86..ff4308b48e65d 100755
+--- a/tools/testing/selftests/net/bareudp.sh
++++ b/tools/testing/selftests/net/bareudp.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
+ # Test various bareudp tunnel configurations.
+--
+2.51.0
+
mptcp-do-not-fallback-when-ooo-is-present.patch
drm-tegra-dc-fix-reference-leak-in-tegra_dc_couple.patch
drm-amdgpu-skip-emit-de-meta-data-on-gfx11-with-rs64-enabled.patch
+xfrm-determine-inner-gso-type-from-packet-inner-prot.patch
+mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch
+gpu-host1x-select-context-device-based-on-attached-i.patch
+drm-tegra-add-call-to-put_pid.patch
+net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch
+net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch
+net-openvswitch-remove-never-working-support-for-set.patch
+nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch
+s390-ctcm-fix-double-kfree.patch
+platform-x86-intel-speed_select_if-convert-pcibios_-.patch
+kernel.h-move-array_size-to-a-separate-header.patch
+net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch
+vsock-ignore-signal-timeout-on-connect-if-already-es.patch
+bcma-don-t-register-devices-disabled-in-of.patch
+cifs-fix-typo-in-enable_gcm_256-module-parameter.patch
+scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch
+selftests-net-use-bash-for-bareudp-testing.patch
+net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch
+kconfig-mconf-initialize-the-default-locale-at-start.patch
+kconfig-nconf-initialize-the-default-locale-at-start.patch
--- /dev/null
+From d9ba2de6a8b233a16865a8ac3af8e13f36d668a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Nov 2025 15:02:59 +0100
+Subject: vsock: Ignore signal/timeout on connect() if already established
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ]
+
+During connect(), acting on a signal/timeout by disconnecting an already
+established socket leads to several issues:
+
+1. connect() invoking vsock_transport_cancel_pkt() ->
+ virtio_transport_purge_skbs() may race with sendmsg() invoking
+ virtio_transport_get_credit(). This results in a permanently elevated
+ `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
+
+2. connect() resetting a connected socket's state may race with socket
+ being placed in a sockmap. A disconnected socket remaining in a sockmap
+ breaks sockmap's assumptions. And gives rise to WARNs.
+
+3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
+ transport change/drop after TCP_ESTABLISHED. Which poses a problem for
+ any simultaneous sendmsg() or connect() and may result in a
+ use-after-free/null-ptr-deref.
+
+Do not disconnect socket on signal/timeout. Keep the logic for unconnected
+sockets: they don't linger, can't be placed in a sockmap, are rejected by
+sendmsg().
+
+[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
+[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
+[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 6de321a6e43cf..95441466d90dd 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1502,18 +1502,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+ timeout = schedule_timeout(timeout);
+ lock_sock(sk);
+
+- if (signal_pending(current)) {
+- err = sock_intr_errno(timeout);
+- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+- sock->state = SS_UNCONNECTED;
+- vsock_transport_cancel_pkt(vsk);
+- vsock_remove_connected(vsk);
+- goto out_wait;
+- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+- err = -ETIMEDOUT;
++ /* Connection established. Whatever happens to socket once we
++ * release it, that's not connect()'s concern. No need to go
++ * into signal and timeout handling. Call it a day.
++ *
++ * Note that allowing to "reset" an already established socket
++ * here is racy and insecure.
++ */
++ if (sk->sk_state == TCP_ESTABLISHED)
++ break;
++
++ /* If connection was _not_ established and a signal/timeout came
++ * to be, we want the socket's state reset. User space may want
++ * to retry.
++ *
++ * sk_state != TCP_ESTABLISHED implies that socket is not on
++ * vsock_connected_table. We keep the binding and the transport
++ * assigned.
++ */
++ if (signal_pending(current) || timeout == 0) {
++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout);
++
++ /* Listener might have already responded with
++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our
++ * sk_state == TCP_SYN_SENT, which hereby we break.
++ * In such case VIRTIO_VSOCK_OP_RST will follow.
++ */
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
++
++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by
++ * transport->connect().
++ */
+ vsock_transport_cancel_pkt(vsk);
++
+ goto out_wait;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From ec62da3c2a8d4d0906edb65652d7a65f61021fb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 04:22:48 +0200
+Subject: xfrm: Determine inner GSO type from packet inner protocol
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 61fafbee6cfed283c02a320896089f658fa67e56 ]
+
+The GSO segmentation functions for ESP tunnel mode
+(xfrm4_tunnel_gso_segment and xfrm6_tunnel_gso_segment) were
+determining the inner packet's L2 protocol type by checking the static
+x->inner_mode.family field from the xfrm state.
+
+This is unreliable. In tunnel mode, the state's actual inner family
+could be defined by x->inner_mode.family or by
+x->inner_mode_iaf.family. Checking only the former can lead to a
+mismatch with the actual packet being processed, causing GSO to create
+segments with the wrong L2 header type.
+
+This patch fixes the bug by deriving the inner mode directly from the
+packet's inner protocol stored in XFRM_MODE_SKB_CB(skb)->protocol.
+
+Instead of replicating the code, this patch modifies the
+xfrm_ip2inner_mode helper function. It now correctly returns
+&x->inner_mode if the selector family (x->sel.family) is already
+specified, thereby handling both specific and AF_UNSPEC cases
+appropriately.
+
+With this change, ESP GSO can use xfrm_ip2inner_mode to get the
+correct inner mode. It doesn't affect existing callers, as the updated
+logic now mirrors the checks they were already performing externally.
+
+Fixes: 26dbd66eab80 ("esp: choose the correct inner protocol for GSO on inter address family tunnels")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 3 ++-
+ net/ipv4/esp4_offload.c | 6 ++++--
+ net/ipv6/esp6_offload.c | 6 ++++--
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 64911162ab5f4..ac5db167370c9 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -446,7 +446,8 @@ static inline int xfrm_af2proto(unsigned int family)
+
+ static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
+ {
+- if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
++ if ((x->sel.family != AF_UNSPEC) ||
++ (ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
+ (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
+ return &x->inner_mode;
+ else
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index ee848be59e65a..cbfc8b5b15bd2 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -110,8 +110,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6)
+- : htons(ETH_P_IP);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
++ XFRM_MODE_SKB_CB(skb)->protocol);
++ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
++ : htons(ETH_P_IP);
+
+ return skb_eth_gso_segment(skb, features, type);
+ }
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index fc6a5be732634..65d628e500059 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -145,8 +145,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP)
+- : htons(ETH_P_IPV6);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
++ XFRM_MODE_SKB_CB(skb)->protocol);
++ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
++ : htons(ETH_P_IPV6);
+
+ return skb_eth_gso_segment(skb, features, type);
+ }
+--
+2.51.0
+
--- /dev/null
+From a6eca0819b00c0d2f8b0d9066c2815a3e751adcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 22:35:17 +0000
+Subject: af_unix: Cache state->msg in unix_stream_read_generic().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 8b77338eb2af74bb93986e4a8cfd86724168fe39 ]
+
+In unix_stream_read_generic(), state->msg is fetched multiple times.
+
+Let's cache it in a local variable.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250702223606.1054680-6-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 7bf3a476ce43 ("af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 33 +++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 45f8e21829ecd..26d37a90b755d 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2769,20 +2769,21 @@ static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
+ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+ bool freezable)
+ {
+- struct scm_cookie scm;
++ int noblock = state->flags & MSG_DONTWAIT;
+ struct socket *sock = state->socket;
++ struct msghdr *msg = state->msg;
+ struct sock *sk = sock->sk;
+- struct unix_sock *u = unix_sk(sk);
+- int copied = 0;
++ size_t size = state->size;
+ int flags = state->flags;
+- int noblock = flags & MSG_DONTWAIT;
+ bool check_creds = false;
+- int target;
++ struct scm_cookie scm;
++ unsigned int last_len;
++ struct unix_sock *u;
++ int copied = 0;
+ int err = 0;
+ long timeo;
++ int target;
+ int skip;
+- size_t size = state->size;
+- unsigned int last_len;
+
+ if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) {
+ err = -EINVAL;
+@@ -2802,6 +2803,8 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+
+ memset(&scm, 0, sizeof(scm));
+
++ u = unix_sk(sk);
++
+ /* Lock the socket to prevent queue disordering
+ * while sleeps in memcpy_tomsg
+ */
+@@ -2894,14 +2897,12 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+ }
+
+ /* Copy address just once */
+- if (state->msg && state->msg->msg_name) {
+- DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr,
+- state->msg->msg_name);
+- unix_copy_addr(state->msg, skb->sk);
++ if (msg && msg->msg_name) {
++ DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name);
+
+- BPF_CGROUP_RUN_PROG_UNIX_RECVMSG_LOCK(sk,
+- state->msg->msg_name,
+- &state->msg->msg_namelen);
++ unix_copy_addr(msg, skb->sk);
++ BPF_CGROUP_RUN_PROG_UNIX_RECVMSG_LOCK(sk, msg->msg_name,
++ &msg->msg_namelen);
+
+ sunaddr = NULL;
+ }
+@@ -2959,8 +2960,8 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+ } while (size);
+
+ mutex_unlock(&u->iolock);
+- if (state->msg)
+- scm_recv_unix(sock, state->msg, &scm, flags);
++ if (msg)
++ scm_recv_unix(sock, msg, &scm, flags);
+ else
+ scm_destroy(&scm);
+ out:
+--
+2.51.0
+
--- /dev/null
+From f2b1ab4fafe6b975fa16c9f522b0fcdb83eb4260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 17:47:10 +0000
+Subject: af_unix: Read sk_peek_offset() again after sleeping in
+ unix_stream_read_generic().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 7bf3a476ce43833c49fceddbe94ff3472e04e9bc ]
+
+Miao Wang reported a bug of SO_PEEK_OFF on AF_UNIX SOCK_STREAM
+socket.
+
+The unexpected behaviour is triggered when the peek offset is
+larger than the recv queue and the thread is unblocked by new
+data.
+
+Let's assume a socket which has "aaaa" in the recv queue and
+the peek offset is 4.
+
+First, unix_stream_read_generic() reads the offset 4 and skips
+the skb(s) of "aaaa" with the code below:
+
+ skip = max(sk_peek_offset(sk, flags), 0); /* @skip is 4. */
+
+ do {
+ ...
+ while (skip >= unix_skb_len(skb)) {
+ skip -= unix_skb_len(skb);
+ ...
+ skb = skb_peek_next(skb, &sk->sk_receive_queue);
+ if (!skb)
+ goto again; /* @skip is 0. */
+ }
+
+The thread jumps to the 'again' label and goes to sleep since
+new data has not arrived yet.
+
+Later, new data "bbbb" unblocks the thread, and the thread jumps
+to the 'redo:' label to restart the entire process from the first
+skb in the recv queue.
+
+ do {
+ ...
+redo:
+ ...
+ last = skb = skb_peek(&sk->sk_receive_queue);
+ ...
+again:
+ if (skb == NULL) {
+ ...
+ timeo = unix_stream_data_wait(sk, timeo, last,
+ last_len, freezable);
+ ...
+ goto redo; /* @skip is 0 !! */
+
+However, the peek offset is not reset in the path.
+
+If the buffer size is 8, recv() will return "aaaabbbb" without
+skipping any data, and the final offset will be 12 (the original
+offset 4 + peeked skbs' length 8).
+
+After sleeping in unix_stream_read_generic(), we have to fetch the
+peek offset again.
+
+Let's move the redo label before mutex_lock(&u->iolock).
+
+Fixes: 9f389e35674f ("af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag")
+Reported-by: Miao Wang <shankerwangmiao@gmail.com>
+Closes: https://lore.kernel.org/netdev/3B969F90-F51F-4B9D-AB1A-994D9A54D460@gmail.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20251117174740.3684604-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 26d37a90b755d..59911ac719b19 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2805,6 +2805,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+
+ u = unix_sk(sk);
+
++redo:
+ /* Lock the socket to prevent queue disordering
+ * while sleeps in memcpy_tomsg
+ */
+@@ -2816,7 +2817,6 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+ struct sk_buff *skb, *last;
+ int chunk;
+
+-redo:
+ unix_state_lock(sk);
+ if (sock_flag(sk, SOCK_DEAD)) {
+ err = -ECONNRESET;
+@@ -2866,7 +2866,6 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+ goto out;
+ }
+
+- mutex_lock(&u->iolock);
+ goto redo;
+ unlock:
+ unix_state_unlock(sk);
+--
+2.51.0
+
--- /dev/null
+From c725e8aeaa72445ea2784528a3834258ecb8bab3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Oct 2025 14:51:26 +0200
+Subject: bcma: don't register devices disabled in OF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit a2a69add80411dd295c9088c1bcf925b1f4e53d7 ]
+
+Some bus devices can be marked as disabled for specific SoCs or models.
+Those should not be registered to avoid probing them.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251003125126.27950-1-zajec5@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bcma/main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c
+index 6ecfc821cf833..72f045e6ed513 100644
+--- a/drivers/bcma/main.c
++++ b/drivers/bcma/main.c
+@@ -294,6 +294,8 @@ static int bcma_register_devices(struct bcma_bus *bus)
+ int err;
+
+ list_for_each_entry(core, &bus->cores, list) {
++ struct device_node *np;
++
+ /* We support that core ourselves */
+ switch (core->id.id) {
+ case BCMA_CORE_4706_CHIPCOMMON:
+@@ -311,6 +313,10 @@ static int bcma_register_devices(struct bcma_bus *bus)
+ if (bcma_is_core_needed_early(core->id.id))
+ continue;
+
++ np = core->dev.of_node;
++ if (np && !of_device_is_available(np))
++ continue;
++
+ /* Only first GMAC core on BCM4706 is connected and working */
+ if (core->id.id == BCMA_CORE_4706_MAC_GBIT &&
+ core->core_unit > 0)
+--
+2.51.0
+
--- /dev/null
+From ee487477301ee6b00e85f984e0fcdba676ee3e1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Oct 2025 04:39:18 +0000
+Subject: blk-crypto: use BLK_STS_INVAL for alignment errors
+
+From: Carlos Llamas <cmllamas@google.com>
+
+[ Upstream commit 0b39ca457241aeca07a613002512573e8804f93a ]
+
+Make __blk_crypto_bio_prep() propagate BLK_STS_INVAL when IO segments
+fail the data unit alignment check.
+
+This was flagged by an LTP test that expects EINVAL when performing an
+O_DIRECT read with a misaligned buffer [1].
+
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/all/aP-c5gPjrpsn0vJA@google.com/ [1]
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Reviewed-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-crypto.c b/block/blk-crypto.c
+index 4d760b092deb9..7a0bd086a194b 100644
+--- a/block/blk-crypto.c
++++ b/block/blk-crypto.c
+@@ -282,7 +282,7 @@ bool __blk_crypto_bio_prep(struct bio **bio_ptr)
+ }
+
+ if (!bio_crypt_check_alignment(bio)) {
+- bio->bi_status = BLK_STS_IOERR;
++ bio->bi_status = BLK_STS_INVAL;
+ goto fail;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From a967772ba591e579b9d300542bbb415204042439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Nov 2025 20:32:57 +0530
+Subject: cifs: fix memory leak in smb3_fs_context_parse_param error path
+
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+
+[ Upstream commit 7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5 ]
+
+Add proper cleanup of ctx->source and fc->source to the
+cifs_parse_mount_err error handler. This ensures that memory allocated
+for the source strings is correctly freed on all error paths, matching
+the cleanup already performed in the success path by
+smb3_cleanup_fs_context_contents().
+Pointers are also set to NULL after freeing to prevent potential
+double-free issues.
+
+This change fixes a memory leak originally detected by syzbot. The
+leak occurred when processing Opt_source mount options if an error
+happened after ctx->source and fc->source were successfully
+allocated but before the function completed.
+
+The specific leak sequence was:
+1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory
+2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory
+3. A subsequent error jumps to cifs_parse_mount_err
+4. The old error handler freed passwords but not the source strings,
+causing the memory to leak.
+
+This issue was not addressed by commit e8c73eb7db0a ("cifs: client:
+fix memory leak in smb3_fs_context_parse_param"), which only fixed
+leaks from repeated fsconfig() calls but not this error path.
+
+Patch updated with minor change suggested by kernel test robot
+
+Reported-by: syzbot+87be6809ed9bf6d718e3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=87be6809ed9bf6d718e3
+Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index 4c295d6ca986a..9a4492106c25f 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1764,6 +1764,10 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+ ctx->password = NULL;
+ kfree_sensitive(ctx->password2);
+ ctx->password2 = NULL;
++ kfree(ctx->source);
++ ctx->source = NULL;
++ kfree(fc->source);
++ fc->source = NULL;
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 584a63ef658a247b8314f63e24c9eeb638d24c23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 21:17:01 -0500
+Subject: cifs: fix typo in enable_gcm_256 module parameter
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit f765fdfcd8b5bce92c6aa1a517ff549529ddf590 ]
+
+Fix typo in description of enable_gcm_256 module parameter
+
+Suggested-by: Thomas Spear <speeddymon@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c
+index 64dc7ec045d87..1187b0240a444 100644
+--- a/fs/smb/client/cifsfs.c
++++ b/fs/smb/client/cifsfs.c
+@@ -134,7 +134,7 @@ module_param(enable_oplocks, bool, 0644);
+ MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
+
+ module_param(enable_gcm_256, bool, 0644);
+-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0");
++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/1");
+
+ module_param(require_gcm_256, bool, 0644);
+ MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");
+--
+2.51.0
+
--- /dev/null
+From 94868d32be393ed64c12fe5714fe3967c5993ff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 14:05:49 +0200
+Subject: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit f94c1a114ac209977bdf5ca841b98424295ab1f0 ]
+
+The function devl_rate_nodes_destroy is documented to "Unset parent for
+all rate objects". However, it was only calling the driver-specific
+`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing
+the parent's refcount, without actually setting the
+`devlink_rate->parent` pointer to NULL.
+
+This leaves a dangling pointer in the `devlink_rate` struct, which cause
+refcount error in netdevsim[1] and mlx5[2]. In addition, this is
+inconsistent with the behavior of `devlink_nl_rate_parent_node_set`,
+where the parent pointer is correctly cleared.
+
+This patch fixes the issue by explicitly setting `devlink_rate->parent`
+to NULL after notifying the driver, thus fulfilling the function's
+documented behavior for all rate objects.
+
+[1]
+repro steps:
+echo 1 > /sys/bus/netdevsim/new_device
+devlink dev eswitch set netdevsim/netdevsim1 mode switchdev
+echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs
+devlink port function rate add netdevsim/netdevsim1/test_node
+devlink port function rate set netdevsim/netdevsim1/128 parent test_node
+echo 1 > /sys/bus/netdevsim/del_device
+
+dmesg:
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
+CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x42/0xe0
+Call Trace:
+ <TASK>
+ devl_rate_leaf_destroy+0x8d/0x90
+ __nsim_dev_port_del+0x6c/0x70 [netdevsim]
+ nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]
+ nsim_drv_remove+0x2b/0xb0 [netdevsim]
+ device_release_driver_internal+0x194/0x1f0
+ bus_remove_device+0xc6/0x130
+ device_del+0x159/0x3c0
+ device_unregister+0x1a/0x60
+ del_device_store+0x111/0x170 [netdevsim]
+ kernfs_fop_write_iter+0x12e/0x1e0
+ vfs_write+0x215/0x3d0
+ ksys_write+0x5f/0xd0
+ do_syscall_64+0x55/0x10f0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[2]
+devlink dev eswitch set pci/0000:08:00.0 mode switchdev
+devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000
+devlink port function rate add pci/0000:08:00.0/group1
+devlink port function rate set pci/0000:08:00.0/32768 parent group1
+modprobe -r mlx5_ib mlx5_fwctl mlx5_core
+
+dmesg:
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
+CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x42/0xe0
+Call Trace:
+ <TASK>
+ devl_rate_leaf_destroy+0x8d/0x90
+ mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]
+ mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]
+ mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]
+ mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]
+ notifier_call_chain+0x33/0xa0
+ blocking_notifier_call_chain+0x3b/0x50
+ mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]
+ mlx5_eswitch_disable+0x63/0x90 [mlx5_core]
+ mlx5_unload+0x1d/0x170 [mlx5_core]
+ mlx5_uninit_one+0xa2/0x130 [mlx5_core]
+ remove_one+0x78/0xd0 [mlx5_core]
+ pci_device_remove+0x39/0xa0
+ device_release_driver_internal+0x194/0x1f0
+ unbind_store+0x99/0xa0
+ kernfs_fop_write_iter+0x12e/0x1e0
+ vfs_write+0x215/0x3d0
+ ksys_write+0x5f/0xd0
+ do_syscall_64+0x53/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: d75559845078 ("devlink: Allow setting parent node of rate objects")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1763381149-1234377-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/devlink/rate.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/devlink/rate.c b/net/devlink/rate.c
+index 7139e67e93aeb..adb5267d377cf 100644
+--- a/net/devlink/rate.c
++++ b/net/devlink/rate.c
+@@ -701,13 +701,15 @@ void devl_rate_nodes_destroy(struct devlink *devlink)
+ if (!devlink_rate->parent)
+ continue;
+
+- refcount_dec(&devlink_rate->parent->refcnt);
+ if (devlink_rate_is_leaf(devlink_rate))
+ ops->rate_leaf_parent_set(devlink_rate, NULL, devlink_rate->priv,
+ NULL, NULL);
+ else if (devlink_rate_is_node(devlink_rate))
+ ops->rate_node_parent_set(devlink_rate, NULL, devlink_rate->priv,
+ NULL, NULL);
++
++ refcount_dec(&devlink_rate->parent->refcnt);
++ devlink_rate->parent = NULL;
+ }
+ list_for_each_entry_safe(devlink_rate, tmp, &devlink->rate_list, list) {
+ if (devlink_rate_is_node(devlink_rate)) {
+--
+2.51.0
+
--- /dev/null
+From 68c820211fa6c95a11a1d50d96125d480323d5ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Sep 2025 13:25:40 +0900
+Subject: drm/tegra: Add call to put_pid()
+
+From: Prateek Agarwal <praagarwal@nvidia.com>
+
+[ Upstream commit 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a ]
+
+Add a call to put_pid() corresponding to get_task_pid().
+host1x_memory_context_alloc() does not take ownership of the PID so we
+need to free it here to avoid leaking.
+
+Signed-off-by: Prateek Agarwal <praagarwal@nvidia.com>
+Fixes: e09db97889ec ("drm/tegra: Support context isolation")
+[mperttunen@nvidia.com: reword commit message]
+Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20250919-host1x-put-pid-v1-1-19c2163dfa87@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/uapi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c
+index 5adab6b229164..d0b6a1fa6efad 100644
+--- a/drivers/gpu/drm/tegra/uapi.c
++++ b/drivers/gpu/drm/tegra/uapi.c
+@@ -114,9 +114,12 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_
+ if (err)
+ goto put_channel;
+
+- if (supported)
++ if (supported) {
++ struct pid *pid = get_task_pid(current, PIDTYPE_TGID);
+ context->memory_context = host1x_memory_context_alloc(
+- host, client->base.dev, get_task_pid(current, PIDTYPE_TGID));
++ host, client->base.dev, pid);
++ put_pid(pid);
++ }
+
+ if (IS_ERR(context->memory_context)) {
+ if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) {
+--
+2.51.0
+
--- /dev/null
+From f7b95cc2d030f380f0bb8922b9362ceb64d8d288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 12:02:16 +0200
+Subject: ice: fix PTP cleanup on driver removal in error path
+
+From: Grzegorz Nitka <grzegorz.nitka@intel.com>
+
+[ Upstream commit 23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0 ]
+
+Improve the cleanup on releasing PTP resources in error path.
+The error case might happen either at the driver probe and PTP
+feature initialization or on PTP restart (errors in reset handling, NVM
+update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf
+function) and 'ps_lock' mutex deinitialization were missed.
+Additionally, ptp clock was not unregistered in the latter case.
+
+Keep PTP state as 'uninitialized' on init to distinguish between error
+scenarios and to avoid resource release duplication at driver removal.
+
+The consequence of missing ice_ptp_cleanup_pf call is the following call
+trace dumped when ice_adapter object is freed (port list is not empty,
+as it is required at this stage):
+
+[ T93022] ------------[ cut here ]------------
+[ T93022] WARNING: CPU: 10 PID: 93022 at
+ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]
+...
+[ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]
+...
+[ T93022] Call Trace:
+[ T93022] <TASK>
+[ T93022] ? ice_adapter_put+0xef/0x100 [ice
+33d2647ad4f6d866d41eefff1806df37c68aef0c]
+[ T93022] ? __warn.cold+0xb0/0x10e
+[ T93022] ? ice_adapter_put+0xef/0x100 [ice
+33d2647ad4f6d866d41eefff1806df37c68aef0c]
+[ T93022] ? report_bug+0xd8/0x150
+[ T93022] ? handle_bug+0xe9/0x110
+[ T93022] ? exc_invalid_op+0x17/0x70
+[ T93022] ? asm_exc_invalid_op+0x1a/0x20
+[ T93022] ? ice_adapter_put+0xef/0x100 [ice
+33d2647ad4f6d866d41eefff1806df37c68aef0c]
+[ T93022] pci_device_remove+0x42/0xb0
+[ T93022] device_release_driver_internal+0x19f/0x200
+[ T93022] driver_detach+0x48/0x90
+[ T93022] bus_remove_driver+0x70/0xf0
+[ T93022] pci_unregister_driver+0x42/0xb0
+[ T93022] ice_module_exit+0x10/0xdb0 [ice
+33d2647ad4f6d866d41eefff1806df37c68aef0c]
+...
+[ T93022] ---[ end trace 0000000000000000 ]---
+[ T93022] ice: module unloaded
+
+Fixes: e800654e85b5 ("ice: Use ice_adapter for PTP shared data instead of auxdev")
+Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
+index 369c968a0117d..4e6006991e8fd 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -3409,7 +3409,7 @@ void ice_ptp_init(struct ice_pf *pf)
+
+ err = ice_ptp_init_port(pf, &ptp->port);
+ if (err)
+- goto err_exit;
++ goto err_clean_pf;
+
+ /* Start the PHY timestamping block */
+ ice_ptp_reset_phy_timestamping(pf);
+@@ -3426,13 +3426,19 @@ void ice_ptp_init(struct ice_pf *pf)
+ dev_info(ice_pf_to_dev(pf), "PTP init successful\n");
+ return;
+
++err_clean_pf:
++ mutex_destroy(&ptp->port.ps_lock);
++ ice_ptp_cleanup_pf(pf);
+ err_exit:
+ /* If we registered a PTP clock, release it */
+ if (pf->ptp.clock) {
+ ptp_clock_unregister(ptp->clock);
+ pf->ptp.clock = NULL;
+ }
+- ptp->state = ICE_PTP_ERROR;
++ /* Keep ICE_PTP_UNINIT state to avoid ambiguity at driver unload
++ * and to avoid duplicated resources release.
++ */
++ ptp->state = ICE_PTP_UNINIT;
+ dev_err(ice_pf_to_dev(pf), "PTP failed %d\n", err);
+ }
+
+@@ -3445,9 +3451,19 @@ void ice_ptp_init(struct ice_pf *pf)
+ */
+ void ice_ptp_release(struct ice_pf *pf)
+ {
+- if (pf->ptp.state != ICE_PTP_READY)
++ if (pf->ptp.state == ICE_PTP_UNINIT)
+ return;
+
++ if (pf->ptp.state != ICE_PTP_READY) {
++ mutex_destroy(&pf->ptp.port.ps_lock);
++ ice_ptp_cleanup_pf(pf);
++ if (pf->ptp.clock) {
++ ptp_clock_unregister(pf->ptp.clock);
++ pf->ptp.clock = NULL;
++ }
++ return;
++ }
++
+ pf->ptp.state = ICE_PTP_UNINIT;
+
+ /* Disable timestamping for both Tx and Rx */
+--
+2.51.0
+
--- /dev/null
+From 7c5f586e87ace38146c48a5a830efe7e196d4221 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 08:08:24 -0700
+Subject: idpf: fix possible vport_config NULL pointer deref in remove
+
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+
+[ Upstream commit 118082368c2b6ddefe6cb607efc312285148f044 ]
+
+Attempting to remove the driver will cause a crash in cases where
+the vport failed to initialize. Following trace is from an instance where
+the driver failed during an attempt to create a VF:
+[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated
+[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)
+[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028
+...
+[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]
+...
+[ 1723.364973] Call Trace:
+[ 1723.365475] <TASK>
+[ 1723.365972] pci_device_remove+0x42/0xb0
+[ 1723.366481] device_release_driver_internal+0x1a9/0x210
+[ 1723.366987] pci_stop_bus_device+0x6d/0x90
+[ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20
+[ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120
+[ 1723.368309] sriov_disable+0x34/0xe0
+[ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf]
+[ 1723.368982] sriov_numvfs_store+0xda/0x1c0
+
+Avoid the NULL pointer dereference by adding NULL pointer check for
+vport_config[i], before freeing user_config.q_coalesce.
+
+Fixes: e1e3fec3e34b ("idpf: preserve coalescing settings across resets")
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Reviewed-by: Chittim Madhu <madhu.chittim@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_main.c b/drivers/net/ethernet/intel/idpf/idpf_main.c
+index 4c48a1a6aab0d..d7a7b0c5f1b8d 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_main.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_main.c
+@@ -62,6 +62,8 @@ static void idpf_remove(struct pci_dev *pdev)
+ destroy_workqueue(adapter->vc_event_wq);
+
+ for (i = 0; i < adapter->max_vports; i++) {
++ if (!adapter->vport_config[i])
++ continue;
+ kfree(adapter->vport_config[i]->user_config.q_coalesce);
+ kfree(adapter->vport_config[i]);
+ adapter->vport_config[i] = NULL;
+--
+2.51.0
+
--- /dev/null
+From 1c9c7c9c15fcf0ce051c471f2996a4507b7787f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 17:49:32 +0200
+Subject: kconfig/mconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ]
+
+Fix bug where make menuconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/mconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c
+index 84ea9215c0a7e..b8b7bba84a651 100644
+--- a/scripts/kconfig/mconf.c
++++ b/scripts/kconfig/mconf.c
+@@ -12,6 +12,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <limits.h>
++#include <locale.h>
+ #include <stdarg.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -931,6 +932,8 @@ int main(int ac, char **av)
+
+ signal(SIGINT, sig_handler);
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ silent = 1;
+ /* Silence conf_read() until the real callback is set up */
+--
+2.51.0
+
--- /dev/null
+From 9c762fb091faa592058ef7b65511397ee7deda4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 16:44:06 +0200
+Subject: kconfig/nconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ]
+
+Fix bug where make nconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index 5f484422278e1..cfe66aaf8bfe9 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -7,6 +7,7 @@
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
++#include <locale.h>
+ #include <string.h>
+ #include <strings.h>
+ #include <stdlib.h>
+@@ -1478,6 +1479,8 @@ int main(int ac, char **av)
+ int lines, columns;
+ char *mode;
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ /* Silence conf_read() until the real callback is set up */
+ conf_set_message_callback(NULL);
+--
+2.51.0
+
--- /dev/null
+From a60adaf4a5b2aaacc56ccba9a26bdb82b8012611 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 14:42:05 +0800
+Subject: LoongArch: Use UAPI types in ptrace UAPI header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 20d7338f2d3bcb570068dd6d39b16f1a909fe976 ]
+
+The kernel UAPI headers already contain fixed-width integer types, there
+is no need to rely on the libc types. There may not be a libc available
+or the libc may not provides the <stdint.h>, like for example on nolibc.
+
+This also aligns the header with the rest of the LoongArch UAPI headers.
+
+Fixes: 803b0fc5c3f2 ("LoongArch: Add process management")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/include/uapi/asm/ptrace.h | 40 +++++++++++-------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+diff --git a/arch/loongarch/include/uapi/asm/ptrace.h b/arch/loongarch/include/uapi/asm/ptrace.h
+index aafb3cd9e943e..215e0f9e8aa32 100644
+--- a/arch/loongarch/include/uapi/asm/ptrace.h
++++ b/arch/loongarch/include/uapi/asm/ptrace.h
+@@ -10,10 +10,6 @@
+
+ #include <linux/types.h>
+
+-#ifndef __KERNEL__
+-#include <stdint.h>
+-#endif
+-
+ /*
+ * For PTRACE_{POKE,PEEK}USR. 0 - 31 are GPRs,
+ * 32 is syscall's original ARG0, 33 is PC, 34 is BADVADDR.
+@@ -41,44 +37,44 @@ struct user_pt_regs {
+ } __attribute__((aligned(8)));
+
+ struct user_fp_state {
+- uint64_t fpr[32];
+- uint64_t fcc;
+- uint32_t fcsr;
++ __u64 fpr[32];
++ __u64 fcc;
++ __u32 fcsr;
+ };
+
+ struct user_lsx_state {
+ /* 32 registers, 128 bits width per register. */
+- uint64_t vregs[32*2];
++ __u64 vregs[32*2];
+ };
+
+ struct user_lasx_state {
+ /* 32 registers, 256 bits width per register. */
+- uint64_t vregs[32*4];
++ __u64 vregs[32*4];
+ };
+
+ struct user_lbt_state {
+- uint64_t scr[4];
+- uint32_t eflags;
+- uint32_t ftop;
++ __u64 scr[4];
++ __u32 eflags;
++ __u32 ftop;
+ };
+
+ struct user_watch_state {
+- uint64_t dbg_info;
++ __u64 dbg_info;
+ struct {
+- uint64_t addr;
+- uint64_t mask;
+- uint32_t ctrl;
+- uint32_t pad;
++ __u64 addr;
++ __u64 mask;
++ __u32 ctrl;
++ __u32 pad;
+ } dbg_regs[8];
+ };
+
+ struct user_watch_state_v2 {
+- uint64_t dbg_info;
++ __u64 dbg_info;
+ struct {
+- uint64_t addr;
+- uint64_t mask;
+- uint32_t ctrl;
+- uint32_t pad;
++ __u64 addr;
++ __u64 mask;
++ __u32 ctrl;
++ __u32 pad;
+ } dbg_regs[14];
+ };
+
+--
+2.51.0
+
--- /dev/null
+From ac1f4812e5a7c7213b58fb02468b0449f3d4f77d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 05:21:14 +0000
+Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ]
+
+The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to
+obtain a ruleset reference. If the subsequent call to
+mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns
+an error without releasing the ruleset reference, causing a memory leak.
+
+Fix this by using a goto to the existing error handling label, which
+calls mlxsw_sp_acl_ruleset_put() to properly release the reference.
+
+Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+index f07955b5439f6..a8d4cf8b92998 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+@@ -820,8 +820,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp,
+ return -EINVAL;
+
+ rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie);
+- if (!rule)
+- return -EINVAL;
++ if (!rule) {
++ err = -EINVAL;
++ goto err_rule_get_stats;
++ }
+
+ err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes,
+ &drops, &lastuse, &used_hw_stats);
+--
+2.51.0
+
--- /dev/null
+From 1522ff9ba8af7b0c997cd1c5a14a36cbaba40b23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 16:57:44 +0300
+Subject: net: dsa: hellcreek: fix missing error handling in LED registration
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ]
+
+The LED setup routine registered both led_sync_good
+and led_is_gm devices without checking the return
+values of led_classdev_register(). If either registration
+failed, the function continued silently, leaving the
+driver in a partially-initialized state and leaking
+a registered LED classdev.
+
+Add proper error handling
+
+Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Kurt Kanzenbach <kurt@linutronix.de>
+Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+index bfe21f9f7dcd3..cb23bea9c21b8 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c
++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+@@ -376,8 +376,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek)
+ hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1);
+
+ /* Register both leds */
+- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
+- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n");
++ goto out;
++ }
++
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n");
++ led_classdev_unregister(&hellcreek->led_sync_good);
++ goto out;
++ }
+
+ ret = 0;
+
+--
+2.51.0
+
--- /dev/null
+From efe20ffae60c94dded386d4cbd7869a035c57cf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 14:16:08 +0200
+Subject: net/mlx5: Clean up only new IRQ glue on request_irq() failure
+
+From: Pradyumn Rahar <pradyumn.rahar@oracle.com>
+
+[ Upstream commit d47515af6cccd7484d8b0870376858c9848a18ec ]
+
+The mlx5_irq_alloc() function can inadvertently free the entire rmap
+and end up in a crash[1] when the other threads tries to access this,
+when request_irq() fails due to exhausted IRQ vectors. This commit
+modifies the cleanup to remove only the specific IRQ mapping that was
+just added.
+
+This prevents removal of other valid mappings and ensures precise
+cleanup of the failed IRQ allocation's associated glue object.
+
+Note: This error is observed when both fwctl and rds configs are enabled.
+
+[1]
+mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1
+mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
+request irq. err = -28
+infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
+trying to test write-combining support
+mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1
+mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1
+mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
+request irq. err = -28
+infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
+trying to test write-combining support
+mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1
+mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
+request irq. err = -28
+mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
+request irq. err = -28
+general protection fault, probably for non-canonical address
+0xe277a58fde16f291: 0000 [#1] SMP NOPTI
+
+RIP: 0010:free_irq_cpu_rmap+0x23/0x7d
+Call Trace:
+ <TASK>
+ ? show_trace_log_lvl+0x1d6/0x2f9
+ ? show_trace_log_lvl+0x1d6/0x2f9
+ ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
+ ? __die_body.cold+0x8/0xa
+ ? die_addr+0x39/0x53
+ ? exc_general_protection+0x1c4/0x3e9
+ ? dev_vprintk_emit+0x5f/0x90
+ ? asm_exc_general_protection+0x22/0x27
+ ? free_irq_cpu_rmap+0x23/0x7d
+ mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
+ irq_pool_request_vector+0x7d/0x90 [mlx5_core]
+ mlx5_irq_request+0x2e/0xe0 [mlx5_core]
+ mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]
+ comp_irq_request_pci+0x64/0xf0 [mlx5_core]
+ create_comp_eq+0x71/0x385 [mlx5_core]
+ ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]
+ mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]
+ ? xas_load+0x8/0x91
+ mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]
+ mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]
+ mlx5e_open_channels+0xad/0x250 [mlx5_core]
+ mlx5e_open_locked+0x3e/0x110 [mlx5_core]
+ mlx5e_open+0x23/0x70 [mlx5_core]
+ __dev_open+0xf1/0x1a5
+ __dev_change_flags+0x1e1/0x249
+ dev_change_flags+0x21/0x5c
+ do_setlink+0x28b/0xcc4
+ ? __nla_parse+0x22/0x3d
+ ? inet6_validate_link_af+0x6b/0x108
+ ? cpumask_next+0x1f/0x35
+ ? __snmp6_fill_stats64.constprop.0+0x66/0x107
+ ? __nla_validate_parse+0x48/0x1e6
+ __rtnl_newlink+0x5ff/0xa57
+ ? kmem_cache_alloc_trace+0x164/0x2ce
+ rtnl_newlink+0x44/0x6e
+ rtnetlink_rcv_msg+0x2bb/0x362
+ ? __netlink_sendskb+0x4c/0x6c
+ ? netlink_unicast+0x28f/0x2ce
+ ? rtnl_calcit.isra.0+0x150/0x146
+ netlink_rcv_skb+0x5f/0x112
+ netlink_unicast+0x213/0x2ce
+ netlink_sendmsg+0x24f/0x4d9
+ __sock_sendmsg+0x65/0x6a
+ ____sys_sendmsg+0x28f/0x2c9
+ ? import_iovec+0x17/0x2b
+ ___sys_sendmsg+0x97/0xe0
+ __sys_sendmsg+0x81/0xd8
+ do_syscall_64+0x35/0x87
+ entry_SYSCALL_64_after_hwframe+0x6e/0x0
+RIP: 0033:0x7fc328603727
+Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed
+ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00
+f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48
+RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727
+RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d
+RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007ffe8eb3f3c8 R15: 00007ffe8eb3f3bc
+ </TASK>
+---[ end trace f43ce73c3c2b13a2 ]---
+RIP: 0010:free_irq_cpu_rmap+0x23/0x7d
+Code: 0f 1f 80 00 00 00 00 48 85 ff 74 6b 55 48 89 fd 53 66 83 7f 06 00
+74 24 31 db 48 8b 55 08 0f b7 c3 48 8b 04 c2 48 85 c0 74 09 <8b> 38 31
+f6 e8 c4 0a b8 ff 83 c3 01 66 3b 5d 06 72 de b8 ff ff ff
+RSP: 0018:ff384881640eaca0 EFLAGS: 00010282
+RAX: e277a58fde16f291 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ff2335e2e20b3600 RSI: 0000000000000000 RDI: ff2335e2e20b3400
+RBP: ff2335e2e20b3400 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 00000000ffffffe4 R12: ff384881640ead88
+R13: ff2335c3760751e0 R14: ff2335e2e1672200 R15: ff2335c3760751f8
+FS: 00007fc32ac22480(0000) GS:ff2335e2d6e00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f651ab54000 CR3: 00000029f1206003 CR4: 0000000000771ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Kernel panic - not syncing: Fatal exception
+Kernel Offset: 0x1dc00000 from 0xffffffff81000000 (relocation range:
+0xffffffff80000000-0xffffffffbfffffff)
+kvm-guest: disable async PF for cpu 0
+
+Fixes: 3354822cde5a ("net/mlx5: Use dynamic msix vectors allocation")
+Signed-off-by: Mohith Kumar Thummaluru<mohith.k.kumar.thummaluru@oracle.com>
+Tested-by: Mohith Kumar Thummaluru<mohith.k.kumar.thummaluru@oracle.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Signed-off-by: Pradyumn Rahar <pradyumn.rahar@oracle.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1763381768-1234998-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
+index 2c5f850c31f68..0c6b5103a57c0 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
+@@ -324,10 +324,8 @@ struct mlx5_irq *mlx5_irq_alloc(struct mlx5_irq_pool *pool, int i,
+ free_irq(irq->map.virq, &irq->nh);
+ err_req_irq:
+ #ifdef CONFIG_RFS_ACCEL
+- if (i && rmap && *rmap) {
+- free_irq_cpu_rmap(*rmap);
+- *rmap = NULL;
+- }
++ if (i && rmap && *rmap)
++ irq_cpu_rmap_remove(*rmap, irq->map.virq);
+ err_irq_rmap:
+ #endif
+ if (i && pci_msix_can_alloc_dyn(dev->pdev))
+--
+2.51.0
+
--- /dev/null
+From 90d1b6d72738edf93a9922fd182fd7a303e6a910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 19:19:21 +0300
+Subject: net: mlxsw: linecards: fix missing error check in
+ mlxsw_linecard_devlink_info_get()
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit b0c959fec18f4595a6a6317ffc30615cfa37bf69 ]
+
+The call to devlink_info_version_fixed_put() in
+mlxsw_linecard_devlink_info_get() did not check for errors,
+although it is checked everywhere in the code.
+
+Add missed 'err' check to the mlxsw_linecard_devlink_info_get()
+
+Fixes: 3fc0c51905fb ("mlxsw: core_linecards: Expose device PSID over device info")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251113161922.813828-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+index b032d5a4b3b84..10f5bc4892fc7 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+@@ -601,6 +601,8 @@ int mlxsw_linecard_devlink_info_get(struct mlxsw_linecard *linecard,
+ err = devlink_info_version_fixed_put(req,
+ DEVLINK_INFO_VERSION_GENERIC_FW_PSID,
+ info->psid);
++ if (err)
++ goto unlock;
+
+ sprintf(buf, "%u.%u.%u", info->fw_major, info->fw_minor,
+ info->fw_sub_minor);
+--
+2.51.0
+
--- /dev/null
+From 734e64f3b36b5030d55c22d42c96fc3130fbdfa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:14:03 +0100
+Subject: net: openvswitch: remove never-working support for setting nsh fields
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ]
+
+The validation of the set(nsh(...)) action is completely wrong.
+It runs through the nsh_key_put_from_nlattr() function that is the
+same function that validates NSH keys for the flow match and the
+push_nsh() action. However, the set(nsh(...)) has a very different
+memory layout. Nested attributes in there are doubled in size in
+case of the masked set(). That makes proper validation impossible.
+
+There is also confusion in the code between the 'masked' flag, that
+says that the nested attributes are doubled in size containing both
+the value and the mask, and the 'is_mask' that says that the value
+we're parsing is the mask. This is causing kernel crash on trying to
+write into mask part of the match with SW_FLOW_KEY_PUT() during
+validation, while validate_nsh() doesn't allocate any memory for it:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
+ RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
+ Call Trace:
+ <TASK>
+ validate_nsh+0x60/0x90 [openvswitch]
+ validate_set.constprop.0+0x270/0x3c0 [openvswitch]
+ __ovs_nla_copy_actions+0x477/0x860 [openvswitch]
+ ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
+ ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
+ genl_family_rcv_msg_doit+0xdb/0x130
+ genl_family_rcv_msg+0x14b/0x220
+ genl_rcv_msg+0x47/0xa0
+ netlink_rcv_skb+0x53/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x280/0x3b0
+ netlink_sendmsg+0x1f7/0x430
+ ____sys_sendmsg+0x36b/0x3a0
+ ___sys_sendmsg+0x87/0xd0
+ __sys_sendmsg+0x6d/0xd0
+ do_syscall_64+0x7b/0x2c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The third issue with this process is that while trying to convert
+the non-masked set into masked one, validate_set() copies and doubles
+the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
+attributes. It should be copying each nested attribute and doubling
+them in size independently. And the process must be properly reversed
+during the conversion back from masked to a non-masked variant during
+the flow dump.
+
+In the end, the only two outcomes of trying to use this action are
+either validation failure or a kernel crash. And if somehow someone
+manages to install a flow with such an action, it will most definitely
+not do what it is supposed to, since all the keys and the masks are
+mixed up.
+
+Fixing all the issues is a complex task as it requires re-writing
+most of the validation code.
+
+Given that and the fact that this functionality never worked since
+introduction, let's just remove it altogether. It's better to
+re-introduce it later with a proper implementation instead of trying
+to fix it in stable releases.
+
+Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
+Reported-by: Junvy Yang <zhuque@tencent.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/actions.c | 68 +---------------------------------
+ net/openvswitch/flow_netlink.c | 64 ++++----------------------------
+ net/openvswitch/flow_netlink.h | 2 -
+ 3 files changed, 9 insertions(+), 125 deletions(-)
+
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index 2f22ca59586f2..dad8e6eefe680 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -613,69 +613,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key,
+ return 0;
+ }
+
+-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
+- const struct nlattr *a)
+-{
+- struct nshhdr *nh;
+- size_t length;
+- int err;
+- u8 flags;
+- u8 ttl;
+- int i;
+-
+- struct ovs_key_nsh key;
+- struct ovs_key_nsh mask;
+-
+- err = nsh_key_from_nlattr(a, &key, &mask);
+- if (err)
+- return err;
+-
+- /* Make sure the NSH base header is there */
+- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN))
+- return -ENOMEM;
+-
+- nh = nsh_hdr(skb);
+- length = nsh_hdr_len(nh);
+-
+- /* Make sure the whole NSH header is there */
+- err = skb_ensure_writable(skb, skb_network_offset(skb) +
+- length);
+- if (unlikely(err))
+- return err;
+-
+- nh = nsh_hdr(skb);
+- skb_postpull_rcsum(skb, nh, length);
+- flags = nsh_get_flags(nh);
+- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
+- flow_key->nsh.base.flags = flags;
+- ttl = nsh_get_ttl(nh);
+- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl);
+- flow_key->nsh.base.ttl = ttl;
+- nsh_set_flags_and_ttl(nh, flags, ttl);
+- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr,
+- mask.base.path_hdr);
+- flow_key->nsh.base.path_hdr = nh->path_hdr;
+- switch (nh->mdtype) {
+- case NSH_M_TYPE1:
+- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) {
+- nh->md1.context[i] =
+- OVS_MASKED(nh->md1.context[i], key.context[i],
+- mask.context[i]);
+- }
+- memcpy(flow_key->nsh.context, nh->md1.context,
+- sizeof(nh->md1.context));
+- break;
+- case NSH_M_TYPE2:
+- memset(flow_key->nsh.context, 0,
+- sizeof(flow_key->nsh.context));
+- break;
+- default:
+- return -EINVAL;
+- }
+- skb_postpush_rcsum(skb, nh, length);
+- return 0;
+-}
+-
+ /* Must follow skb_ensure_writable() since that can move the skb data. */
+ static void set_tp_port(struct sk_buff *skb, __be16 *port,
+ __be16 new_port, __sum16 *check)
+@@ -1169,10 +1106,6 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ get_mask(a, struct ovs_key_ethernet *));
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- err = set_nsh(skb, flow_key, a);
+- break;
+-
+ case OVS_KEY_ATTR_IPV4:
+ err = set_ipv4(skb, flow_key, nla_data(a),
+ get_mask(a, struct ovs_key_ipv4 *));
+@@ -1209,6 +1142,7 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ case OVS_KEY_ATTR_CT_LABELS:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6:
++ case OVS_KEY_ATTR_NSH:
+ err = -EINVAL;
+ break;
+ }
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index 305daf57a4f9d..e3359e15aa2e4 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1305,6 +1305,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
+ return 0;
+ }
+
++/*
++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH,
++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that
++ * attributes were previously validated with validate_push_nsh().
++ */
+ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ struct nshhdr *nh, size_t size)
+ {
+@@ -1314,8 +1319,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ u8 ttl = 0;
+ int mdlen = 0;
+
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+ if (size < NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+
+@@ -1359,46 +1362,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ return 0;
+ }
+
+-int nsh_key_from_nlattr(const struct nlattr *attr,
+- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
+-{
+- struct nlattr *a;
+- int rem;
+-
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+- nla_for_each_nested(a, attr, rem) {
+- int type = nla_type(a);
+-
+- switch (type) {
+- case OVS_NSH_KEY_ATTR_BASE: {
+- const struct ovs_nsh_key_base *base = nla_data(a);
+- const struct ovs_nsh_key_base *base_mask = base + 1;
+-
+- nsh->base = *base;
+- nsh_mask->base = *base_mask;
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD1: {
+- const struct ovs_nsh_key_md1 *md1 = nla_data(a);
+- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;
+-
+- memcpy(nsh->context, md1->context, sizeof(*md1));
+- memcpy(nsh_mask->context, md1_mask->context,
+- sizeof(*md1_mask));
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD2:
+- /* Not supported yet */
+- return -ENOTSUPP;
+- default:
+- return -EINVAL;
+- }
+- }
+-
+- return 0;
+-}
+-
+ static int nsh_key_put_from_nlattr(const struct nlattr *attr,
+ struct sw_flow_match *match, bool is_mask,
+ bool is_push_nsh, bool log)
+@@ -2839,17 +2802,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
+ return err;
+ }
+
+-static bool validate_nsh(const struct nlattr *attr, bool is_mask,
+- bool is_push_nsh, bool log)
++static bool validate_push_nsh(const struct nlattr *attr, bool log)
+ {
+ struct sw_flow_match match;
+ struct sw_flow_key key;
+- int ret = 0;
+
+ ovs_match_init(&match, &key, true, NULL);
+- ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
+- is_push_nsh, log);
+- return !ret;
++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ }
+
+ /* Return false if there are any non-masked bits set.
+@@ -2997,13 +2956,6 @@ static int validate_set(const struct nlattr *a,
+
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- if (eth_type != htons(ETH_P_NSH))
+- return -EINVAL;
+- if (!validate_nsh(nla_data(a), masked, false, log))
+- return -EINVAL;
+- break;
+-
+ default:
+ return -EINVAL;
+ }
+@@ -3436,7 +3388,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
+ return -EINVAL;
+ }
+ mac_proto = MAC_PROTO_NONE;
+- if (!validate_nsh(nla_data(a), false, true, true))
++ if (!validate_push_nsh(nla_data(a), log))
+ return -EINVAL;
+ break;
+
+diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h
+index fe7f77fc5f189..ff8cdecbe3465 100644
+--- a/net/openvswitch/flow_netlink.h
++++ b/net/openvswitch/flow_netlink.h
+@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr,
+ void ovs_nla_free_flow_actions(struct sw_flow_actions *);
+ void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *);
+
+-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh,
+- struct ovs_key_nsh *nsh_mask);
+ int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh,
+ size_t size);
+
+--
+2.51.0
+
--- /dev/null
+From 49982d3ec2e0a2e416cf9119c116d3787ecd9b64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 14:27:56 +0300
+Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont()
+ and qede_tpa_end()
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ]
+
+The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate
+over 'cqe->len_list[]' using only a zero-length terminator as
+the stopping condition. If the terminator was missing or
+malformed, the loop could run past the end of the fixed-size array.
+
+Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
+a potential out-of-bounds access.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+index 847fa62c80df8..e338bfc8b7b2f 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+@@ -4,6 +4,7 @@
+ * Copyright (c) 2019-2020 Marvell International Ltd.
+ */
+
++#include <linux/array_size.h>
+ #include <linux/netdevice.h>
+ #include <linux/etherdevice.h>
+ #include <linux/skbuff.h>
+@@ -960,7 +961,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev,
+ {
+ int i;
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+
+@@ -985,7 +986,7 @@ static int qede_tpa_end(struct qede_dev *edev,
+ dma_unmap_page(rxq->dev, tpa_info->buffer.mapping,
+ PAGE_SIZE, rxq->data_direction);
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+ if (unlikely(i > 1))
+--
+2.51.0
+
--- /dev/null
+From 2a4e9079f013a4a69fbd400d6ffce61c0711db5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 22:03:02 +0200
+Subject: net: tls: Cancel RX async resync request on rcd_delta overflow
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ]
+
+When a netdev issues a RX async resync request for a TLS connection,
+the TLS module handles it by logging record headers and attempting to
+match them to the tcp_sn provided by the device. If a match is found,
+the TLS module approves the tcp_sn for resynchronization.
+
+While waiting for a device response, the TLS module also increments
+rcd_delta each time a new TLS record is received, tracking the distance
+from the original resync request.
+
+However, if the device response is delayed or fails (e.g due to
+unstable connection and device getting out of tracking, hardware
+errors, resource exhaustion etc.), the TLS module keeps logging and
+incrementing, which can lead to a WARN() when rcd_delta exceeds the
+threshold.
+
+To address this, introduce tls_offload_rx_resync_async_request_cancel()
+to explicitly cancel resync requests when a device response failure is
+detected. Call this helper also as a final safeguard when rcd_delta
+crosses its threshold, as reaching this point implies that earlier
+cancellation did not occur.
+
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tls.h | 6 ++++++
+ net/tls/tls_device.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/tls.h b/include/net/tls.h
+index 181173e62a068..3f4235cc0207c 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -464,6 +464,12 @@ tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_
+ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ);
+ }
+
++static inline void
++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async)
++{
++ atomic64_set(&resync_async->req, 0);
++}
++
+ static inline void
+ tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type)
+ {
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index dc063c2c7950e..0af7b3c529678 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -721,8 +721,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async,
+ /* shouldn't get to wraparound:
+ * too long in async stage, something bad happened
+ */
+- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX))
++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) {
++ tls_offload_rx_resync_async_request_cancel(resync_async);
+ return false;
++ }
+
+ /* asynchronous stage: log all headers seq such that
+ * req_seq <= seq <= end_seq, and wait for real resync request
+--
+2.51.0
+
--- /dev/null
+From 7ee7e39be1e7ba7e40b8a2276608f06066bb2710 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 22:03:01 +0200
+Subject: net: tls: Change async resync helpers argument
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit 34892cfec0c2d96787c4be7bda0d5f18d7dacf85 ]
+
+Update tls_offload_rx_resync_async_request_start() and
+tls_offload_rx_resync_async_request_end() to get a struct
+tls_offload_resync_async parameter directly, rather than
+extracting it from struct sock.
+
+This change aligns the function signatures with the upcoming
+tls_offload_rx_resync_async_request_cancel() helper, which
+will be introduced in a subsequent patch.
+
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1761508983-937977-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/ktls_rx.c | 9 ++++++--
+ include/net/tls.h | 21 +++++++------------
+ 2 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+index 65ccb33edafb7..c0089c704c0cc 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+@@ -425,12 +425,14 @@ void mlx5e_ktls_handle_get_psv_completion(struct mlx5e_icosq_wqe_info *wi,
+ {
+ struct mlx5e_ktls_rx_resync_buf *buf = wi->tls_get_params.buf;
+ struct mlx5e_ktls_offload_context_rx *priv_rx;
++ struct tls_offload_context_rx *rx_ctx;
+ u8 tracker_state, auth_state, *ctx;
+ struct device *dev;
+ u32 hw_seq;
+
+ priv_rx = buf->priv_rx;
+ dev = mlx5_core_dma_dev(sq->channel->mdev);
++ rx_ctx = tls_offload_ctx_rx(tls_get_ctx(priv_rx->sk));
+ if (unlikely(test_bit(MLX5E_PRIV_RX_FLAG_DELETING, priv_rx->flags)))
+ goto out;
+
+@@ -447,7 +449,8 @@ void mlx5e_ktls_handle_get_psv_completion(struct mlx5e_icosq_wqe_info *wi,
+ }
+
+ hw_seq = MLX5_GET(tls_progress_params, ctx, hw_resync_tcp_sn);
+- tls_offload_rx_resync_async_request_end(priv_rx->sk, cpu_to_be32(hw_seq));
++ tls_offload_rx_resync_async_request_end(rx_ctx->resync_async,
++ cpu_to_be32(hw_seq));
+ priv_rx->rq_stats->tls_resync_req_end++;
+ out:
+ mlx5e_ktls_priv_rx_put(priv_rx);
+@@ -482,6 +485,7 @@ static bool resync_queue_get_psv(struct sock *sk)
+ static void resync_update_sn(struct mlx5e_rq *rq, struct sk_buff *skb)
+ {
+ struct ethhdr *eth = (struct ethhdr *)(skb->data);
++ struct tls_offload_resync_async *resync_async;
+ struct net_device *netdev = rq->netdev;
+ struct net *net = dev_net(netdev);
+ struct sock *sk = NULL;
+@@ -528,7 +532,8 @@ static void resync_update_sn(struct mlx5e_rq *rq, struct sk_buff *skb)
+
+ seq = th->seq;
+ datalen = skb->len - depth;
+- tls_offload_rx_resync_async_request_start(sk, seq, datalen);
++ resync_async = tls_offload_ctx_rx(tls_get_ctx(sk))->resync_async;
++ tls_offload_rx_resync_async_request_start(resync_async, seq, datalen);
+ rq->stats->tls_resync_req_start++;
+
+ unref:
+diff --git a/include/net/tls.h b/include/net/tls.h
+index 61fef28801140..181173e62a068 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -448,25 +448,20 @@ static inline void tls_offload_rx_resync_request(struct sock *sk, __be32 seq)
+
+ /* Log all TLS record header TCP sequences in [seq, seq+len] */
+ static inline void
+-tls_offload_rx_resync_async_request_start(struct sock *sk, __be32 seq, u16 len)
++tls_offload_rx_resync_async_request_start(struct tls_offload_resync_async *resync_async,
++ __be32 seq, u16 len)
+ {
+- struct tls_context *tls_ctx = tls_get_ctx(sk);
+- struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx);
+-
+- atomic64_set(&rx_ctx->resync_async->req, ((u64)ntohl(seq) << 32) |
++ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) |
+ ((u64)len << 16) | RESYNC_REQ | RESYNC_REQ_ASYNC);
+- rx_ctx->resync_async->loglen = 0;
+- rx_ctx->resync_async->rcd_delta = 0;
++ resync_async->loglen = 0;
++ resync_async->rcd_delta = 0;
+ }
+
+ static inline void
+-tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq)
++tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_async,
++ __be32 seq)
+ {
+- struct tls_context *tls_ctx = tls_get_ctx(sk);
+- struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx);
+-
+- atomic64_set(&rx_ctx->resync_async->req,
+- ((u64)ntohl(seq) << 32) | RESYNC_REQ);
++ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ);
+ }
+
+ static inline void
+--
+2.51.0
+
--- /dev/null
+From af2de824bae4db082cb2f0b0028130ff58496c74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 11:23:39 +0900
+Subject: nvme-multipath: fix lockdep WARN due to partition scan work
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+[ Upstream commit 6d87cd5335784351280f82c47cc8a657271929c3 ]
+
+Blktests test cases nvme/014, 057 and 058 fail occasionally due to a
+lockdep WARN. As reported in the Closes tag URL, the WARN indicates that
+a deadlock can happen due to the dependency among disk->open_mutex,
+kblockd workqueue completion and partition_scan_work completion.
+
+To avoid the lockdep WARN and the potential deadlock, cut the dependency
+by running the partition_scan_work not by kblockd workqueue but by
+nvme_wq.
+
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Closes: https://lore.kernel.org/linux-block/CAHj4cs8mJ+R_GmQm9R8ebResKAWUE8kF5+_WVg0v8zndmqd6BQ@mail.gmail.com/
+Link: https://lore.kernel.org/linux-block/oeyzci6ffshpukpfqgztsdeke5ost5hzsuz4rrsjfmvpqcevax@5nhnwbkzbrpa/
+Fixes: 1f021341eef4 ("nvme-multipath: defer partition scanning")
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 24cff8b044923..4ec4a1b11bb2e 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -687,7 +687,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns)
+ return;
+ }
+ nvme_add_ns_head_cdev(head);
+- kblockd_schedule_work(&head->partition_scan_work);
++ queue_work(nvme_wq, &head->partition_scan_work);
+ }
+
+ mutex_lock(&head->lock);
+--
+2.51.0
+
--- /dev/null
+From f42f2e1c5ece900f6abd54c99da09e93d57ab76d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 11:05:09 +0800
+Subject: pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe()
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 9b07cdf86a0b90556f5b68a6b20b35833b558df3 ]
+
+The driver calls fwnode_get_named_child_node() which takes a reference
+on the child node, but never releases it, which causes a reference leak.
+
+Fix by using devm_add_action_or_reset() to automatically release the
+reference when the device is removed.
+
+Fixes: d5282a539297 ("pinctrl: cs42l43: Add support for the cs42l43")
+Suggested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
+index 628b60ccc2b07..8b3f3b945e206 100644
+--- a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
++++ b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
+@@ -527,6 +527,11 @@ static int cs42l43_gpio_add_pin_ranges(struct gpio_chip *chip)
+ return ret;
+ }
+
++static void cs42l43_fwnode_put(void *data)
++{
++ fwnode_handle_put(data);
++}
++
+ static int cs42l43_pin_probe(struct platform_device *pdev)
+ {
+ struct cs42l43 *cs42l43 = dev_get_drvdata(pdev->dev.parent);
+@@ -558,10 +563,20 @@ static int cs42l43_pin_probe(struct platform_device *pdev)
+ priv->gpio_chip.ngpio = CS42L43_NUM_GPIOS;
+
+ if (is_of_node(fwnode)) {
+- fwnode = fwnode_get_named_child_node(fwnode, "pinctrl");
+-
+- if (fwnode && !fwnode->dev)
+- fwnode->dev = priv->dev;
++ struct fwnode_handle *child;
++
++ child = fwnode_get_named_child_node(fwnode, "pinctrl");
++ if (child) {
++ ret = devm_add_action_or_reset(&pdev->dev,
++ cs42l43_fwnode_put, child);
++ if (ret) {
++ fwnode_handle_put(child);
++ return ret;
++ }
++ if (!child->dev)
++ child->dev = priv->dev;
++ fwnode = child;
++ }
+ }
+
+ priv->gpio_chip.fwnode = fwnode;
+--
+2.51.0
+
--- /dev/null
+From b74a81e378d9d3ee22efe14e18d62be6bef00461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 15:55:29 +0800
+Subject: pinctrl: realtek: Select REGMAP_MMIO for RTD driver
+
+From: Yu-Chun Lin <eleanor.lin@realtek.com>
+
+[ Upstream commit 369f772299821f93f872bf1b4d7d7ed2fc50243b ]
+
+The pinctrl-rtd driver uses 'devm_regmap_init_mmio', which requires
+'REGMAP_MMIO' to be enabled.
+
+Without this selection, the build fails with an undefined reference:
+aarch64-none-linux-gnu-ld: drivers/pinctrl/realtek/pinctrl-rtd.o: in
+function rtd_pinctrl_probe': pinctrl-rtd.c:(.text+0x5a0): undefined
+reference to __devm_regmap_init_mmio_clk'
+
+Fix this by selecting 'REGMAP_MMIO' in the Kconfig.
+
+Fixes: e99ce78030db ("pinctrl: realtek: Add common pinctrl driver for Realtek DHC RTD SoCs")
+Signed-off-by: Yu-Chun Lin <eleanor.lin@realtek.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/realtek/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/realtek/Kconfig b/drivers/pinctrl/realtek/Kconfig
+index 0fc6bd4fcb7ec..400c9e5b16ada 100644
+--- a/drivers/pinctrl/realtek/Kconfig
++++ b/drivers/pinctrl/realtek/Kconfig
+@@ -6,6 +6,7 @@ config PINCTRL_RTD
+ default y
+ select PINMUX
+ select GENERIC_PINCONF
++ select REGMAP_MMIO
+
+ config PINCTRL_RTD1619B
+ tristate "Realtek DHC 1619B pin controller driver"
+--
+2.51.0
+
--- /dev/null
+From e5318ea32ff27620f90c44098bf3e7ec22a5a499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Nov 2025 13:54:11 -0800
+Subject: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc
+
+From: Jared Kangas <jkangas@redhat.com>
+
+[ Upstream commit 97ea34defbb57bfaf71ce487b1b0865ffd186e81 ]
+
+s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its
+fields are initialized. Notably, num_custom_params is used in
+pinconf_generic_parse_dt_config(), resulting in intermittent allocation
+errors, such as the following splat when probing i2c-imx:
+
+ WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300
+ [...]
+ Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)
+ [...]
+ Call trace:
+ __alloc_pages_noprof+0x290/0x300 (P)
+ ___kmalloc_large_node+0x84/0x168
+ __kmalloc_large_node_noprof+0x34/0x120
+ __kmalloc_noprof+0x2ac/0x378
+ pinconf_generic_parse_dt_config+0x68/0x1a0
+ s32_dt_node_to_map+0x104/0x248
+ dt_to_map_one_config+0x154/0x1d8
+ pinctrl_dt_to_map+0x12c/0x280
+ create_pinctrl+0x6c/0x270
+ pinctrl_get+0xc0/0x170
+ devm_pinctrl_get+0x50/0xa0
+ pinctrl_bind_pins+0x60/0x2a0
+ really_probe+0x60/0x3a0
+ [...]
+ __platform_driver_register+0x2c/0x40
+ i2c_adap_imx_init+0x28/0xff8 [i2c_imx]
+ [...]
+
+This results in later parse failures that can cause issues in dependent
+drivers:
+
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
+ [...]
+ pca953x 0-0022: failed writing register: -6
+ i2c i2c-0: IMX I2C adapter registered
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
+ i2c i2c-1: IMX I2C adapter registered
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
+ i2c i2c-2: IMX I2C adapter registered
+
+Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of
+devm_kmalloc() in s32_pinctrl_probe(), which sets the previously
+uninitialized fields to zero.
+
+Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support")
+Signed-off-by: Jared Kangas <jkangas@redhat.com>
+Tested-by: Jan Petrous (OSS) <jan.petrous@oss.nxp.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/nxp/pinctrl-s32cc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+index 501eb296c7605..51ecb8d0fb7e8 100644
+--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c
++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+@@ -951,7 +951,7 @@ int s32_pinctrl_probe(struct platform_device *pdev,
+ spin_lock_init(&ipctl->gpio_configs_lock);
+
+ s32_pinctrl_desc =
+- devm_kmalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL);
++ devm_kzalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL);
+ if (!s32_pinctrl_desc)
+ return -ENOMEM;
+
+--
+2.51.0
+
--- /dev/null
+From e6a9218556130ff9fa8eed82ea08136352046c13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Nov 2025 13:54:12 -0800
+Subject: pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc()
+
+From: Jared Kangas <jkangas@redhat.com>
+
+[ Upstream commit 6010d4d8b55b5d3ae1efb5502c54312e15c14f21 ]
+
+s32_pmx_gpio_request_enable() does not initialize the newly-allocated
+gpio_pin_config::list before adding it to s32_pinctrl::gpio_configs.
+This could result in a linked list corruption.
+
+Initialize the new list_head with INIT_LIST_HEAD() to fix this.
+
+Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support")
+Signed-off-by: Jared Kangas <jkangas@redhat.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/nxp/pinctrl-s32cc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+index 51ecb8d0fb7e8..35511f83d0560 100644
+--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c
++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+@@ -392,6 +392,7 @@ static int s32_pmx_gpio_request_enable(struct pinctrl_dev *pctldev,
+
+ gpio_pin->pin_id = offset;
+ gpio_pin->config = config;
++ INIT_LIST_HEAD(&gpio_pin->list);
+
+ spin_lock_irqsave(&ipctl->gpio_configs_lock, flags);
+ list_add(&gpio_pin->list, &ipctl->gpio_configs);
+--
+2.51.0
+
--- /dev/null
+From f8255018d535990af2a6c4269277e9f56df0a3d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 11:33:54 +0800
+Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to
+ errnos
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ]
+
+isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_*
+codes. The return code is returned from the probe function as is but
+probe functions should return normal errnos. A proper implementation
+can be found in drivers/leds/leds-ss4200.c.
+
+Convert PCIBIOS_* return codes using pcibios_err_to_errno() into
+normal errno before returning.
+
+Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+index 3f4343147dadb..950ede5eab769 100644
+--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+@@ -108,11 +108,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ ret = pci_read_config_dword(pdev, 0xD0, &mmio_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ ret = pci_read_config_dword(pdev, 0xFC, &pcu_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ pcu_base &= GENMASK(10, 0);
+ base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12;
+--
+2.51.0
+
--- /dev/null
+From 34be04a84c55ad8ba16147b7a204aa06bfb94479 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 12:12:53 +0100
+Subject: platform/x86: msi-wmi-platform: Fix typo in WMI GUID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit 97b726eb1dc2b4a2532544eb3da72bb6acbd39a3 ]
+
+The WMI driver core only supports GUID strings containing only
+uppercase characters, however the GUID string used by the
+msi-wmi-platform driver contains a single lowercase character.
+This prevents the WMI driver core from matching said driver to
+its WMI device.
+
+Fix this by turning the lowercase character into a uppercase
+character. Also update the WMI driver development guide to warn
+about this.
+
+Reported-by: Antheas Kapenekakis <lkml@antheas.dev>
+Fixes: 9c0beb6b29e7 ("platform/x86: wmi: Add MSI WMI Platform driver")
+Tested-by: Antheas Kapenekakis <lkml@antheas.dev>
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20251110111253.16204-3-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/wmi/driver-development-guide.rst | 1 +
+ drivers/platform/x86/msi-wmi-platform.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/wmi/driver-development-guide.rst b/Documentation/wmi/driver-development-guide.rst
+index 429137b2f6323..4c10159d5f6cd 100644
+--- a/Documentation/wmi/driver-development-guide.rst
++++ b/Documentation/wmi/driver-development-guide.rst
+@@ -50,6 +50,7 @@ to matching WMI devices using a struct wmi_device_id table:
+ ::
+
+ static const struct wmi_device_id foo_id_table[] = {
++ /* Only use uppercase letters! */
+ { "936DA01F-9ABD-4D9D-80C7-02AF85C822A8", NULL },
+ { }
+ };
+diff --git a/drivers/platform/x86/msi-wmi-platform.c b/drivers/platform/x86/msi-wmi-platform.c
+index bd2687828a2e6..e912fcc12d124 100644
+--- a/drivers/platform/x86/msi-wmi-platform.c
++++ b/drivers/platform/x86/msi-wmi-platform.c
+@@ -29,7 +29,7 @@
+
+ #define DRIVER_NAME "msi-wmi-platform"
+
+-#define MSI_PLATFORM_GUID "ABBC0F6E-8EA1-11d1-00A0-C90629100000"
++#define MSI_PLATFORM_GUID "ABBC0F6E-8EA1-11D1-00A0-C90629100000"
+
+ #define MSI_WMI_PLATFORM_INTERFACE_VERSION 2
+
+--
+2.51.0
+
--- /dev/null
+From 875c4d0fff99f4c708d6962763c721a376ef967d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 12:12:52 +0100
+Subject: platform/x86: msi-wmi-platform: Only load on MSI devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit c93433fd4e2bbbe7caa67b53d808b4a084852ff3 ]
+
+It turns out that the GUID used by the msi-wmi-platform driver
+(ABBC0F60-8EA1-11D1-00A0-C90629100000) is not unique, but was instead
+copied from the WIndows Driver Samples. This means that this driver
+could load on devices from other manufacturers that also copied this
+GUID, potentially causing hardware errors.
+
+Prevent this by only loading on devices whitelisted via DMI. The DMI
+matches where taken from the msi-ec driver.
+
+Reported-by: Antheas Kapenekakis <lkml@antheas.dev>
+Fixes: 9c0beb6b29e7 ("platform/x86: wmi: Add MSI WMI Platform driver")
+Tested-by: Antheas Kapenekakis <lkml@antheas.dev>
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20251110111253.16204-2-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/Kconfig | 1 +
+ drivers/platform/x86/msi-wmi-platform.c | 41 ++++++++++++++++++++++++-
+ 2 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index 3875abba5a790..902b50510d8d6 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -726,6 +726,7 @@ config MSI_WMI
+ config MSI_WMI_PLATFORM
+ tristate "MSI WMI Platform features"
+ depends on ACPI_WMI
++ depends on DMI
+ depends on HWMON
+ help
+ Say Y here if you want to have support for WMI-based platform features
+diff --git a/drivers/platform/x86/msi-wmi-platform.c b/drivers/platform/x86/msi-wmi-platform.c
+index dc5e9878cb682..bd2687828a2e6 100644
+--- a/drivers/platform/x86/msi-wmi-platform.c
++++ b/drivers/platform/x86/msi-wmi-platform.c
+@@ -14,6 +14,7 @@
+ #include <linux/debugfs.h>
+ #include <linux/device.h>
+ #include <linux/device/driver.h>
++#include <linux/dmi.h>
+ #include <linux/errno.h>
+ #include <linux/hwmon.h>
+ #include <linux/kernel.h>
+@@ -448,7 +449,45 @@ static struct wmi_driver msi_wmi_platform_driver = {
+ .probe = msi_wmi_platform_probe,
+ .no_singleton = true,
+ };
+-module_wmi_driver(msi_wmi_platform_driver);
++
++/*
++ * MSI reused the WMI GUID from the WMI-ACPI sample code provided by Microsoft,
++ * so other manufacturers might use it as well for their WMI-ACPI implementations.
++ */
++static const struct dmi_system_id msi_wmi_platform_whitelist[] __initconst = {
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"),
++ },
++ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Micro-Star International"),
++ },
++ },
++ { }
++};
++
++static int __init msi_wmi_platform_module_init(void)
++{
++ if (!dmi_check_system(msi_wmi_platform_whitelist)) {
++ if (!force)
++ return -ENODEV;
++
++ pr_warn("Ignoring DMI whitelist\n");
++ }
++
++ return wmi_driver_register(&msi_wmi_platform_driver);
++}
++
++static void __exit msi_wmi_platform_module_exit(void)
++{
++ wmi_driver_unregister(&msi_wmi_platform_driver);
++}
++
++module_init(msi_wmi_platform_module_init);
++module_exit(msi_wmi_platform_module_exit);
++
+
+ MODULE_AUTHOR("Armin Wolf <W_Armin@gmx.de>");
+ MODULE_DESCRIPTION("MSI WMI platform features");
+--
+2.51.0
+
--- /dev/null
+From 425dc28b0345081d9d528cb4901937a0ca75b3c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 19:27:24 +0100
+Subject: s390/ctcm: Fix double-kfree
+
+From: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+
+[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ]
+
+The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally
+from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.
+After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'
+frees it again.
+
+Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
+
+Bug detected by the clang static analyzer.
+
+Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak")
+Reviewed-by: Aswin Karuvally <aswin@linux.ibm.com>
+Signed-off-by: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+Signed-off-by: Aswin Karuvally <aswin@linux.ibm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/ctcm_mpc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c
+index 9e580ef69bdaa..48ea517ff567a 100644
+--- a/drivers/s390/net/ctcm_mpc.c
++++ b/drivers/s390/net/ctcm_mpc.c
+@@ -700,7 +700,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo)
+
+ grp->sweep_req_pend_num--;
+ ctcmpc_send_sweep_resp(ch);
+- kfree(mpcginfo);
+ return;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From bee13d64b2cf52aea4eced7532a3e57623bc4623 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 14:48:00 -0700
+Subject: scsi: core: Fix a regression triggered by scsi_host_busy()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ]
+
+Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag
+iterators") introduced the following regression:
+
+Call trace:
+ __srcu_read_lock+0x30/0x80 (P)
+ blk_mq_tagset_busy_iter+0x44/0x300
+ scsi_host_busy+0x38/0x70
+ ufshcd_print_host_state+0x34/0x1bc
+ ufshcd_link_startup.constprop.0+0xe4/0x2e0
+ ufshcd_init+0x944/0xf80
+ ufshcd_pltfrm_init+0x504/0x820
+ ufs_rockchip_probe+0x2c/0x88
+ platform_probe+0x5c/0xa4
+ really_probe+0xc0/0x38c
+ __driver_probe_device+0x7c/0x150
+ driver_probe_device+0x40/0x120
+ __driver_attach+0xc8/0x1e0
+ bus_for_each_dev+0x7c/0xdc
+ driver_attach+0x24/0x30
+ bus_add_driver+0x110/0x230
+ driver_register+0x68/0x130
+ __platform_driver_register+0x20/0x2c
+ ufs_rockchip_pltform_init+0x1c/0x28
+ do_one_initcall+0x60/0x1e0
+ kernel_init_freeable+0x248/0x2c4
+ kernel_init+0x20/0x140
+ ret_from_fork+0x10/0x20
+
+Fix this regression by making scsi_host_busy() check whether the SCSI
+host tag set has already been initialized. tag_set->ops is set by
+scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This
+fix is based on the assumption that scsi_host_busy() and
+scsi_mq_setup_tags() calls are serialized. This is the case in the UFS
+driver.
+
+Reported-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index e021f1106beab..5cf13d019a15e 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -607,8 +607,9 @@ int scsi_host_busy(struct Scsi_Host *shost)
+ {
+ int cnt = 0;
+
+- blk_mq_tagset_busy_iter(&shost->tag_set,
+- scsi_host_check_in_flight, &cnt);
++ if (shost->tag_set.ops)
++ blk_mq_tagset_busy_iter(&shost->tag_set,
++ scsi_host_check_in_flight, &cnt);
+ return cnt;
+ }
+ EXPORT_SYMBOL(scsi_host_busy);
+--
+2.51.0
+
--- /dev/null
+From e1651b909c728bf5542e55aadbedfb6c5702a47a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Nov 2025 10:10:29 +0200
+Subject: selftests: net: lib: Do not overwrite error messages
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit bed22c7b90af732978715a1789bca1c3cfa245a6 ]
+
+ret_set_ksft_status() calls ksft_status_merge() with the current return
+status and the last one. It treats a non-zero return code from
+ksft_status_merge() as an indication that the return status was
+overwritten by the last one and therefore overwrites the return message
+with the last one.
+
+Currently, ksft_status_merge() returns a non-zero return code even if
+the current return status and the last one are equal. This results in
+return messages being overwritten which is counter-productive since we
+are more interested in the first failure message and not the last one.
+
+Fix by changing ksft_status_merge() to only return a non-zero return
+code if the current return status was actually changed.
+
+Add a test case which checks that the first error message is not
+overwritten.
+
+Before:
+
+ # ./lib_sh_test.sh
+ [...]
+ TEST: RET tfail2 tfail -> fail [FAIL]
+ retmsg=tfail expected tfail2
+ [...]
+ # echo $?
+ 1
+
+After:
+
+ # ./lib_sh_test.sh
+ [...]
+ TEST: RET tfail2 tfail -> fail [ OK ]
+ [...]
+ # echo $?
+ 0
+
+Fixes: 596c8819cb78 ("selftests: forwarding: Have RET track kselftest framework constants")
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251116081029.69112-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/lib_sh_test.sh | 7 +++++++
+ tools/testing/selftests/net/lib.sh | 2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/forwarding/lib_sh_test.sh b/tools/testing/selftests/net/forwarding/lib_sh_test.sh
+index ff2accccaf4d4..b4eda6c6199ed 100755
+--- a/tools/testing/selftests/net/forwarding/lib_sh_test.sh
++++ b/tools/testing/selftests/net/forwarding/lib_sh_test.sh
+@@ -30,6 +30,11 @@ tfail()
+ do_test "tfail" false
+ }
+
++tfail2()
++{
++ do_test "tfail2" false
++}
++
+ txfail()
+ {
+ FAIL_TO_XFAIL=yes do_test "txfail" false
+@@ -132,6 +137,8 @@ test_ret()
+ ret_subtest $ksft_fail "tfail" txfail tfail
+
+ ret_subtest $ksft_xfail "txfail" txfail txfail
++
++ ret_subtest $ksft_fail "tfail2" tfail2 tfail
+ }
+
+ exit_status_tests_run()
+diff --git a/tools/testing/selftests/net/lib.sh b/tools/testing/selftests/net/lib.sh
+index bb4d2f8d50d67..501615d285300 100644
+--- a/tools/testing/selftests/net/lib.sh
++++ b/tools/testing/selftests/net/lib.sh
+@@ -40,7 +40,7 @@ __ksft_status_merge()
+ weights[$i]=$((weight++))
+ done
+
+- if [[ ${weights[$a]} > ${weights[$b]} ]]; then
++ if [[ ${weights[$a]} -ge ${weights[$b]} ]]; then
+ echo "$a"
+ return 0
+ else
+--
+2.51.0
+
--- /dev/null
+From f4d04565859630f67e78a7f2f25d1ba0c3e229fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 17:57:10 +0800
+Subject: selftests: net: use BASH for bareudp testing
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ]
+
+In bareudp.sh, this script uses /bin/sh and it will load another lib.sh
+BASH script at the very beginning.
+
+But on some operating systems like Ubuntu, /bin/sh is actually pointed to
+DASH, thus it will try to run BASH commands with DASH and consequently
+leads to syntax issues:
+ # ./bareudp.sh: 4: ./lib.sh: Bad substitution
+ # ./bareudp.sh: 5: ./lib.sh: source: not found
+ # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected
+
+Fix this by explicitly using BASH for bareudp.sh. This fixes test
+execution failures on systems where /bin/sh is not BASH.
+
+Reported-by: Edoardo Canepa <edoardo.canepa@canonical.com>
+Link: https://bugs.launchpad.net/bugs/2129812
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/bareudp.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh
+index f366cadbc5e86..ff4308b48e65d 100755
+--- a/tools/testing/selftests/net/bareudp.sh
++++ b/tools/testing/selftests/net/bareudp.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
+ # Test various bareudp tunnel configurations.
+--
+2.51.0
+
drm-amd-display-move-sleep-into-each-retry-for-retrieve_link_cap.patch
drm-amd-display-fix-pbn-to-kbps-conversion.patch
drm-amd-display-clear-the-cur_enable-register-on-dcn20-on-dpp5.patch
+xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch
+xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch
+pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch
+xfrm-determine-inner-gso-type-from-packet-inner-prot.patch
+xfrm-prevent-locally-generated-packets-from-direct-o.patch
+pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch
+platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch
+platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch
+mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch
+drm-tegra-add-call-to-put_pid.patch
+net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch
+net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch
+net-openvswitch-remove-never-working-support-for-set.patch
+tools-riscv-fixed-misalignment-of-csr-related-defini.patch
+nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch
+s390-ctcm-fix-double-kfree.patch
+selftests-net-lib-do-not-overwrite-error-messages.patch
+platform-x86-intel-speed_select_if-convert-pcibios_-.patch
+net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch
+idpf-fix-possible-vport_config-null-pointer-deref-in.patch
+ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch
+pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch
+pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch
+devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch
+net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch
+af_unix-cache-state-msg-in-unix_stream_read_generic.patch
+af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch
+loongarch-use-uapi-types-in-ptrace-uapi-header.patch
+cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch
+vsock-ignore-signal-timeout-on-connect-if-already-es.patch
+bcma-don-t-register-devices-disabled-in-of.patch
+cifs-fix-typo-in-enable_gcm_256-module-parameter.patch
+scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch
+x86-microcode-amd-limit-entrysign-signature-checking.patch
+selftests-net-use-bash-for-bareudp-testing.patch
+net-tls-change-async-resync-helpers-argument.patch
+blk-crypto-use-blk_sts_inval-for-alignment-errors.patch
+net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch
+kconfig-mconf-initialize-the-default-locale-at-start.patch
+kconfig-nconf-initialize-the-default-locale-at-start.patch
--- /dev/null
+From fe75c6d12f2beb8334d198a0df363d50e7743666 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Nov 2025 15:12:15 +0800
+Subject: tools: riscv: Fixed misalignment of CSR related definitions
+
+From: Chen Pei <cp0613@linux.alibaba.com>
+
+[ Upstream commit e2cb69263e797c0aa6676bcef23e9e27e44c83b0 ]
+
+The file tools/arch/riscv/include/asm/csr.h borrows from
+arch/riscv/include/asm/csr.h, and subsequent modifications
+related to CSR should maintain consistency.
+
+Signed-off-by: Chen Pei <cp0613@linux.alibaba.com>
+Link: https://patch.msgid.link/20251114071215.816-1-cp0613@linux.alibaba.com
+[pjw@kernel.org: dropped Fixes: lines for patches that weren't broken; removed superfluous blank line]
+Signed-off-by: Paul Walmsley <pjw@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/riscv_pmu_sbi.c | 2 +-
+ tools/arch/riscv/include/asm/csr.h | 5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c
+index da3651d329069..6df8b260f0702 100644
+--- a/drivers/perf/riscv_pmu_sbi.c
++++ b/drivers/perf/riscv_pmu_sbi.c
+@@ -1016,7 +1016,7 @@ static irqreturn_t pmu_sbi_ovf_handler(int irq, void *dev)
+ /* compute hardware counter index */
+ hidx = info->csr - CSR_CYCLE;
+
+- /* check if the corresponding bit is set in sscountovf or overflow mask in shmem */
++ /* check if the corresponding bit is set in scountovf or overflow mask in shmem */
+ if (!(overflow & BIT(hidx)))
+ continue;
+
+diff --git a/tools/arch/riscv/include/asm/csr.h b/tools/arch/riscv/include/asm/csr.h
+index 0dfc09254f99a..1cd824aaa3ba2 100644
+--- a/tools/arch/riscv/include/asm/csr.h
++++ b/tools/arch/riscv/include/asm/csr.h
+@@ -167,7 +167,8 @@
+ #define VSIP_TO_HVIP_SHIFT (IRQ_VS_SOFT - IRQ_S_SOFT)
+ #define VSIP_VALID_MASK ((_AC(1, UL) << IRQ_S_SOFT) | \
+ (_AC(1, UL) << IRQ_S_TIMER) | \
+- (_AC(1, UL) << IRQ_S_EXT))
++ (_AC(1, UL) << IRQ_S_EXT) | \
++ (_AC(1, UL) << IRQ_PMU_OVF))
+
+ /* AIA CSR bits */
+ #define TOPI_IID_SHIFT 16
+@@ -280,7 +281,7 @@
+ #define CSR_HPMCOUNTER30H 0xc9e
+ #define CSR_HPMCOUNTER31H 0xc9f
+
+-#define CSR_SSCOUNTOVF 0xda0
++#define CSR_SCOUNTOVF 0xda0
+
+ #define CSR_SSTATUS 0x100
+ #define CSR_SIE 0x104
+--
+2.51.0
+
--- /dev/null
+From 9a650d808d2fa40c4cd2c6b55df8eff50bf58e2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Nov 2025 15:02:59 +0100
+Subject: vsock: Ignore signal/timeout on connect() if already established
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ]
+
+During connect(), acting on a signal/timeout by disconnecting an already
+established socket leads to several issues:
+
+1. connect() invoking vsock_transport_cancel_pkt() ->
+ virtio_transport_purge_skbs() may race with sendmsg() invoking
+ virtio_transport_get_credit(). This results in a permanently elevated
+ `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
+
+2. connect() resetting a connected socket's state may race with socket
+ being placed in a sockmap. A disconnected socket remaining in a sockmap
+ breaks sockmap's assumptions. And gives rise to WARNs.
+
+3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
+ transport change/drop after TCP_ESTABLISHED. Which poses a problem for
+ any simultaneous sendmsg() or connect() and may result in a
+ use-after-free/null-ptr-deref.
+
+Do not disconnect socket on signal/timeout. Keep the logic for unconnected
+sockets: they don't linger, can't be placed in a sockmap, are rejected by
+sendmsg().
+
+[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
+[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
+[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 68a9d4214584f..621be9be64f67 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1616,18 +1616,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+ timeout = schedule_timeout(timeout);
+ lock_sock(sk);
+
+- if (signal_pending(current)) {
+- err = sock_intr_errno(timeout);
+- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+- sock->state = SS_UNCONNECTED;
+- vsock_transport_cancel_pkt(vsk);
+- vsock_remove_connected(vsk);
+- goto out_wait;
+- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+- err = -ETIMEDOUT;
++ /* Connection established. Whatever happens to socket once we
++ * release it, that's not connect()'s concern. No need to go
++ * into signal and timeout handling. Call it a day.
++ *
++ * Note that allowing to "reset" an already established socket
++ * here is racy and insecure.
++ */
++ if (sk->sk_state == TCP_ESTABLISHED)
++ break;
++
++ /* If connection was _not_ established and a signal/timeout came
++ * to be, we want the socket's state reset. User space may want
++ * to retry.
++ *
++ * sk_state != TCP_ESTABLISHED implies that socket is not on
++ * vsock_connected_table. We keep the binding and the transport
++ * assigned.
++ */
++ if (signal_pending(current) || timeout == 0) {
++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout);
++
++ /* Listener might have already responded with
++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our
++ * sk_state == TCP_SYN_SENT, which hereby we break.
++ * In such case VIRTIO_VSOCK_OP_RST will follow.
++ */
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
++
++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by
++ * transport->connect().
++ */
+ vsock_transport_cancel_pkt(vsk);
++
+ goto out_wait;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 172066aea2e12be6fa3b8cdf7233c027b8e5e4fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 14:46:29 +0200
+Subject: x86/microcode/AMD: Limit Entrysign signature checking to known
+ generations
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+[ Upstream commit 8a9fb5129e8e64d24543ebc70de941a2d77a9e77 ]
+
+Limit Entrysign sha256 signature checking to CPUs in the range Zen1-Zen5.
+
+X86_BUG cannot be used here because the loading on the BSP happens way
+too early, before the cpufeatures machinery has been set up.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://patch.msgid.link/all/20251023124629.5385-1-bp@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/microcode/amd.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
+index 93cbf05b83a56..7e997360223b2 100644
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -224,6 +224,24 @@ static bool need_sha_check(u32 cur_rev)
+ return true;
+ }
+
++static bool cpu_has_entrysign(void)
++{
++ unsigned int fam = x86_family(bsp_cpuid_1_eax);
++ unsigned int model = x86_model(bsp_cpuid_1_eax);
++
++ if (fam == 0x17 || fam == 0x19)
++ return true;
++
++ if (fam == 0x1a) {
++ if (model <= 0x2f ||
++ (0x40 <= model && model <= 0x4f) ||
++ (0x60 <= model && model <= 0x6f))
++ return true;
++ }
++
++ return false;
++}
++
+ static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsigned int len)
+ {
+ struct patch_digest *pd = NULL;
+@@ -231,7 +249,7 @@ static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsi
+ struct sha256_state s;
+ int i;
+
+- if (x86_family(bsp_cpuid_1_eax) < 0x17)
++ if (!cpu_has_entrysign())
+ return true;
+
+ if (!need_sha_check(cur_rev))
+--
+2.51.0
+
--- /dev/null
+From ec380dc3515271fdca298dc8c8930b2e2dfd26cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 04:22:48 +0200
+Subject: xfrm: Determine inner GSO type from packet inner protocol
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 61fafbee6cfed283c02a320896089f658fa67e56 ]
+
+The GSO segmentation functions for ESP tunnel mode
+(xfrm4_tunnel_gso_segment and xfrm6_tunnel_gso_segment) were
+determining the inner packet's L2 protocol type by checking the static
+x->inner_mode.family field from the xfrm state.
+
+This is unreliable. In tunnel mode, the state's actual inner family
+could be defined by x->inner_mode.family or by
+x->inner_mode_iaf.family. Checking only the former can lead to a
+mismatch with the actual packet being processed, causing GSO to create
+segments with the wrong L2 header type.
+
+This patch fixes the bug by deriving the inner mode directly from the
+packet's inner protocol stored in XFRM_MODE_SKB_CB(skb)->protocol.
+
+Instead of replicating the code, this patch modifies the
+xfrm_ip2inner_mode helper function. It now correctly returns
+&x->inner_mode if the selector family (x->sel.family) is already
+specified, thereby handling both specific and AF_UNSPEC cases
+appropriately.
+
+With this change, ESP GSO can use xfrm_ip2inner_mode to get the
+correct inner mode. It doesn't affect existing callers, as the updated
+logic now mirrors the checks they were already performing externally.
+
+Fixes: 26dbd66eab80 ("esp: choose the correct inner protocol for GSO on inter address family tunnels")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 3 ++-
+ net/ipv4/esp4_offload.c | 6 ++++--
+ net/ipv6/esp6_offload.c | 6 ++++--
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 1484dd15a3694..caaff61601a07 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -472,7 +472,8 @@ static inline int xfrm_af2proto(unsigned int family)
+
+ static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
+ {
+- if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
++ if ((x->sel.family != AF_UNSPEC) ||
++ (ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
+ (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
+ return &x->inner_mode;
+ else
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index e0d94270da28a..05828d4cb6cdb 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -122,8 +122,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6)
+- : htons(ETH_P_IP);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
++ XFRM_MODE_SKB_CB(skb)->protocol);
++ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
++ : htons(ETH_P_IP);
+
+ return skb_eth_gso_segment(skb, features, type);
+ }
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 7b41fb4f00b58..22410243ebe88 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -158,8 +158,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP)
+- : htons(ETH_P_IPV6);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
++ XFRM_MODE_SKB_CB(skb)->protocol);
++ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
++ : htons(ETH_P_IPV6);
+
+ return skb_eth_gso_segment(skb, features, type);
+ }
+--
+2.51.0
+
--- /dev/null
+From 45063117417619a4f66efc36b573ee65f2db361a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 12:39:12 +0200
+Subject: xfrm: drop SA reference in xfrm_state_update if dir doesn't match
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 8d2a2a49c30f67a480fa9ed25e08436a446f057e ]
+
+We're not updating x1, but we still need to put() it.
+
+Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 1e2f5ecd63248..f8cb033f102ed 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2117,14 +2117,18 @@ int xfrm_state_update(struct xfrm_state *x)
+ }
+
+ if (x1->km.state == XFRM_STATE_ACQ) {
+- if (x->dir && x1->dir != x->dir)
++ if (x->dir && x1->dir != x->dir) {
++ to_put = x1;
+ goto out;
++ }
+
+ __xfrm_state_insert(x);
+ x = NULL;
+ } else {
+- if (x1->dir != x->dir)
++ if (x1->dir != x->dir) {
++ to_put = x1;
+ goto out;
++ }
+ }
+ err = 0;
+
+--
+2.51.0
+
--- /dev/null
+From 0c31e08f1b7ea748ffb8aaf1e01ab5382c7d3bc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Oct 2025 11:50:25 +0200
+Subject: xfrm: Prevent locally generated packets from direct output in tunnel
+ mode
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 59630e2ccd728703cc826e3a3515d70f8c7a766c ]
+
+Add a check to ensure locally generated packets (skb->sk != NULL) do
+not use direct output in tunnel mode, as these packets require proper
+L2 header setup that is handled by the normal XFRM processing path.
+
+Fixes: 5eddd76ec2fd ("xfrm: fix tunnel mode TX datapath in packet offload mode")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_output.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index a30538a980cc7..9277dd4ed541a 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -766,8 +766,12 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
+ /* Exclusive direct xmit for tunnel mode, as
+ * some filtering or matching rules may apply
+ * in transport mode.
++ * Locally generated packets also require
++ * the normal XFRM path for L2 header setup,
++ * as the hardware needs the L2 header to match
++ * for encryption, so skip direct output as well.
+ */
+- if (x->props.mode == XFRM_MODE_TUNNEL)
++ if (x->props.mode == XFRM_MODE_TUNNEL && !skb->sk)
+ return xfrm_dev_direct_output(sk, x, skb);
+
+ return xfrm_output_resume(sk, skb, 0);
+--
+2.51.0
+
--- /dev/null
+From d8c21464ec4c3f677c62d3e05154ffe758cfadfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 12:39:16 +0200
+Subject: xfrm: set err and extack on failure to create pcpu SA
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 1dcf617bec5cb85f68ca19969e7537ef6f6931d3 ]
+
+xfrm_state_construct can fail without setting an error if the
+requested pcpu_num value is too big. Set err and add an extack message
+to avoid confusing userspace.
+
+Fixes: 1ddf9916ac09 ("xfrm: Add support for per cpu xfrm state handling.")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index d41e5642625e3..3d0fdeebaf3c8 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -893,8 +893,11 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+
+ if (attrs[XFRMA_SA_PCPU]) {
+ x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
+- if (x->pcpu_num >= num_possible_cpus())
++ if (x->pcpu_num >= num_possible_cpus()) {
++ err = -ERANGE;
++ NL_SET_ERR_MSG(extack, "pCPU number too big");
+ goto error;
++ }
+ }
+
+ err = __xfrm_init_state(x, false, attrs[XFRMA_OFFLOAD_DEV], extack);
+--
+2.51.0
+
--- /dev/null
+From 0f012048e33f3d90e9637b82a6df1c8afe92e252 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 17:47:10 +0000
+Subject: af_unix: Read sk_peek_offset() again after sleeping in
+ unix_stream_read_generic().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 7bf3a476ce43833c49fceddbe94ff3472e04e9bc ]
+
+Miao Wang reported a bug of SO_PEEK_OFF on AF_UNIX SOCK_STREAM
+socket.
+
+The unexpected behaviour is triggered when the peek offset is
+larger than the recv queue and the thread is unblocked by new
+data.
+
+Let's assume a socket which has "aaaa" in the recv queue and
+the peek offset is 4.
+
+First, unix_stream_read_generic() reads the offset 4 and skips
+the skb(s) of "aaaa" with the code below:
+
+ skip = max(sk_peek_offset(sk, flags), 0); /* @skip is 4. */
+
+ do {
+ ...
+ while (skip >= unix_skb_len(skb)) {
+ skip -= unix_skb_len(skb);
+ ...
+ skb = skb_peek_next(skb, &sk->sk_receive_queue);
+ if (!skb)
+ goto again; /* @skip is 0. */
+ }
+
+The thread jumps to the 'again' label and goes to sleep since
+new data has not arrived yet.
+
+Later, new data "bbbb" unblocks the thread, and the thread jumps
+to the 'redo:' label to restart the entire process from the first
+skb in the recv queue.
+
+ do {
+ ...
+redo:
+ ...
+ last = skb = skb_peek(&sk->sk_receive_queue);
+ ...
+again:
+ if (skb == NULL) {
+ ...
+ timeo = unix_stream_data_wait(sk, timeo, last,
+ last_len, freezable);
+ ...
+ goto redo; /* @skip is 0 !! */
+
+However, the peek offset is not reset in the path.
+
+If the buffer size is 8, recv() will return "aaaabbbb" without
+skipping any data, and the final offset will be 12 (the original
+offset 4 + peeked skbs' length 8).
+
+After sleeping in unix_stream_read_generic(), we have to fetch the
+peek offset again.
+
+Let's move the redo label before mutex_lock(&u->iolock).
+
+Fixes: 9f389e35674f ("af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag")
+Reported-by: Miao Wang <shankerwangmiao@gmail.com>
+Closes: https://lore.kernel.org/netdev/3B969F90-F51F-4B9D-AB1A-994D9A54D460@gmail.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20251117174740.3684604-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 6d7c110814ffa..0f288a80e0acd 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2954,6 +2954,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+
+ u = unix_sk(sk);
+
++redo:
+ /* Lock the socket to prevent queue disordering
+ * while sleeps in memcpy_tomsg
+ */
+@@ -2965,7 +2966,6 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+ struct sk_buff *skb, *last;
+ int chunk;
+
+-redo:
+ unix_state_lock(sk);
+ if (sock_flag(sk, SOCK_DEAD)) {
+ err = -ECONNRESET;
+@@ -3015,7 +3015,6 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+ goto out;
+ }
+
+- mutex_lock(&u->iolock);
+ goto redo;
+ unlock:
+ unix_state_unlock(sk);
+--
+2.51.0
+
--- /dev/null
+From 9936ba7e9a7bb05f3a056cba8ba6a9c7d3027c51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 15:52:26 +0100
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga 7 2-in-1 14AKP10
+
+From: J-Donald Tournier <jdtournier@gmail.com>
+
+[ Upstream commit 1386d16761c0b569efedb998f56c1ae048a086e2 ]
+
+This laptop requires the same quirk as Lenovo Yoga9 14IAP7 for
+fixing the bass speaker problems.
+
+Use HDA_CODEC_QUIRK to match on the codec SSID to avoid conflict with
+the Lenovo Legion Slim 7 16IRH8, which has the same PCI SSID.
+
+Signed-off-by: J-Donald Tournier <jdtournier@gmail.com>
+Link: https://patch.msgid.link/20251018145322.39119-1-jdournier@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 19604352317dd..20f0ad43953f4 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7082,6 +7082,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x38a9, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD),
+ SND_PCI_QUIRK(0x17aa, 0x38ab, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD),
+ SND_PCI_QUIRK(0x17aa, 0x38b4, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2),
++ HDA_CODEC_QUIRK(0x17aa, 0x391c, "Lenovo Yoga 7 2-in-1 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x38b5, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x17aa, 0x38b6, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x17aa, 0x38b7, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2),
+--
+2.51.0
+
--- /dev/null
+From 3b3cd5df8100b7f22b675ef745bfca1ce9c7f66d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 13:58:10 +0300
+Subject: ALSA: hda/realtek: Fix mute led for HP Victus 15-fa1xxx (MB 8C2D)
+
+From: Eren Demir <eren.demir2479090@gmail.com>
+
+[ Upstream commit 28935ee5e4789ad86c08ba9f2426edd6203d13fa ]
+
+The quirk for Victus 15-fa1xxx wasn't working on Victus 15-fa1031nt due to a different board id. This patch enables the existing quirk for the board id 8BC8.
+
+Tested on HP Victus 15-fa1031nt (MB 8C2D). The LED behaviour works as intended.
+
+Signed-off-by: Eren Demir <eren.demir2479090@gmail.com>
+Link: https://patch.msgid.link/20251027110208.6481-1-eren.demir2479090@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 20f0ad43953f4..796f555dd381d 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6580,6 +6580,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8c16, "HP Spectre x360 2-in-1 Laptop 16-aa0xxx", ALC245_FIXUP_HP_SPECTRE_X360_16_AA0XXX),
+ SND_PCI_QUIRK(0x103c, 0x8c17, "HP Spectre 16", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8c21, "HP Pavilion Plus Laptop 14-ey0XXX", ALC245_FIXUP_HP_X360_MUTE_LEDS),
++ SND_PCI_QUIRK(0x103c, 0x8c2d, "HP Victus 15-fa1xxx (MB 8C2D)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8c30, "HP Victus 15-fb1xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8c46, "HP EliteBook 830 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c47, "HP EliteBook 840 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+--
+2.51.0
+
--- /dev/null
+From 38056358953efd70f7ef5cccb2b4a9d28e1d7325 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 18:33:33 +0800
+Subject: ASoC: rt721: fix prepare clock stop failed
+
+From: Shuming Fan <shumingf@realtek.com>
+
+[ Upstream commit d914ec6f07548f7c13a231a4f526e043e736e82e ]
+
+This patch adds settings to prevent the 'prepare clock stop failed' error.
+
+Signed-off-by: Shuming Fan <shumingf@realtek.com>
+Link: https://patch.msgid.link/20251027103333.38353-1-shumingf@realtek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt721-sdca.c | 4 ++++
+ sound/soc/codecs/rt721-sdca.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/sound/soc/codecs/rt721-sdca.c b/sound/soc/codecs/rt721-sdca.c
+index a4bd29d7220b8..5f7b505d54147 100644
+--- a/sound/soc/codecs/rt721-sdca.c
++++ b/sound/soc/codecs/rt721-sdca.c
+@@ -281,6 +281,10 @@ static void rt721_sdca_jack_preset(struct rt721_sdca_priv *rt721)
+ rt_sdca_index_write(rt721->mbq_regmap, RT721_BOOST_CTRL,
+ RT721_BST_4CH_TOP_GATING_CTRL1, 0x002a);
+ regmap_write(rt721->regmap, 0x2f58, 0x07);
++
++ regmap_write(rt721->regmap, 0x2f51, 0x00);
++ rt_sdca_index_write(rt721->mbq_regmap, RT721_HDA_SDCA_FLOAT,
++ RT721_MISC_CTL, 0x0004);
+ }
+
+ static void rt721_sdca_jack_init(struct rt721_sdca_priv *rt721)
+diff --git a/sound/soc/codecs/rt721-sdca.h b/sound/soc/codecs/rt721-sdca.h
+index 71fac9cd87394..24ce188562baf 100644
+--- a/sound/soc/codecs/rt721-sdca.h
++++ b/sound/soc/codecs/rt721-sdca.h
+@@ -137,6 +137,7 @@ struct rt721_sdca_dmic_kctrl_priv {
+ #define RT721_HDA_LEGACY_UAJ_CTL 0x02
+ #define RT721_HDA_LEGACY_CTL1 0x05
+ #define RT721_HDA_LEGACY_RESET_CTL 0x06
++#define RT721_MISC_CTL 0x07
+ #define RT721_XU_REL_CTRL 0x0c
+ #define RT721_GE_REL_CTRL1 0x0d
+ #define RT721_HDA_LEGACY_GPIO_WAKE_EN_CTL 0x0e
+--
+2.51.0
+
--- /dev/null
+From 4a9d79aa3fba19433606d32b00976f7b0ac07ea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Oct 2025 14:51:26 +0200
+Subject: bcma: don't register devices disabled in OF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit a2a69add80411dd295c9088c1bcf925b1f4e53d7 ]
+
+Some bus devices can be marked as disabled for specific SoCs or models.
+Those should not be registered to avoid probing them.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251003125126.27950-1-zajec5@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bcma/main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c
+index 6ecfc821cf833..72f045e6ed513 100644
+--- a/drivers/bcma/main.c
++++ b/drivers/bcma/main.c
+@@ -294,6 +294,8 @@ static int bcma_register_devices(struct bcma_bus *bus)
+ int err;
+
+ list_for_each_entry(core, &bus->cores, list) {
++ struct device_node *np;
++
+ /* We support that core ourselves */
+ switch (core->id.id) {
+ case BCMA_CORE_4706_CHIPCOMMON:
+@@ -311,6 +313,10 @@ static int bcma_register_devices(struct bcma_bus *bus)
+ if (bcma_is_core_needed_early(core->id.id))
+ continue;
+
++ np = core->dev.of_node;
++ if (np && !of_device_is_available(np))
++ continue;
++
+ /* Only first GMAC core on BCM4706 is connected and working */
+ if (core->id.id == BCMA_CORE_4706_MAC_GBIT &&
+ core->core_unit > 0)
+--
+2.51.0
+
--- /dev/null
+From ca6137099df179c26c3b0f7a8055dac065f882e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Oct 2025 04:39:18 +0000
+Subject: blk-crypto: use BLK_STS_INVAL for alignment errors
+
+From: Carlos Llamas <cmllamas@google.com>
+
+[ Upstream commit 0b39ca457241aeca07a613002512573e8804f93a ]
+
+Make __blk_crypto_bio_prep() propagate BLK_STS_INVAL when IO segments
+fail the data unit alignment check.
+
+This was flagged by an LTP test that expects EINVAL when performing an
+O_DIRECT read with a misaligned buffer [1].
+
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/all/aP-c5gPjrpsn0vJA@google.com/ [1]
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Reviewed-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-crypto.c b/block/blk-crypto.c
+index 4b1ad84d1b5ab..3e7bf1974cbd8 100644
+--- a/block/blk-crypto.c
++++ b/block/blk-crypto.c
+@@ -292,7 +292,7 @@ bool __blk_crypto_bio_prep(struct bio **bio_ptr)
+ }
+
+ if (!bio_crypt_check_alignment(bio)) {
+- bio->bi_status = BLK_STS_IOERR;
++ bio->bi_status = BLK_STS_INVAL;
+ goto fail;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 945b2e49870f2eceed667e2f742a845f55cf7c9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Nov 2025 20:32:57 +0530
+Subject: cifs: fix memory leak in smb3_fs_context_parse_param error path
+
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+
+[ Upstream commit 7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5 ]
+
+Add proper cleanup of ctx->source and fc->source to the
+cifs_parse_mount_err error handler. This ensures that memory allocated
+for the source strings is correctly freed on all error paths, matching
+the cleanup already performed in the success path by
+smb3_cleanup_fs_context_contents().
+Pointers are also set to NULL after freeing to prevent potential
+double-free issues.
+
+This change fixes a memory leak originally detected by syzbot. The
+leak occurred when processing Opt_source mount options if an error
+happened after ctx->source and fc->source were successfully
+allocated but before the function completed.
+
+The specific leak sequence was:
+1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory
+2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory
+3. A subsequent error jumps to cifs_parse_mount_err
+4. The old error handler freed passwords but not the source strings,
+causing the memory to leak.
+
+This issue was not addressed by commit e8c73eb7db0a ("cifs: client:
+fix memory leak in smb3_fs_context_parse_param"), which only fixed
+leaks from repeated fsconfig() calls but not this error path.
+
+Patch updated with minor change suggested by kernel test robot
+
+Reported-by: syzbot+87be6809ed9bf6d718e3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=87be6809ed9bf6d718e3
+Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index 55ea0ad894449..c9cd00b96cde1 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1829,6 +1829,10 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+ ctx->password = NULL;
+ kfree_sensitive(ctx->password2);
+ ctx->password2 = NULL;
++ kfree(ctx->source);
++ ctx->source = NULL;
++ kfree(fc->source);
++ fc->source = NULL;
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From feaa4bdb3708be6a386903ca6f803ec81d2123a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 21:17:01 -0500
+Subject: cifs: fix typo in enable_gcm_256 module parameter
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit f765fdfcd8b5bce92c6aa1a517ff549529ddf590 ]
+
+Fix typo in description of enable_gcm_256 module parameter
+
+Suggested-by: Thomas Spear <speeddymon@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c
+index e1848276bab41..984545cfe30b7 100644
+--- a/fs/smb/client/cifsfs.c
++++ b/fs/smb/client/cifsfs.c
+@@ -133,7 +133,7 @@ module_param(enable_oplocks, bool, 0644);
+ MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
+
+ module_param(enable_gcm_256, bool, 0644);
+-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0");
++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/1");
+
+ module_param(require_gcm_256, bool, 0644);
+ MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");
+--
+2.51.0
+
--- /dev/null
+From 661abf83efe7878793b62f4d5035cb1c6ba9cfa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 17:27:04 +0200
+Subject: clk: sunxi-ng: Mark A523 bus-r-cpucfg clock as critical
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit 1dba74abf3e2fa4484b924d8ba6e54e64ebb8c82 ]
+
+bus-r-cpucfg clock is important for peripheral which takes care of
+powering CPU cores on and off. Since this operation is done by firmware
+(TF-A), mark it as critical. That way Linux won't interfere with that
+clock.
+
+Fixes: 8cea339cfb81 ("clk: sunxi-ng: add support for the A523/T527 PRCM CCU")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Tested-by: Andre Przywara <andre.przywara@arm.com>
+Link: https://patch.msgid.link/20251020152704.4804-1-jernej.skrabec@gmail.com
+Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c
+index 70ce0ca0cb7db..c5b0d4a2e397e 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c
++++ b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c
+@@ -125,7 +125,7 @@ static SUNXI_CCU_GATE_HW(bus_r_dma_clk, "bus-r-dma",
+ static SUNXI_CCU_GATE_HW(bus_r_rtc_clk, "bus-r-rtc",
+ &r_apb0_clk.common.hw, 0x20c, BIT(0), 0);
+ static SUNXI_CCU_GATE_HW(bus_r_cpucfg_clk, "bus-r-cpucfg",
+- &r_apb0_clk.common.hw, 0x22c, BIT(0), 0);
++ &r_apb0_clk.common.hw, 0x22c, BIT(0), CLK_IS_CRITICAL);
+
+ static struct ccu_common *sun55i_a523_r_ccu_clks[] = {
+ &r_ahb_clk.common,
+--
+2.51.0
+
--- /dev/null
+From d02dcdb3496ba64f238ead1ad43a6870dd6ca1e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 01:10:52 +0800
+Subject: clk: sunxi-ng: sun55i-a523-ccu: Lower audio0 pll minimum rate
+
+From: Chen-Yu Tsai <wens@kernel.org>
+
+[ Upstream commit 2050280a4bb660b47f8cccf75a69293ae7cbb087 ]
+
+While the user manual states that the PLL's rate should be between 180
+MHz and 3 GHz in the register defninition section, it also says the
+actual operating frequency is 22.5792*4 MHz in the PLL features table.
+
+22.5792*4 MHz is one of the actual clock rates that we want and is
+is available in the SDM table. Lower the minimum clock rate to 90 MHz
+so that both rates in the SDM table can be used.
+
+Fixes: 7cae1e2b5544 ("clk: sunxi-ng: Add support for the A523/T527 CCU PLLs")
+Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://patch.msgid.link/20251020171059.2786070-7-wens@kernel.org
+Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun55i-a523.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun55i-a523.c b/drivers/clk/sunxi-ng/ccu-sun55i-a523.c
+index 1a9a1cb869e23..9e0468fb012b6 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun55i-a523.c
++++ b/drivers/clk/sunxi-ng/ccu-sun55i-a523.c
+@@ -299,7 +299,7 @@ static struct ccu_nm pll_audio0_4x_clk = {
+ .m = _SUNXI_CCU_DIV(16, 6),
+ .sdm = _SUNXI_CCU_SDM(pll_audio0_sdm_table, BIT(24),
+ 0x178, BIT(31)),
+- .min_rate = 180000000U,
++ .min_rate = 90000000U,
+ .max_rate = 3000000000U,
+ .common = {
+ .reg = 0x078,
+--
+2.51.0
+
--- /dev/null
+From 753839537b471a7927b98c902e192a0a1dacd718 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 01:10:51 +0800
+Subject: clk: sunxi-ng: sun55i-a523-r-ccu: Mark bus-r-dma as critical
+
+From: Chen-Yu Tsai <wens@kernel.org>
+
+[ Upstream commit 5888533c6011de319c5f23ae147f1f291ce81582 ]
+
+The "bus-r-dma" clock in the A523's PRCM clock controller is also
+referred to as "DMA_CLKEN_SW" or "DMA ADB400 gating". It is unclear how
+this ties into the DMA controller MBUS clock gate; however if the clock
+is not enabled, the DMA controller in the MCU block will fail to access
+DRAM, even failing to retrieve the DMA descriptors.
+
+Mark this clock as critical. This sort of mirrors what is done for the
+main DMA controller's MBUS clock, which has a separate toggle that is
+currently left out of the main clock controller driver.
+
+Fixes: 8cea339cfb81 ("clk: sunxi-ng: add support for the A523/T527 PRCM CCU")
+Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://patch.msgid.link/20251020171059.2786070-6-wens@kernel.org
+Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c
+index c5b0d4a2e397e..0339c4af0fe5b 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c
++++ b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c
+@@ -121,7 +121,7 @@ static SUNXI_CCU_GATE_HW(bus_r_ir_rx_clk, "bus-r-ir-rx",
+ &r_apb0_clk.common.hw, 0x1cc, BIT(0), 0);
+
+ static SUNXI_CCU_GATE_HW(bus_r_dma_clk, "bus-r-dma",
+- &r_apb0_clk.common.hw, 0x1dc, BIT(0), 0);
++ &r_apb0_clk.common.hw, 0x1dc, BIT(0), CLK_IS_CRITICAL);
+ static SUNXI_CCU_GATE_HW(bus_r_rtc_clk, "bus-r-rtc",
+ &r_apb0_clk.common.hw, 0x20c, BIT(0), 0);
+ static SUNXI_CCU_GATE_HW(bus_r_cpucfg_clk, "bus-r-cpucfg",
+--
+2.51.0
+
--- /dev/null
+From 6121737f6e125b2aac103eb8819ea9983a267cc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 14:05:49 +0200
+Subject: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit f94c1a114ac209977bdf5ca841b98424295ab1f0 ]
+
+The function devl_rate_nodes_destroy is documented to "Unset parent for
+all rate objects". However, it was only calling the driver-specific
+`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing
+the parent's refcount, without actually setting the
+`devlink_rate->parent` pointer to NULL.
+
+This leaves a dangling pointer in the `devlink_rate` struct, which cause
+refcount error in netdevsim[1] and mlx5[2]. In addition, this is
+inconsistent with the behavior of `devlink_nl_rate_parent_node_set`,
+where the parent pointer is correctly cleared.
+
+This patch fixes the issue by explicitly setting `devlink_rate->parent`
+to NULL after notifying the driver, thus fulfilling the function's
+documented behavior for all rate objects.
+
+[1]
+repro steps:
+echo 1 > /sys/bus/netdevsim/new_device
+devlink dev eswitch set netdevsim/netdevsim1 mode switchdev
+echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs
+devlink port function rate add netdevsim/netdevsim1/test_node
+devlink port function rate set netdevsim/netdevsim1/128 parent test_node
+echo 1 > /sys/bus/netdevsim/del_device
+
+dmesg:
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
+CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x42/0xe0
+Call Trace:
+ <TASK>
+ devl_rate_leaf_destroy+0x8d/0x90
+ __nsim_dev_port_del+0x6c/0x70 [netdevsim]
+ nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]
+ nsim_drv_remove+0x2b/0xb0 [netdevsim]
+ device_release_driver_internal+0x194/0x1f0
+ bus_remove_device+0xc6/0x130
+ device_del+0x159/0x3c0
+ device_unregister+0x1a/0x60
+ del_device_store+0x111/0x170 [netdevsim]
+ kernfs_fop_write_iter+0x12e/0x1e0
+ vfs_write+0x215/0x3d0
+ ksys_write+0x5f/0xd0
+ do_syscall_64+0x55/0x10f0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[2]
+devlink dev eswitch set pci/0000:08:00.0 mode switchdev
+devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000
+devlink port function rate add pci/0000:08:00.0/group1
+devlink port function rate set pci/0000:08:00.0/32768 parent group1
+modprobe -r mlx5_ib mlx5_fwctl mlx5_core
+
+dmesg:
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
+CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x42/0xe0
+Call Trace:
+ <TASK>
+ devl_rate_leaf_destroy+0x8d/0x90
+ mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]
+ mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]
+ mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]
+ mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]
+ notifier_call_chain+0x33/0xa0
+ blocking_notifier_call_chain+0x3b/0x50
+ mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]
+ mlx5_eswitch_disable+0x63/0x90 [mlx5_core]
+ mlx5_unload+0x1d/0x170 [mlx5_core]
+ mlx5_uninit_one+0xa2/0x130 [mlx5_core]
+ remove_one+0x78/0xd0 [mlx5_core]
+ pci_device_remove+0x39/0xa0
+ device_release_driver_internal+0x194/0x1f0
+ unbind_store+0x99/0xa0
+ kernfs_fop_write_iter+0x12e/0x1e0
+ vfs_write+0x215/0x3d0
+ ksys_write+0x5f/0xd0
+ do_syscall_64+0x53/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: d75559845078 ("devlink: Allow setting parent node of rate objects")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1763381149-1234377-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/devlink/rate.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/devlink/rate.c b/net/devlink/rate.c
+index 264fb82cba196..d157a8419bcad 100644
+--- a/net/devlink/rate.c
++++ b/net/devlink/rate.c
+@@ -828,13 +828,15 @@ void devl_rate_nodes_destroy(struct devlink *devlink)
+ if (!devlink_rate->parent)
+ continue;
+
+- refcount_dec(&devlink_rate->parent->refcnt);
+ if (devlink_rate_is_leaf(devlink_rate))
+ ops->rate_leaf_parent_set(devlink_rate, NULL, devlink_rate->priv,
+ NULL, NULL);
+ else if (devlink_rate_is_node(devlink_rate))
+ ops->rate_node_parent_set(devlink_rate, NULL, devlink_rate->priv,
+ NULL, NULL);
++
++ refcount_dec(&devlink_rate->parent->refcnt);
++ devlink_rate->parent = NULL;
+ }
+ list_for_each_entry_safe(devlink_rate, tmp, &devlink->rate_list, list) {
+ if (devlink_rate_is_node(devlink_rate)) {
+--
+2.51.0
+
--- /dev/null
+From de9578803067ed0b27af908b1d14890428b0aca6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 20:33:16 +0530
+Subject: drm/i915/display: Add definition for wcl as subplatform
+
+From: Dnyaneshwar Bhadane <dnyaneshwar.bhadane@intel.com>
+
+[ Upstream commit 913253ed47b9925454cbb17faa3e350015b3d67a ]
+
+We will need to differentiate between WCL and PTL in
+intel_encoder_is_c10phy(). Since WCL and PTL use the same display
+architecture, let's define WCL as a subplatform of PTL to allow the
+differentiation.
+
+v2: Update commit message and reorder wcl define (Gustavo)
+
+Fixes: 3c0f211bc8fc ("drm/xe: Add Wildcat Lake device IDs to PTL list")
+Signed-off-by: Dnyaneshwar Bhadane <dnyaneshwar.bhadane@intel.com>
+Reviewed-by: Gustavo Sousa <gustavo.sousa@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://lore.kernel.org/r/20250922150317.2334680-3-dnyaneshwar.bhadane@intel.com
+(cherry picked from commit 4dfaae643e59cf3ab71b88689dce1b874f036f00)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+[Rodrigo added Fixes tag when porting it to fixes]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_display_device.c | 12 ++++++++++++
+ drivers/gpu/drm/i915/display/intel_display_device.h | 4 +++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_display_device.c b/drivers/gpu/drm/i915/display/intel_display_device.c
+index 9023c15f3645d..f7ea4ed2b176b 100644
+--- a/drivers/gpu/drm/i915/display/intel_display_device.c
++++ b/drivers/gpu/drm/i915/display/intel_display_device.c
+@@ -1391,8 +1391,20 @@ static const struct platform_desc bmg_desc = {
+ PLATFORM_GROUP(dgfx),
+ };
+
++static const u16 wcl_ids[] = {
++ INTEL_WCL_IDS(ID),
++ 0
++};
++
+ static const struct platform_desc ptl_desc = {
+ PLATFORM(pantherlake),
++ .subplatforms = (const struct subplatform_desc[]) {
++ {
++ SUBPLATFORM(pantherlake, wildcatlake),
++ .pciidlist = wcl_ids,
++ },
++ {},
++ }
+ };
+
+ __diag_pop();
+diff --git a/drivers/gpu/drm/i915/display/intel_display_device.h b/drivers/gpu/drm/i915/display/intel_display_device.h
+index 4308822f0415d..dddafb54188a6 100644
+--- a/drivers/gpu/drm/i915/display/intel_display_device.h
++++ b/drivers/gpu/drm/i915/display/intel_display_device.h
+@@ -102,7 +102,9 @@ struct pci_dev;
+ /* Display ver 14.1 (based on GMD ID) */ \
+ func(battlemage) \
+ /* Display ver 30 (based on GMD ID) */ \
+- func(pantherlake)
++ func(pantherlake) \
++ func(pantherlake_wildcatlake)
++
+
+ #define __MEMBER(name) unsigned long name:1;
+ #define __COUNT(x) 1 +
+--
+2.51.0
+
--- /dev/null
+From edc825bbdfcc229900df90174d7e5c9c856fe508 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 20:33:17 +0530
+Subject: drm/i915/xe3: Restrict PTL intel_encoder_is_c10phy() to only PHY A
+
+From: Dnyaneshwar Bhadane <dnyaneshwar.bhadane@intel.com>
+
+[ Upstream commit 5474560381775bc70cc90ed2acefad48ffd6ee07 ]
+
+On PTL, no combo PHY is connected to PORT B. However, PORT B can
+still be used for Type-C and will utilize the C20 PHY for eDP
+over Type-C. In such configurations, VBTs also enumerate PORT B.
+
+This leads to issues where PORT B is incorrectly identified as using the
+C10 PHY, due to the assumption that returning true for PORT B in
+intel_encoder_is_c10phy() would not cause problems.
+
+From PTL's perspective, only PORT A/PHY A uses the C10 PHY.
+
+Update the helper intel_encoder_is_c10phy() to return true only for
+PORT A/PHY on PTL.
+
+v2: Change the condition code style for ptl/wcl
+
+Bspec: 72571,73944
+Fixes: 9d10de78a37f ("drm/i915/wcl: C10 phy connected to port A and B")
+Signed-off-by: Dnyaneshwar Bhadane <dnyaneshwar.bhadane@intel.com>
+Reviewed-by: Gustavo Sousa <gustavo.sousa@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://lore.kernel.org/r/20250922150317.2334680-4-dnyaneshwar.bhadane@intel.com
+(cherry picked from commit 8147f7a1c083fd565fb958824f7c552de3b2dc46)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_cx0_phy.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_cx0_phy.c b/drivers/gpu/drm/i915/display/intel_cx0_phy.c
+index 801235a5bc0a3..a2d2cecf71217 100644
+--- a/drivers/gpu/drm/i915/display/intel_cx0_phy.c
++++ b/drivers/gpu/drm/i915/display/intel_cx0_phy.c
+@@ -39,14 +39,12 @@ bool intel_encoder_is_c10phy(struct intel_encoder *encoder)
+ struct intel_display *display = to_intel_display(encoder);
+ enum phy phy = intel_encoder_to_phy(encoder);
+
+- /* PTL doesn't have a PHY connected to PORT B; as such,
+- * there will never be a case where PTL uses PHY B.
+- * WCL uses PORT A and B with the C10 PHY.
+- * Reusing the condition for WCL and extending it for PORT B
+- * should not cause any issues for PTL.
+- */
+- if (display->platform.pantherlake && phy < PHY_C)
+- return true;
++ if (display->platform.pantherlake) {
++ if (display->platform.pantherlake_wildcatlake)
++ return phy <= PHY_B;
++ else
++ return phy == PHY_A;
++ }
+
+ if ((display->platform.lunarlake || display->platform.meteorlake) && phy < PHY_C)
+ return true;
+--
+2.51.0
+
--- /dev/null
+From e859338c20c359a50c33dc96bda061a7edeb89c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 18:45:17 +0530
+Subject: drm/i915/xe3lpd: Load DMC for Xe3_LPD version 30.02
+
+From: Dnyaneshwar Bhadane <dnyaneshwar.bhadane@intel.com>
+
+[ Upstream commit fa766e759ff7b128ab77323d9d9c232434621bb6 ]
+
+Load the DMC for Xe3_LPD version 30.02.
+
+Fixes: 3c0f211bc8fc ("drm/xe: Add Wildcat Lake device IDs to PTL list")
+Signed-off-by: Dnyaneshwar Bhadane <dnyaneshwar.bhadane@intel.com>
+Reviewed-by: Gustavo Sousa <gustavo.sousa@intel.com>
+Reviewed-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
+Link: https://lore.kernel.org/r/20251016131517.2032684-1-dnyaneshwar.bhadane@intel.com
+Signed-off-by: Gustavo Sousa <gustavo.sousa@intel.com>
+(cherry picked from commit a63db39a578b543f5e5719b9f14dd82d3b8648d1)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+[Rodrigo added the Fixes tag while cherry-picking to fixes]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_dmc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_dmc.c b/drivers/gpu/drm/i915/display/intel_dmc.c
+index 4aa2aa6379787..8ec06a734d8e3 100644
+--- a/drivers/gpu/drm/i915/display/intel_dmc.c
++++ b/drivers/gpu/drm/i915/display/intel_dmc.c
+@@ -127,6 +127,9 @@ static bool dmc_firmware_param_disabled(struct intel_display *display)
+ #define DISPLAY_VER13_DMC_MAX_FW_SIZE 0x20000
+ #define DISPLAY_VER12_DMC_MAX_FW_SIZE ICL_DMC_MAX_FW_SIZE
+
++#define XE3LPD_3002_DMC_PATH DMC_PATH(xe3lpd_3002)
++MODULE_FIRMWARE(XE3LPD_3002_DMC_PATH);
++
+ #define XE3LPD_DMC_PATH DMC_PATH(xe3lpd)
+ MODULE_FIRMWARE(XE3LPD_DMC_PATH);
+
+@@ -183,9 +186,10 @@ static const char *dmc_firmware_default(struct intel_display *display, u32 *size
+ {
+ const char *fw_path = NULL;
+ u32 max_fw_size = 0;
+-
+- if (DISPLAY_VERx100(display) == 3002 ||
+- DISPLAY_VERx100(display) == 3000) {
++ if (DISPLAY_VERx100(display) == 3002) {
++ fw_path = XE3LPD_3002_DMC_PATH;
++ max_fw_size = XE2LPD_DMC_MAX_FW_SIZE;
++ } else if (DISPLAY_VERx100(display) == 3000) {
+ fw_path = XE3LPD_DMC_PATH;
+ max_fw_size = XE2LPD_DMC_MAX_FW_SIZE;
+ } else if (DISPLAY_VERx100(display) == 2000) {
+--
+2.51.0
+
--- /dev/null
+From 49cf9b5956c805e8e95142e023de5156c40edf70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Oct 2025 08:35:41 -0700
+Subject: drm/msm: Fix pgtable prealloc error path
+
+From: Rob Clark <robin.clark@oss.qualcomm.com>
+
+[ Upstream commit 830d68f2cb8ab6fb798bb9555016709a9e012af0 ]
+
+The following splat was reported:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
+ Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=00000008d0fd8000
+ [0000000000000010] pgd=0000000000000000, p4d=0000000000000000
+ Internal error: Oops: 0000000096000004 [#1] SMP
+ CPU: 5 UID: 1000 PID: 149076 Comm: Xwayland Tainted: G S 6.16.0-rc2-00809-g0b6974bb4134-dirty #367 PREEMPT
+ Tainted: [S]=CPU_OUT_OF_SPEC
+ Hardware name: Qualcomm Technologies, Inc. SM8650 HDK (DT)
+ pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
+ pc : build_detached_freelist+0x28/0x224
+ lr : kmem_cache_free_bulk.part.0+0x38/0x244
+ sp : ffff000a508c7a20
+ x29: ffff000a508c7a20 x28: ffff000a508c7d50 x27: ffffc4e49d16f350
+ x26: 0000000000000058 x25: 00000000fffffffc x24: 0000000000000000
+ x23: ffff00098c4e1450 x22: 00000000fffffffc x21: 0000000000000000
+ x20: ffff000a508c7af8 x19: 0000000000000002 x18: 00000000000003e8
+ x17: ffff000809523850 x16: ffff000809523820 x15: 0000000000401640
+ x14: ffff000809371140 x13: 0000000000000130 x12: ffff0008b5711e30
+ x11: 00000000001058fa x10: 0000000000000a80 x9 : ffff000a508c7940
+ x8 : ffff000809371ba0 x7 : 781fffe033087fff x6 : 0000000000000000
+ x5 : ffff0008003cd000 x4 : 781fffe033083fff x3 : ffff000a508c7af8
+ x2 : fffffdffc0000000 x1 : 0001000000000000 x0 : ffff0008001a6a00
+ Call trace:
+ build_detached_freelist+0x28/0x224 (P)
+ kmem_cache_free_bulk.part.0+0x38/0x244
+ kmem_cache_free_bulk+0x10/0x1c
+ msm_iommu_pagetable_prealloc_cleanup+0x3c/0xd0
+ msm_vma_job_free+0x30/0x240
+ msm_ioctl_vm_bind+0x1d0/0x9a0
+ drm_ioctl_kernel+0x84/0x104
+ drm_ioctl+0x358/0x4d4
+ __arm64_sys_ioctl+0x8c/0xe0
+ invoke_syscall+0x44/0x100
+ el0_svc_common.constprop.0+0x3c/0xe0
+ do_el0_svc+0x18/0x20
+ el0_svc+0x30/0x100
+ el0t_64_sync_handler+0x104/0x130
+ el0t_64_sync+0x170/0x174
+ Code: aa0203f5 b26287e2 f2dfbfe2 aa0303f4 (f8737ab6)
+ ---[ end trace 0000000000000000 ]---
+
+Since msm_vma_job_free() is called directly from the ioctl, this looks
+like an error path cleanup issue. Which I think results from
+prealloc_cleanup() called without a preceding successful
+prealloc_allocate() call. So handle that case better.
+
+Reported-by: Connor Abbott <cwabbott0@gmail.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/678677/
+Message-ID: <20251006153542.419998-1-robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_iommu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c
+index 76cdd5ea06a02..10ef47ffb787a 100644
+--- a/drivers/gpu/drm/msm/msm_iommu.c
++++ b/drivers/gpu/drm/msm/msm_iommu.c
+@@ -338,6 +338,8 @@ msm_iommu_pagetable_prealloc_allocate(struct msm_mmu *mmu, struct msm_mmu_preall
+
+ ret = kmem_cache_alloc_bulk(pt_cache, GFP_KERNEL, p->count, p->pages);
+ if (ret != p->count) {
++ kfree(p->pages);
++ p->pages = NULL;
+ p->count = ret;
+ return -ENOMEM;
+ }
+@@ -351,6 +353,9 @@ msm_iommu_pagetable_prealloc_cleanup(struct msm_mmu *mmu, struct msm_mmu_preallo
+ struct kmem_cache *pt_cache = get_pt_cache(mmu);
+ uint32_t remaining_pt_count = p->count - p->ptr;
+
++ if (!p->pages)
++ return;
++
+ if (p->count > 0)
+ trace_msm_mmu_prealloc_cleanup(p->count, remaining_pt_count);
+
+--
+2.51.0
+
--- /dev/null
+From c2fba8452ea6a98af5477e63fb7d69d21d27df2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 20:33:15 +0530
+Subject: drm/pcids: Split PTL pciids group to make wcl subplatform
+
+From: Dnyaneshwar Bhadane <dnyaneshwar.bhadane@intel.com>
+
+[ Upstream commit 6eb2e056b0e418718fc5a3cfe79bdb41d9a2851d ]
+
+To form the WCL platform as a subplatform of PTL in definition,
+WCL pci ids are splited into saparate group from PTL.
+So update the pciidlist struct to cover all the pci ids.
+
+v2:
+- Squash wcl description in single patch for display and xe.(jani,gustavo)
+
+Fixes: 3c0f211bc8fc ("drm/xe: Add Wildcat Lake device IDs to PTL list")
+Signed-off-by: Dnyaneshwar Bhadane <dnyaneshwar.bhadane@intel.com>
+Reviewed-by: Gustavo Sousa <gustavo.sousa@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://lore.kernel.org/r/20250922150317.2334680-2-dnyaneshwar.bhadane@intel.com
+(cherry picked from commit 32620e176443bf23ec81bfe8f177c6721a904864)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+[Rodrigo added the Fixes tag when porting it to fixes]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_display_device.c | 1 +
+ drivers/gpu/drm/xe/xe_pci.c | 1 +
+ include/drm/intel/pciids.h | 5 ++++-
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_display_device.c b/drivers/gpu/drm/i915/display/intel_display_device.c
+index 089cffabbad57..9023c15f3645d 100644
+--- a/drivers/gpu/drm/i915/display/intel_display_device.c
++++ b/drivers/gpu/drm/i915/display/intel_display_device.c
+@@ -1469,6 +1469,7 @@ static const struct {
+ INTEL_LNL_IDS(INTEL_DISPLAY_DEVICE, &lnl_desc),
+ INTEL_BMG_IDS(INTEL_DISPLAY_DEVICE, &bmg_desc),
+ INTEL_PTL_IDS(INTEL_DISPLAY_DEVICE, &ptl_desc),
++ INTEL_WCL_IDS(INTEL_DISPLAY_DEVICE, &ptl_desc),
+ };
+
+ static const struct {
+diff --git a/drivers/gpu/drm/xe/xe_pci.c b/drivers/gpu/drm/xe/xe_pci.c
+index 6c2637fc8f1ab..47236457e6a3b 100644
+--- a/drivers/gpu/drm/xe/xe_pci.c
++++ b/drivers/gpu/drm/xe/xe_pci.c
+@@ -367,6 +367,7 @@ static const struct pci_device_id pciidlist[] = {
+ INTEL_LNL_IDS(INTEL_VGA_DEVICE, &lnl_desc),
+ INTEL_BMG_IDS(INTEL_VGA_DEVICE, &bmg_desc),
+ INTEL_PTL_IDS(INTEL_VGA_DEVICE, &ptl_desc),
++ INTEL_WCL_IDS(INTEL_VGA_DEVICE, &ptl_desc),
+ { }
+ };
+ MODULE_DEVICE_TABLE(pci, pciidlist);
+diff --git a/include/drm/intel/pciids.h b/include/drm/intel/pciids.h
+index 76f8d26f9cc9d..97fde8356fb23 100644
+--- a/include/drm/intel/pciids.h
++++ b/include/drm/intel/pciids.h
+@@ -872,7 +872,10 @@
+ MACRO__(0xB08F, ## __VA_ARGS__), \
+ MACRO__(0xB090, ## __VA_ARGS__), \
+ MACRO__(0xB0A0, ## __VA_ARGS__), \
+- MACRO__(0xB0B0, ## __VA_ARGS__), \
++ MACRO__(0xB0B0, ## __VA_ARGS__)
++
++/* WCL */
++#define INTEL_WCL_IDS(MACRO__, ...) \
+ MACRO__(0xFD80, ## __VA_ARGS__), \
+ MACRO__(0xFD81, ## __VA_ARGS__)
+
+--
+2.51.0
+
--- /dev/null
+From c1b62307f45c4478c627a698fd21cdae1a8105eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Sep 2025 13:25:40 +0900
+Subject: drm/tegra: Add call to put_pid()
+
+From: Prateek Agarwal <praagarwal@nvidia.com>
+
+[ Upstream commit 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a ]
+
+Add a call to put_pid() corresponding to get_task_pid().
+host1x_memory_context_alloc() does not take ownership of the PID so we
+need to free it here to avoid leaking.
+
+Signed-off-by: Prateek Agarwal <praagarwal@nvidia.com>
+Fixes: e09db97889ec ("drm/tegra: Support context isolation")
+[mperttunen@nvidia.com: reword commit message]
+Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20250919-host1x-put-pid-v1-1-19c2163dfa87@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/uapi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c
+index 5adab6b229164..d0b6a1fa6efad 100644
+--- a/drivers/gpu/drm/tegra/uapi.c
++++ b/drivers/gpu/drm/tegra/uapi.c
+@@ -114,9 +114,12 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_
+ if (err)
+ goto put_channel;
+
+- if (supported)
++ if (supported) {
++ struct pid *pid = get_task_pid(current, PIDTYPE_TGID);
+ context->memory_context = host1x_memory_context_alloc(
+- host, client->base.dev, get_task_pid(current, PIDTYPE_TGID));
++ host, client->base.dev, pid);
++ put_pid(pid);
++ }
+
+ if (IS_ERR(context->memory_context)) {
+ if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) {
+--
+2.51.0
+
--- /dev/null
+From 02056001cea7199271f18bceffb7b084e5a94ae1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Nov 2025 14:01:41 +0530
+Subject: drm/xe/irq: Handle msix vector0 interrupt
+
+From: Venkata Ramana Nayana <venkata.ramana.nayana@intel.com>
+
+[ Upstream commit 5b38c22687d9287d85dd3bef2fa708bf62cf3895 ]
+
+Current gu2host handler registered as MSI-X vector 0 and as per bspec for
+a msix vector 0 interrupt, the driver must check the legacy registers
+190008(TILE_INT_REG), 190060h (GT INTR Identity Reg 0) and other registers
+mentioned in "Interrupt Service Routine Pseudocode" otherwise it will block
+the next interrupts. To overcome this issue replacing guc2host handler
+with legacy xe_irq_handler.
+
+Fixes: da889070be7b2 ("drm/xe/irq: Separate MSI and MSI-X flows")
+Bspec: 62357
+Signed-off-by: Venkata Ramana Nayana <venkata.ramana.nayana@intel.com>
+Reviewed-by: Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>
+Link: https://patch.msgid.link/20251107083141.2080189-1-venkata.ramana.nayana@intel.com
+Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
+(cherry picked from commit c34a14bce7090862ebe5a64abe8d85df75e62737)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_irq.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_irq.c b/drivers/gpu/drm/xe/xe_irq.c
+index 5df5b8c2a3e4d..da22f083e86a7 100644
+--- a/drivers/gpu/drm/xe/xe_irq.c
++++ b/drivers/gpu/drm/xe/xe_irq.c
+@@ -843,22 +843,6 @@ static int xe_irq_msix_init(struct xe_device *xe)
+ return 0;
+ }
+
+-static irqreturn_t guc2host_irq_handler(int irq, void *arg)
+-{
+- struct xe_device *xe = arg;
+- struct xe_tile *tile;
+- u8 id;
+-
+- if (!atomic_read(&xe->irq.enabled))
+- return IRQ_NONE;
+-
+- for_each_tile(tile, xe, id)
+- xe_guc_irq_handler(&tile->primary_gt->uc.guc,
+- GUC_INTR_GUC2HOST);
+-
+- return IRQ_HANDLED;
+-}
+-
+ static irqreturn_t xe_irq_msix_default_hwe_handler(int irq, void *arg)
+ {
+ unsigned int tile_id, gt_id;
+@@ -975,7 +959,7 @@ int xe_irq_msix_request_irqs(struct xe_device *xe)
+ u16 msix;
+
+ msix = GUC2HOST_MSIX;
+- err = xe_irq_msix_request_irq(xe, guc2host_irq_handler, xe,
++ err = xe_irq_msix_request_irq(xe, xe_irq_handler(xe), xe,
+ DRIVER_NAME "-guc2host", false, &msix);
+ if (err)
+ return err;
+--
+2.51.0
+
--- /dev/null
+From cc5db707831b2bbfd1af185df5bb2edf3781debd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 15:40:39 -0800
+Subject: drm/xe/kunit: Fix forcewake assertion in mocs test
+
+From: Matt Roper <matthew.d.roper@intel.com>
+
+[ Upstream commit 905a3468ec679293949438393de7e61310432662 ]
+
+The MOCS kunit test calls KUNIT_ASSERT_TRUE_MSG() with a condition of
+'true;' this prevents the assertion from ever failing. Replace
+KUNIT_ASSERT_TRUE_MSG with KUNIT_FAIL_AND_ABORT to get the intended
+failure behavior in cases where forcewake was not acquired successfully.
+
+Fixes: 51c0ee84e4dc ("drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs")
+Cc: Tejas Upadhyay <tejas.upadhyay@intel.com>
+Cc: Gustavo Sousa <gustavo.sousa@intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Reviewed-by: Gustavo Sousa <gustavo.sousa@intel.com>
+Link: https://patch.msgid.link/20251113234038.2256106-2-matthew.d.roper@intel.com
+Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
+(cherry picked from commit 9be4f0f687048ba77428ceca11994676736507b7)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/tests/xe_mocs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/tests/xe_mocs.c b/drivers/gpu/drm/xe/tests/xe_mocs.c
+index 0e502feaca818..6bb278167aaf6 100644
+--- a/drivers/gpu/drm/xe/tests/xe_mocs.c
++++ b/drivers/gpu/drm/xe/tests/xe_mocs.c
+@@ -49,7 +49,7 @@ static void read_l3cc_table(struct xe_gt *gt,
+ fw_ref = xe_force_wake_get(gt_to_fw(gt), XE_FORCEWAKE_ALL);
+ if (!xe_force_wake_ref_has_domain(fw_ref, XE_FORCEWAKE_ALL)) {
+ xe_force_wake_put(gt_to_fw(gt), fw_ref);
+- KUNIT_ASSERT_TRUE_MSG(test, true, "Forcewake Failed.\n");
++ KUNIT_FAIL_AND_ABORT(test, "Forcewake Failed.\n");
+ }
+
+ for (i = 0; i < info->num_mocs_regs; i++) {
+--
+2.51.0
+
--- /dev/null
+From 00187ba251ed7635118e92d4a36c92dfb290ec84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 16:08:42 +0100
+Subject: gpio: cdev: make sure the cdev fd is still active before emitting
+ events
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64 ]
+
+With the final call to fput() on a file descriptor, the release action
+may be deferred and scheduled on a work queue. The reference count of
+that descriptor is still zero and it must not be used. It's possible
+that a GPIO change, we want to notify the user-space about, happens
+AFTER the reference count on the file descriptor associated with the
+character device went down to zero but BEFORE the .release() callback
+was called from the workqueue and so BEFORE we unregistered from the
+notifier.
+
+Using the regular get_file() routine in this situation triggers the
+following warning:
+
+ struct file::f_count incremented from zero; use-after-free condition present!
+
+So use the get_file_active() variant that will return NULL on file
+descriptors that have been or are being released.
+
+Fixes: 40b7c49950bd ("gpio: cdev: put emitting the line state events on a workqueue")
+Reported-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Closes: https://lore.kernel.org/all/5d605f7fc99456804911403102a4fe999a14cc85.camel@siemens.com/
+Tested-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Link: https://lore.kernel.org/r/20251117-gpio-cdev-get-file-v1-1-28a16b5985b8@linaro.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
+index e6a289fa0f8fd..6a52d812e4e7c 100644
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -2548,10 +2548,17 @@ static int lineinfo_changed_notify(struct notifier_block *nb,
+ container_of(nb, struct gpio_chardev_data, lineinfo_changed_nb);
+ struct lineinfo_changed_ctx *ctx;
+ struct gpio_desc *desc = data;
++ struct file *fp;
+
+ if (!test_bit(gpio_chip_hwgpio(desc), cdev->watched_lines))
+ return NOTIFY_DONE;
+
++ /* Keep the file descriptor alive for the duration of the notification. */
++ fp = get_file_active(&cdev->fp);
++ if (!fp)
++ /* Chardev file descriptor was or is being released. */
++ return NOTIFY_DONE;
++
+ /*
+ * If this is called from atomic context (for instance: with a spinlock
+ * taken by the atomic notifier chain), any sleeping calls must be done
+@@ -2575,8 +2582,6 @@ static int lineinfo_changed_notify(struct notifier_block *nb,
+ /* Keep the GPIO device alive until we emit the event. */
+ ctx->gdev = gpio_device_get(desc->gdev);
+ ctx->cdev = cdev;
+- /* Keep the file descriptor alive too. */
+- get_file(ctx->cdev->fp);
+
+ INIT_WORK(&ctx->work, lineinfo_changed_func);
+ queue_work(ctx->gdev->line_state_wq, &ctx->work);
+--
+2.51.0
+
--- /dev/null
+From 4853411bc03c623b435f8ca06cb7dcd76dbd37db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 12:02:16 +0200
+Subject: ice: fix PTP cleanup on driver removal in error path
+
+From: Grzegorz Nitka <grzegorz.nitka@intel.com>
+
+[ Upstream commit 23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0 ]
+
+Improve the cleanup on releasing PTP resources in error path.
+The error case might happen either at the driver probe and PTP
+feature initialization or on PTP restart (errors in reset handling, NVM
+update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf
+function) and 'ps_lock' mutex deinitialization were missed.
+Additionally, ptp clock was not unregistered in the latter case.
+
+Keep PTP state as 'uninitialized' on init to distinguish between error
+scenarios and to avoid resource release duplication at driver removal.
+
+The consequence of missing ice_ptp_cleanup_pf call is the following call
+trace dumped when ice_adapter object is freed (port list is not empty,
+as it is required at this stage):
+
+[ T93022] ------------[ cut here ]------------
+[ T93022] WARNING: CPU: 10 PID: 93022 at
+ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]
+...
+[ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]
+...
+[ T93022] Call Trace:
+[ T93022] <TASK>
+[ T93022] ? ice_adapter_put+0xef/0x100 [ice
+33d2647ad4f6d866d41eefff1806df37c68aef0c]
+[ T93022] ? __warn.cold+0xb0/0x10e
+[ T93022] ? ice_adapter_put+0xef/0x100 [ice
+33d2647ad4f6d866d41eefff1806df37c68aef0c]
+[ T93022] ? report_bug+0xd8/0x150
+[ T93022] ? handle_bug+0xe9/0x110
+[ T93022] ? exc_invalid_op+0x17/0x70
+[ T93022] ? asm_exc_invalid_op+0x1a/0x20
+[ T93022] ? ice_adapter_put+0xef/0x100 [ice
+33d2647ad4f6d866d41eefff1806df37c68aef0c]
+[ T93022] pci_device_remove+0x42/0xb0
+[ T93022] device_release_driver_internal+0x19f/0x200
+[ T93022] driver_detach+0x48/0x90
+[ T93022] bus_remove_driver+0x70/0xf0
+[ T93022] pci_unregister_driver+0x42/0xb0
+[ T93022] ice_module_exit+0x10/0xdb0 [ice
+33d2647ad4f6d866d41eefff1806df37c68aef0c]
+...
+[ T93022] ---[ end trace 0000000000000000 ]---
+[ T93022] ice: module unloaded
+
+Fixes: e800654e85b5 ("ice: Use ice_adapter for PTP shared data instead of auxdev")
+Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
+index fb0f6365a6d6f..8ec0f7d0fcebd 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -3246,7 +3246,7 @@ void ice_ptp_init(struct ice_pf *pf)
+
+ err = ice_ptp_init_port(pf, &ptp->port);
+ if (err)
+- goto err_exit;
++ goto err_clean_pf;
+
+ /* Start the PHY timestamping block */
+ ice_ptp_reset_phy_timestamping(pf);
+@@ -3263,13 +3263,19 @@ void ice_ptp_init(struct ice_pf *pf)
+ dev_info(ice_pf_to_dev(pf), "PTP init successful\n");
+ return;
+
++err_clean_pf:
++ mutex_destroy(&ptp->port.ps_lock);
++ ice_ptp_cleanup_pf(pf);
+ err_exit:
+ /* If we registered a PTP clock, release it */
+ if (pf->ptp.clock) {
+ ptp_clock_unregister(ptp->clock);
+ pf->ptp.clock = NULL;
+ }
+- ptp->state = ICE_PTP_ERROR;
++ /* Keep ICE_PTP_UNINIT state to avoid ambiguity at driver unload
++ * and to avoid duplicated resources release.
++ */
++ ptp->state = ICE_PTP_UNINIT;
+ dev_err(ice_pf_to_dev(pf), "PTP failed %d\n", err);
+ }
+
+@@ -3282,9 +3288,19 @@ void ice_ptp_init(struct ice_pf *pf)
+ */
+ void ice_ptp_release(struct ice_pf *pf)
+ {
+- if (pf->ptp.state != ICE_PTP_READY)
++ if (pf->ptp.state == ICE_PTP_UNINIT)
+ return;
+
++ if (pf->ptp.state != ICE_PTP_READY) {
++ mutex_destroy(&pf->ptp.port.ps_lock);
++ ice_ptp_cleanup_pf(pf);
++ if (pf->ptp.clock) {
++ ptp_clock_unregister(pf->ptp.clock);
++ pf->ptp.clock = NULL;
++ }
++ return;
++ }
++
+ pf->ptp.state = ICE_PTP_UNINIT;
+
+ /* Disable timestamping for both Tx and Rx */
+--
+2.51.0
+
--- /dev/null
+From d5b113f54c6374a910161f8853e2eed47ab729a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 08:08:24 -0700
+Subject: idpf: fix possible vport_config NULL pointer deref in remove
+
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+
+[ Upstream commit 118082368c2b6ddefe6cb607efc312285148f044 ]
+
+Attempting to remove the driver will cause a crash in cases where
+the vport failed to initialize. Following trace is from an instance where
+the driver failed during an attempt to create a VF:
+[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated
+[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)
+[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028
+...
+[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]
+...
+[ 1723.364973] Call Trace:
+[ 1723.365475] <TASK>
+[ 1723.365972] pci_device_remove+0x42/0xb0
+[ 1723.366481] device_release_driver_internal+0x1a9/0x210
+[ 1723.366987] pci_stop_bus_device+0x6d/0x90
+[ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20
+[ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120
+[ 1723.368309] sriov_disable+0x34/0xe0
+[ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf]
+[ 1723.368982] sriov_numvfs_store+0xda/0x1c0
+
+Avoid the NULL pointer dereference by adding NULL pointer check for
+vport_config[i], before freeing user_config.q_coalesce.
+
+Fixes: e1e3fec3e34b ("idpf: preserve coalescing settings across resets")
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Reviewed-by: Chittim Madhu <madhu.chittim@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_main.c b/drivers/net/ethernet/intel/idpf/idpf_main.c
+index dfe9126f1f4ab..1088cbbcf9487 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_main.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_main.c
+@@ -62,6 +62,8 @@ static void idpf_remove(struct pci_dev *pdev)
+ destroy_workqueue(adapter->vc_event_wq);
+
+ for (i = 0; i < adapter->max_vports; i++) {
++ if (!adapter->vport_config[i])
++ continue;
+ kfree(adapter->vport_config[i]->user_config.q_coalesce);
+ kfree(adapter->vport_config[i]);
+ adapter->vport_config[i] = NULL;
+--
+2.51.0
+
--- /dev/null
+From 4a45cc97f97ab54274c532541c4f8d332a3a352a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 17:49:32 +0200
+Subject: kconfig/mconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ]
+
+Fix bug where make menuconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/mconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c
+index 84ea9215c0a7e..b8b7bba84a651 100644
+--- a/scripts/kconfig/mconf.c
++++ b/scripts/kconfig/mconf.c
+@@ -12,6 +12,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <limits.h>
++#include <locale.h>
+ #include <stdarg.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -931,6 +932,8 @@ int main(int ac, char **av)
+
+ signal(SIGINT, sig_handler);
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ silent = 1;
+ /* Silence conf_read() until the real callback is set up */
+--
+2.51.0
+
--- /dev/null
+From 1f3a20c760336b05f7526e9f956b459aea4c9b0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 16:44:06 +0200
+Subject: kconfig/nconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ]
+
+Fix bug where make nconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index ae1fe5f603270..521700ed71524 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -7,6 +7,7 @@
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
++#include <locale.h>
+ #include <string.h>
+ #include <strings.h>
+ #include <stdlib.h>
+@@ -1478,6 +1479,8 @@ int main(int ac, char **av)
+ int lines, columns;
+ char *mode;
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ /* Silence conf_read() until the real callback is set up */
+ conf_set_message_callback(NULL);
+--
+2.51.0
+
--- /dev/null
+From b24890369836616da4a3c51c780063a7d18836e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 14:42:05 +0800
+Subject: LoongArch: Use UAPI types in ptrace UAPI header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 20d7338f2d3bcb570068dd6d39b16f1a909fe976 ]
+
+The kernel UAPI headers already contain fixed-width integer types, there
+is no need to rely on the libc types. There may not be a libc available
+or the libc may not provides the <stdint.h>, like for example on nolibc.
+
+This also aligns the header with the rest of the LoongArch UAPI headers.
+
+Fixes: 803b0fc5c3f2 ("LoongArch: Add process management")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/include/uapi/asm/ptrace.h | 40 +++++++++++-------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+diff --git a/arch/loongarch/include/uapi/asm/ptrace.h b/arch/loongarch/include/uapi/asm/ptrace.h
+index aafb3cd9e943e..215e0f9e8aa32 100644
+--- a/arch/loongarch/include/uapi/asm/ptrace.h
++++ b/arch/loongarch/include/uapi/asm/ptrace.h
+@@ -10,10 +10,6 @@
+
+ #include <linux/types.h>
+
+-#ifndef __KERNEL__
+-#include <stdint.h>
+-#endif
+-
+ /*
+ * For PTRACE_{POKE,PEEK}USR. 0 - 31 are GPRs,
+ * 32 is syscall's original ARG0, 33 is PC, 34 is BADVADDR.
+@@ -41,44 +37,44 @@ struct user_pt_regs {
+ } __attribute__((aligned(8)));
+
+ struct user_fp_state {
+- uint64_t fpr[32];
+- uint64_t fcc;
+- uint32_t fcsr;
++ __u64 fpr[32];
++ __u64 fcc;
++ __u32 fcsr;
+ };
+
+ struct user_lsx_state {
+ /* 32 registers, 128 bits width per register. */
+- uint64_t vregs[32*2];
++ __u64 vregs[32*2];
+ };
+
+ struct user_lasx_state {
+ /* 32 registers, 256 bits width per register. */
+- uint64_t vregs[32*4];
++ __u64 vregs[32*4];
+ };
+
+ struct user_lbt_state {
+- uint64_t scr[4];
+- uint32_t eflags;
+- uint32_t ftop;
++ __u64 scr[4];
++ __u32 eflags;
++ __u32 ftop;
+ };
+
+ struct user_watch_state {
+- uint64_t dbg_info;
++ __u64 dbg_info;
+ struct {
+- uint64_t addr;
+- uint64_t mask;
+- uint32_t ctrl;
+- uint32_t pad;
++ __u64 addr;
++ __u64 mask;
++ __u32 ctrl;
++ __u32 pad;
+ } dbg_regs[8];
+ };
+
+ struct user_watch_state_v2 {
+- uint64_t dbg_info;
++ __u64 dbg_info;
+ struct {
+- uint64_t addr;
+- uint64_t mask;
+- uint32_t ctrl;
+- uint32_t pad;
++ __u64 addr;
++ __u64 mask;
++ __u32 ctrl;
++ __u32 pad;
+ } dbg_regs[14];
+ };
+
+--
+2.51.0
+
--- /dev/null
+From 4206ce0bf35624169609c8f8a092b05cc943e4ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 20:01:19 +0200
+Subject: mips: dts: econet: fix EN751221 core type
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit 09782e72eec451fa14d327595f86cdc338ebe53c ]
+
+In fact, it is a multi-threaded MIPS34Kc, not a single-threaded MIPS24Kc.
+
+Fixes: 0ec488700972 ("mips: dts: Add EcoNet DTS with EN751221 and SmartFiber XP8421-B board")
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/dts/econet/en751221.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/boot/dts/econet/en751221.dtsi b/arch/mips/boot/dts/econet/en751221.dtsi
+index 66197e73d4f04..2abeef5b744a8 100644
+--- a/arch/mips/boot/dts/econet/en751221.dtsi
++++ b/arch/mips/boot/dts/econet/en751221.dtsi
+@@ -18,7 +18,7 @@
+
+ cpu@0 {
+ device_type = "cpu";
+- compatible = "mips,mips24KEc";
++ compatible = "mips,mips34Kc";
+ reg = <0>;
+ };
+ };
+--
+2.51.0
+
--- /dev/null
+From d3388354bcfcbcc0767cacac577a90611dcaf90a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 13:10:29 +0100
+Subject: MIPS: kernel: Fix random segmentation faults
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+
+[ Upstream commit 14b46ba92bf547508b4a49370c99aba76cb53b53 ]
+
+Commit 69896119dc9d ("MIPS: vdso: Switch to generic storage
+implementation") switches to a generic vdso storage, which increases
+the number of data pages from 1 to 4. But there is only one page
+reserved, which causes segementation faults depending where the VDSO
+area is randomized to. To fix this use the same size of reservation
+and allocation of the VDSO data pages.
+
+Fixes: 69896119dc9d ("MIPS: vdso: Switch to generic storage implementation")
+Reviewed-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index 29191fa1801e2..a3101f2268c6c 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -692,7 +692,7 @@ unsigned long mips_stack_top(void)
+ /* Space for the VDSO, data page & GIC user page */
+ if (current->thread.abi) {
+ top -= PAGE_ALIGN(current->thread.abi->vdso->size);
+- top -= PAGE_SIZE;
++ top -= VDSO_NR_PAGES * PAGE_SIZE;
+ top -= mips_gic_present() ? PAGE_SIZE : 0;
+
+ /* Space to randomize the VDSO base */
+--
+2.51.0
+
--- /dev/null
+From b446c15661bb725c613dc3fa84cf76ee2b4cdd2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 05:21:14 +0000
+Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ]
+
+The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to
+obtain a ruleset reference. If the subsequent call to
+mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns
+an error without releasing the ruleset reference, causing a memory leak.
+
+Fix this by using a goto to the existing error handling label, which
+calls mlxsw_sp_acl_ruleset_put() to properly release the reference.
+
+Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+index 6a4a81c63451c..353fd9ca89a68 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+@@ -830,8 +830,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp,
+ return -EINVAL;
+
+ rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie);
+- if (!rule)
+- return -EINVAL;
++ if (!rule) {
++ err = -EINVAL;
++ goto err_rule_get_stats;
++ }
+
+ err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes,
+ &drops, &lastuse, &used_hw_stats);
+--
+2.51.0
+
--- /dev/null
+From cad813bb9e53780910b86166fa308d58d0f1972a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:51:16 +0200
+Subject: net: airoha: Add wlan flowtable TX offload
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit a8bdd935d1ddb7186358fb60ffe84253e85340c8 ]
+
+Introduce support to offload the traffic received on the ethernet NIC
+and forwarded to the wireless one using HW Packet Processor Engine (PPE)
+capabilities.
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20250814-airoha-en7581-wlan-tx-offload-v1-1-72e0a312003e@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 8e0a754b0836 ("net: airoha: Do not loopback traffic to GDM2 if it is available on the device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/airoha/airoha_eth.h | 11 +++
+ drivers/net/ethernet/airoha/airoha_ppe.c | 103 ++++++++++++++++-------
+ 2 files changed, 85 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
+index a970b789cf232..9f721e2b972f0 100644
+--- a/drivers/net/ethernet/airoha/airoha_eth.h
++++ b/drivers/net/ethernet/airoha/airoha_eth.h
+@@ -252,6 +252,10 @@ enum {
+ #define AIROHA_FOE_MAC_SMAC_ID GENMASK(20, 16)
+ #define AIROHA_FOE_MAC_PPPOE_ID GENMASK(15, 0)
+
++#define AIROHA_FOE_MAC_WDMA_QOS GENMASK(15, 12)
++#define AIROHA_FOE_MAC_WDMA_BAND BIT(11)
++#define AIROHA_FOE_MAC_WDMA_WCID GENMASK(10, 0)
++
+ struct airoha_foe_mac_info_common {
+ u16 vlan1;
+ u16 etype;
+@@ -481,6 +485,13 @@ struct airoha_flow_table_entry {
+ unsigned long cookie;
+ };
+
++struct airoha_wdma_info {
++ u8 idx;
++ u8 queue;
++ u16 wcid;
++ u8 bss;
++};
++
+ /* RX queue to IRQ mapping: BIT(q) in IRQ(n) */
+ #define RX_IRQ0_BANK_PIN_MASK 0x839f
+ #define RX_IRQ1_BANK_PIN_MASK 0x7fe00000
+diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
+index 88694b08afa1c..62e46a8d7e3c8 100644
+--- a/drivers/net/ethernet/airoha/airoha_ppe.c
++++ b/drivers/net/ethernet/airoha/airoha_ppe.c
+@@ -190,6 +190,31 @@ static int airoha_ppe_flow_mangle_ipv4(const struct flow_action_entry *act,
+ return 0;
+ }
+
++static int airoha_ppe_get_wdma_info(struct net_device *dev, const u8 *addr,
++ struct airoha_wdma_info *info)
++{
++ struct net_device_path_stack stack;
++ struct net_device_path *path;
++ int err;
++
++ if (!dev)
++ return -ENODEV;
++
++ err = dev_fill_forward_path(dev, addr, &stack);
++ if (err)
++ return err;
++
++ path = &stack.path[stack.num_paths - 1];
++ if (path->type != DEV_PATH_MTK_WDMA)
++ return -1;
++
++ info->idx = path->mtk_wdma.wdma_idx;
++ info->bss = path->mtk_wdma.bss;
++ info->wcid = path->mtk_wdma.wcid;
++
++ return 0;
++}
++
+ static int airoha_get_dsa_port(struct net_device **dev)
+ {
+ #if IS_ENABLED(CONFIG_NET_DSA)
+@@ -220,9 +245,9 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth,
+ struct airoha_flow_data *data,
+ int l4proto)
+ {
+- int dsa_port = airoha_get_dsa_port(&dev);
++ u32 qdata = FIELD_PREP(AIROHA_FOE_SHAPER_ID, 0x7f), ports_pad, val;
++ int wlan_etype = -EINVAL, dsa_port = airoha_get_dsa_port(&dev);
+ struct airoha_foe_mac_info_common *l2;
+- u32 qdata, ports_pad, val;
+ u8 smac_id = 0xf;
+
+ memset(hwe, 0, sizeof(*hwe));
+@@ -236,31 +261,47 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth,
+ AIROHA_FOE_IB1_BIND_TTL;
+ hwe->ib1 = val;
+
+- val = FIELD_PREP(AIROHA_FOE_IB2_PORT_AG, 0x1f) |
+- AIROHA_FOE_IB2_PSE_QOS;
+- if (dsa_port >= 0)
+- val |= FIELD_PREP(AIROHA_FOE_IB2_NBQ, dsa_port);
+-
++ val = FIELD_PREP(AIROHA_FOE_IB2_PORT_AG, 0x1f);
+ if (dev) {
+- struct airoha_gdm_port *port = netdev_priv(dev);
+- u8 pse_port;
+-
+- if (!airoha_is_valid_gdm_port(eth, port))
+- return -EINVAL;
+-
+- if (dsa_port >= 0)
+- pse_port = port->id == 4 ? FE_PSE_PORT_GDM4 : port->id;
+- else
+- pse_port = 2; /* uplink relies on GDM2 loopback */
+- val |= FIELD_PREP(AIROHA_FOE_IB2_PSE_PORT, pse_port);
+-
+- /* For downlink traffic consume SRAM memory for hw forwarding
+- * descriptors queue.
+- */
+- if (airhoa_is_lan_gdm_port(port))
+- val |= AIROHA_FOE_IB2_FAST_PATH;
+-
+- smac_id = port->id;
++ struct airoha_wdma_info info = {};
++
++ if (!airoha_ppe_get_wdma_info(dev, data->eth.h_dest, &info)) {
++ val |= FIELD_PREP(AIROHA_FOE_IB2_NBQ, info.idx) |
++ FIELD_PREP(AIROHA_FOE_IB2_PSE_PORT,
++ FE_PSE_PORT_CDM4);
++ qdata |= FIELD_PREP(AIROHA_FOE_ACTDP, info.bss);
++ wlan_etype = FIELD_PREP(AIROHA_FOE_MAC_WDMA_BAND,
++ info.idx) |
++ FIELD_PREP(AIROHA_FOE_MAC_WDMA_WCID,
++ info.wcid);
++ } else {
++ struct airoha_gdm_port *port = netdev_priv(dev);
++ u8 pse_port;
++
++ if (!airoha_is_valid_gdm_port(eth, port))
++ return -EINVAL;
++
++ if (dsa_port >= 0)
++ pse_port = port->id == 4 ? FE_PSE_PORT_GDM4
++ : port->id;
++ else
++ pse_port = 2; /* uplink relies on GDM2
++ * loopback
++ */
++
++ val |= FIELD_PREP(AIROHA_FOE_IB2_PSE_PORT, pse_port) |
++ AIROHA_FOE_IB2_PSE_QOS;
++ /* For downlink traffic consume SRAM memory for hw
++ * forwarding descriptors queue.
++ */
++ if (airhoa_is_lan_gdm_port(port))
++ val |= AIROHA_FOE_IB2_FAST_PATH;
++ if (dsa_port >= 0)
++ val |= FIELD_PREP(AIROHA_FOE_IB2_NBQ,
++ dsa_port);
++
++ smac_id = port->id;
++ }
+ }
+
+ if (is_multicast_ether_addr(data->eth.h_dest))
+@@ -272,7 +313,6 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth,
+ if (type == PPE_PKT_TYPE_IPV6_ROUTE_3T)
+ hwe->ipv6.ports = ports_pad;
+
+- qdata = FIELD_PREP(AIROHA_FOE_SHAPER_ID, 0x7f);
+ if (type == PPE_PKT_TYPE_BRIDGE) {
+ airoha_ppe_foe_set_bridge_addrs(&hwe->bridge, &data->eth);
+ hwe->bridge.data = qdata;
+@@ -313,7 +353,9 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth,
+ l2->vlan2 = data->vlan.hdr[1].id;
+ }
+
+- if (dsa_port >= 0) {
++ if (wlan_etype >= 0) {
++ l2->etype = wlan_etype;
++ } else if (dsa_port >= 0) {
+ l2->etype = BIT(dsa_port);
+ l2->etype |= !data->vlan.num ? BIT(15) : 0;
+ } else if (data->pppoe.num) {
+@@ -490,6 +532,10 @@ static void airoha_ppe_foe_flow_stats_update(struct airoha_ppe *ppe,
+ meter = &hwe->ipv4.l2.meter;
+ }
+
++ pse_port = FIELD_GET(AIROHA_FOE_IB2_PSE_PORT, *ib2);
++ if (pse_port == FE_PSE_PORT_CDM4)
++ return;
++
+ airoha_ppe_foe_flow_stat_entry_reset(ppe, npu, index);
+
+ val = FIELD_GET(AIROHA_FOE_CHANNEL | AIROHA_FOE_QID, *data);
+@@ -500,7 +546,6 @@ static void airoha_ppe_foe_flow_stats_update(struct airoha_ppe *ppe,
+ AIROHA_FOE_IB2_PSE_QOS | AIROHA_FOE_IB2_FAST_PATH);
+ *meter |= FIELD_PREP(AIROHA_FOE_TUNNEL_MTU, val);
+
+- pse_port = FIELD_GET(AIROHA_FOE_IB2_PSE_PORT, *ib2);
+ nbq = pse_port == 1 ? 6 : 5;
+ *ib2 &= ~(AIROHA_FOE_IB2_NBQ | AIROHA_FOE_IB2_PSE_PORT |
+ AIROHA_FOE_IB2_PSE_QOS);
+--
+2.51.0
+
--- /dev/null
+From 3997a505440827bfc0ca5078ff78b26753076b76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 18:19:38 +0100
+Subject: net: airoha: Do not loopback traffic to GDM2 if it is available on
+ the device
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 8e0a754b0836d996802713bbebc87bc1cc17925c ]
+
+Airoha_eth driver forwards offloaded uplink traffic (packets received
+on GDM1 and forwarded to GDM{3,4}) to GDM2 in order to apply hw QoS.
+This is correct if the device does not support a dedicated GDM2 port.
+In this case, in order to enable hw offloading for uplink traffic,
+the packets should be sent to GDM{3,4} directly.
+
+Fixes: 9cd451d414f6 ("net: airoha: Add loopback support for GDM2")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20251113-airoha-hw-offload-gdm2-fix-v1-1-7e4ca300872f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/airoha/airoha_ppe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
+index 62e46a8d7e3c8..20e77cdb86d0c 100644
+--- a/drivers/net/ethernet/airoha/airoha_ppe.c
++++ b/drivers/net/ethernet/airoha/airoha_ppe.c
+@@ -281,7 +281,7 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth,
+ if (!airoha_is_valid_gdm_port(eth, port))
+ return -EINVAL;
+
+- if (dsa_port >= 0)
++ if (dsa_port >= 0 || eth->ports[1])
+ pse_port = port->id == 4 ? FE_PSE_PORT_GDM4
+ : port->id;
+ else
+--
+2.51.0
+
--- /dev/null
+From 8c55e701b132ef42f1ea24dcbf5abaf9ef629e91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 01:36:52 +0800
+Subject: net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
+
+From: Jiaming Zhang <r772577952@gmail.com>
+
+[ Upstream commit f796a8dec9beafcc0f6f0d3478ed685a15c5e062 ]
+
+The ethtool tsconfig Netlink path can trigger a null pointer
+dereference. A call chain such as:
+
+ tsconfig_prepare_data() ->
+ dev_get_hwtstamp_phylib() ->
+ vlan_hwtstamp_get() ->
+ generic_hwtstamp_get_lower() ->
+ generic_hwtstamp_ioctl_lower()
+
+results in generic_hwtstamp_ioctl_lower() being called with
+kernel_cfg->ifr as NULL.
+
+The generic_hwtstamp_ioctl_lower() function does not expect
+a NULL ifr and dereferences it, leading to a system crash.
+
+Fix this by adding a NULL check for kernel_cfg->ifr in
+generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.
+
+Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
+Closes: https://lore.kernel.org/cd6a7056-fa6d-43f8-b78a-f5e811247ba8@linux.dev
+Signed-off-by: Jiaming Zhang <r772577952@gmail.com>
+Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
+Link: https://patch.msgid.link/20251111173652.749159-2-r772577952@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev_ioctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
+index ad54b12d4b4c8..8bb71a10dba09 100644
+--- a/net/core/dev_ioctl.c
++++ b/net/core/dev_ioctl.c
+@@ -443,6 +443,9 @@ static int generic_hwtstamp_ioctl_lower(struct net_device *dev, int cmd,
+ struct ifreq ifrr;
+ int err;
+
++ if (!kernel_cfg->ifr)
++ return -EINVAL;
++
+ strscpy_pad(ifrr.ifr_name, dev->name, IFNAMSIZ);
+ ifrr.ifr_ifru = kernel_cfg->ifr->ifr_ifru;
+
+--
+2.51.0
+
--- /dev/null
+From edad189a993fd1897a6d50d69e8821c921564e54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 16:57:44 +0300
+Subject: net: dsa: hellcreek: fix missing error handling in LED registration
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ]
+
+The LED setup routine registered both led_sync_good
+and led_is_gm devices without checking the return
+values of led_classdev_register(). If either registration
+failed, the function continued silently, leaving the
+driver in a partially-initialized state and leaking
+a registered LED classdev.
+
+Add proper error handling
+
+Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Kurt Kanzenbach <kurt@linutronix.de>
+Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+index bfe21f9f7dcd3..cb23bea9c21b8 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c
++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+@@ -376,8 +376,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek)
+ hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1);
+
+ /* Register both leds */
+- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
+- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n");
++ goto out;
++ }
++
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n");
++ led_classdev_unregister(&hellcreek->led_sync_good);
++ goto out;
++ }
+
+ ret = 0;
+
+--
+2.51.0
+
--- /dev/null
+From 38cd643123e6c4882b3eea9086092fdb081e8b55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 14:16:08 +0200
+Subject: net/mlx5: Clean up only new IRQ glue on request_irq() failure
+
+From: Pradyumn Rahar <pradyumn.rahar@oracle.com>
+
+[ Upstream commit d47515af6cccd7484d8b0870376858c9848a18ec ]
+
+The mlx5_irq_alloc() function can inadvertently free the entire rmap
+and end up in a crash[1] when the other threads tries to access this,
+when request_irq() fails due to exhausted IRQ vectors. This commit
+modifies the cleanup to remove only the specific IRQ mapping that was
+just added.
+
+This prevents removal of other valid mappings and ensures precise
+cleanup of the failed IRQ allocation's associated glue object.
+
+Note: This error is observed when both fwctl and rds configs are enabled.
+
+[1]
+mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1
+mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
+request irq. err = -28
+infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
+trying to test write-combining support
+mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1
+mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1
+mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
+request irq. err = -28
+infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
+trying to test write-combining support
+mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1
+mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
+request irq. err = -28
+mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
+request irq. err = -28
+general protection fault, probably for non-canonical address
+0xe277a58fde16f291: 0000 [#1] SMP NOPTI
+
+RIP: 0010:free_irq_cpu_rmap+0x23/0x7d
+Call Trace:
+ <TASK>
+ ? show_trace_log_lvl+0x1d6/0x2f9
+ ? show_trace_log_lvl+0x1d6/0x2f9
+ ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
+ ? __die_body.cold+0x8/0xa
+ ? die_addr+0x39/0x53
+ ? exc_general_protection+0x1c4/0x3e9
+ ? dev_vprintk_emit+0x5f/0x90
+ ? asm_exc_general_protection+0x22/0x27
+ ? free_irq_cpu_rmap+0x23/0x7d
+ mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
+ irq_pool_request_vector+0x7d/0x90 [mlx5_core]
+ mlx5_irq_request+0x2e/0xe0 [mlx5_core]
+ mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]
+ comp_irq_request_pci+0x64/0xf0 [mlx5_core]
+ create_comp_eq+0x71/0x385 [mlx5_core]
+ ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]
+ mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]
+ ? xas_load+0x8/0x91
+ mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]
+ mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]
+ mlx5e_open_channels+0xad/0x250 [mlx5_core]
+ mlx5e_open_locked+0x3e/0x110 [mlx5_core]
+ mlx5e_open+0x23/0x70 [mlx5_core]
+ __dev_open+0xf1/0x1a5
+ __dev_change_flags+0x1e1/0x249
+ dev_change_flags+0x21/0x5c
+ do_setlink+0x28b/0xcc4
+ ? __nla_parse+0x22/0x3d
+ ? inet6_validate_link_af+0x6b/0x108
+ ? cpumask_next+0x1f/0x35
+ ? __snmp6_fill_stats64.constprop.0+0x66/0x107
+ ? __nla_validate_parse+0x48/0x1e6
+ __rtnl_newlink+0x5ff/0xa57
+ ? kmem_cache_alloc_trace+0x164/0x2ce
+ rtnl_newlink+0x44/0x6e
+ rtnetlink_rcv_msg+0x2bb/0x362
+ ? __netlink_sendskb+0x4c/0x6c
+ ? netlink_unicast+0x28f/0x2ce
+ ? rtnl_calcit.isra.0+0x150/0x146
+ netlink_rcv_skb+0x5f/0x112
+ netlink_unicast+0x213/0x2ce
+ netlink_sendmsg+0x24f/0x4d9
+ __sock_sendmsg+0x65/0x6a
+ ____sys_sendmsg+0x28f/0x2c9
+ ? import_iovec+0x17/0x2b
+ ___sys_sendmsg+0x97/0xe0
+ __sys_sendmsg+0x81/0xd8
+ do_syscall_64+0x35/0x87
+ entry_SYSCALL_64_after_hwframe+0x6e/0x0
+RIP: 0033:0x7fc328603727
+Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed
+ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00
+f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48
+RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727
+RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d
+RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007ffe8eb3f3c8 R15: 00007ffe8eb3f3bc
+ </TASK>
+---[ end trace f43ce73c3c2b13a2 ]---
+RIP: 0010:free_irq_cpu_rmap+0x23/0x7d
+Code: 0f 1f 80 00 00 00 00 48 85 ff 74 6b 55 48 89 fd 53 66 83 7f 06 00
+74 24 31 db 48 8b 55 08 0f b7 c3 48 8b 04 c2 48 85 c0 74 09 <8b> 38 31
+f6 e8 c4 0a b8 ff 83 c3 01 66 3b 5d 06 72 de b8 ff ff ff
+RSP: 0018:ff384881640eaca0 EFLAGS: 00010282
+RAX: e277a58fde16f291 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ff2335e2e20b3600 RSI: 0000000000000000 RDI: ff2335e2e20b3400
+RBP: ff2335e2e20b3400 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 00000000ffffffe4 R12: ff384881640ead88
+R13: ff2335c3760751e0 R14: ff2335e2e1672200 R15: ff2335c3760751f8
+FS: 00007fc32ac22480(0000) GS:ff2335e2d6e00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f651ab54000 CR3: 00000029f1206003 CR4: 0000000000771ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Kernel panic - not syncing: Fatal exception
+Kernel Offset: 0x1dc00000 from 0xffffffff81000000 (relocation range:
+0xffffffff80000000-0xffffffffbfffffff)
+kvm-guest: disable async PF for cpu 0
+
+Fixes: 3354822cde5a ("net/mlx5: Use dynamic msix vectors allocation")
+Signed-off-by: Mohith Kumar Thummaluru<mohith.k.kumar.thummaluru@oracle.com>
+Tested-by: Mohith Kumar Thummaluru<mohith.k.kumar.thummaluru@oracle.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Signed-off-by: Pradyumn Rahar <pradyumn.rahar@oracle.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1763381768-1234998-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
+index 692ef9c2f7293..82ada674f8e27 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
+@@ -324,10 +324,8 @@ struct mlx5_irq *mlx5_irq_alloc(struct mlx5_irq_pool *pool, int i,
+ free_irq(irq->map.virq, &irq->nh);
+ err_req_irq:
+ #ifdef CONFIG_RFS_ACCEL
+- if (i && rmap && *rmap) {
+- free_irq_cpu_rmap(*rmap);
+- *rmap = NULL;
+- }
++ if (i && rmap && *rmap)
++ irq_cpu_rmap_remove(*rmap, irq->map.virq);
+ err_irq_rmap:
+ #endif
+ if (i && pci_msix_can_alloc_dyn(dev->pdev))
+--
+2.51.0
+
--- /dev/null
+From 4417c1b76d5791e5e920e884c6caf2f3d92723b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 19:19:21 +0300
+Subject: net: mlxsw: linecards: fix missing error check in
+ mlxsw_linecard_devlink_info_get()
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit b0c959fec18f4595a6a6317ffc30615cfa37bf69 ]
+
+The call to devlink_info_version_fixed_put() in
+mlxsw_linecard_devlink_info_get() did not check for errors,
+although it is checked everywhere in the code.
+
+Add missed 'err' check to the mlxsw_linecard_devlink_info_get()
+
+Fixes: 3fc0c51905fb ("mlxsw: core_linecards: Expose device PSID over device info")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251113161922.813828-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+index b032d5a4b3b84..10f5bc4892fc7 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+@@ -601,6 +601,8 @@ int mlxsw_linecard_devlink_info_get(struct mlxsw_linecard *linecard,
+ err = devlink_info_version_fixed_put(req,
+ DEVLINK_INFO_VERSION_GENERIC_FW_PSID,
+ info->psid);
++ if (err)
++ goto unlock;
+
+ sprintf(buf, "%u.%u.%u", info->fw_major, info->fw_minor,
+ info->fw_sub_minor);
+--
+2.51.0
+
--- /dev/null
+From 4ab1746529388cbe70878f166f6e84fce5d02e66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:14:03 +0100
+Subject: net: openvswitch: remove never-working support for setting nsh fields
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ]
+
+The validation of the set(nsh(...)) action is completely wrong.
+It runs through the nsh_key_put_from_nlattr() function that is the
+same function that validates NSH keys for the flow match and the
+push_nsh() action. However, the set(nsh(...)) has a very different
+memory layout. Nested attributes in there are doubled in size in
+case of the masked set(). That makes proper validation impossible.
+
+There is also confusion in the code between the 'masked' flag, that
+says that the nested attributes are doubled in size containing both
+the value and the mask, and the 'is_mask' that says that the value
+we're parsing is the mask. This is causing kernel crash on trying to
+write into mask part of the match with SW_FLOW_KEY_PUT() during
+validation, while validate_nsh() doesn't allocate any memory for it:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
+ RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
+ Call Trace:
+ <TASK>
+ validate_nsh+0x60/0x90 [openvswitch]
+ validate_set.constprop.0+0x270/0x3c0 [openvswitch]
+ __ovs_nla_copy_actions+0x477/0x860 [openvswitch]
+ ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
+ ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
+ genl_family_rcv_msg_doit+0xdb/0x130
+ genl_family_rcv_msg+0x14b/0x220
+ genl_rcv_msg+0x47/0xa0
+ netlink_rcv_skb+0x53/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x280/0x3b0
+ netlink_sendmsg+0x1f7/0x430
+ ____sys_sendmsg+0x36b/0x3a0
+ ___sys_sendmsg+0x87/0xd0
+ __sys_sendmsg+0x6d/0xd0
+ do_syscall_64+0x7b/0x2c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The third issue with this process is that while trying to convert
+the non-masked set into masked one, validate_set() copies and doubles
+the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
+attributes. It should be copying each nested attribute and doubling
+them in size independently. And the process must be properly reversed
+during the conversion back from masked to a non-masked variant during
+the flow dump.
+
+In the end, the only two outcomes of trying to use this action are
+either validation failure or a kernel crash. And if somehow someone
+manages to install a flow with such an action, it will most definitely
+not do what it is supposed to, since all the keys and the masks are
+mixed up.
+
+Fixing all the issues is a complex task as it requires re-writing
+most of the validation code.
+
+Given that and the fact that this functionality never worked since
+introduction, let's just remove it altogether. It's better to
+re-introduce it later with a proper implementation instead of trying
+to fix it in stable releases.
+
+Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
+Reported-by: Junvy Yang <zhuque@tencent.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/actions.c | 68 +---------------------------------
+ net/openvswitch/flow_netlink.c | 64 ++++----------------------------
+ net/openvswitch/flow_netlink.h | 2 -
+ 3 files changed, 9 insertions(+), 125 deletions(-)
+
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index 2832e07941971..792ca44a461da 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -572,69 +572,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key,
+ return 0;
+ }
+
+-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
+- const struct nlattr *a)
+-{
+- struct nshhdr *nh;
+- size_t length;
+- int err;
+- u8 flags;
+- u8 ttl;
+- int i;
+-
+- struct ovs_key_nsh key;
+- struct ovs_key_nsh mask;
+-
+- err = nsh_key_from_nlattr(a, &key, &mask);
+- if (err)
+- return err;
+-
+- /* Make sure the NSH base header is there */
+- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN))
+- return -ENOMEM;
+-
+- nh = nsh_hdr(skb);
+- length = nsh_hdr_len(nh);
+-
+- /* Make sure the whole NSH header is there */
+- err = skb_ensure_writable(skb, skb_network_offset(skb) +
+- length);
+- if (unlikely(err))
+- return err;
+-
+- nh = nsh_hdr(skb);
+- skb_postpull_rcsum(skb, nh, length);
+- flags = nsh_get_flags(nh);
+- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
+- flow_key->nsh.base.flags = flags;
+- ttl = nsh_get_ttl(nh);
+- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl);
+- flow_key->nsh.base.ttl = ttl;
+- nsh_set_flags_and_ttl(nh, flags, ttl);
+- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr,
+- mask.base.path_hdr);
+- flow_key->nsh.base.path_hdr = nh->path_hdr;
+- switch (nh->mdtype) {
+- case NSH_M_TYPE1:
+- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) {
+- nh->md1.context[i] =
+- OVS_MASKED(nh->md1.context[i], key.context[i],
+- mask.context[i]);
+- }
+- memcpy(flow_key->nsh.context, nh->md1.context,
+- sizeof(nh->md1.context));
+- break;
+- case NSH_M_TYPE2:
+- memset(flow_key->nsh.context, 0,
+- sizeof(flow_key->nsh.context));
+- break;
+- default:
+- return -EINVAL;
+- }
+- skb_postpush_rcsum(skb, nh, length);
+- return 0;
+-}
+-
+ /* Must follow skb_ensure_writable() since that can move the skb data. */
+ static void set_tp_port(struct sk_buff *skb, __be16 *port,
+ __be16 new_port, __sum16 *check)
+@@ -1130,10 +1067,6 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ get_mask(a, struct ovs_key_ethernet *));
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- err = set_nsh(skb, flow_key, a);
+- break;
+-
+ case OVS_KEY_ATTR_IPV4:
+ err = set_ipv4(skb, flow_key, nla_data(a),
+ get_mask(a, struct ovs_key_ipv4 *));
+@@ -1170,6 +1103,7 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ case OVS_KEY_ATTR_CT_LABELS:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6:
++ case OVS_KEY_ATTR_NSH:
+ err = -EINVAL;
+ break;
+ }
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index ad64bb9ab5e25..1cb4f97335d87 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1305,6 +1305,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
+ return 0;
+ }
+
++/*
++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH,
++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that
++ * attributes were previously validated with validate_push_nsh().
++ */
+ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ struct nshhdr *nh, size_t size)
+ {
+@@ -1314,8 +1319,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ u8 ttl = 0;
+ int mdlen = 0;
+
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+ if (size < NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+
+@@ -1359,46 +1362,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ return 0;
+ }
+
+-int nsh_key_from_nlattr(const struct nlattr *attr,
+- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
+-{
+- struct nlattr *a;
+- int rem;
+-
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+- nla_for_each_nested(a, attr, rem) {
+- int type = nla_type(a);
+-
+- switch (type) {
+- case OVS_NSH_KEY_ATTR_BASE: {
+- const struct ovs_nsh_key_base *base = nla_data(a);
+- const struct ovs_nsh_key_base *base_mask = base + 1;
+-
+- nsh->base = *base;
+- nsh_mask->base = *base_mask;
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD1: {
+- const struct ovs_nsh_key_md1 *md1 = nla_data(a);
+- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;
+-
+- memcpy(nsh->context, md1->context, sizeof(*md1));
+- memcpy(nsh_mask->context, md1_mask->context,
+- sizeof(*md1_mask));
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD2:
+- /* Not supported yet */
+- return -ENOTSUPP;
+- default:
+- return -EINVAL;
+- }
+- }
+-
+- return 0;
+-}
+-
+ static int nsh_key_put_from_nlattr(const struct nlattr *attr,
+ struct sw_flow_match *match, bool is_mask,
+ bool is_push_nsh, bool log)
+@@ -2839,17 +2802,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
+ return err;
+ }
+
+-static bool validate_nsh(const struct nlattr *attr, bool is_mask,
+- bool is_push_nsh, bool log)
++static bool validate_push_nsh(const struct nlattr *attr, bool log)
+ {
+ struct sw_flow_match match;
+ struct sw_flow_key key;
+- int ret = 0;
+
+ ovs_match_init(&match, &key, true, NULL);
+- ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
+- is_push_nsh, log);
+- return !ret;
++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ }
+
+ /* Return false if there are any non-masked bits set.
+@@ -2997,13 +2956,6 @@ static int validate_set(const struct nlattr *a,
+
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- if (eth_type != htons(ETH_P_NSH))
+- return -EINVAL;
+- if (!validate_nsh(nla_data(a), masked, false, log))
+- return -EINVAL;
+- break;
+-
+ default:
+ return -EINVAL;
+ }
+@@ -3437,7 +3389,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
+ return -EINVAL;
+ }
+ mac_proto = MAC_PROTO_NONE;
+- if (!validate_nsh(nla_data(a), false, true, true))
++ if (!validate_push_nsh(nla_data(a), log))
+ return -EINVAL;
+ break;
+
+diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h
+index fe7f77fc5f189..ff8cdecbe3465 100644
+--- a/net/openvswitch/flow_netlink.h
++++ b/net/openvswitch/flow_netlink.h
+@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr,
+ void ovs_nla_free_flow_actions(struct sw_flow_actions *);
+ void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *);
+
+-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh,
+- struct ovs_key_nsh *nsh_mask);
+ int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh,
+ size_t size);
+
+--
+2.51.0
+
--- /dev/null
+From bca7862cc186f7de90e28ed993f3455640294aaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 18:29:43 +0800
+Subject: net: phylink: add missing supported link modes for the fixed-link
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit e31a11be41cd134f245c01d1329e7bc89aba78fb ]
+
+Pause, Asym_Pause and Autoneg bits are not set when pl->supported is
+initialized, so these link modes will not work for the fixed-link. This
+leads to a TCP performance degradation issue observed on the i.MX943
+platform.
+
+The switch CPU port of i.MX943 is connected to an ENETC MAC, this link
+is a fixed link and the link speed is 2.5Gbps. And one of the switch
+user ports is the RGMII interface, and its link speed is 1Gbps. If the
+flow-control of the fixed link is not enabled, we can easily observe
+the iperf performance of TCP packets is very low. Because the inbound
+rate on the CPU port is greater than the outbound rate on the user port,
+the switch is prone to congestion, leading to the loss of some TCP
+packets and requiring multiple retransmissions.
+
+Solving this problem should be as simple as setting the Asym_Pause and
+Pause bits. The reason why the Autoneg bit needs to be set, Russell
+has gave a very good explanation in the thread [1], see below.
+
+"As the advertising and lp_advertising bitmasks have to be non-empty,
+and the swphy reports aneg capable, aneg complete, and AN enabled, then
+for consistency with that state, Autoneg should be set. This is how it
+was prior to the blamed commit."
+
+Fixes: de7d3f87be3c ("net: phylink: Use phy_caps_lookup for fixed-link configuration")
+Link: https://lore.kernel.org/aRjqLN8eQDIQfBjS@shell.armlinux.org.uk # [1]
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20251117102943.1862680-1-wei.fang@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phylink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
+index 1988b7d2089a6..928a1186f0d9a 100644
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -637,6 +637,9 @@ static int phylink_validate(struct phylink *pl, unsigned long *supported,
+
+ static void phylink_fill_fixedlink_supported(unsigned long *supported)
+ {
++ linkmode_set_bit(ETHTOOL_LINK_MODE_Pause_BIT, supported);
++ linkmode_set_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT, supported);
++ linkmode_set_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, supported);
+ linkmode_set_bit(ETHTOOL_LINK_MODE_10baseT_Half_BIT, supported);
+ linkmode_set_bit(ETHTOOL_LINK_MODE_10baseT_Full_BIT, supported);
+ linkmode_set_bit(ETHTOOL_LINK_MODE_100baseT_Half_BIT, supported);
+--
+2.51.0
+
--- /dev/null
+From 885dccd2d9e01292686d9e8bb1e2f7cc9f8918a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 14:27:56 +0300
+Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont()
+ and qede_tpa_end()
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ]
+
+The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate
+over 'cqe->len_list[]' using only a zero-length terminator as
+the stopping condition. If the terminator was missing or
+malformed, the loop could run past the end of the fixed-size array.
+
+Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
+a potential out-of-bounds access.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+index 847fa62c80df8..e338bfc8b7b2f 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+@@ -4,6 +4,7 @@
+ * Copyright (c) 2019-2020 Marvell International Ltd.
+ */
+
++#include <linux/array_size.h>
+ #include <linux/netdevice.h>
+ #include <linux/etherdevice.h>
+ #include <linux/skbuff.h>
+@@ -960,7 +961,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev,
+ {
+ int i;
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+
+@@ -985,7 +986,7 @@ static int qede_tpa_end(struct qede_dev *edev,
+ dma_unmap_page(rxq->dev, tpa_info->buffer.mapping,
+ PAGE_SIZE, rxq->data_direction);
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+ if (unlikely(i > 1))
+--
+2.51.0
+
--- /dev/null
+From 95e74d899dc322699020b00e4b23b9ac8b0ed13d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 22:03:02 +0200
+Subject: net: tls: Cancel RX async resync request on rcd_delta overflow
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ]
+
+When a netdev issues a RX async resync request for a TLS connection,
+the TLS module handles it by logging record headers and attempting to
+match them to the tcp_sn provided by the device. If a match is found,
+the TLS module approves the tcp_sn for resynchronization.
+
+While waiting for a device response, the TLS module also increments
+rcd_delta each time a new TLS record is received, tracking the distance
+from the original resync request.
+
+However, if the device response is delayed or fails (e.g due to
+unstable connection and device getting out of tracking, hardware
+errors, resource exhaustion etc.), the TLS module keeps logging and
+incrementing, which can lead to a WARN() when rcd_delta exceeds the
+threshold.
+
+To address this, introduce tls_offload_rx_resync_async_request_cancel()
+to explicitly cancel resync requests when a device response failure is
+detected. Call this helper also as a final safeguard when rcd_delta
+crosses its threshold, as reaching this point implies that earlier
+cancellation did not occur.
+
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tls.h | 6 ++++++
+ net/tls/tls_device.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/tls.h b/include/net/tls.h
+index b90f3b675c3c4..c7bcdb3afad75 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -467,6 +467,12 @@ tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_
+ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ);
+ }
+
++static inline void
++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async)
++{
++ atomic64_set(&resync_async->req, 0);
++}
++
+ static inline void
+ tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type)
+ {
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index a82fdcf199690..bb14d9b467f28 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -723,8 +723,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async,
+ /* shouldn't get to wraparound:
+ * too long in async stage, something bad happened
+ */
+- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX))
++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) {
++ tls_offload_rx_resync_async_request_cancel(resync_async);
+ return false;
++ }
+
+ /* asynchronous stage: log all headers seq such that
+ * req_seq <= seq <= end_seq, and wait for real resync request
+--
+2.51.0
+
--- /dev/null
+From 8b106e05aefdf3a71e865e10967197ccc15481b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 22:03:01 +0200
+Subject: net: tls: Change async resync helpers argument
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit 34892cfec0c2d96787c4be7bda0d5f18d7dacf85 ]
+
+Update tls_offload_rx_resync_async_request_start() and
+tls_offload_rx_resync_async_request_end() to get a struct
+tls_offload_resync_async parameter directly, rather than
+extracting it from struct sock.
+
+This change aligns the function signatures with the upcoming
+tls_offload_rx_resync_async_request_cancel() helper, which
+will be introduced in a subsequent patch.
+
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1761508983-937977-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/ktls_rx.c | 9 ++++++--
+ include/net/tls.h | 21 +++++++------------
+ 2 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+index 65ccb33edafb7..c0089c704c0cc 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+@@ -425,12 +425,14 @@ void mlx5e_ktls_handle_get_psv_completion(struct mlx5e_icosq_wqe_info *wi,
+ {
+ struct mlx5e_ktls_rx_resync_buf *buf = wi->tls_get_params.buf;
+ struct mlx5e_ktls_offload_context_rx *priv_rx;
++ struct tls_offload_context_rx *rx_ctx;
+ u8 tracker_state, auth_state, *ctx;
+ struct device *dev;
+ u32 hw_seq;
+
+ priv_rx = buf->priv_rx;
+ dev = mlx5_core_dma_dev(sq->channel->mdev);
++ rx_ctx = tls_offload_ctx_rx(tls_get_ctx(priv_rx->sk));
+ if (unlikely(test_bit(MLX5E_PRIV_RX_FLAG_DELETING, priv_rx->flags)))
+ goto out;
+
+@@ -447,7 +449,8 @@ void mlx5e_ktls_handle_get_psv_completion(struct mlx5e_icosq_wqe_info *wi,
+ }
+
+ hw_seq = MLX5_GET(tls_progress_params, ctx, hw_resync_tcp_sn);
+- tls_offload_rx_resync_async_request_end(priv_rx->sk, cpu_to_be32(hw_seq));
++ tls_offload_rx_resync_async_request_end(rx_ctx->resync_async,
++ cpu_to_be32(hw_seq));
+ priv_rx->rq_stats->tls_resync_req_end++;
+ out:
+ mlx5e_ktls_priv_rx_put(priv_rx);
+@@ -482,6 +485,7 @@ static bool resync_queue_get_psv(struct sock *sk)
+ static void resync_update_sn(struct mlx5e_rq *rq, struct sk_buff *skb)
+ {
+ struct ethhdr *eth = (struct ethhdr *)(skb->data);
++ struct tls_offload_resync_async *resync_async;
+ struct net_device *netdev = rq->netdev;
+ struct net *net = dev_net(netdev);
+ struct sock *sk = NULL;
+@@ -528,7 +532,8 @@ static void resync_update_sn(struct mlx5e_rq *rq, struct sk_buff *skb)
+
+ seq = th->seq;
+ datalen = skb->len - depth;
+- tls_offload_rx_resync_async_request_start(sk, seq, datalen);
++ resync_async = tls_offload_ctx_rx(tls_get_ctx(sk))->resync_async;
++ tls_offload_rx_resync_async_request_start(resync_async, seq, datalen);
+ rq->stats->tls_resync_req_start++;
+
+ unref:
+diff --git a/include/net/tls.h b/include/net/tls.h
+index 857340338b694..b90f3b675c3c4 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -451,25 +451,20 @@ static inline void tls_offload_rx_resync_request(struct sock *sk, __be32 seq)
+
+ /* Log all TLS record header TCP sequences in [seq, seq+len] */
+ static inline void
+-tls_offload_rx_resync_async_request_start(struct sock *sk, __be32 seq, u16 len)
++tls_offload_rx_resync_async_request_start(struct tls_offload_resync_async *resync_async,
++ __be32 seq, u16 len)
+ {
+- struct tls_context *tls_ctx = tls_get_ctx(sk);
+- struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx);
+-
+- atomic64_set(&rx_ctx->resync_async->req, ((u64)ntohl(seq) << 32) |
++ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) |
+ ((u64)len << 16) | RESYNC_REQ | RESYNC_REQ_ASYNC);
+- rx_ctx->resync_async->loglen = 0;
+- rx_ctx->resync_async->rcd_delta = 0;
++ resync_async->loglen = 0;
++ resync_async->rcd_delta = 0;
+ }
+
+ static inline void
+-tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq)
++tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_async,
++ __be32 seq)
+ {
+- struct tls_context *tls_ctx = tls_get_ctx(sk);
+- struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx);
+-
+- atomic64_set(&rx_ctx->resync_async->req,
+- ((u64)ntohl(seq) << 32) | RESYNC_REQ);
++ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ);
+ }
+
+ static inline void
+--
+2.51.0
+
--- /dev/null
+From db3fd7facd18cffdff7588389c5c9584a9585574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 11:23:39 +0900
+Subject: nvme-multipath: fix lockdep WARN due to partition scan work
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+[ Upstream commit 6d87cd5335784351280f82c47cc8a657271929c3 ]
+
+Blktests test cases nvme/014, 057 and 058 fail occasionally due to a
+lockdep WARN. As reported in the Closes tag URL, the WARN indicates that
+a deadlock can happen due to the dependency among disk->open_mutex,
+kblockd workqueue completion and partition_scan_work completion.
+
+To avoid the lockdep WARN and the potential deadlock, cut the dependency
+by running the partition_scan_work not by kblockd workqueue but by
+nvme_wq.
+
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Closes: https://lore.kernel.org/linux-block/CAHj4cs8mJ+R_GmQm9R8ebResKAWUE8kF5+_WVg0v8zndmqd6BQ@mail.gmail.com/
+Link: https://lore.kernel.org/linux-block/oeyzci6ffshpukpfqgztsdeke5ost5hzsuz4rrsjfmvpqcevax@5nhnwbkzbrpa/
+Fixes: 1f021341eef4 ("nvme-multipath: defer partition scanning")
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 543e17aead12b..e35eccacee8c8 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -793,7 +793,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns)
+ return;
+ }
+ nvme_add_ns_head_cdev(head);
+- kblockd_schedule_work(&head->partition_scan_work);
++ queue_work(nvme_wq, &head->partition_scan_work);
+ }
+
+ nvme_mpath_add_sysfs_link(ns->head);
+--
+2.51.0
+
--- /dev/null
+From 7ac4fcebd9f993037d058fb8f27cbd8da2bbbee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Nov 2025 09:17:11 +1000
+Subject: nvmet-auth: update sc_c in target host hash calculation
+
+From: Alistair Francis <alistair.francis@wdc.com>
+
+[ Upstream commit 159de7a825aea4242d3f8d32de5853d269dbe72f ]
+
+Commit 7e091add9c43 "nvme-auth: update sc_c in host response" added
+the sc_c variable to the dhchap queue context structure which is
+appropriately set during negotiate and then used in the host response.
+
+This breaks secure concat connections with a Linux target as the target
+code wasn't updated at the same time. This patch fixes this by adding a
+new sc_c variable to the host hash calculations.
+
+Fixes: 7e091add9c43 ("nvme-auth: update sc_c in host response")
+Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Tested-by: Yi Zhang <yi.zhang@redhat.com>
+Reviewed-by: Martin George <marting@netapp.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/auth.c | 4 ++--
+ drivers/nvme/target/fabrics-cmd-auth.c | 1 +
+ drivers/nvme/target/nvmet.h | 1 +
+ 3 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
+index ceba21684e82c..300d5e032f6d4 100644
+--- a/drivers/nvme/target/auth.c
++++ b/drivers/nvme/target/auth.c
+@@ -298,7 +298,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
+ const char *hash_name;
+ u8 *challenge = req->sq->dhchap_c1;
+ struct nvme_dhchap_key *transformed_key;
+- u8 buf[4], sc_c = ctrl->concat ? 1 : 0;
++ u8 buf[4];
+ int ret;
+
+ hash_name = nvme_auth_hmac_name(ctrl->shash_id);
+@@ -367,7 +367,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
+ ret = crypto_shash_update(shash, buf, 2);
+ if (ret)
+ goto out;
+- *buf = sc_c;
++ *buf = req->sq->sc_c;
+ ret = crypto_shash_update(shash, buf, 1);
+ if (ret)
+ goto out;
+diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
+index bf01ec414c55f..5946681cb0e32 100644
+--- a/drivers/nvme/target/fabrics-cmd-auth.c
++++ b/drivers/nvme/target/fabrics-cmd-auth.c
+@@ -43,6 +43,7 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, void *d)
+ data->auth_protocol[0].dhchap.halen,
+ data->auth_protocol[0].dhchap.dhlen);
+ req->sq->dhchap_tid = le16_to_cpu(data->t_id);
++ req->sq->sc_c = data->sc_c;
+ if (data->sc_c != NVME_AUTH_SECP_NOSC) {
+ if (!IS_ENABLED(CONFIG_NVME_TARGET_TCP_TLS))
+ return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
+diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
+index 51df72f5e89b7..f3b09f4099f08 100644
+--- a/drivers/nvme/target/nvmet.h
++++ b/drivers/nvme/target/nvmet.h
+@@ -159,6 +159,7 @@ struct nvmet_sq {
+ bool authenticated;
+ struct delayed_work auth_expired_work;
+ u16 dhchap_tid;
++ u8 sc_c;
+ u8 dhchap_status;
+ u8 dhchap_step;
+ u8 *dhchap_c1;
+--
+2.51.0
+
--- /dev/null
+From bd0935649fe873e44e26ceac70cf609632ddb7b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 16:05:26 +0800
+Subject: perf: Fix 0 count issue of cpu-clock
+
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+
+[ Upstream commit f1f96511b1c4c33e53f05909dd267878e0643a9a ]
+
+Currently cpu-clock event always returns 0 count, e.g.,
+
+perf stat -e cpu-clock -- sleep 1
+
+ Performance counter stats for 'sleep 1':
+ 0 cpu-clock # 0.000 CPUs utilized
+ 1.002308394 seconds time elapsed
+
+The root cause is the commit 'bc4394e5e79c ("perf: Fix the throttle
+ error of some clock events")' adds PERF_EF_UPDATE flag check before
+calling cpu_clock_event_update() to update the count, however the
+PERF_EF_UPDATE flag is never set when the cpu-clock event is stopped in
+counting mode (pmu->dev() -> cpu_clock_event_del() ->
+cpu_clock_event_stop()). This leads to the cpu-clock event count is
+never updated.
+
+To fix this issue, force to set PERF_EF_UPDATE flag for cpu-clock event
+just like what task-clock does.
+
+Fixes: bc4394e5e79c ("perf: Fix the throttle error of some clock events")
+Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Link: https://patch.msgid.link/20251112080526.3971392-1-dapeng1.mi@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index f13565d0eb699..970c4a5ab763b 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -11885,7 +11885,7 @@ static int cpu_clock_event_add(struct perf_event *event, int flags)
+
+ static void cpu_clock_event_del(struct perf_event *event, int flags)
+ {
+- cpu_clock_event_stop(event, flags);
++ cpu_clock_event_stop(event, PERF_EF_UPDATE);
+ }
+
+ static void cpu_clock_event_read(struct perf_event *event)
+--
+2.51.0
+
--- /dev/null
+From 42c532e8326568224b5ba130f90593b82d837f80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Sep 2025 14:16:39 +0800
+Subject: perf/x86/intel/uncore: Add uncore PMU support for Wildcat Lake
+
+From: dongsheng <dongsheng.x.zhang@intel.com>
+
+[ Upstream commit f4c12e5cefc8ec2eda93bc17ea734407228449ab ]
+
+WildcatLake (WCL) is a variant of PantherLake (PTL) and shares the same
+uncore PMU features with PTL. Therefore, directly reuse Pantherlake's
+uncore PMU enabling code for WildcatLake.
+
+Signed-off-by: dongsheng <dongsheng.x.zhang@intel.com>
+Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://patch.msgid.link/20250908061639.938105-2-dapeng1.mi@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
+index a762f7f5b1616..d6c945cc5d07c 100644
+--- a/arch/x86/events/intel/uncore.c
++++ b/arch/x86/events/intel/uncore.c
+@@ -1895,6 +1895,7 @@ static const struct x86_cpu_id intel_uncore_match[] __initconst = {
+ X86_MATCH_VFM(INTEL_ARROWLAKE_H, &mtl_uncore_init),
+ X86_MATCH_VFM(INTEL_LUNARLAKE_M, &lnl_uncore_init),
+ X86_MATCH_VFM(INTEL_PANTHERLAKE_L, &ptl_uncore_init),
++ X86_MATCH_VFM(INTEL_WILDCATLAKE_L, &ptl_uncore_init),
+ X86_MATCH_VFM(INTEL_SAPPHIRERAPIDS_X, &spr_uncore_init),
+ X86_MATCH_VFM(INTEL_EMERALDRAPIDS_X, &spr_uncore_init),
+ X86_MATCH_VFM(INTEL_GRANITERAPIDS_X, &gnr_uncore_init),
+--
+2.51.0
+
--- /dev/null
+From f9199dd49551032ec32f60112c7432709ac9dea0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 11:05:09 +0800
+Subject: pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe()
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 9b07cdf86a0b90556f5b68a6b20b35833b558df3 ]
+
+The driver calls fwnode_get_named_child_node() which takes a reference
+on the child node, but never releases it, which causes a reference leak.
+
+Fix by using devm_add_action_or_reset() to automatically release the
+reference when the device is removed.
+
+Fixes: d5282a539297 ("pinctrl: cs42l43: Add support for the cs42l43")
+Suggested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
+index 68abb6d6cecd8..a8f82104a3842 100644
+--- a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
++++ b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
+@@ -532,6 +532,11 @@ static int cs42l43_gpio_add_pin_ranges(struct gpio_chip *chip)
+ return ret;
+ }
+
++static void cs42l43_fwnode_put(void *data)
++{
++ fwnode_handle_put(data);
++}
++
+ static int cs42l43_pin_probe(struct platform_device *pdev)
+ {
+ struct cs42l43 *cs42l43 = dev_get_drvdata(pdev->dev.parent);
+@@ -563,10 +568,20 @@ static int cs42l43_pin_probe(struct platform_device *pdev)
+ priv->gpio_chip.ngpio = CS42L43_NUM_GPIOS;
+
+ if (is_of_node(fwnode)) {
+- fwnode = fwnode_get_named_child_node(fwnode, "pinctrl");
+-
+- if (fwnode && !fwnode->dev)
+- fwnode->dev = priv->dev;
++ struct fwnode_handle *child;
++
++ child = fwnode_get_named_child_node(fwnode, "pinctrl");
++ if (child) {
++ ret = devm_add_action_or_reset(&pdev->dev,
++ cs42l43_fwnode_put, child);
++ if (ret) {
++ fwnode_handle_put(child);
++ return ret;
++ }
++ if (!child->dev)
++ child->dev = priv->dev;
++ fwnode = child;
++ }
+ }
+
+ priv->gpio_chip.fwnode = fwnode;
+--
+2.51.0
+
--- /dev/null
+From 4821043c7399a0891922fb1728ab4a6e88e0d1c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Oct 2025 15:48:49 +0200
+Subject: pinctrl: mediatek: mt8189: align register base names to dt-bindings
+ ones
+
+From: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
+
+[ Upstream commit 518919276c4119e34e24334003af70ab12477f00 ]
+
+The mt8189-pinctrl driver requires to probe that a device tree uses
+in the device node the same names than mt8189_pinctrl_register_base_names
+array. But they are not matching the required ones in the
+"mediatek,mt8189-pinctrl" dt-bindings, leading to possible dtbs check
+issues. The mt8189_pinctrl_register_base_names entry order is also
+different.
+So, align all mt8189_pinctrl_register_base_names entry names and order
+on dt-bindings.
+
+Fixes: a3fe1324c3c5 ("pinctrl: mediatek: Add pinctrl driver for mt8189")
+Signed-off-by: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mt8189.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mt8189.c b/drivers/pinctrl/mediatek/pinctrl-mt8189.c
+index 7028aff55ae58..f6a3e584588b0 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mt8189.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mt8189.c
+@@ -1642,9 +1642,7 @@ static const struct mtk_pin_reg_calc mt8189_reg_cals[PINCTRL_PIN_REG_MAX] = {
+ };
+
+ static const char * const mt8189_pinctrl_register_base_names[] = {
+- "gpio_base", "iocfg_bm0_base", "iocfg_bm1_base", "iocfg_bm2_base", "iocfg_lm_base",
+- "iocfg_lt0_base", "iocfg_lt1_base", "iocfg_rb0_base", "iocfg_rb1_base",
+- "iocfg_rt_base"
++ "base", "lm", "rb0", "rb1", "bm0", "bm1", "bm2", "lt0", "lt1", "rt",
+ };
+
+ static const struct mtk_eint_hw mt8189_eint_hw = {
+--
+2.51.0
+
--- /dev/null
+From 524226ac7b6b32732bd9e389629a1dfc2c909975 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Oct 2025 16:00:28 +0200
+Subject: pinctrl: mediatek: mt8196: align register base names to dt-bindings
+ ones
+
+From: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
+
+[ Upstream commit 404ee89b4008cf2130554dac2c64cd8412601356 ]
+
+The mt8196-pinctrl driver requires to probe that a device tree uses
+in the device node the same names than mt8196_pinctrl_register_base_names
+array. But they are not matching the required ones in the
+"mediatek,mt8196-pinctrl" dt-bindings, leading to possible dtbs check
+issues.
+So, align all mt8196_pinctrl_register_base_names entries on dt-bindings
+ones.
+
+Fixes: f7a29377c253 ("pinctrl: mediatek: Add pinctrl driver on mt8196")
+Signed-off-by: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mt8196.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mt8196.c b/drivers/pinctrl/mediatek/pinctrl-mt8196.c
+index 82a73929c7a0f..dec957c1724b0 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mt8196.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mt8196.c
+@@ -1801,10 +1801,8 @@ static const struct mtk_pin_reg_calc mt8196_reg_cals[PINCTRL_PIN_REG_MAX] = {
+ };
+
+ static const char * const mt8196_pinctrl_register_base_names[] = {
+- "iocfg0", "iocfg_rt", "iocfg_rm1", "iocfg_rm2",
+- "iocfg_rb", "iocfg_bm1", "iocfg_bm2", "iocfg_bm3",
+- "iocfg_lt", "iocfg_lm1", "iocfg_lm2", "iocfg_lb1",
+- "iocfg_lb2", "iocfg_tm1", "iocfg_tm2", "iocfg_tm3",
++ "base", "rt", "rm1", "rm2", "rb", "bm1", "bm2", "bm3",
++ "lt", "lm1", "lm2", "lb1", "lb2", "tm1", "tm2", "tm3",
+ };
+
+ static const struct mtk_eint_hw mt8196_eint_hw = {
+--
+2.51.0
+
--- /dev/null
+From 81101a429928e2f63ce2a9d56e99913f661dae93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 15:55:29 +0800
+Subject: pinctrl: realtek: Select REGMAP_MMIO for RTD driver
+
+From: Yu-Chun Lin <eleanor.lin@realtek.com>
+
+[ Upstream commit 369f772299821f93f872bf1b4d7d7ed2fc50243b ]
+
+The pinctrl-rtd driver uses 'devm_regmap_init_mmio', which requires
+'REGMAP_MMIO' to be enabled.
+
+Without this selection, the build fails with an undefined reference:
+aarch64-none-linux-gnu-ld: drivers/pinctrl/realtek/pinctrl-rtd.o: in
+function rtd_pinctrl_probe': pinctrl-rtd.c:(.text+0x5a0): undefined
+reference to __devm_regmap_init_mmio_clk'
+
+Fix this by selecting 'REGMAP_MMIO' in the Kconfig.
+
+Fixes: e99ce78030db ("pinctrl: realtek: Add common pinctrl driver for Realtek DHC RTD SoCs")
+Signed-off-by: Yu-Chun Lin <eleanor.lin@realtek.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/realtek/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/realtek/Kconfig b/drivers/pinctrl/realtek/Kconfig
+index 0fc6bd4fcb7ec..400c9e5b16ada 100644
+--- a/drivers/pinctrl/realtek/Kconfig
++++ b/drivers/pinctrl/realtek/Kconfig
+@@ -6,6 +6,7 @@ config PINCTRL_RTD
+ default y
+ select PINMUX
+ select GENERIC_PINCONF
++ select REGMAP_MMIO
+
+ config PINCTRL_RTD1619B
+ tristate "Realtek DHC 1619B pin controller driver"
+--
+2.51.0
+
--- /dev/null
+From 745ddeba5305f20aad6ea18ed6cd0b044e1f27d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Nov 2025 13:54:11 -0800
+Subject: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc
+
+From: Jared Kangas <jkangas@redhat.com>
+
+[ Upstream commit 97ea34defbb57bfaf71ce487b1b0865ffd186e81 ]
+
+s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its
+fields are initialized. Notably, num_custom_params is used in
+pinconf_generic_parse_dt_config(), resulting in intermittent allocation
+errors, such as the following splat when probing i2c-imx:
+
+ WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300
+ [...]
+ Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)
+ [...]
+ Call trace:
+ __alloc_pages_noprof+0x290/0x300 (P)
+ ___kmalloc_large_node+0x84/0x168
+ __kmalloc_large_node_noprof+0x34/0x120
+ __kmalloc_noprof+0x2ac/0x378
+ pinconf_generic_parse_dt_config+0x68/0x1a0
+ s32_dt_node_to_map+0x104/0x248
+ dt_to_map_one_config+0x154/0x1d8
+ pinctrl_dt_to_map+0x12c/0x280
+ create_pinctrl+0x6c/0x270
+ pinctrl_get+0xc0/0x170
+ devm_pinctrl_get+0x50/0xa0
+ pinctrl_bind_pins+0x60/0x2a0
+ really_probe+0x60/0x3a0
+ [...]
+ __platform_driver_register+0x2c/0x40
+ i2c_adap_imx_init+0x28/0xff8 [i2c_imx]
+ [...]
+
+This results in later parse failures that can cause issues in dependent
+drivers:
+
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
+ [...]
+ pca953x 0-0022: failed writing register: -6
+ i2c i2c-0: IMX I2C adapter registered
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
+ i2c i2c-1: IMX I2C adapter registered
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
+ i2c i2c-2: IMX I2C adapter registered
+
+Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of
+devm_kmalloc() in s32_pinctrl_probe(), which sets the previously
+uninitialized fields to zero.
+
+Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support")
+Signed-off-by: Jared Kangas <jkangas@redhat.com>
+Tested-by: Jan Petrous (OSS) <jan.petrous@oss.nxp.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/nxp/pinctrl-s32cc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+index 501eb296c7605..51ecb8d0fb7e8 100644
+--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c
++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+@@ -951,7 +951,7 @@ int s32_pinctrl_probe(struct platform_device *pdev,
+ spin_lock_init(&ipctl->gpio_configs_lock);
+
+ s32_pinctrl_desc =
+- devm_kmalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL);
++ devm_kzalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL);
+ if (!s32_pinctrl_desc)
+ return -ENOMEM;
+
+--
+2.51.0
+
--- /dev/null
+From b97852ba42c8f9856cfc7adbc3c932ea66a3c326 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Nov 2025 13:54:12 -0800
+Subject: pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc()
+
+From: Jared Kangas <jkangas@redhat.com>
+
+[ Upstream commit 6010d4d8b55b5d3ae1efb5502c54312e15c14f21 ]
+
+s32_pmx_gpio_request_enable() does not initialize the newly-allocated
+gpio_pin_config::list before adding it to s32_pinctrl::gpio_configs.
+This could result in a linked list corruption.
+
+Initialize the new list_head with INIT_LIST_HEAD() to fix this.
+
+Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support")
+Signed-off-by: Jared Kangas <jkangas@redhat.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/nxp/pinctrl-s32cc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+index 51ecb8d0fb7e8..35511f83d0560 100644
+--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c
++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+@@ -392,6 +392,7 @@ static int s32_pmx_gpio_request_enable(struct pinctrl_dev *pctldev,
+
+ gpio_pin->pin_id = offset;
+ gpio_pin->config = config;
++ INIT_LIST_HEAD(&gpio_pin->list);
+
+ spin_lock_irqsave(&ipctl->gpio_configs_lock, flags);
+ list_add(&gpio_pin->list, &ipctl->gpio_configs);
+--
+2.51.0
+
--- /dev/null
+From 31df8f7456b2dadfcef3c98c888698c648159542 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 11:33:54 +0800
+Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to
+ errnos
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ]
+
+isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_*
+codes. The return code is returned from the probe function as is but
+probe functions should return normal errnos. A proper implementation
+can be found in drivers/leds/leds-ss4200.c.
+
+Convert PCIBIOS_* return codes using pcibios_err_to_errno() into
+normal errno before returning.
+
+Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+index 3f4343147dadb..950ede5eab769 100644
+--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+@@ -108,11 +108,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ ret = pci_read_config_dword(pdev, 0xD0, &mmio_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ ret = pci_read_config_dword(pdev, 0xFC, &pcu_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ pcu_base &= GENMASK(10, 0);
+ base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12;
+--
+2.51.0
+
--- /dev/null
+From 7578753349324607ce3857cecb3143059060c719 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 22:09:34 -0800
+Subject: platform/x86: intel-uncore-freq: fix all header kernel-doc warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit db30233361f94e1a84450c607989bdb671100fb6 ]
+
+In file uncore-frequency/uncore-frequency-common.h,
+correct all kernel-doc warnings by adding missing leading " *" to some
+lines, adding a missing kernel-doc entry, and fixing a name typo.
+
+Warning: uncore-frequency-common.h:50 bad line:
+ Storage for kobject attribute elc_low_threshold_percent
+Warning: uncore-frequency-common.h:52 bad line:
+ Storage for kobject attribute elc_high_threshold_percent
+Warning: uncore-frequency-common.h:54 bad line:
+ Storage for kobject attribute elc_high_threshold_enable
+Warning: uncore-frequency-common.h:92 struct member
+ 'min_freq_khz_kobj_attr' not described in 'uncore_data'
+Warning: uncore-frequency-common.h:92 struct member
+ 'die_id_kobj_attr' not described in 'uncore_data'
+
+Fixes: 24b6616355f7 ("platform/x86/intel-uncore-freq: Add efficiency latency control to sysfs interface")
+Fixes: 416de0246f35 ("platform/x86: intel-uncore-freq: Fix types in sysfs callbacks")
+Fixes: 247b43fcd872 ("platform/x86/intel-uncore-freq: Add attributes to show die_id")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://patch.msgid.link/20251111060938.1998542-1-rdunlap@infradead.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../x86/intel/uncore-frequency/uncore-frequency-common.h | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.h b/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.h
+index 70ae11519837e..0abe850ef54ea 100644
+--- a/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.h
++++ b/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.h
+@@ -40,7 +40,7 @@
+ * @agent_type_mask: Bit mask of all hardware agents for this domain
+ * @uncore_attr_group: Attribute group storage
+ * @max_freq_khz_kobj_attr: Storage for kobject attribute max_freq_khz
+- * @mix_freq_khz_kobj_attr: Storage for kobject attribute min_freq_khz
++ * @min_freq_khz_kobj_attr: Storage for kobject attribute min_freq_khz
+ * @initial_max_freq_khz_kobj_attr: Storage for kobject attribute initial_max_freq_khz
+ * @initial_min_freq_khz_kobj_attr: Storage for kobject attribute initial_min_freq_khz
+ * @current_freq_khz_kobj_attr: Storage for kobject attribute current_freq_khz
+@@ -48,13 +48,14 @@
+ * @fabric_cluster_id_kobj_attr: Storage for kobject attribute fabric_cluster_id
+ * @package_id_kobj_attr: Storage for kobject attribute package_id
+ * @elc_low_threshold_percent_kobj_attr:
+- Storage for kobject attribute elc_low_threshold_percent
++ * Storage for kobject attribute elc_low_threshold_percent
+ * @elc_high_threshold_percent_kobj_attr:
+- Storage for kobject attribute elc_high_threshold_percent
++ * Storage for kobject attribute elc_high_threshold_percent
+ * @elc_high_threshold_enable_kobj_attr:
+- Storage for kobject attribute elc_high_threshold_enable
++ * Storage for kobject attribute elc_high_threshold_enable
+ * @elc_floor_freq_khz_kobj_attr: Storage for kobject attribute elc_floor_freq_khz
+ * @agent_types_kobj_attr: Storage for kobject attribute agent_type
++ * @die_id_kobj_attr: Attribute storage for die_id information
+ * @uncore_attrs: Attribute storage for group creation
+ *
+ * This structure is used to encapsulate all data related to uncore sysfs
+--
+2.51.0
+
--- /dev/null
+From 9787d8618f4f9d260ed45c060cf0fcb9971b70a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 12:12:53 +0100
+Subject: platform/x86: msi-wmi-platform: Fix typo in WMI GUID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit 97b726eb1dc2b4a2532544eb3da72bb6acbd39a3 ]
+
+The WMI driver core only supports GUID strings containing only
+uppercase characters, however the GUID string used by the
+msi-wmi-platform driver contains a single lowercase character.
+This prevents the WMI driver core from matching said driver to
+its WMI device.
+
+Fix this by turning the lowercase character into a uppercase
+character. Also update the WMI driver development guide to warn
+about this.
+
+Reported-by: Antheas Kapenekakis <lkml@antheas.dev>
+Fixes: 9c0beb6b29e7 ("platform/x86: wmi: Add MSI WMI Platform driver")
+Tested-by: Antheas Kapenekakis <lkml@antheas.dev>
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20251110111253.16204-3-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/wmi/driver-development-guide.rst | 1 +
+ drivers/platform/x86/msi-wmi-platform.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/wmi/driver-development-guide.rst b/Documentation/wmi/driver-development-guide.rst
+index 99ef21fc1c1ed..5680303ae314e 100644
+--- a/Documentation/wmi/driver-development-guide.rst
++++ b/Documentation/wmi/driver-development-guide.rst
+@@ -54,6 +54,7 @@ to matching WMI devices using a struct wmi_device_id table:
+ ::
+
+ static const struct wmi_device_id foo_id_table[] = {
++ /* Only use uppercase letters! */
+ { "936DA01F-9ABD-4D9D-80C7-02AF85C822A8", NULL },
+ { }
+ };
+diff --git a/drivers/platform/x86/msi-wmi-platform.c b/drivers/platform/x86/msi-wmi-platform.c
+index bd2687828a2e6..e912fcc12d124 100644
+--- a/drivers/platform/x86/msi-wmi-platform.c
++++ b/drivers/platform/x86/msi-wmi-platform.c
+@@ -29,7 +29,7 @@
+
+ #define DRIVER_NAME "msi-wmi-platform"
+
+-#define MSI_PLATFORM_GUID "ABBC0F6E-8EA1-11d1-00A0-C90629100000"
++#define MSI_PLATFORM_GUID "ABBC0F6E-8EA1-11D1-00A0-C90629100000"
+
+ #define MSI_WMI_PLATFORM_INTERFACE_VERSION 2
+
+--
+2.51.0
+
--- /dev/null
+From 1892ca0afb4e38858b5d19eab64609de0280985b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 12:12:52 +0100
+Subject: platform/x86: msi-wmi-platform: Only load on MSI devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit c93433fd4e2bbbe7caa67b53d808b4a084852ff3 ]
+
+It turns out that the GUID used by the msi-wmi-platform driver
+(ABBC0F60-8EA1-11D1-00A0-C90629100000) is not unique, but was instead
+copied from the WIndows Driver Samples. This means that this driver
+could load on devices from other manufacturers that also copied this
+GUID, potentially causing hardware errors.
+
+Prevent this by only loading on devices whitelisted via DMI. The DMI
+matches where taken from the msi-ec driver.
+
+Reported-by: Antheas Kapenekakis <lkml@antheas.dev>
+Fixes: 9c0beb6b29e7 ("platform/x86: wmi: Add MSI WMI Platform driver")
+Tested-by: Antheas Kapenekakis <lkml@antheas.dev>
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20251110111253.16204-2-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/Kconfig | 1 +
+ drivers/platform/x86/msi-wmi-platform.c | 41 ++++++++++++++++++++++++-
+ 2 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index 6d238e120dce7..98252cc19aab7 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -533,6 +533,7 @@ config MSI_WMI
+ config MSI_WMI_PLATFORM
+ tristate "MSI WMI Platform features"
+ depends on ACPI_WMI
++ depends on DMI
+ depends on HWMON
+ help
+ Say Y here if you want to have support for WMI-based platform features
+diff --git a/drivers/platform/x86/msi-wmi-platform.c b/drivers/platform/x86/msi-wmi-platform.c
+index dc5e9878cb682..bd2687828a2e6 100644
+--- a/drivers/platform/x86/msi-wmi-platform.c
++++ b/drivers/platform/x86/msi-wmi-platform.c
+@@ -14,6 +14,7 @@
+ #include <linux/debugfs.h>
+ #include <linux/device.h>
+ #include <linux/device/driver.h>
++#include <linux/dmi.h>
+ #include <linux/errno.h>
+ #include <linux/hwmon.h>
+ #include <linux/kernel.h>
+@@ -448,7 +449,45 @@ static struct wmi_driver msi_wmi_platform_driver = {
+ .probe = msi_wmi_platform_probe,
+ .no_singleton = true,
+ };
+-module_wmi_driver(msi_wmi_platform_driver);
++
++/*
++ * MSI reused the WMI GUID from the WMI-ACPI sample code provided by Microsoft,
++ * so other manufacturers might use it as well for their WMI-ACPI implementations.
++ */
++static const struct dmi_system_id msi_wmi_platform_whitelist[] __initconst = {
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"),
++ },
++ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Micro-Star International"),
++ },
++ },
++ { }
++};
++
++static int __init msi_wmi_platform_module_init(void)
++{
++ if (!dmi_check_system(msi_wmi_platform_whitelist)) {
++ if (!force)
++ return -ENODEV;
++
++ pr_warn("Ignoring DMI whitelist\n");
++ }
++
++ return wmi_driver_register(&msi_wmi_platform_driver);
++}
++
++static void __exit msi_wmi_platform_module_exit(void)
++{
++ wmi_driver_unregister(&msi_wmi_platform_driver);
++}
++
++module_init(msi_wmi_platform_module_init);
++module_exit(msi_wmi_platform_module_exit);
++
+
+ MODULE_AUTHOR("Armin Wolf <W_Armin@gmx.de>");
+ MODULE_DESCRIPTION("MSI WMI platform features");
+--
+2.51.0
+
--- /dev/null
+From 927a848a5243e28bebfa8657942466303af3560d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 19:27:24 +0100
+Subject: s390/ctcm: Fix double-kfree
+
+From: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+
+[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ]
+
+The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally
+from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.
+After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'
+frees it again.
+
+Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
+
+Bug detected by the clang static analyzer.
+
+Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak")
+Reviewed-by: Aswin Karuvally <aswin@linux.ibm.com>
+Signed-off-by: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+Signed-off-by: Aswin Karuvally <aswin@linux.ibm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/ctcm_mpc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c
+index 0aeafa772fb1e..407b7c5166585 100644
+--- a/drivers/s390/net/ctcm_mpc.c
++++ b/drivers/s390/net/ctcm_mpc.c
+@@ -701,7 +701,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo)
+
+ grp->sweep_req_pend_num--;
+ ctcmpc_send_sweep_resp(ch);
+- kfree(mpcginfo);
+ return;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 73b76f56d89fe8284f8a47d5a1434b641ca27849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Oct 2025 13:43:26 -1000
+Subject: sched_ext: Allocate scx_kick_cpus_pnt_seqs lazily using kvzalloc()
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit 14c1da3895a116f4e32c20487046655f26d3999b ]
+
+On systems with >4096 CPUs, scx_kick_cpus_pnt_seqs allocation fails during
+boot because it exceeds the 32,768 byte percpu allocator limit.
+
+Restructure to use DEFINE_PER_CPU() for the per-CPU pointers, with each CPU
+pointing to its own kvzalloc'd array. Move allocation from boot time to
+scx_enable() and free in scx_disable(), so the O(nr_cpu_ids^2) memory is only
+consumed when sched_ext is active.
+
+Use RCU to guard against racing with free. Arrays are freed via call_rcu()
+and kick_cpus_irq_workfn() uses rcu_dereference_bh() with a NULL check.
+
+While at it, rename to scx_kick_pseqs for brevity and update comments to
+clarify these are pick_task sequence numbers.
+
+v2: RCU protect scx_kick_seqs to manage kick_cpus_irq_workfn() racing
+ against disable as per Andrea.
+
+v3: Fix bugs notcied by Andrea.
+
+Reported-by: Phil Auld <pauld@redhat.com>
+Link: http://lkml.kernel.org/r/20251007133523.GA93086@pauld.westford.csb
+Cc: Andrea Righi <arighi@nvidia.com>
+Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
+Reviewed-by: Phil Auld <pauld@redhat.com>
+Reviewed-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/ext.c | 89 ++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 79 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
+index 77eec6f16a5ed..b454206100ce5 100644
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -67,8 +67,19 @@ static unsigned long scx_watchdog_timestamp = INITIAL_JIFFIES;
+
+ static struct delayed_work scx_watchdog_work;
+
+-/* for %SCX_KICK_WAIT */
+-static unsigned long __percpu *scx_kick_cpus_pnt_seqs;
++/*
++ * For %SCX_KICK_WAIT: Each CPU has a pointer to an array of pick_task sequence
++ * numbers. The arrays are allocated with kvzalloc() as size can exceed percpu
++ * allocator limits on large machines. O(nr_cpu_ids^2) allocation, allocated
++ * lazily when enabling and freed when disabling to avoid waste when sched_ext
++ * isn't active.
++ */
++struct scx_kick_pseqs {
++ struct rcu_head rcu;
++ unsigned long seqs[];
++};
++
++static DEFINE_PER_CPU(struct scx_kick_pseqs __rcu *, scx_kick_pseqs);
+
+ /*
+ * Direct dispatch marker.
+@@ -3905,6 +3916,27 @@ static const char *scx_exit_reason(enum scx_exit_kind kind)
+ }
+ }
+
++static void free_kick_pseqs_rcu(struct rcu_head *rcu)
++{
++ struct scx_kick_pseqs *pseqs = container_of(rcu, struct scx_kick_pseqs, rcu);
++
++ kvfree(pseqs);
++}
++
++static void free_kick_pseqs(void)
++{
++ int cpu;
++
++ for_each_possible_cpu(cpu) {
++ struct scx_kick_pseqs **pseqs = per_cpu_ptr(&scx_kick_pseqs, cpu);
++ struct scx_kick_pseqs *to_free;
++
++ to_free = rcu_replace_pointer(*pseqs, NULL, true);
++ if (to_free)
++ call_rcu(&to_free->rcu, free_kick_pseqs_rcu);
++ }
++}
++
+ static void scx_disable_workfn(struct kthread_work *work)
+ {
+ struct scx_sched *sch = container_of(work, struct scx_sched, disable_work);
+@@ -4041,6 +4073,7 @@ static void scx_disable_workfn(struct kthread_work *work)
+ free_percpu(scx_dsp_ctx);
+ scx_dsp_ctx = NULL;
+ scx_dsp_max_batch = 0;
++ free_kick_pseqs();
+
+ mutex_unlock(&scx_enable_mutex);
+
+@@ -4402,6 +4435,33 @@ static void scx_vexit(struct scx_sched *sch,
+ irq_work_queue(&sch->error_irq_work);
+ }
+
++static int alloc_kick_pseqs(void)
++{
++ int cpu;
++
++ /*
++ * Allocate per-CPU arrays sized by nr_cpu_ids. Use kvzalloc as size
++ * can exceed percpu allocator limits on large machines.
++ */
++ for_each_possible_cpu(cpu) {
++ struct scx_kick_pseqs **pseqs = per_cpu_ptr(&scx_kick_pseqs, cpu);
++ struct scx_kick_pseqs *new_pseqs;
++
++ WARN_ON_ONCE(rcu_access_pointer(*pseqs));
++
++ new_pseqs = kvzalloc_node(struct_size(new_pseqs, seqs, nr_cpu_ids),
++ GFP_KERNEL, cpu_to_node(cpu));
++ if (!new_pseqs) {
++ free_kick_pseqs();
++ return -ENOMEM;
++ }
++
++ rcu_assign_pointer(*pseqs, new_pseqs);
++ }
++
++ return 0;
++}
++
+ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops)
+ {
+ struct scx_sched *sch;
+@@ -4547,15 +4607,19 @@ static int scx_enable(struct sched_ext_ops *ops, struct bpf_link *link)
+
+ mutex_lock(&scx_enable_mutex);
+
++ ret = alloc_kick_pseqs();
++ if (ret)
++ goto err_unlock;
++
+ if (scx_enable_state() != SCX_DISABLED) {
+ ret = -EBUSY;
+- goto err_unlock;
++ goto err_free_pseqs;
+ }
+
+ sch = scx_alloc_and_add_sched(ops);
+ if (IS_ERR(sch)) {
+ ret = PTR_ERR(sch);
+- goto err_unlock;
++ goto err_free_pseqs;
+ }
+
+ /*
+@@ -4759,6 +4823,8 @@ static int scx_enable(struct sched_ext_ops *ops, struct bpf_link *link)
+
+ return 0;
+
++err_free_pseqs:
++ free_kick_pseqs();
+ err_unlock:
+ mutex_unlock(&scx_enable_mutex);
+ return ret;
+@@ -5140,10 +5206,18 @@ static void kick_cpus_irq_workfn(struct irq_work *irq_work)
+ {
+ struct rq *this_rq = this_rq();
+ struct scx_rq *this_scx = &this_rq->scx;
+- unsigned long *pseqs = this_cpu_ptr(scx_kick_cpus_pnt_seqs);
++ struct scx_kick_pseqs __rcu *pseqs_pcpu = __this_cpu_read(scx_kick_pseqs);
+ bool should_wait = false;
++ unsigned long *pseqs;
+ s32 cpu;
+
++ if (unlikely(!pseqs_pcpu)) {
++ pr_warn_once("kick_cpus_irq_workfn() called with NULL scx_kick_pseqs");
++ return;
++ }
++
++ pseqs = rcu_dereference_bh(pseqs_pcpu)->seqs;
++
+ for_each_cpu(cpu, this_scx->cpus_to_kick) {
+ should_wait |= kick_one_cpu(cpu, this_rq, pseqs);
+ cpumask_clear_cpu(cpu, this_scx->cpus_to_kick);
+@@ -5266,11 +5340,6 @@ void __init init_sched_ext_class(void)
+
+ scx_idle_init_masks();
+
+- scx_kick_cpus_pnt_seqs =
+- __alloc_percpu(sizeof(scx_kick_cpus_pnt_seqs[0]) * nr_cpu_ids,
+- __alignof__(scx_kick_cpus_pnt_seqs[0]));
+- BUG_ON(!scx_kick_cpus_pnt_seqs);
+-
+ for_each_possible_cpu(cpu) {
+ struct rq *rq = cpu_rq(cpu);
+ int n = cpu_to_node(cpu);
+--
+2.51.0
+
--- /dev/null
+From 4b1b455d3fae1451c370e5a23cb38905eeedd91d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Oct 2025 12:12:50 -0700
+Subject: sched_ext: defer queue_balance_callback() until after ops.dispatch
+
+From: Emil Tsalapatis <etsal@meta.com>
+
+[ Upstream commit a8ad873113d3fe01f9b5d737d4b0570fa36826b0 ]
+
+The sched_ext code calls queue_balance_callback() during enqueue_task()
+to defer operations that drop multiple locks until we can unpin them.
+The call assumes that the rq lock is held until the callbacks are
+invoked, and the pending callbacks will not be visible to any other
+threads. This is enforced by a WARN_ON_ONCE() in rq_pin_lock().
+
+However, balance_one() may actually drop the lock during a BPF dispatch
+call. Another thread may win the race to get the rq lock and see the
+pending callback. To avoid this, sched_ext must only queue the callback
+after the dispatch calls have completed.
+
+CPU 0 CPU 1 CPU 2
+
+scx_balance()
+ rq_unpin_lock()
+ scx_balance_one()
+ |= IN_BALANCE scx_enqueue()
+ ops.dispatch()
+ rq_unlock()
+ rq_lock()
+ queue_balance_callback()
+ rq_unlock()
+ [WARN] rq_pin_lock()
+ rq_lock()
+ &= ~IN_BALANCE
+rq_repin_lock()
+
+Changelog
+
+v2-> v1 (https://lore.kernel.org/sched-ext/aOgOxtHCeyRT_7jn@gpd4)
+
+- Fixed explanation in patch description (Andrea)
+- Fixed scx_rq mask state updates (Andrea)
+- Added Reviewed-by tag from Andrea
+
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
+Reviewed-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/ext.c | 29 +++++++++++++++++++++++++++--
+ kernel/sched/sched.h | 1 +
+ 2 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
+index b454206100ce5..d6d2eea9d1483 100644
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -820,13 +820,23 @@ static void schedule_deferred(struct rq *rq)
+ if (rq->scx.flags & SCX_RQ_IN_WAKEUP)
+ return;
+
++ /* Don't do anything if there already is a deferred operation. */
++ if (rq->scx.flags & SCX_RQ_BAL_PENDING)
++ return;
++
+ /*
+ * If in balance, the balance callbacks will be called before rq lock is
+ * released. Schedule one.
++ *
++ *
++ * We can't directly insert the callback into the
++ * rq's list: The call can drop its lock and make the pending balance
++ * callback visible to unrelated code paths that call rq_pin_lock().
++ *
++ * Just let balance_one() know that it must do it itself.
+ */
+ if (rq->scx.flags & SCX_RQ_IN_BALANCE) {
+- queue_balance_callback(rq, &rq->scx.deferred_bal_cb,
+- deferred_bal_cb_workfn);
++ rq->scx.flags |= SCX_RQ_BAL_CB_PENDING;
+ return;
+ }
+
+@@ -2043,6 +2053,19 @@ static void flush_dispatch_buf(struct scx_sched *sch, struct rq *rq)
+ dspc->cursor = 0;
+ }
+
++static inline void maybe_queue_balance_callback(struct rq *rq)
++{
++ lockdep_assert_rq_held(rq);
++
++ if (!(rq->scx.flags & SCX_RQ_BAL_CB_PENDING))
++ return;
++
++ queue_balance_callback(rq, &rq->scx.deferred_bal_cb,
++ deferred_bal_cb_workfn);
++
++ rq->scx.flags &= ~SCX_RQ_BAL_CB_PENDING;
++}
++
+ static int balance_one(struct rq *rq, struct task_struct *prev)
+ {
+ struct scx_sched *sch = scx_root;
+@@ -2190,6 +2213,8 @@ static int balance_scx(struct rq *rq, struct task_struct *prev,
+ #endif
+ rq_repin_lock(rq, rf);
+
++ maybe_queue_balance_callback(rq);
++
+ return ret;
+ }
+
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index 72fb9129afb6a..c7f67f54d4e3e 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -782,6 +782,7 @@ enum scx_rq_flags {
+ SCX_RQ_BAL_KEEP = 1 << 3, /* balance decided to keep current */
+ SCX_RQ_BYPASSING = 1 << 4,
+ SCX_RQ_CLK_VALID = 1 << 5, /* RQ clock is fresh and valid */
++ SCX_RQ_BAL_CB_PENDING = 1 << 6, /* must queue a cb after dispatching */
+
+ SCX_RQ_IN_WAKEUP = 1 << 16,
+ SCX_RQ_IN_BALANCE = 1 << 17,
+--
+2.51.0
+
--- /dev/null
+From 124fb533b20fd495f3e08c4363c0ce5913c431ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 14:48:00 -0700
+Subject: scsi: core: Fix a regression triggered by scsi_host_busy()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ]
+
+Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag
+iterators") introduced the following regression:
+
+Call trace:
+ __srcu_read_lock+0x30/0x80 (P)
+ blk_mq_tagset_busy_iter+0x44/0x300
+ scsi_host_busy+0x38/0x70
+ ufshcd_print_host_state+0x34/0x1bc
+ ufshcd_link_startup.constprop.0+0xe4/0x2e0
+ ufshcd_init+0x944/0xf80
+ ufshcd_pltfrm_init+0x504/0x820
+ ufs_rockchip_probe+0x2c/0x88
+ platform_probe+0x5c/0xa4
+ really_probe+0xc0/0x38c
+ __driver_probe_device+0x7c/0x150
+ driver_probe_device+0x40/0x120
+ __driver_attach+0xc8/0x1e0
+ bus_for_each_dev+0x7c/0xdc
+ driver_attach+0x24/0x30
+ bus_add_driver+0x110/0x230
+ driver_register+0x68/0x130
+ __platform_driver_register+0x20/0x2c
+ ufs_rockchip_pltform_init+0x1c/0x28
+ do_one_initcall+0x60/0x1e0
+ kernel_init_freeable+0x248/0x2c4
+ kernel_init+0x20/0x140
+ ret_from_fork+0x10/0x20
+
+Fix this regression by making scsi_host_busy() check whether the SCSI
+host tag set has already been initialized. tag_set->ops is set by
+scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This
+fix is based on the assumption that scsi_host_busy() and
+scsi_mq_setup_tags() calls are serialized. This is the case in the UFS
+driver.
+
+Reported-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index cc5d05dc395c4..17173239301e6 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -611,8 +611,9 @@ int scsi_host_busy(struct Scsi_Host *shost)
+ {
+ int cnt = 0;
+
+- blk_mq_tagset_busy_iter(&shost->tag_set,
+- scsi_host_check_in_flight, &cnt);
++ if (shost->tag_set.ops)
++ blk_mq_tagset_busy_iter(&shost->tag_set,
++ scsi_host_check_in_flight, &cnt);
+ return cnt;
+ }
+ EXPORT_SYMBOL(scsi_host_busy);
+--
+2.51.0
+
--- /dev/null
+From 1e024dd0161e836241cd9a170141d7ff30078bce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 17:24:06 +0530
+Subject: selftests: cachestat: Fix warning on declaration under label
+
+From: Sidharth Seela <sidharthseela@gmail.com>
+
+[ Upstream commit 920aa3a7705a061cb3004572d8b7932b54463dbf ]
+
+Fix warning caused from declaration under a case label. The proper way
+is to declare variable at the beginning of the function. The warning
+came from running clang using LLVM=1; and is as follows:
+
+-test_cachestat.c:260:3: warning: label followed by a declaration is a C23 extension [-Wc23-extensions]
+ 260 | char *map = mmap(NULL, filesize, PROT_READ | PROT_WRITE,
+ |
+
+Link: https://lore.kernel.org/r/20250929115405.25695-2-sidharthseela@gmail.com
+Signed-off-by: Sidharth Seela <sidharthseela@gmail.com>
+Reviewed-by: SeongJae Park <sj@kernel.org>
+Reviewed-by: wang lian <lianux.mm@gmail.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Acked-by: Nhat Pham <nphamcs@gmail.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/cachestat/test_cachestat.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/cachestat/test_cachestat.c b/tools/testing/selftests/cachestat/test_cachestat.c
+index c952640f163b5..ab838bcb9ec55 100644
+--- a/tools/testing/selftests/cachestat/test_cachestat.c
++++ b/tools/testing/selftests/cachestat/test_cachestat.c
+@@ -226,7 +226,7 @@ bool run_cachestat_test(enum file_type type)
+ int syscall_ret;
+ size_t compute_len = PS * 512;
+ struct cachestat_range cs_range = { PS, compute_len };
+- char *filename = "tmpshmcstat";
++ char *filename = "tmpshmcstat", *map;
+ struct cachestat cs;
+ bool ret = true;
+ int fd;
+@@ -257,7 +257,7 @@ bool run_cachestat_test(enum file_type type)
+ }
+ break;
+ case FILE_MMAP:
+- char *map = mmap(NULL, filesize, PROT_READ | PROT_WRITE,
++ map = mmap(NULL, filesize, PROT_READ | PROT_WRITE,
+ MAP_SHARED, fd, 0);
+
+ if (map == MAP_FAILED) {
+--
+2.51.0
+
--- /dev/null
+From 86c17397677554999cbd8c63740f3a2351548d3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Nov 2025 10:10:29 +0200
+Subject: selftests: net: lib: Do not overwrite error messages
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit bed22c7b90af732978715a1789bca1c3cfa245a6 ]
+
+ret_set_ksft_status() calls ksft_status_merge() with the current return
+status and the last one. It treats a non-zero return code from
+ksft_status_merge() as an indication that the return status was
+overwritten by the last one and therefore overwrites the return message
+with the last one.
+
+Currently, ksft_status_merge() returns a non-zero return code even if
+the current return status and the last one are equal. This results in
+return messages being overwritten which is counter-productive since we
+are more interested in the first failure message and not the last one.
+
+Fix by changing ksft_status_merge() to only return a non-zero return
+code if the current return status was actually changed.
+
+Add a test case which checks that the first error message is not
+overwritten.
+
+Before:
+
+ # ./lib_sh_test.sh
+ [...]
+ TEST: RET tfail2 tfail -> fail [FAIL]
+ retmsg=tfail expected tfail2
+ [...]
+ # echo $?
+ 1
+
+After:
+
+ # ./lib_sh_test.sh
+ [...]
+ TEST: RET tfail2 tfail -> fail [ OK ]
+ [...]
+ # echo $?
+ 0
+
+Fixes: 596c8819cb78 ("selftests: forwarding: Have RET track kselftest framework constants")
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251116081029.69112-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/lib_sh_test.sh | 7 +++++++
+ tools/testing/selftests/net/lib.sh | 2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/forwarding/lib_sh_test.sh b/tools/testing/selftests/net/forwarding/lib_sh_test.sh
+index ff2accccaf4d4..b4eda6c6199ed 100755
+--- a/tools/testing/selftests/net/forwarding/lib_sh_test.sh
++++ b/tools/testing/selftests/net/forwarding/lib_sh_test.sh
+@@ -30,6 +30,11 @@ tfail()
+ do_test "tfail" false
+ }
+
++tfail2()
++{
++ do_test "tfail2" false
++}
++
+ txfail()
+ {
+ FAIL_TO_XFAIL=yes do_test "txfail" false
+@@ -132,6 +137,8 @@ test_ret()
+ ret_subtest $ksft_fail "tfail" txfail tfail
+
+ ret_subtest $ksft_xfail "txfail" txfail txfail
++
++ ret_subtest $ksft_fail "tfail2" tfail2 tfail
+ }
+
+ exit_status_tests_run()
+diff --git a/tools/testing/selftests/net/lib.sh b/tools/testing/selftests/net/lib.sh
+index 80cf1a75136cf..bc332ab3f7b88 100644
+--- a/tools/testing/selftests/net/lib.sh
++++ b/tools/testing/selftests/net/lib.sh
+@@ -43,7 +43,7 @@ __ksft_status_merge()
+ weights[$i]=$((weight++))
+ done
+
+- if [[ ${weights[$a]} > ${weights[$b]} ]]; then
++ if [[ ${weights[$a]} -ge ${weights[$b]} ]]; then
+ echo "$a"
+ return 0
+ else
+--
+2.51.0
+
--- /dev/null
+From eaa556a401fb50893561ee3235a3365c8bc9b2de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 17:57:10 +0800
+Subject: selftests: net: use BASH for bareudp testing
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ]
+
+In bareudp.sh, this script uses /bin/sh and it will load another lib.sh
+BASH script at the very beginning.
+
+But on some operating systems like Ubuntu, /bin/sh is actually pointed to
+DASH, thus it will try to run BASH commands with DASH and consequently
+leads to syntax issues:
+ # ./bareudp.sh: 4: ./lib.sh: Bad substitution
+ # ./bareudp.sh: 5: ./lib.sh: source: not found
+ # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected
+
+Fix this by explicitly using BASH for bareudp.sh. This fixes test
+execution failures on systems where /bin/sh is not BASH.
+
+Reported-by: Edoardo Canepa <edoardo.canepa@canonical.com>
+Link: https://bugs.launchpad.net/bugs/2129812
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/bareudp.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh
+index 4046131e78882..d9e5b967f8151 100755
+--- a/tools/testing/selftests/net/bareudp.sh
++++ b/tools/testing/selftests/net/bareudp.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
+ # Test various bareudp tunnel configurations.
+--
+2.51.0
+
drm-amd-display-move-sleep-into-each-retry-for-retrieve_link_cap.patch
drm-amd-display-fix-pbn-to-kbps-conversion.patch
drm-amd-display-clear-the-cur_enable-register-on-dcn20-on-dpp5.patch
+pinctrl-mediatek-mt8196-align-register-base-names-to.patch
+pinctrl-mediatek-mt8189-align-register-base-names-to.patch
+xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch
+xfrm-also-call-xfrm_state_delete_tunnel-at-destroy-t.patch
+xfrm-call-xfrm_dev_state_delete-when-xfrm_state_migr.patch
+xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch
+clk-sunxi-ng-mark-a523-bus-r-cpucfg-clock-as-critica.patch
+clk-sunxi-ng-sun55i-a523-r-ccu-mark-bus-r-dma-as-cri.patch
+clk-sunxi-ng-sun55i-a523-ccu-lower-audio0-pll-minimu.patch
+pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch
+xfrm-check-inner-packet-family-directly-from-skb_dst.patch
+xfrm-determine-inner-gso-type-from-packet-inner-prot.patch
+xfrm-prevent-locally-generated-packets-from-direct-o.patch
+pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch
+platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch
+platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch
+mips-dts-econet-fix-en751221-core-type.patch
+net-core-prevent-null-deref-in-generic_hwtstamp_ioct.patch
+mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch
+drm-tegra-add-call-to-put_pid.patch
+net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch
+net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch
+net-openvswitch-remove-never-working-support-for-set.patch
+veth-more-robust-handing-of-race-to-avoid-txq-gettin.patch
+tools-riscv-fixed-misalignment-of-csr-related-defini.patch
+nvmet-auth-update-sc_c-in-target-host-hash-calculati.patch
+nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch
+drm-i915-xe3lpd-load-dmc-for-xe3_lpd-version-30.02.patch
+s390-ctcm-fix-double-kfree.patch
+selftests-net-lib-do-not-overwrite-error-messages.patch
+net-airoha-add-wlan-flowtable-tx-offload.patch
+net-airoha-do-not-loopback-traffic-to-gdm2-if-it-is-.patch
+platform-x86-intel-speed_select_if-convert-pcibios_-.patch
+platform-x86-intel-uncore-freq-fix-all-header-kernel.patch
+net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch
+drm-pcids-split-ptl-pciids-group-to-make-wcl-subplat.patch
+drm-i915-display-add-definition-for-wcl-as-subplatfo.patch
+drm-i915-xe3-restrict-ptl-intel_encoder_is_c10phy-to.patch
+drm-xe-kunit-fix-forcewake-assertion-in-mocs-test.patch
+drm-xe-irq-handle-msix-vector0-interrupt.patch
+idpf-fix-possible-vport_config-null-pointer-deref-in.patch
+ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch
+pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch
+pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch
+devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch
+net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch
+af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch
+gpio-cdev-make-sure-the-cdev-fd-is-still-active-befo.patch
+net-phylink-add-missing-supported-link-modes-for-the.patch
+tick-sched-fix-bogus-condition-in-report_idle_softir.patch
+loongarch-use-uapi-types-in-ptrace-uapi-header.patch
+cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch
+perf-fix-0-count-issue-of-cpu-clock.patch
+vsock-ignore-signal-timeout-on-connect-if-already-es.patch
+timekeeping-fix-resource-leak-in-tk_aux_sysfs_init-e.patch
+mips-kernel-fix-random-segmentation-faults.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch
+sched_ext-allocate-scx_kick_cpus_pnt_seqs-lazily-usi.patch
+bcma-don-t-register-devices-disabled-in-of.patch
+sched_ext-defer-queue_balance_callback-until-after-o.patch
+drm-msm-fix-pgtable-prealloc-error-path.patch
+asoc-rt721-fix-prepare-clock-stop-failed.patch
+cifs-fix-typo-in-enable_gcm_256-module-parameter.patch
+scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch
+alsa-hda-realtek-fix-mute-led-for-hp-victus-15-fa1xx.patch
+perf-x86-intel-uncore-add-uncore-pmu-support-for-wil.patch
+x86-microcode-amd-limit-entrysign-signature-checking.patch
+selftests-cachestat-fix-warning-on-declaration-under.patch
+smb-client-handle-lack-of-ipc-in-dfs_cache_refresh.patch
+selftests-net-use-bash-for-bareudp-testing.patch
+net-tls-change-async-resync-helpers-argument.patch
+blk-crypto-use-blk_sts_inval-for-alignment-errors.patch
+net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch
+x86-cpu-amd-extend-zen6-model-range.patch
+kconfig-mconf-initialize-the-default-locale-at-start.patch
+kconfig-nconf-initialize-the-default-locale-at-start.patch
--- /dev/null
+From 44207b06e5cd3f68615b2786cd4db6a80160e9db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 18:59:47 -0300
+Subject: smb: client: handle lack of IPC in dfs_cache_refresh()
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit fac56c4651ae95f3f2b468c2cf1884cf0e6d18c1 ]
+
+In very rare cases, DFS mounts could end up with SMB sessions without
+any IPC connections. These mounts are only possible when having
+unexpired cached DFS referrals, hence not requiring any IPC
+connections during the mount process.
+
+Try to establish those missing IPC connections when refreshing DFS
+referrals. If the server is still rejecting it, then simply ignore
+and leave expired cached DFS referral for any potential DFS failovers.
+
+Reported-by: Jay Shin <jaeshin@redhat.com>
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Cc: David Howells <dhowells@redhat.com>
+Cc: linux-cifs@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsproto.h | 2 ++
+ fs/smb/client/connect.c | 38 ++++++++++++---------------
+ fs/smb/client/dfs_cache.c | 55 +++++++++++++++++++++++++++++++++------
+ 3 files changed, 66 insertions(+), 29 deletions(-)
+
+diff --git a/fs/smb/client/cifsproto.h b/fs/smb/client/cifsproto.h
+index e8fba98690ce3..8c00ff52a12a6 100644
+--- a/fs/smb/client/cifsproto.h
++++ b/fs/smb/client/cifsproto.h
+@@ -615,6 +615,8 @@ extern int E_md4hash(const unsigned char *passwd, unsigned char *p16,
+ extern struct TCP_Server_Info *
+ cifs_find_tcp_session(struct smb3_fs_context *ctx);
+
++struct cifs_tcon *cifs_setup_ipc(struct cifs_ses *ses, bool seal);
++
+ void __cifs_put_smb_ses(struct cifs_ses *ses);
+
+ extern struct cifs_ses *
+diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
+index dd12f3eb61dcb..d65ab7e4b1c26 100644
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -2015,39 +2015,31 @@ static int match_session(struct cifs_ses *ses,
+ /**
+ * cifs_setup_ipc - helper to setup the IPC tcon for the session
+ * @ses: smb session to issue the request on
+- * @ctx: the superblock configuration context to use for building the
+- * new tree connection for the IPC (interprocess communication RPC)
++ * @seal: if encryption is requested
+ *
+ * A new IPC connection is made and stored in the session
+ * tcon_ipc. The IPC tcon has the same lifetime as the session.
+ */
+-static int
+-cifs_setup_ipc(struct cifs_ses *ses, struct smb3_fs_context *ctx)
++struct cifs_tcon *cifs_setup_ipc(struct cifs_ses *ses, bool seal)
+ {
+ int rc = 0, xid;
+ struct cifs_tcon *tcon;
+ char unc[SERVER_NAME_LENGTH + sizeof("//x/IPC$")] = {0};
+- bool seal = false;
+ struct TCP_Server_Info *server = ses->server;
+
+ /*
+ * If the mount request that resulted in the creation of the
+ * session requires encryption, force IPC to be encrypted too.
+ */
+- if (ctx->seal) {
+- if (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)
+- seal = true;
+- else {
+- cifs_server_dbg(VFS,
+- "IPC: server doesn't support encryption\n");
+- return -EOPNOTSUPP;
+- }
++ if (seal && !(server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) {
++ cifs_server_dbg(VFS, "IPC: server doesn't support encryption\n");
++ return ERR_PTR(-EOPNOTSUPP);
+ }
+
+ /* no need to setup directory caching on IPC share, so pass in false */
+ tcon = tcon_info_alloc(false, netfs_trace_tcon_ref_new_ipc);
+ if (tcon == NULL)
+- return -ENOMEM;
++ return ERR_PTR(-ENOMEM);
+
+ spin_lock(&server->srv_lock);
+ scnprintf(unc, sizeof(unc), "\\\\%s\\IPC$", server->hostname);
+@@ -2057,13 +2049,13 @@ cifs_setup_ipc(struct cifs_ses *ses, struct smb3_fs_context *ctx)
+ tcon->ses = ses;
+ tcon->ipc = true;
+ tcon->seal = seal;
+- rc = server->ops->tree_connect(xid, ses, unc, tcon, ctx->local_nls);
++ rc = server->ops->tree_connect(xid, ses, unc, tcon, ses->local_nls);
+ free_xid(xid);
+
+ if (rc) {
+- cifs_server_dbg(VFS, "failed to connect to IPC (rc=%d)\n", rc);
++ cifs_server_dbg(VFS | ONCE, "failed to connect to IPC (rc=%d)\n", rc);
+ tconInfoFree(tcon, netfs_trace_tcon_ref_free_ipc_fail);
+- goto out;
++ return ERR_PTR(rc);
+ }
+
+ cifs_dbg(FYI, "IPC tcon rc=%d ipc tid=0x%x\n", rc, tcon->tid);
+@@ -2071,9 +2063,7 @@ cifs_setup_ipc(struct cifs_ses *ses, struct smb3_fs_context *ctx)
+ spin_lock(&tcon->tc_lock);
+ tcon->status = TID_GOOD;
+ spin_unlock(&tcon->tc_lock);
+- ses->tcon_ipc = tcon;
+-out:
+- return rc;
++ return tcon;
+ }
+
+ static struct cifs_ses *
+@@ -2347,6 +2337,7 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb3_fs_context *ctx)
+ {
+ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)&server->dstaddr;
+ struct sockaddr_in *addr = (struct sockaddr_in *)&server->dstaddr;
++ struct cifs_tcon *ipc;
+ struct cifs_ses *ses;
+ unsigned int xid;
+ int retries = 0;
+@@ -2525,7 +2516,12 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb3_fs_context *ctx)
+ list_add(&ses->smb_ses_list, &server->smb_ses_list);
+ spin_unlock(&cifs_tcp_ses_lock);
+
+- cifs_setup_ipc(ses, ctx);
++ ipc = cifs_setup_ipc(ses, ctx->seal);
++ spin_lock(&cifs_tcp_ses_lock);
++ spin_lock(&ses->ses_lock);
++ ses->tcon_ipc = !IS_ERR(ipc) ? ipc : NULL;
++ spin_unlock(&ses->ses_lock);
++ spin_unlock(&cifs_tcp_ses_lock);
+
+ free_xid(xid);
+
+diff --git a/fs/smb/client/dfs_cache.c b/fs/smb/client/dfs_cache.c
+index 4dada26d56b5f..f2ad0ccd08a77 100644
+--- a/fs/smb/client/dfs_cache.c
++++ b/fs/smb/client/dfs_cache.c
+@@ -1120,24 +1120,63 @@ static bool target_share_equal(struct cifs_tcon *tcon, const char *s1)
+ return match;
+ }
+
+-static bool is_ses_good(struct cifs_ses *ses)
++static bool is_ses_good(struct cifs_tcon *tcon, struct cifs_ses *ses)
+ {
+ struct TCP_Server_Info *server = ses->server;
+- struct cifs_tcon *tcon = ses->tcon_ipc;
++ struct cifs_tcon *ipc = NULL;
+ bool ret;
+
++ spin_lock(&cifs_tcp_ses_lock);
+ spin_lock(&ses->ses_lock);
+ spin_lock(&ses->chan_lock);
++
+ ret = !cifs_chan_needs_reconnect(ses, server) &&
+- ses->ses_status == SES_GOOD &&
+- !tcon->need_reconnect;
++ ses->ses_status == SES_GOOD;
++
+ spin_unlock(&ses->chan_lock);
++
++ if (!ret)
++ goto out;
++
++ if (likely(ses->tcon_ipc)) {
++ if (ses->tcon_ipc->need_reconnect) {
++ ret = false;
++ goto out;
++ }
++ } else {
++ spin_unlock(&ses->ses_lock);
++ spin_unlock(&cifs_tcp_ses_lock);
++
++ ipc = cifs_setup_ipc(ses, tcon->seal);
++
++ spin_lock(&cifs_tcp_ses_lock);
++ spin_lock(&ses->ses_lock);
++ if (!IS_ERR(ipc)) {
++ if (!ses->tcon_ipc) {
++ ses->tcon_ipc = ipc;
++ ipc = NULL;
++ }
++ } else {
++ ret = false;
++ ipc = NULL;
++ }
++ }
++
++out:
+ spin_unlock(&ses->ses_lock);
++ spin_unlock(&cifs_tcp_ses_lock);
++ if (ipc && server->ops->tree_disconnect) {
++ unsigned int xid = get_xid();
++
++ (void)server->ops->tree_disconnect(xid, ipc);
++ _free_xid(xid);
++ }
++ tconInfoFree(ipc, netfs_trace_tcon_ref_free_ipc);
+ return ret;
+ }
+
+ /* Refresh dfs referral of @ses */
+-static void refresh_ses_referral(struct cifs_ses *ses)
++static void refresh_ses_referral(struct cifs_tcon *tcon, struct cifs_ses *ses)
+ {
+ struct cache_entry *ce;
+ unsigned int xid;
+@@ -1153,7 +1192,7 @@ static void refresh_ses_referral(struct cifs_ses *ses)
+ }
+
+ ses = CIFS_DFS_ROOT_SES(ses);
+- if (!is_ses_good(ses)) {
++ if (!is_ses_good(tcon, ses)) {
+ cifs_dbg(FYI, "%s: skip cache refresh due to disconnected ipc\n",
+ __func__);
+ goto out;
+@@ -1241,7 +1280,7 @@ static void refresh_tcon_referral(struct cifs_tcon *tcon, bool force_refresh)
+ up_read(&htable_rw_lock);
+
+ ses = CIFS_DFS_ROOT_SES(ses);
+- if (!is_ses_good(ses)) {
++ if (!is_ses_good(tcon, ses)) {
+ cifs_dbg(FYI, "%s: skip cache refresh due to disconnected ipc\n",
+ __func__);
+ goto out;
+@@ -1309,7 +1348,7 @@ void dfs_cache_refresh(struct work_struct *work)
+ tcon = container_of(work, struct cifs_tcon, dfs_cache_work.work);
+
+ list_for_each_entry(ses, &tcon->dfs_ses_list, dlist)
+- refresh_ses_referral(ses);
++ refresh_ses_referral(tcon, ses);
+ refresh_tcon_referral(tcon, false);
+
+ queue_delayed_work(dfscache_wq, &tcon->dfs_cache_work,
+--
+2.51.0
+
--- /dev/null
+From f5421a384ca06c9a6c7d71fc5d9f838f87a310a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 01:45:25 +0800
+Subject: tick/sched: Fix bogus condition in report_idle_softirq()
+
+From: Wen Yang <wen.yang@linux.dev>
+
+[ Upstream commit 807e0d187da4c0b22036b5e34000f7a8c52f6e50 ]
+
+In commit 0345691b24c0 ("tick/rcu: Stop allowing RCU_SOFTIRQ in idle") the
+new function report_idle_softirq() was created by breaking code out of the
+existing can_stop_idle_tick() for kernels v5.18 and newer.
+
+In doing so, the code essentially went from this form:
+
+ if (A) {
+ static int ratelimit;
+ if (ratelimit < 10 && !C && A&D) {
+ pr_warn("NOHZ tick-stop error: ...");
+ ratelimit++;
+ }
+ return false;
+ }
+
+to a new function:
+
+static bool report_idle_softirq(void)
+{
+ static int ratelimit;
+
+ if (likely(!A))
+ return false;
+
+ if (ratelimit < 10)
+ return false;
+...
+ pr_warn("NOHZ tick-stop error: local softirq work is pending, handler #%02x!!!\n",
+ pending);
+ ratelimit++;
+
+ return true;
+}
+
+commit a7e282c77785 ("tick/rcu: Fix bogus ratelimit condition") realized
+ratelimit was essentially set to zero instead of ten, and hence *no*
+softirq pending messages would ever be issued, but "fixed" it as:
+
+- if (ratelimit < 10)
++ if (ratelimit >= 10)
+ return false;
+
+However, this fix introduced another issue:
+
+When ratelimit is greater than or equal 10, even if A is true, it will
+directly return false. While ratelimit in the original code was only used
+to control printing and will not affect the return value.
+
+Restore the original logic and restrict ratelimit to control the printk and
+not the return value.
+
+Fixes: 0345691b24c0 ("tick/rcu: Stop allowing RCU_SOFTIRQ in idle")
+Fixes: a7e282c77785 ("tick/rcu: Fix bogus ratelimit condition")
+Signed-off-by: Wen Yang <wen.yang@linux.dev>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://patch.msgid.link/20251119174525.29470-1-wen.yang@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/tick-sched.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
+index c527b421c8652..466e083c82721 100644
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -1152,16 +1152,15 @@ static bool report_idle_softirq(void)
+ return false;
+ }
+
+- if (ratelimit >= 10)
+- return false;
+-
+ /* On RT, softirq handling may be waiting on some lock */
+ if (local_bh_blocked())
+ return false;
+
+- pr_warn("NOHZ tick-stop error: local softirq work is pending, handler #%02x!!!\n",
+- pending);
+- ratelimit++;
++ if (ratelimit < 10) {
++ pr_warn("NOHZ tick-stop error: local softirq work is pending, handler #%02x!!!\n",
++ pending);
++ ratelimit++;
++ }
+
+ return true;
+ }
+--
+2.51.0
+
--- /dev/null
+From b52b6d480c33c7a08d5e3d765b21faa0e61bd2f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 20:32:13 +0530
+Subject: timekeeping: Fix resource leak in tk_aux_sysfs_init() error paths
+
+From: Malaya Kumar Rout <mrout@redhat.com>
+
+[ Upstream commit 7b5ab04f035f829ed6008e4685501ec00b3e73c9 ]
+
+tk_aux_sysfs_init() returns immediately on error during the auxiliary clock
+initialization loop without cleaning up previously allocated kobjects and
+sysfs groups.
+
+If kobject_create_and_add() or sysfs_create_group() fails during loop
+iteration, the parent kobjects (tko and auxo) and any previously created
+child kobjects are leaked.
+
+Fix this by adding proper error handling with goto labels to ensure all
+allocated resources are cleaned up on failure. kobject_put() on the
+parent kobjects will handle cleanup of their children.
+
+Fixes: 7b95663a3d96 ("timekeeping: Provide interface to control auxiliary clocks")
+Signed-off-by: Malaya Kumar Rout <mrout@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://patch.msgid.link/20251120150213.246777-1-mrout@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timekeeping.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index 3a4d3b2e3f740..08e0943b54da6 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -3060,29 +3060,32 @@ static const struct attribute_group aux_clock_enable_attr_group = {
+ static int __init tk_aux_sysfs_init(void)
+ {
+ struct kobject *auxo, *tko = kobject_create_and_add("time", kernel_kobj);
++ int ret = -ENOMEM;
+
+ if (!tko)
+- return -ENOMEM;
++ return ret;
+
+ auxo = kobject_create_and_add("aux_clocks", tko);
+- if (!auxo) {
+- kobject_put(tko);
+- return -ENOMEM;
+- }
++ if (!auxo)
++ goto err_clean;
+
+ for (int i = 0; i < MAX_AUX_CLOCKS; i++) {
+ char id[2] = { [0] = '0' + i, };
+ struct kobject *clk = kobject_create_and_add(id, auxo);
+
+ if (!clk)
+- return -ENOMEM;
+-
+- int ret = sysfs_create_group(clk, &aux_clock_enable_attr_group);
++ goto err_clean;
+
++ ret = sysfs_create_group(clk, &aux_clock_enable_attr_group);
+ if (ret)
+- return ret;
++ goto err_clean;
+ }
+ return 0;
++
++err_clean:
++ kobject_put(auxo);
++ kobject_put(tko);
++ return ret;
+ }
+ late_initcall(tk_aux_sysfs_init);
+
+--
+2.51.0
+
--- /dev/null
+From 560b9838100434a477392d3bca4b0de398de786d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Nov 2025 15:12:15 +0800
+Subject: tools: riscv: Fixed misalignment of CSR related definitions
+
+From: Chen Pei <cp0613@linux.alibaba.com>
+
+[ Upstream commit e2cb69263e797c0aa6676bcef23e9e27e44c83b0 ]
+
+The file tools/arch/riscv/include/asm/csr.h borrows from
+arch/riscv/include/asm/csr.h, and subsequent modifications
+related to CSR should maintain consistency.
+
+Signed-off-by: Chen Pei <cp0613@linux.alibaba.com>
+Link: https://patch.msgid.link/20251114071215.816-1-cp0613@linux.alibaba.com
+[pjw@kernel.org: dropped Fixes: lines for patches that weren't broken; removed superfluous blank line]
+Signed-off-by: Paul Walmsley <pjw@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/riscv_pmu_sbi.c | 2 +-
+ tools/arch/riscv/include/asm/csr.h | 5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c
+index 698de8ddf895b..824209f0a3641 100644
+--- a/drivers/perf/riscv_pmu_sbi.c
++++ b/drivers/perf/riscv_pmu_sbi.c
+@@ -1019,7 +1019,7 @@ static irqreturn_t pmu_sbi_ovf_handler(int irq, void *dev)
+ /* compute hardware counter index */
+ hidx = info->csr - CSR_CYCLE;
+
+- /* check if the corresponding bit is set in sscountovf or overflow mask in shmem */
++ /* check if the corresponding bit is set in scountovf or overflow mask in shmem */
+ if (!(overflow & BIT(hidx)))
+ continue;
+
+diff --git a/tools/arch/riscv/include/asm/csr.h b/tools/arch/riscv/include/asm/csr.h
+index 0dfc09254f99a..1cd824aaa3ba2 100644
+--- a/tools/arch/riscv/include/asm/csr.h
++++ b/tools/arch/riscv/include/asm/csr.h
+@@ -167,7 +167,8 @@
+ #define VSIP_TO_HVIP_SHIFT (IRQ_VS_SOFT - IRQ_S_SOFT)
+ #define VSIP_VALID_MASK ((_AC(1, UL) << IRQ_S_SOFT) | \
+ (_AC(1, UL) << IRQ_S_TIMER) | \
+- (_AC(1, UL) << IRQ_S_EXT))
++ (_AC(1, UL) << IRQ_S_EXT) | \
++ (_AC(1, UL) << IRQ_PMU_OVF))
+
+ /* AIA CSR bits */
+ #define TOPI_IID_SHIFT 16
+@@ -280,7 +281,7 @@
+ #define CSR_HPMCOUNTER30H 0xc9e
+ #define CSR_HPMCOUNTER31H 0xc9f
+
+-#define CSR_SSCOUNTOVF 0xda0
++#define CSR_SCOUNTOVF 0xda0
+
+ #define CSR_SSTATUS 0x100
+ #define CSR_SIE 0x104
+--
+2.51.0
+
--- /dev/null
+From 64f4778b5bccd2a593bb963cd526351eeb42b6e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 14:13:52 +0100
+Subject: veth: more robust handing of race to avoid txq getting stuck
+
+From: Jesper Dangaard Brouer <hawk@kernel.org>
+
+[ Upstream commit 5442a9da69789741bfda39f34ee7f69552bf0c56 ]
+
+Commit dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to
+reduce TX drops") introduced a race condition that can lead to a permanently
+stalled TXQ. This was observed in production on ARM64 systems (Ampere Altra
+Max).
+
+The race occurs in veth_xmit(). The producer observes a full ptr_ring and
+stops the queue (netif_tx_stop_queue()). The subsequent conditional logic,
+intended to re-wake the queue if the consumer had just emptied it (if
+(__ptr_ring_empty(...)) netif_tx_wake_queue()), can fail. This leads to a
+"lost wakeup" where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and
+traffic halts.
+
+This failure is caused by an incorrect use of the __ptr_ring_empty() API
+from the producer side. As noted in kernel comments, this check is not
+guaranteed to be correct if a consumer is operating on another CPU. The
+empty test is based on ptr_ring->consumer_head, making it reliable only for
+the consumer. Using this check from the producer side is fundamentally racy.
+
+This patch fixes the race by adopting the more robust logic from an earlier
+version V4 of the patchset, which always flushed the peer:
+
+(1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier
+are removed. Instead, after stopping the queue, we unconditionally call
+__veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled,
+making it solely responsible for re-waking the TXQ.
+ This handles the race where veth_poll() consumes all packets and completes
+NAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue.
+The __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule
+NAPI.
+
+(2) On the consumer side, the logic for waking the peer TXQ is moved out of
+veth_xdp_rcv() and placed at the end of the veth_poll() function. This
+placement is part of fixing the race, as the netif_tx_queue_stopped() check
+must occur after rx_notify_masked is potentially set to false during NAPI
+completion.
+ This handles the race where veth_poll() consumes all packets, but haven't
+finished (rx_notify_masked is still true). The producer veth_xmit() stops the
+TXQ and __veth_xdp_flush(rq) will observe rx_notify_masked is true, meaning
+not starting NAPI. Then veth_poll() change rx_notify_masked to false and
+stops NAPI. Before exiting veth_poll() will observe TXQ is stopped and wake
+it up.
+
+Fixes: dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to reduce TX drops")
+Reviewed-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
+Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Link: https://patch.msgid.link/176295323282.307447.14790015927673763094.stgit@firesoul
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 38 ++++++++++++++++++++------------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index a3046142cb8e2..35dd89aff4a94 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -392,14 +392,12 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+ }
+ /* Restore Eth hdr pulled by dev_forward_skb/eth_type_trans */
+ __skb_push(skb, ETH_HLEN);
+- /* Depend on prior success packets started NAPI consumer via
+- * __veth_xdp_flush(). Cancel TXQ stop if consumer stopped,
+- * paired with empty check in veth_poll().
+- */
+ netif_tx_stop_queue(txq);
+- smp_mb__after_atomic();
+- if (unlikely(__ptr_ring_empty(&rq->xdp_ring)))
+- netif_tx_wake_queue(txq);
++ /* Makes sure NAPI peer consumer runs. Consumer is responsible
++ * for starting txq again, until then ndo_start_xmit (this
++ * function) will not be invoked by the netstack again.
++ */
++ __veth_xdp_flush(rq);
+ break;
+ case NET_RX_DROP: /* same as NET_XMIT_DROP */
+ drop:
+@@ -900,17 +898,9 @@ static int veth_xdp_rcv(struct veth_rq *rq, int budget,
+ struct veth_xdp_tx_bq *bq,
+ struct veth_stats *stats)
+ {
+- struct veth_priv *priv = netdev_priv(rq->dev);
+- int queue_idx = rq->xdp_rxq.queue_index;
+- struct netdev_queue *peer_txq;
+- struct net_device *peer_dev;
+ int i, done = 0, n_xdpf = 0;
+ void *xdpf[VETH_XDP_BATCH];
+
+- /* NAPI functions as RCU section */
+- peer_dev = rcu_dereference_check(priv->peer, rcu_read_lock_bh_held());
+- peer_txq = peer_dev ? netdev_get_tx_queue(peer_dev, queue_idx) : NULL;
+-
+ for (i = 0; i < budget; i++) {
+ void *ptr = __ptr_ring_consume(&rq->xdp_ring);
+
+@@ -959,9 +949,6 @@ static int veth_xdp_rcv(struct veth_rq *rq, int budget,
+ rq->stats.vs.xdp_packets += done;
+ u64_stats_update_end(&rq->stats.syncp);
+
+- if (peer_txq && unlikely(netif_tx_queue_stopped(peer_txq)))
+- netif_tx_wake_queue(peer_txq);
+-
+ return done;
+ }
+
+@@ -969,12 +956,20 @@ static int veth_poll(struct napi_struct *napi, int budget)
+ {
+ struct veth_rq *rq =
+ container_of(napi, struct veth_rq, xdp_napi);
++ struct veth_priv *priv = netdev_priv(rq->dev);
++ int queue_idx = rq->xdp_rxq.queue_index;
++ struct netdev_queue *peer_txq;
+ struct veth_stats stats = {};
++ struct net_device *peer_dev;
+ struct veth_xdp_tx_bq bq;
+ int done;
+
+ bq.count = 0;
+
++ /* NAPI functions as RCU section */
++ peer_dev = rcu_dereference_check(priv->peer, rcu_read_lock_bh_held());
++ peer_txq = peer_dev ? netdev_get_tx_queue(peer_dev, queue_idx) : NULL;
++
+ xdp_set_return_frame_no_direct();
+ done = veth_xdp_rcv(rq, budget, &bq, &stats);
+
+@@ -996,6 +991,13 @@ static int veth_poll(struct napi_struct *napi, int budget)
+ veth_xdp_flush(rq, &bq);
+ xdp_clear_return_frame_no_direct();
+
++ /* Release backpressure per NAPI poll */
++ smp_rmb(); /* Paired with netif_tx_stop_queue set_bit */
++ if (peer_txq && netif_tx_queue_stopped(peer_txq)) {
++ txq_trans_cond_update(peer_txq);
++ netif_tx_wake_queue(peer_txq);
++ }
++
+ return done;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From cfe68c66df01f827da0cf3a9070479b94cfc2646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Nov 2025 15:02:59 +0100
+Subject: vsock: Ignore signal/timeout on connect() if already established
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ]
+
+During connect(), acting on a signal/timeout by disconnecting an already
+established socket leads to several issues:
+
+1. connect() invoking vsock_transport_cancel_pkt() ->
+ virtio_transport_purge_skbs() may race with sendmsg() invoking
+ virtio_transport_get_credit(). This results in a permanently elevated
+ `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
+
+2. connect() resetting a connected socket's state may race with socket
+ being placed in a sockmap. A disconnected socket remaining in a sockmap
+ breaks sockmap's assumptions. And gives rise to WARNs.
+
+3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
+ transport change/drop after TCP_ESTABLISHED. Which poses a problem for
+ any simultaneous sendmsg() or connect() and may result in a
+ use-after-free/null-ptr-deref.
+
+Do not disconnect socket on signal/timeout. Keep the logic for unconnected
+sockets: they don't linger, can't be placed in a sockmap, are rejected by
+sendmsg().
+
+[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
+[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
+[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 21758f59edc13..67bd6779448a5 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1666,18 +1666,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+ timeout = schedule_timeout(timeout);
+ lock_sock(sk);
+
+- if (signal_pending(current)) {
+- err = sock_intr_errno(timeout);
+- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+- sock->state = SS_UNCONNECTED;
+- vsock_transport_cancel_pkt(vsk);
+- vsock_remove_connected(vsk);
+- goto out_wait;
+- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+- err = -ETIMEDOUT;
++ /* Connection established. Whatever happens to socket once we
++ * release it, that's not connect()'s concern. No need to go
++ * into signal and timeout handling. Call it a day.
++ *
++ * Note that allowing to "reset" an already established socket
++ * here is racy and insecure.
++ */
++ if (sk->sk_state == TCP_ESTABLISHED)
++ break;
++
++ /* If connection was _not_ established and a signal/timeout came
++ * to be, we want the socket's state reset. User space may want
++ * to retry.
++ *
++ * sk_state != TCP_ESTABLISHED implies that socket is not on
++ * vsock_connected_table. We keep the binding and the transport
++ * assigned.
++ */
++ if (signal_pending(current) || timeout == 0) {
++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout);
++
++ /* Listener might have already responded with
++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our
++ * sk_state == TCP_SYN_SENT, which hereby we break.
++ * In such case VIRTIO_VSOCK_OP_RST will follow.
++ */
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
++
++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by
++ * transport->connect().
++ */
+ vsock_transport_cancel_pkt(vsk);
++
+ goto out_wait;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 869cf8de0da6e7d0d38fa618b652180f4b0e56bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Oct 2025 12:34:31 +0100
+Subject: x86/CPU/AMD: Extend Zen6 model range
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+[ Upstream commit 847ebc4476714f81d7dea73e5ea69448d7fe9d3a ]
+
+Add some more Zen6 models.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://patch.msgid.link/20251029123056.19987-1-bp@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 3139713e3a78f..9390312c93b6e 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -516,7 +516,7 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
+ setup_force_cpu_cap(X86_FEATURE_ZEN5);
+ break;
+ case 0x50 ... 0x5f:
+- case 0x90 ... 0xaf:
++ case 0x80 ... 0xaf:
+ case 0xc0 ... 0xcf:
+ setup_force_cpu_cap(X86_FEATURE_ZEN6);
+ break;
+--
+2.51.0
+
--- /dev/null
+From caa236a481b5e071764503aa79eb1377394ac026 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 14:46:29 +0200
+Subject: x86/microcode/AMD: Limit Entrysign signature checking to known
+ generations
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+[ Upstream commit 8a9fb5129e8e64d24543ebc70de941a2d77a9e77 ]
+
+Limit Entrysign sha256 signature checking to CPUs in the range Zen1-Zen5.
+
+X86_BUG cannot be used here because the loading on the BSP happens way
+too early, before the cpufeatures machinery has been set up.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://patch.msgid.link/all/20251023124629.5385-1-bp@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/microcode/amd.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
+index c5363e6563798..ff40fe7ef58eb 100644
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -236,13 +236,31 @@ static bool need_sha_check(u32 cur_rev)
+ return true;
+ }
+
++static bool cpu_has_entrysign(void)
++{
++ unsigned int fam = x86_family(bsp_cpuid_1_eax);
++ unsigned int model = x86_model(bsp_cpuid_1_eax);
++
++ if (fam == 0x17 || fam == 0x19)
++ return true;
++
++ if (fam == 0x1a) {
++ if (model <= 0x2f ||
++ (0x40 <= model && model <= 0x4f) ||
++ (0x60 <= model && model <= 0x6f))
++ return true;
++ }
++
++ return false;
++}
++
+ static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsigned int len)
+ {
+ struct patch_digest *pd = NULL;
+ u8 digest[SHA256_DIGEST_SIZE];
+ int i;
+
+- if (x86_family(bsp_cpuid_1_eax) < 0x17)
++ if (!cpu_has_entrysign())
+ return true;
+
+ if (!need_sha_check(cur_rev))
+--
+2.51.0
+
--- /dev/null
+From 44830d1db5f7ee9661165c9d043e0145de1bc5f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 12:39:13 +0200
+Subject: xfrm: also call xfrm_state_delete_tunnel at destroy time for states
+ that were never added
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 10deb69864840ccf96b00ac2ab3a2055c0c04721 ]
+
+In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I
+missed the case where state creation fails between full
+initialization (->init_state has been called) and being inserted on
+the lists.
+
+In this situation, ->init_state has been called, so for IPcomp
+tunnels, the fallback tunnel has been created and added onto the
+lists, but the user state never gets added, because we fail before
+that. The user state doesn't go through __xfrm_state_delete, so we
+don't call xfrm_state_delete_tunnel for those states, and we end up
+leaking the FB tunnel.
+
+There are several codepaths affected by this: the add/update paths, in
+both net/key and xfrm, and the migrate code (xfrm_migrate,
+xfrm_state_migrate). A "proper" rollback of the init_state work would
+probably be doable in the add/update code, but for migrate it gets
+more complicated as multiple states may be involved.
+
+At some point, the new (not-inserted) state will be destroyed, so call
+xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states
+will have their fallback tunnel cleaned up during __xfrm_state_delete,
+which solves the issue that b441cf3f8c4b (and other patches before it)
+aimed at. All states (including FB tunnels) will be removed from the
+lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).
+
+Reported-by: syzbot+999eb23467f83f9bf9bf@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=999eb23467f83f9bf9bf
+Fixes: b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index e4736d1ebb443..721ef0f409b51 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -592,6 +592,7 @@ void xfrm_state_free(struct xfrm_state *x)
+ }
+ EXPORT_SYMBOL(xfrm_state_free);
+
++static void xfrm_state_delete_tunnel(struct xfrm_state *x);
+ static void xfrm_state_gc_destroy(struct xfrm_state *x)
+ {
+ if (x->mode_cbs && x->mode_cbs->destroy_state)
+@@ -607,6 +608,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
+ kfree(x->replay_esn);
+ kfree(x->preplay_esn);
+ xfrm_unset_type_offload(x);
++ xfrm_state_delete_tunnel(x);
+ if (x->type) {
+ x->type->destructor(x);
+ xfrm_put_type(x->type);
+@@ -806,7 +808,6 @@ void __xfrm_state_destroy(struct xfrm_state *x)
+ }
+ EXPORT_SYMBOL(__xfrm_state_destroy);
+
+-static void xfrm_state_delete_tunnel(struct xfrm_state *x);
+ int __xfrm_state_delete(struct xfrm_state *x)
+ {
+ struct net *net = xs_net(x);
+--
+2.51.0
+
--- /dev/null
+From e0622576776a0cd64fe9861908b9d28c5e5c0f15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 12:39:15 +0200
+Subject: xfrm: call xfrm_dev_state_delete when xfrm_state_migrate fails to add
+ the state
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 7f02285764790e0ff1a731b4187fa3e389ed02c7 ]
+
+In case xfrm_state_migrate fails after calling xfrm_dev_state_add, we
+directly release the last reference and destroy the new state, without
+calling xfrm_dev_state_delete (this only happens in
+__xfrm_state_delete, which we're not calling on this path, since the
+state was never added).
+
+Call xfrm_dev_state_delete on error when an offload configuration was
+provided.
+
+Fixes: ab244a394c7f ("xfrm: Migrate offload configuration")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 721ef0f409b51..f8a5837457a35 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2158,10 +2158,13 @@ struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
+ xfrm_state_insert(xc);
+ } else {
+ if (xfrm_state_add(xc) < 0)
+- goto error;
++ goto error_add;
+ }
+
+ return xc;
++error_add:
++ if (xuo)
++ xfrm_dev_state_delete(xc);
+ error:
+ xfrm_state_put(xc);
+ return NULL;
+--
+2.51.0
+
--- /dev/null
+From 702fba0f8075e89d6c256178191a70a5e8f4ae0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 04:22:47 +0200
+Subject: xfrm: Check inner packet family directly from skb_dst
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 082ef944e55da8a9a8df92e3842ca82a626d359a ]
+
+In the output path, xfrm_dev_offload_ok and xfrm_get_inner_ipproto
+need to determine the protocol family of the inner packet (skb) before
+it gets encapsulated.
+
+In xfrm_dev_offload_ok, the code checked x->inner_mode.family. This is
+unreliable because, for states handling both IPv4 and IPv6, the
+relevant inner family could be either x->inner_mode.family or
+x->inner_mode_iaf.family. Checking only the former can lead to a
+mismatch with the actual packet being processed.
+
+In xfrm_get_inner_ipproto, the code checked x->outer_mode.family. This
+is also incorrect for tunnel mode, as the inner packet's family can be
+different from the outer header's family.
+
+At both of these call sites, the skb variable holds the original inner
+packet. The most direct and reliable source of truth for its protocol
+family is its destination entry. This patch fixes the issue by using
+skb_dst(skb)->ops->family to ensure protocol-specific headers are only
+accessed for the correct packet type.
+
+Fixes: 91d8a53db219 ("xfrm: fix offloading of cross-family tunnels")
+Fixes: 45a98ef4922d ("net/xfrm: IPsec tunnel mode fix inner_ipproto setting in sec_path")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_device.c | 2 +-
+ net/xfrm/xfrm_output.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
+index 44b9de6e4e778..52ae0e034d29e 100644
+--- a/net/xfrm/xfrm_device.c
++++ b/net/xfrm/xfrm_device.c
+@@ -438,7 +438,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
+
+ check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
+ x->props.mode == XFRM_MODE_TUNNEL;
+- switch (x->inner_mode.family) {
++ switch (skb_dst(skb)->ops->family) {
+ case AF_INET:
+ /* Check for IPv4 options */
+ if (ip_hdr(skb)->ihl != 5)
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 9077730ff7d0e..a98b5bf55ac31 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -698,7 +698,7 @@ static void xfrm_get_inner_ipproto(struct sk_buff *skb, struct xfrm_state *x)
+ return;
+
+ if (x->outer_mode.encap == XFRM_MODE_TUNNEL) {
+- switch (x->outer_mode.family) {
++ switch (skb_dst(skb)->ops->family) {
+ case AF_INET:
+ xo->inner_ipproto = ip_hdr(skb)->protocol;
+ break;
+--
+2.51.0
+
--- /dev/null
+From 2163af01c94d56c82a747c6a48ce74197ae2bf62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 04:22:48 +0200
+Subject: xfrm: Determine inner GSO type from packet inner protocol
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 61fafbee6cfed283c02a320896089f658fa67e56 ]
+
+The GSO segmentation functions for ESP tunnel mode
+(xfrm4_tunnel_gso_segment and xfrm6_tunnel_gso_segment) were
+determining the inner packet's L2 protocol type by checking the static
+x->inner_mode.family field from the xfrm state.
+
+This is unreliable. In tunnel mode, the state's actual inner family
+could be defined by x->inner_mode.family or by
+x->inner_mode_iaf.family. Checking only the former can lead to a
+mismatch with the actual packet being processed, causing GSO to create
+segments with the wrong L2 header type.
+
+This patch fixes the bug by deriving the inner mode directly from the
+packet's inner protocol stored in XFRM_MODE_SKB_CB(skb)->protocol.
+
+Instead of replicating the code, this patch modifies the
+xfrm_ip2inner_mode helper function. It now correctly returns
+&x->inner_mode if the selector family (x->sel.family) is already
+specified, thereby handling both specific and AF_UNSPEC cases
+appropriately.
+
+With this change, ESP GSO can use xfrm_ip2inner_mode to get the
+correct inner mode. It doesn't affect existing callers, as the updated
+logic now mirrors the checks they were already performing externally.
+
+Fixes: 26dbd66eab80 ("esp: choose the correct inner protocol for GSO on inter address family tunnels")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 3 ++-
+ net/ipv4/esp4_offload.c | 6 ++++--
+ net/ipv6/esp6_offload.c | 6 ++++--
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index f3014e4f54fc3..0a14daaa5dd40 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -536,7 +536,8 @@ static inline int xfrm_af2proto(unsigned int family)
+
+ static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
+ {
+- if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
++ if ((x->sel.family != AF_UNSPEC) ||
++ (ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
+ (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
+ return &x->inner_mode;
+ else
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index e0d94270da28a..05828d4cb6cdb 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -122,8 +122,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6)
+- : htons(ETH_P_IP);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
++ XFRM_MODE_SKB_CB(skb)->protocol);
++ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
++ : htons(ETH_P_IP);
+
+ return skb_eth_gso_segment(skb, features, type);
+ }
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 7b41fb4f00b58..22410243ebe88 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -158,8 +158,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP)
+- : htons(ETH_P_IPV6);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
++ XFRM_MODE_SKB_CB(skb)->protocol);
++ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
++ : htons(ETH_P_IPV6);
+
+ return skb_eth_gso_segment(skb, features, type);
+ }
+--
+2.51.0
+
--- /dev/null
+From 9961ac39afaa0f275878bf9942651d7b80bd4579 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 12:39:12 +0200
+Subject: xfrm: drop SA reference in xfrm_state_update if dir doesn't match
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 8d2a2a49c30f67a480fa9ed25e08436a446f057e ]
+
+We're not updating x1, but we still need to put() it.
+
+Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index d213ca3653a8f..e4736d1ebb443 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2191,14 +2191,18 @@ int xfrm_state_update(struct xfrm_state *x)
+ }
+
+ if (x1->km.state == XFRM_STATE_ACQ) {
+- if (x->dir && x1->dir != x->dir)
++ if (x->dir && x1->dir != x->dir) {
++ to_put = x1;
+ goto out;
++ }
+
+ __xfrm_state_insert(x);
+ x = NULL;
+ } else {
+- if (x1->dir != x->dir)
++ if (x1->dir != x->dir) {
++ to_put = x1;
+ goto out;
++ }
+ }
+ err = 0;
+
+--
+2.51.0
+
--- /dev/null
+From 934226cc6cbda62606d7dcd84677f3f81d11dd2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Oct 2025 11:50:25 +0200
+Subject: xfrm: Prevent locally generated packets from direct output in tunnel
+ mode
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 59630e2ccd728703cc826e3a3515d70f8c7a766c ]
+
+Add a check to ensure locally generated packets (skb->sk != NULL) do
+not use direct output in tunnel mode, as these packets require proper
+L2 header setup that is handled by the normal XFRM processing path.
+
+Fixes: 5eddd76ec2fd ("xfrm: fix tunnel mode TX datapath in packet offload mode")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_output.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index a98b5bf55ac31..54222fcbd7fd8 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -772,8 +772,12 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
+ /* Exclusive direct xmit for tunnel mode, as
+ * some filtering or matching rules may apply
+ * in transport mode.
++ * Locally generated packets also require
++ * the normal XFRM path for L2 header setup,
++ * as the hardware needs the L2 header to match
++ * for encryption, so skip direct output as well.
+ */
+- if (x->props.mode == XFRM_MODE_TUNNEL)
++ if (x->props.mode == XFRM_MODE_TUNNEL && !skb->sk)
+ return xfrm_dev_direct_output(sk, x, skb);
+
+ return xfrm_output_resume(sk, skb, 0);
+--
+2.51.0
+
--- /dev/null
+From d20c8811f8dea67671c50b448cbf228156c3de81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 12:39:16 +0200
+Subject: xfrm: set err and extack on failure to create pcpu SA
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 1dcf617bec5cb85f68ca19969e7537ef6f6931d3 ]
+
+xfrm_state_construct can fail without setting an error if the
+requested pcpu_num value is too big. Set err and add an extack message
+to avoid confusing userspace.
+
+Fixes: 1ddf9916ac09 ("xfrm: Add support for per cpu xfrm state handling.")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 684239018bec4..977a03291f6a5 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -947,8 +947,11 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+
+ if (attrs[XFRMA_SA_PCPU]) {
+ x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
+- if (x->pcpu_num >= num_possible_cpus())
++ if (x->pcpu_num >= num_possible_cpus()) {
++ err = -ERANGE;
++ NL_SET_ERR_MSG(extack, "pCPU number too big");
+ goto error;
++ }
+ }
+
+ err = __xfrm_init_state(x, extack);
+--
+2.51.0
+
--- /dev/null
+From 207e7bfe243841b9c985c39dc6ee7287d8ba1d9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Oct 2025 14:51:26 +0200
+Subject: bcma: don't register devices disabled in OF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit a2a69add80411dd295c9088c1bcf925b1f4e53d7 ]
+
+Some bus devices can be marked as disabled for specific SoCs or models.
+Those should not be registered to avoid probing them.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251003125126.27950-1-zajec5@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bcma/main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c
+index 7061d3ee836a1..c69c05256b59f 100644
+--- a/drivers/bcma/main.c
++++ b/drivers/bcma/main.c
+@@ -294,6 +294,8 @@ static int bcma_register_devices(struct bcma_bus *bus)
+ int err;
+
+ list_for_each_entry(core, &bus->cores, list) {
++ struct device_node *np;
++
+ /* We support that core ourselves */
+ switch (core->id.id) {
+ case BCMA_CORE_4706_CHIPCOMMON:
+@@ -311,6 +313,10 @@ static int bcma_register_devices(struct bcma_bus *bus)
+ if (bcma_is_core_needed_early(core->id.id))
+ continue;
+
++ np = core->dev.of_node;
++ if (np && !of_device_is_available(np))
++ continue;
++
+ /* Only first GMAC core on BCM4706 is connected and working */
+ if (core->id.id == BCMA_CORE_4706_MAC_GBIT &&
+ core->core_unit > 0)
+--
+2.51.0
+
--- /dev/null
+From ca225e0952249d92bbbe3726b8bfb1f390720d89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Nov 2025 20:32:57 +0530
+Subject: cifs: fix memory leak in smb3_fs_context_parse_param error path
+
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+
+[ Upstream commit 7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5 ]
+
+Add proper cleanup of ctx->source and fc->source to the
+cifs_parse_mount_err error handler. This ensures that memory allocated
+for the source strings is correctly freed on all error paths, matching
+the cleanup already performed in the success path by
+smb3_cleanup_fs_context_contents().
+Pointers are also set to NULL after freeing to prevent potential
+double-free issues.
+
+This change fixes a memory leak originally detected by syzbot. The
+leak occurred when processing Opt_source mount options if an error
+happened after ctx->source and fc->source were successfully
+allocated but before the function completed.
+
+The specific leak sequence was:
+1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory
+2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory
+3. A subsequent error jumps to cifs_parse_mount_err
+4. The old error handler freed passwords but not the source strings,
+causing the memory to leak.
+
+This issue was not addressed by commit e8c73eb7db0a ("cifs: client:
+fix memory leak in smb3_fs_context_parse_param"), which only fixed
+leaks from repeated fsconfig() calls but not this error path.
+
+Patch updated with minor change suggested by kernel test robot
+
+Reported-by: syzbot+87be6809ed9bf6d718e3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=87be6809ed9bf6d718e3
+Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index cf233cb9c1943..a64c0b0dbec78 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1726,6 +1726,10 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+ ctx->password = NULL;
+ kfree_sensitive(ctx->password2);
+ ctx->password2 = NULL;
++ kfree(ctx->source);
++ ctx->source = NULL;
++ kfree(fc->source);
++ fc->source = NULL;
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 49f86c7310df03015a9fc10e98d88718c37ac5c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 21:17:01 -0500
+Subject: cifs: fix typo in enable_gcm_256 module parameter
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit f765fdfcd8b5bce92c6aa1a517ff549529ddf590 ]
+
+Fix typo in description of enable_gcm_256 module parameter
+
+Suggested-by: Thomas Spear <speeddymon@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c
+index 2744d5580d195..0461f89c4852e 100644
+--- a/fs/smb/client/cifsfs.c
++++ b/fs/smb/client/cifsfs.c
+@@ -133,7 +133,7 @@ module_param(enable_oplocks, bool, 0644);
+ MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
+
+ module_param(enable_gcm_256, bool, 0644);
+-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0");
++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/1");
+
+ module_param(require_gcm_256, bool, 0644);
+ MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");
+--
+2.51.0
+
--- /dev/null
+From f806cfef7f9744fc0d1944161d199766391706ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 14:05:49 +0200
+Subject: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit f94c1a114ac209977bdf5ca841b98424295ab1f0 ]
+
+The function devl_rate_nodes_destroy is documented to "Unset parent for
+all rate objects". However, it was only calling the driver-specific
+`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing
+the parent's refcount, without actually setting the
+`devlink_rate->parent` pointer to NULL.
+
+This leaves a dangling pointer in the `devlink_rate` struct, which cause
+refcount error in netdevsim[1] and mlx5[2]. In addition, this is
+inconsistent with the behavior of `devlink_nl_rate_parent_node_set`,
+where the parent pointer is correctly cleared.
+
+This patch fixes the issue by explicitly setting `devlink_rate->parent`
+to NULL after notifying the driver, thus fulfilling the function's
+documented behavior for all rate objects.
+
+[1]
+repro steps:
+echo 1 > /sys/bus/netdevsim/new_device
+devlink dev eswitch set netdevsim/netdevsim1 mode switchdev
+echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs
+devlink port function rate add netdevsim/netdevsim1/test_node
+devlink port function rate set netdevsim/netdevsim1/128 parent test_node
+echo 1 > /sys/bus/netdevsim/del_device
+
+dmesg:
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
+CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x42/0xe0
+Call Trace:
+ <TASK>
+ devl_rate_leaf_destroy+0x8d/0x90
+ __nsim_dev_port_del+0x6c/0x70 [netdevsim]
+ nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]
+ nsim_drv_remove+0x2b/0xb0 [netdevsim]
+ device_release_driver_internal+0x194/0x1f0
+ bus_remove_device+0xc6/0x130
+ device_del+0x159/0x3c0
+ device_unregister+0x1a/0x60
+ del_device_store+0x111/0x170 [netdevsim]
+ kernfs_fop_write_iter+0x12e/0x1e0
+ vfs_write+0x215/0x3d0
+ ksys_write+0x5f/0xd0
+ do_syscall_64+0x55/0x10f0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[2]
+devlink dev eswitch set pci/0000:08:00.0 mode switchdev
+devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000
+devlink port function rate add pci/0000:08:00.0/group1
+devlink port function rate set pci/0000:08:00.0/32768 parent group1
+modprobe -r mlx5_ib mlx5_fwctl mlx5_core
+
+dmesg:
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
+CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x42/0xe0
+Call Trace:
+ <TASK>
+ devl_rate_leaf_destroy+0x8d/0x90
+ mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]
+ mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]
+ mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]
+ mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]
+ notifier_call_chain+0x33/0xa0
+ blocking_notifier_call_chain+0x3b/0x50
+ mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]
+ mlx5_eswitch_disable+0x63/0x90 [mlx5_core]
+ mlx5_unload+0x1d/0x170 [mlx5_core]
+ mlx5_uninit_one+0xa2/0x130 [mlx5_core]
+ remove_one+0x78/0xd0 [mlx5_core]
+ pci_device_remove+0x39/0xa0
+ device_release_driver_internal+0x194/0x1f0
+ unbind_store+0x99/0xa0
+ kernfs_fop_write_iter+0x12e/0x1e0
+ vfs_write+0x215/0x3d0
+ ksys_write+0x5f/0xd0
+ do_syscall_64+0x53/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: d75559845078 ("devlink: Allow setting parent node of rate objects")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1763381149-1234377-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/devlink/rate.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/devlink/rate.c b/net/devlink/rate.c
+index dff1593b8406a..e7e80af4abaf6 100644
+--- a/net/devlink/rate.c
++++ b/net/devlink/rate.c
+@@ -702,13 +702,15 @@ void devl_rate_nodes_destroy(struct devlink *devlink)
+ if (!devlink_rate->parent)
+ continue;
+
+- refcount_dec(&devlink_rate->parent->refcnt);
+ if (devlink_rate_is_leaf(devlink_rate))
+ ops->rate_leaf_parent_set(devlink_rate, NULL, devlink_rate->priv,
+ NULL, NULL);
+ else if (devlink_rate_is_node(devlink_rate))
+ ops->rate_node_parent_set(devlink_rate, NULL, devlink_rate->priv,
+ NULL, NULL);
++
++ refcount_dec(&devlink_rate->parent->refcnt);
++ devlink_rate->parent = NULL;
+ }
+ list_for_each_entry_safe(devlink_rate, tmp, &devlink->rate_list, list) {
+ if (devlink_rate_is_node(devlink_rate)) {
+--
+2.51.0
+
--- /dev/null
+From a21b9511ab9d4e98ee32091135f175c93272a6f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Sep 2025 13:25:40 +0900
+Subject: drm/tegra: Add call to put_pid()
+
+From: Prateek Agarwal <praagarwal@nvidia.com>
+
+[ Upstream commit 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a ]
+
+Add a call to put_pid() corresponding to get_task_pid().
+host1x_memory_context_alloc() does not take ownership of the PID so we
+need to free it here to avoid leaking.
+
+Signed-off-by: Prateek Agarwal <praagarwal@nvidia.com>
+Fixes: e09db97889ec ("drm/tegra: Support context isolation")
+[mperttunen@nvidia.com: reword commit message]
+Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20250919-host1x-put-pid-v1-1-19c2163dfa87@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/uapi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c
+index 5adab6b229164..d0b6a1fa6efad 100644
+--- a/drivers/gpu/drm/tegra/uapi.c
++++ b/drivers/gpu/drm/tegra/uapi.c
+@@ -114,9 +114,12 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_
+ if (err)
+ goto put_channel;
+
+- if (supported)
++ if (supported) {
++ struct pid *pid = get_task_pid(current, PIDTYPE_TGID);
+ context->memory_context = host1x_memory_context_alloc(
+- host, client->base.dev, get_task_pid(current, PIDTYPE_TGID));
++ host, client->base.dev, pid);
++ put_pid(pid);
++ }
+
+ if (IS_ERR(context->memory_context)) {
+ if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) {
+--
+2.51.0
+
--- /dev/null
+From b3e9a26ebc63f7c2b875219349a864b3851857d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 17:49:32 +0200
+Subject: kconfig/mconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ]
+
+Fix bug where make menuconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/mconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c
+index 3795c36a9181a..2364140596c5d 100644
+--- a/scripts/kconfig/mconf.c
++++ b/scripts/kconfig/mconf.c
+@@ -12,6 +12,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <limits.h>
++#include <locale.h>
+ #include <stdarg.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -1015,6 +1016,8 @@ int main(int ac, char **av)
+
+ signal(SIGINT, sig_handler);
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ silent = 1;
+ /* Silence conf_read() until the real callback is set up */
+--
+2.51.0
+
--- /dev/null
+From 927ead667b7ff08984f0e31f6fca1809da503038 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 16:44:06 +0200
+Subject: kconfig/nconf: Initialize the default locale at startup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Horký <jakub.git@horky.net>
+
+[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ]
+
+Fix bug where make nconfig doesn't initialize the default locale, which
+causes ncurses menu borders to be displayed incorrectly (lqqqqk) in
+UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY.
+
+Signed-off-by: Jakub Horký <jakub.git@horky.net>
+Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net
+[nathan: Alphabetize locale.h include]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index 7a17c94a15941..a7cfa6813c63f 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -7,6 +7,7 @@
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
++#include <locale.h>
+ #include <string.h>
+ #include <strings.h>
+ #include <stdlib.h>
+@@ -1569,6 +1570,8 @@ int main(int ac, char **av)
+ int lines, columns;
+ char *mode;
+
++ setlocale(LC_ALL, "");
++
+ if (ac > 1 && strcmp(av[1], "-s") == 0) {
+ /* Silence conf_read() until the real callback is set up */
+ conf_set_message_callback(NULL);
+--
+2.51.0
+
--- /dev/null
+From b7e710e6a14e60df8b9c4c9321d7382f5f5e1840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Oct 2023 14:59:53 +0300
+Subject: kernel.h: Move ARRAY_SIZE() to a separate header
+
+From: Alejandro Colomar <alx@kernel.org>
+
+[ Upstream commit 3cd39bc3b11b8d34b7d7c961a35fdfd18b0ebf75 ]
+
+Touching files so used for the kernel,
+forces 'make' to recompile most of the kernel.
+
+Having those definitions in more granular files
+helps avoid recompiling so much of the kernel.
+
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20230817143352.132583-2-lucas.segarra.fernandez@intel.com
+[andy: reduced to cover only string.h for now]
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Stable-dep-of: 896f1a2493b5 ("net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/array_size.h | 13 +++++++++++++
+ include/linux/kernel.h | 7 +------
+ include/linux/string.h | 1 +
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+ create mode 100644 include/linux/array_size.h
+
+diff --git a/include/linux/array_size.h b/include/linux/array_size.h
+new file mode 100644
+index 0000000000000..06d7d83196ca3
+--- /dev/null
++++ b/include/linux/array_size.h
+@@ -0,0 +1,13 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _LINUX_ARRAY_SIZE_H
++#define _LINUX_ARRAY_SIZE_H
++
++#include <linux/compiler.h>
++
++/**
++ * ARRAY_SIZE - get the number of elements in array @arr
++ * @arr: array to be sized
++ */
++#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
++
++#endif /* _LINUX_ARRAY_SIZE_H */
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index cee8fe87e9f4f..d9ad21058eed9 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -13,6 +13,7 @@
+
+ #include <linux/stdarg.h>
+ #include <linux/align.h>
++#include <linux/array_size.h>
+ #include <linux/limits.h>
+ #include <linux/linkage.h>
+ #include <linux/stddef.h>
+@@ -50,12 +51,6 @@
+ #define READ 0
+ #define WRITE 1
+
+-/**
+- * ARRAY_SIZE - get the number of elements in array @arr
+- * @arr: array to be sized
+- */
+-#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
+-
+ #define PTR_IF(cond, ptr) ((cond) ? (ptr) : NULL)
+
+ #define u64_to_user_ptr(x) ( \
+diff --git a/include/linux/string.h b/include/linux/string.h
+index 5077776e995e0..ce137830a0b99 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -2,6 +2,7 @@
+ #ifndef _LINUX_STRING_H_
+ #define _LINUX_STRING_H_
+
++#include <linux/array_size.h>
+ #include <linux/compiler.h> /* for inline */
+ #include <linux/types.h> /* for size_t */
+ #include <linux/stddef.h> /* for NULL */
+--
+2.51.0
+
--- /dev/null
+From fe4f109741ad4322c2cf52b7b40b719704f65ae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 14:42:05 +0800
+Subject: LoongArch: Use UAPI types in ptrace UAPI header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 20d7338f2d3bcb570068dd6d39b16f1a909fe976 ]
+
+The kernel UAPI headers already contain fixed-width integer types, there
+is no need to rely on the libc types. There may not be a libc available
+or the libc may not provides the <stdint.h>, like for example on nolibc.
+
+This also aligns the header with the rest of the LoongArch UAPI headers.
+
+Fixes: 803b0fc5c3f2 ("LoongArch: Add process management")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/include/uapi/asm/ptrace.h | 40 +++++++++++-------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+diff --git a/arch/loongarch/include/uapi/asm/ptrace.h b/arch/loongarch/include/uapi/asm/ptrace.h
+index aafb3cd9e943e..215e0f9e8aa32 100644
+--- a/arch/loongarch/include/uapi/asm/ptrace.h
++++ b/arch/loongarch/include/uapi/asm/ptrace.h
+@@ -10,10 +10,6 @@
+
+ #include <linux/types.h>
+
+-#ifndef __KERNEL__
+-#include <stdint.h>
+-#endif
+-
+ /*
+ * For PTRACE_{POKE,PEEK}USR. 0 - 31 are GPRs,
+ * 32 is syscall's original ARG0, 33 is PC, 34 is BADVADDR.
+@@ -41,44 +37,44 @@ struct user_pt_regs {
+ } __attribute__((aligned(8)));
+
+ struct user_fp_state {
+- uint64_t fpr[32];
+- uint64_t fcc;
+- uint32_t fcsr;
++ __u64 fpr[32];
++ __u64 fcc;
++ __u32 fcsr;
+ };
+
+ struct user_lsx_state {
+ /* 32 registers, 128 bits width per register. */
+- uint64_t vregs[32*2];
++ __u64 vregs[32*2];
+ };
+
+ struct user_lasx_state {
+ /* 32 registers, 256 bits width per register. */
+- uint64_t vregs[32*4];
++ __u64 vregs[32*4];
+ };
+
+ struct user_lbt_state {
+- uint64_t scr[4];
+- uint32_t eflags;
+- uint32_t ftop;
++ __u64 scr[4];
++ __u32 eflags;
++ __u32 ftop;
+ };
+
+ struct user_watch_state {
+- uint64_t dbg_info;
++ __u64 dbg_info;
+ struct {
+- uint64_t addr;
+- uint64_t mask;
+- uint32_t ctrl;
+- uint32_t pad;
++ __u64 addr;
++ __u64 mask;
++ __u32 ctrl;
++ __u32 pad;
+ } dbg_regs[8];
+ };
+
+ struct user_watch_state_v2 {
+- uint64_t dbg_info;
++ __u64 dbg_info;
+ struct {
+- uint64_t addr;
+- uint64_t mask;
+- uint32_t ctrl;
+- uint32_t pad;
++ __u64 addr;
++ __u64 mask;
++ __u32 ctrl;
++ __u32 pad;
+ } dbg_regs[14];
+ };
+
+--
+2.51.0
+
--- /dev/null
+From 9b8d4dd095f8876c8e23cc822a7af05b87cf395e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 05:21:14 +0000
+Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ]
+
+The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to
+obtain a ruleset reference. If the subsequent call to
+mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns
+an error without releasing the ruleset reference, causing a memory leak.
+
+Fix this by using a goto to the existing error handling label, which
+calls mlxsw_sp_acl_ruleset_put() to properly release the reference.
+
+Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+index 9fd1ca0792584..fba545938fd7d 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+@@ -816,8 +816,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp,
+ return -EINVAL;
+
+ rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie);
+- if (!rule)
+- return -EINVAL;
++ if (!rule) {
++ err = -EINVAL;
++ goto err_rule_get_stats;
++ }
+
+ err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes,
+ &drops, &lastuse, &used_hw_stats);
+--
+2.51.0
+
--- /dev/null
+From 3043eb6e1b2481a3777e7176c33772e38e406293 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 16:57:44 +0300
+Subject: net: dsa: hellcreek: fix missing error handling in LED registration
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ]
+
+The LED setup routine registered both led_sync_good
+and led_is_gm devices without checking the return
+values of led_classdev_register(). If either registration
+failed, the function continued silently, leaving the
+driver in a partially-initialized state and leaking
+a registered LED classdev.
+
+Add proper error handling
+
+Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Kurt Kanzenbach <kurt@linutronix.de>
+Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+index 5249a1c2a80b8..1bb994f785963 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c
++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+@@ -371,8 +371,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek)
+ hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1);
+
+ /* Register both leds */
+- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
+- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n");
++ goto out;
++ }
++
++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm);
++ if (ret) {
++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n");
++ led_classdev_unregister(&hellcreek->led_sync_good);
++ goto out;
++ }
+
+ ret = 0;
+
+--
+2.51.0
+
--- /dev/null
+From aa7b172281273a902dda502c12bd33f892a2e7e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 14:16:08 +0200
+Subject: net/mlx5: Clean up only new IRQ glue on request_irq() failure
+
+From: Pradyumn Rahar <pradyumn.rahar@oracle.com>
+
+[ Upstream commit d47515af6cccd7484d8b0870376858c9848a18ec ]
+
+The mlx5_irq_alloc() function can inadvertently free the entire rmap
+and end up in a crash[1] when the other threads tries to access this,
+when request_irq() fails due to exhausted IRQ vectors. This commit
+modifies the cleanup to remove only the specific IRQ mapping that was
+just added.
+
+This prevents removal of other valid mappings and ensures precise
+cleanup of the failed IRQ allocation's associated glue object.
+
+Note: This error is observed when both fwctl and rds configs are enabled.
+
+[1]
+mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1
+mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
+request irq. err = -28
+infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
+trying to test write-combining support
+mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1
+mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1
+mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
+request irq. err = -28
+infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
+trying to test write-combining support
+mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1
+mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
+request irq. err = -28
+mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
+request irq. err = -28
+general protection fault, probably for non-canonical address
+0xe277a58fde16f291: 0000 [#1] SMP NOPTI
+
+RIP: 0010:free_irq_cpu_rmap+0x23/0x7d
+Call Trace:
+ <TASK>
+ ? show_trace_log_lvl+0x1d6/0x2f9
+ ? show_trace_log_lvl+0x1d6/0x2f9
+ ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
+ ? __die_body.cold+0x8/0xa
+ ? die_addr+0x39/0x53
+ ? exc_general_protection+0x1c4/0x3e9
+ ? dev_vprintk_emit+0x5f/0x90
+ ? asm_exc_general_protection+0x22/0x27
+ ? free_irq_cpu_rmap+0x23/0x7d
+ mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
+ irq_pool_request_vector+0x7d/0x90 [mlx5_core]
+ mlx5_irq_request+0x2e/0xe0 [mlx5_core]
+ mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]
+ comp_irq_request_pci+0x64/0xf0 [mlx5_core]
+ create_comp_eq+0x71/0x385 [mlx5_core]
+ ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]
+ mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]
+ ? xas_load+0x8/0x91
+ mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]
+ mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]
+ mlx5e_open_channels+0xad/0x250 [mlx5_core]
+ mlx5e_open_locked+0x3e/0x110 [mlx5_core]
+ mlx5e_open+0x23/0x70 [mlx5_core]
+ __dev_open+0xf1/0x1a5
+ __dev_change_flags+0x1e1/0x249
+ dev_change_flags+0x21/0x5c
+ do_setlink+0x28b/0xcc4
+ ? __nla_parse+0x22/0x3d
+ ? inet6_validate_link_af+0x6b/0x108
+ ? cpumask_next+0x1f/0x35
+ ? __snmp6_fill_stats64.constprop.0+0x66/0x107
+ ? __nla_validate_parse+0x48/0x1e6
+ __rtnl_newlink+0x5ff/0xa57
+ ? kmem_cache_alloc_trace+0x164/0x2ce
+ rtnl_newlink+0x44/0x6e
+ rtnetlink_rcv_msg+0x2bb/0x362
+ ? __netlink_sendskb+0x4c/0x6c
+ ? netlink_unicast+0x28f/0x2ce
+ ? rtnl_calcit.isra.0+0x150/0x146
+ netlink_rcv_skb+0x5f/0x112
+ netlink_unicast+0x213/0x2ce
+ netlink_sendmsg+0x24f/0x4d9
+ __sock_sendmsg+0x65/0x6a
+ ____sys_sendmsg+0x28f/0x2c9
+ ? import_iovec+0x17/0x2b
+ ___sys_sendmsg+0x97/0xe0
+ __sys_sendmsg+0x81/0xd8
+ do_syscall_64+0x35/0x87
+ entry_SYSCALL_64_after_hwframe+0x6e/0x0
+RIP: 0033:0x7fc328603727
+Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed
+ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00
+f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48
+RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727
+RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d
+RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007ffe8eb3f3c8 R15: 00007ffe8eb3f3bc
+ </TASK>
+---[ end trace f43ce73c3c2b13a2 ]---
+RIP: 0010:free_irq_cpu_rmap+0x23/0x7d
+Code: 0f 1f 80 00 00 00 00 48 85 ff 74 6b 55 48 89 fd 53 66 83 7f 06 00
+74 24 31 db 48 8b 55 08 0f b7 c3 48 8b 04 c2 48 85 c0 74 09 <8b> 38 31
+f6 e8 c4 0a b8 ff 83 c3 01 66 3b 5d 06 72 de b8 ff ff ff
+RSP: 0018:ff384881640eaca0 EFLAGS: 00010282
+RAX: e277a58fde16f291 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ff2335e2e20b3600 RSI: 0000000000000000 RDI: ff2335e2e20b3400
+RBP: ff2335e2e20b3400 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 00000000ffffffe4 R12: ff384881640ead88
+R13: ff2335c3760751e0 R14: ff2335e2e1672200 R15: ff2335c3760751f8
+FS: 00007fc32ac22480(0000) GS:ff2335e2d6e00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f651ab54000 CR3: 00000029f1206003 CR4: 0000000000771ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Kernel panic - not syncing: Fatal exception
+Kernel Offset: 0x1dc00000 from 0xffffffff81000000 (relocation range:
+0xffffffff80000000-0xffffffffbfffffff)
+kvm-guest: disable async PF for cpu 0
+
+Fixes: 3354822cde5a ("net/mlx5: Use dynamic msix vectors allocation")
+Signed-off-by: Mohith Kumar Thummaluru<mohith.k.kumar.thummaluru@oracle.com>
+Tested-by: Mohith Kumar Thummaluru<mohith.k.kumar.thummaluru@oracle.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Signed-off-by: Pradyumn Rahar <pradyumn.rahar@oracle.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1763381768-1234998-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
+index a8d6fd18c0f55..487d8b413a41d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
+@@ -323,10 +323,8 @@ struct mlx5_irq *mlx5_irq_alloc(struct mlx5_irq_pool *pool, int i,
+ free_irq(irq->map.virq, &irq->nh);
+ err_req_irq:
+ #ifdef CONFIG_RFS_ACCEL
+- if (i && rmap && *rmap) {
+- free_irq_cpu_rmap(*rmap);
+- *rmap = NULL;
+- }
++ if (i && rmap && *rmap)
++ irq_cpu_rmap_remove(*rmap, irq->map.virq);
+ err_irq_rmap:
+ #endif
+ if (i && pci_msix_can_alloc_dyn(dev->pdev))
+--
+2.51.0
+
--- /dev/null
+From 7a5e31c2bddeb497aed20eadc9feb17da9ca6573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 19:19:21 +0300
+Subject: net: mlxsw: linecards: fix missing error check in
+ mlxsw_linecard_devlink_info_get()
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit b0c959fec18f4595a6a6317ffc30615cfa37bf69 ]
+
+The call to devlink_info_version_fixed_put() in
+mlxsw_linecard_devlink_info_get() did not check for errors,
+although it is checked everywhere in the code.
+
+Add missed 'err' check to the mlxsw_linecard_devlink_info_get()
+
+Fixes: 3fc0c51905fb ("mlxsw: core_linecards: Expose device PSID over device info")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251113161922.813828-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+index b032d5a4b3b84..10f5bc4892fc7 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+@@ -601,6 +601,8 @@ int mlxsw_linecard_devlink_info_get(struct mlxsw_linecard *linecard,
+ err = devlink_info_version_fixed_put(req,
+ DEVLINK_INFO_VERSION_GENERIC_FW_PSID,
+ info->psid);
++ if (err)
++ goto unlock;
+
+ sprintf(buf, "%u.%u.%u", info->fw_major, info->fw_minor,
+ info->fw_sub_minor);
+--
+2.51.0
+
--- /dev/null
+From 08907e2da85dcdc2843c2ba0073a6334aab8f18c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:14:03 +0100
+Subject: net: openvswitch: remove never-working support for setting nsh fields
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ]
+
+The validation of the set(nsh(...)) action is completely wrong.
+It runs through the nsh_key_put_from_nlattr() function that is the
+same function that validates NSH keys for the flow match and the
+push_nsh() action. However, the set(nsh(...)) has a very different
+memory layout. Nested attributes in there are doubled in size in
+case of the masked set(). That makes proper validation impossible.
+
+There is also confusion in the code between the 'masked' flag, that
+says that the nested attributes are doubled in size containing both
+the value and the mask, and the 'is_mask' that says that the value
+we're parsing is the mask. This is causing kernel crash on trying to
+write into mask part of the match with SW_FLOW_KEY_PUT() during
+validation, while validate_nsh() doesn't allocate any memory for it:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
+ RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
+ Call Trace:
+ <TASK>
+ validate_nsh+0x60/0x90 [openvswitch]
+ validate_set.constprop.0+0x270/0x3c0 [openvswitch]
+ __ovs_nla_copy_actions+0x477/0x860 [openvswitch]
+ ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
+ ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
+ genl_family_rcv_msg_doit+0xdb/0x130
+ genl_family_rcv_msg+0x14b/0x220
+ genl_rcv_msg+0x47/0xa0
+ netlink_rcv_skb+0x53/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x280/0x3b0
+ netlink_sendmsg+0x1f7/0x430
+ ____sys_sendmsg+0x36b/0x3a0
+ ___sys_sendmsg+0x87/0xd0
+ __sys_sendmsg+0x6d/0xd0
+ do_syscall_64+0x7b/0x2c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The third issue with this process is that while trying to convert
+the non-masked set into masked one, validate_set() copies and doubles
+the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
+attributes. It should be copying each nested attribute and doubling
+them in size independently. And the process must be properly reversed
+during the conversion back from masked to a non-masked variant during
+the flow dump.
+
+In the end, the only two outcomes of trying to use this action are
+either validation failure or a kernel crash. And if somehow someone
+manages to install a flow with such an action, it will most definitely
+not do what it is supposed to, since all the keys and the masks are
+mixed up.
+
+Fixing all the issues is a complex task as it requires re-writing
+most of the validation code.
+
+Given that and the fact that this functionality never worked since
+introduction, let's just remove it altogether. It's better to
+re-introduce it later with a proper implementation instead of trying
+to fix it in stable releases.
+
+Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
+Reported-by: Junvy Yang <zhuque@tencent.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/actions.c | 68 +---------------------------------
+ net/openvswitch/flow_netlink.c | 64 ++++----------------------------
+ net/openvswitch/flow_netlink.h | 2 -
+ 3 files changed, 9 insertions(+), 125 deletions(-)
+
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index 10c646b32b9d0..0ea4fc2a755bf 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -597,69 +597,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key,
+ return 0;
+ }
+
+-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
+- const struct nlattr *a)
+-{
+- struct nshhdr *nh;
+- size_t length;
+- int err;
+- u8 flags;
+- u8 ttl;
+- int i;
+-
+- struct ovs_key_nsh key;
+- struct ovs_key_nsh mask;
+-
+- err = nsh_key_from_nlattr(a, &key, &mask);
+- if (err)
+- return err;
+-
+- /* Make sure the NSH base header is there */
+- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN))
+- return -ENOMEM;
+-
+- nh = nsh_hdr(skb);
+- length = nsh_hdr_len(nh);
+-
+- /* Make sure the whole NSH header is there */
+- err = skb_ensure_writable(skb, skb_network_offset(skb) +
+- length);
+- if (unlikely(err))
+- return err;
+-
+- nh = nsh_hdr(skb);
+- skb_postpull_rcsum(skb, nh, length);
+- flags = nsh_get_flags(nh);
+- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
+- flow_key->nsh.base.flags = flags;
+- ttl = nsh_get_ttl(nh);
+- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl);
+- flow_key->nsh.base.ttl = ttl;
+- nsh_set_flags_and_ttl(nh, flags, ttl);
+- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr,
+- mask.base.path_hdr);
+- flow_key->nsh.base.path_hdr = nh->path_hdr;
+- switch (nh->mdtype) {
+- case NSH_M_TYPE1:
+- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) {
+- nh->md1.context[i] =
+- OVS_MASKED(nh->md1.context[i], key.context[i],
+- mask.context[i]);
+- }
+- memcpy(flow_key->nsh.context, nh->md1.context,
+- sizeof(nh->md1.context));
+- break;
+- case NSH_M_TYPE2:
+- memset(flow_key->nsh.context, 0,
+- sizeof(flow_key->nsh.context));
+- break;
+- default:
+- return -EINVAL;
+- }
+- skb_postpush_rcsum(skb, nh, length);
+- return 0;
+-}
+-
+ /* Must follow skb_ensure_writable() since that can move the skb data. */
+ static void set_tp_port(struct sk_buff *skb, __be16 *port,
+ __be16 new_port, __sum16 *check)
+@@ -1143,10 +1080,6 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ get_mask(a, struct ovs_key_ethernet *));
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- err = set_nsh(skb, flow_key, a);
+- break;
+-
+ case OVS_KEY_ATTR_IPV4:
+ err = set_ipv4(skb, flow_key, nla_data(a),
+ get_mask(a, struct ovs_key_ipv4 *));
+@@ -1183,6 +1116,7 @@ static int execute_masked_set_action(struct sk_buff *skb,
+ case OVS_KEY_ATTR_CT_LABELS:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4:
+ case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6:
++ case OVS_KEY_ATTR_NSH:
+ err = -EINVAL;
+ break;
+ }
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index 089ab1826e1d5..836e8e705d40e 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1292,6 +1292,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
+ return 0;
+ }
+
++/*
++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH,
++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that
++ * attributes were previously validated with validate_push_nsh().
++ */
+ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ struct nshhdr *nh, size_t size)
+ {
+@@ -1301,8 +1306,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ u8 ttl = 0;
+ int mdlen = 0;
+
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+ if (size < NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+
+@@ -1346,46 +1349,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ return 0;
+ }
+
+-int nsh_key_from_nlattr(const struct nlattr *attr,
+- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
+-{
+- struct nlattr *a;
+- int rem;
+-
+- /* validate_nsh has check this, so we needn't do duplicate check here
+- */
+- nla_for_each_nested(a, attr, rem) {
+- int type = nla_type(a);
+-
+- switch (type) {
+- case OVS_NSH_KEY_ATTR_BASE: {
+- const struct ovs_nsh_key_base *base = nla_data(a);
+- const struct ovs_nsh_key_base *base_mask = base + 1;
+-
+- nsh->base = *base;
+- nsh_mask->base = *base_mask;
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD1: {
+- const struct ovs_nsh_key_md1 *md1 = nla_data(a);
+- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;
+-
+- memcpy(nsh->context, md1->context, sizeof(*md1));
+- memcpy(nsh_mask->context, md1_mask->context,
+- sizeof(*md1_mask));
+- break;
+- }
+- case OVS_NSH_KEY_ATTR_MD2:
+- /* Not supported yet */
+- return -ENOTSUPP;
+- default:
+- return -EINVAL;
+- }
+- }
+-
+- return 0;
+-}
+-
+ static int nsh_key_put_from_nlattr(const struct nlattr *attr,
+ struct sw_flow_match *match, bool is_mask,
+ bool is_push_nsh, bool log)
+@@ -2825,17 +2788,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
+ return err;
+ }
+
+-static bool validate_nsh(const struct nlattr *attr, bool is_mask,
+- bool is_push_nsh, bool log)
++static bool validate_push_nsh(const struct nlattr *attr, bool log)
+ {
+ struct sw_flow_match match;
+ struct sw_flow_key key;
+- int ret = 0;
+
+ ovs_match_init(&match, &key, true, NULL);
+- ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
+- is_push_nsh, log);
+- return !ret;
++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ }
+
+ /* Return false if there are any non-masked bits set.
+@@ -2983,13 +2942,6 @@ static int validate_set(const struct nlattr *a,
+
+ break;
+
+- case OVS_KEY_ATTR_NSH:
+- if (eth_type != htons(ETH_P_NSH))
+- return -EINVAL;
+- if (!validate_nsh(nla_data(a), masked, false, log))
+- return -EINVAL;
+- break;
+-
+ default:
+ return -EINVAL;
+ }
+@@ -3399,7 +3351,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
+ return -EINVAL;
+ }
+ mac_proto = MAC_PROTO_NONE;
+- if (!validate_nsh(nla_data(a), false, true, true))
++ if (!validate_push_nsh(nla_data(a), log))
+ return -EINVAL;
+ break;
+
+diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h
+index fe7f77fc5f189..ff8cdecbe3465 100644
+--- a/net/openvswitch/flow_netlink.h
++++ b/net/openvswitch/flow_netlink.h
+@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr,
+ void ovs_nla_free_flow_actions(struct sw_flow_actions *);
+ void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *);
+
+-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh,
+- struct ovs_key_nsh *nsh_mask);
+ int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh,
+ size_t size);
+
+--
+2.51.0
+
--- /dev/null
+From 4a4c7c819827713f213fe536da0e9a92e1e9e638 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 14:27:56 +0300
+Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont()
+ and qede_tpa_end()
+
+From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+
+[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ]
+
+The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate
+over 'cqe->len_list[]' using only a zero-length terminator as
+the stopping condition. If the terminator was missing or
+malformed, the loop could run past the end of the fixed-size array.
+
+Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
+a potential out-of-bounds access.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO")
+Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
+Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+index cb1746bc0e0c5..273dae622c411 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+@@ -4,6 +4,7 @@
+ * Copyright (c) 2019-2020 Marvell International Ltd.
+ */
+
++#include <linux/array_size.h>
+ #include <linux/netdevice.h>
+ #include <linux/etherdevice.h>
+ #include <linux/skbuff.h>
+@@ -960,7 +961,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev,
+ {
+ int i;
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+
+@@ -985,7 +986,7 @@ static int qede_tpa_end(struct qede_dev *edev,
+ dma_unmap_page(rxq->dev, tpa_info->buffer.mapping,
+ PAGE_SIZE, rxq->data_direction);
+
+- for (i = 0; cqe->len_list[i]; i++)
++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++)
+ qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index,
+ le16_to_cpu(cqe->len_list[i]));
+ if (unlikely(i > 1))
+--
+2.51.0
+
--- /dev/null
+From d06f76927c035493090d756be3746a06924adf1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 22:03:02 +0200
+Subject: net: tls: Cancel RX async resync request on rcd_delta overflow
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ]
+
+When a netdev issues a RX async resync request for a TLS connection,
+the TLS module handles it by logging record headers and attempting to
+match them to the tcp_sn provided by the device. If a match is found,
+the TLS module approves the tcp_sn for resynchronization.
+
+While waiting for a device response, the TLS module also increments
+rcd_delta each time a new TLS record is received, tracking the distance
+from the original resync request.
+
+However, if the device response is delayed or fails (e.g due to
+unstable connection and device getting out of tracking, hardware
+errors, resource exhaustion etc.), the TLS module keeps logging and
+incrementing, which can lead to a WARN() when rcd_delta exceeds the
+threshold.
+
+To address this, introduce tls_offload_rx_resync_async_request_cancel()
+to explicitly cancel resync requests when a device response failure is
+detected. Call this helper also as a final safeguard when rcd_delta
+crosses its threshold, as reaching this point implies that earlier
+cancellation did not occur.
+
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tls.h | 6 ++++++
+ net/tls/tls_device.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/tls.h b/include/net/tls.h
+index 6c642ea180504..66527376ca973 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -474,6 +474,12 @@ tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq)
+ ((u64)ntohl(seq) << 32) | RESYNC_REQ);
+ }
+
++static inline void
++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async)
++{
++ atomic64_set(&resync_async->req, 0);
++}
++
+ static inline void
+ tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type)
+ {
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index 8c94c926606ad..4f72fd26ab405 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -727,8 +727,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async,
+ /* shouldn't get to wraparound:
+ * too long in async stage, something bad happened
+ */
+- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX))
++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) {
++ tls_offload_rx_resync_async_request_cancel(resync_async);
+ return false;
++ }
+
+ /* asynchronous stage: log all headers seq such that
+ * req_seq <= seq <= end_seq, and wait for real resync request
+--
+2.51.0
+
--- /dev/null
+From 052450ca844622b17a455791d9a3e8f31752148a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 11:23:39 +0900
+Subject: nvme-multipath: fix lockdep WARN due to partition scan work
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+[ Upstream commit 6d87cd5335784351280f82c47cc8a657271929c3 ]
+
+Blktests test cases nvme/014, 057 and 058 fail occasionally due to a
+lockdep WARN. As reported in the Closes tag URL, the WARN indicates that
+a deadlock can happen due to the dependency among disk->open_mutex,
+kblockd workqueue completion and partition_scan_work completion.
+
+To avoid the lockdep WARN and the potential deadlock, cut the dependency
+by running the partition_scan_work not by kblockd workqueue but by
+nvme_wq.
+
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Closes: https://lore.kernel.org/linux-block/CAHj4cs8mJ+R_GmQm9R8ebResKAWUE8kF5+_WVg0v8zndmqd6BQ@mail.gmail.com/
+Link: https://lore.kernel.org/linux-block/oeyzci6ffshpukpfqgztsdeke5ost5hzsuz4rrsjfmvpqcevax@5nhnwbkzbrpa/
+Fixes: 1f021341eef4 ("nvme-multipath: defer partition scanning")
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 57416bbf9344f..578f4f29eacfe 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -686,7 +686,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns)
+ return;
+ }
+ nvme_add_ns_head_cdev(head);
+- kblockd_schedule_work(&head->partition_scan_work);
++ queue_work(nvme_wq, &head->partition_scan_work);
+ }
+
+ mutex_lock(&head->lock);
+--
+2.51.0
+
--- /dev/null
+From 9e4c93dbe16bff7145d2e5d4b9c24c438448fd02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 11:05:09 +0800
+Subject: pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe()
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 9b07cdf86a0b90556f5b68a6b20b35833b558df3 ]
+
+The driver calls fwnode_get_named_child_node() which takes a reference
+on the child node, but never releases it, which causes a reference leak.
+
+Fix by using devm_add_action_or_reset() to automatically release the
+reference when the device is removed.
+
+Fixes: d5282a539297 ("pinctrl: cs42l43: Add support for the cs42l43")
+Suggested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
+index c096463184195..e1ac89be7c847 100644
+--- a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
++++ b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
+@@ -532,6 +532,11 @@ static int cs42l43_gpio_add_pin_ranges(struct gpio_chip *chip)
+ return ret;
+ }
+
++static void cs42l43_fwnode_put(void *data)
++{
++ fwnode_handle_put(data);
++}
++
+ static int cs42l43_pin_probe(struct platform_device *pdev)
+ {
+ struct cs42l43 *cs42l43 = dev_get_drvdata(pdev->dev.parent);
+@@ -563,10 +568,20 @@ static int cs42l43_pin_probe(struct platform_device *pdev)
+ priv->gpio_chip.ngpio = CS42L43_NUM_GPIOS;
+
+ if (is_of_node(fwnode)) {
+- fwnode = fwnode_get_named_child_node(fwnode, "pinctrl");
+-
+- if (fwnode && !fwnode->dev)
+- fwnode->dev = priv->dev;
++ struct fwnode_handle *child;
++
++ child = fwnode_get_named_child_node(fwnode, "pinctrl");
++ if (child) {
++ ret = devm_add_action_or_reset(&pdev->dev,
++ cs42l43_fwnode_put, child);
++ if (ret) {
++ fwnode_handle_put(child);
++ return ret;
++ }
++ if (!child->dev)
++ child->dev = priv->dev;
++ fwnode = child;
++ }
+ }
+
+ priv->gpio_chip.fwnode = fwnode;
+--
+2.51.0
+
--- /dev/null
+From 410cac81be0ecce5353247a9a8a3b67e4c033f85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Nov 2025 13:54:11 -0800
+Subject: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc
+
+From: Jared Kangas <jkangas@redhat.com>
+
+[ Upstream commit 97ea34defbb57bfaf71ce487b1b0865ffd186e81 ]
+
+s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its
+fields are initialized. Notably, num_custom_params is used in
+pinconf_generic_parse_dt_config(), resulting in intermittent allocation
+errors, such as the following splat when probing i2c-imx:
+
+ WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300
+ [...]
+ Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)
+ [...]
+ Call trace:
+ __alloc_pages_noprof+0x290/0x300 (P)
+ ___kmalloc_large_node+0x84/0x168
+ __kmalloc_large_node_noprof+0x34/0x120
+ __kmalloc_noprof+0x2ac/0x378
+ pinconf_generic_parse_dt_config+0x68/0x1a0
+ s32_dt_node_to_map+0x104/0x248
+ dt_to_map_one_config+0x154/0x1d8
+ pinctrl_dt_to_map+0x12c/0x280
+ create_pinctrl+0x6c/0x270
+ pinctrl_get+0xc0/0x170
+ devm_pinctrl_get+0x50/0xa0
+ pinctrl_bind_pins+0x60/0x2a0
+ really_probe+0x60/0x3a0
+ [...]
+ __platform_driver_register+0x2c/0x40
+ i2c_adap_imx_init+0x28/0xff8 [i2c_imx]
+ [...]
+
+This results in later parse failures that can cause issues in dependent
+drivers:
+
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
+ [...]
+ pca953x 0-0022: failed writing register: -6
+ i2c i2c-0: IMX I2C adapter registered
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
+ i2c i2c-1: IMX I2C adapter registered
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
+ s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
+ i2c i2c-2: IMX I2C adapter registered
+
+Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of
+devm_kmalloc() in s32_pinctrl_probe(), which sets the previously
+uninitialized fields to zero.
+
+Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support")
+Signed-off-by: Jared Kangas <jkangas@redhat.com>
+Tested-by: Jan Petrous (OSS) <jan.petrous@oss.nxp.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/nxp/pinctrl-s32cc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+index 08d80fb935b3a..9e97968e25fcd 100644
+--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c
++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+@@ -943,7 +943,7 @@ int s32_pinctrl_probe(struct platform_device *pdev,
+ spin_lock_init(&ipctl->gpio_configs_lock);
+
+ s32_pinctrl_desc =
+- devm_kmalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL);
++ devm_kzalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL);
+ if (!s32_pinctrl_desc)
+ return -ENOMEM;
+
+--
+2.51.0
+
--- /dev/null
+From 6af1e52fc77b68bf693796d2296bd009ea5fcb1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Nov 2025 13:54:12 -0800
+Subject: pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc()
+
+From: Jared Kangas <jkangas@redhat.com>
+
+[ Upstream commit 6010d4d8b55b5d3ae1efb5502c54312e15c14f21 ]
+
+s32_pmx_gpio_request_enable() does not initialize the newly-allocated
+gpio_pin_config::list before adding it to s32_pinctrl::gpio_configs.
+This could result in a linked list corruption.
+
+Initialize the new list_head with INIT_LIST_HEAD() to fix this.
+
+Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support")
+Signed-off-by: Jared Kangas <jkangas@redhat.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/nxp/pinctrl-s32cc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+index 9e97968e25fcd..9c435e44abb4f 100644
+--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c
++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c
+@@ -392,6 +392,7 @@ static int s32_pmx_gpio_request_enable(struct pinctrl_dev *pctldev,
+
+ gpio_pin->pin_id = offset;
+ gpio_pin->config = config;
++ INIT_LIST_HEAD(&gpio_pin->list);
+
+ spin_lock_irqsave(&ipctl->gpio_configs_lock, flags);
+ list_add(&gpio_pin->list, &ipctl->gpio_configs);
+--
+2.51.0
+
--- /dev/null
+From 7853c47f4984dbd7197d24e9427343476359dd5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 11:33:54 +0800
+Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to
+ errnos
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ]
+
+isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_*
+codes. The return code is returned from the probe function as is but
+probe functions should return normal errnos. A proper implementation
+can be found in drivers/leds/leds-ss4200.c.
+
+Convert PCIBIOS_* return codes using pcibios_err_to_errno() into
+normal errno before returning.
+
+Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+index ff49025ec0856..bb38e5f021a80 100644
+--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c
+@@ -106,11 +106,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ ret = pci_read_config_dword(pdev, 0xD0, &mmio_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ ret = pci_read_config_dword(pdev, 0xFC, &pcu_base);
+ if (ret)
+- return ret;
++ return pcibios_err_to_errno(ret);
+
+ pcu_base &= GENMASK(10, 0);
+ base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12;
+--
+2.51.0
+
--- /dev/null
+From bc64ca5b10cf4e275c8f71a91ddce9ec5d126761 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 19:27:24 +0100
+Subject: s390/ctcm: Fix double-kfree
+
+From: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+
+[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ]
+
+The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally
+from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.
+After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'
+frees it again.
+
+Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
+
+Bug detected by the clang static analyzer.
+
+Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak")
+Reviewed-by: Aswin Karuvally <aswin@linux.ibm.com>
+Signed-off-by: Aleksei Nikiforov <aleksei.nikiforov@linux.ibm.com>
+Signed-off-by: Aswin Karuvally <aswin@linux.ibm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/ctcm_mpc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c
+index 7a2f34a5e0e09..f8b3e3f7b8ce0 100644
+--- a/drivers/s390/net/ctcm_mpc.c
++++ b/drivers/s390/net/ctcm_mpc.c
+@@ -700,7 +700,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo)
+
+ grp->sweep_req_pend_num--;
+ ctcmpc_send_sweep_resp(ch);
+- kfree(mpcginfo);
+ return;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 1e2982393cb6ed5c927bf22bc5bab0886f0e373c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 14:48:00 -0700
+Subject: scsi: core: Fix a regression triggered by scsi_host_busy()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ]
+
+Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag
+iterators") introduced the following regression:
+
+Call trace:
+ __srcu_read_lock+0x30/0x80 (P)
+ blk_mq_tagset_busy_iter+0x44/0x300
+ scsi_host_busy+0x38/0x70
+ ufshcd_print_host_state+0x34/0x1bc
+ ufshcd_link_startup.constprop.0+0xe4/0x2e0
+ ufshcd_init+0x944/0xf80
+ ufshcd_pltfrm_init+0x504/0x820
+ ufs_rockchip_probe+0x2c/0x88
+ platform_probe+0x5c/0xa4
+ really_probe+0xc0/0x38c
+ __driver_probe_device+0x7c/0x150
+ driver_probe_device+0x40/0x120
+ __driver_attach+0xc8/0x1e0
+ bus_for_each_dev+0x7c/0xdc
+ driver_attach+0x24/0x30
+ bus_add_driver+0x110/0x230
+ driver_register+0x68/0x130
+ __platform_driver_register+0x20/0x2c
+ ufs_rockchip_pltform_init+0x1c/0x28
+ do_one_initcall+0x60/0x1e0
+ kernel_init_freeable+0x248/0x2c4
+ kernel_init+0x20/0x140
+ ret_from_fork+0x10/0x20
+
+Fix this regression by making scsi_host_busy() check whether the SCSI
+host tag set has already been initialized. tag_set->ops is set by
+scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This
+fix is based on the assumption that scsi_host_busy() and
+scsi_mq_setup_tags() calls are serialized. This is the case in the UFS
+driver.
+
+Reported-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index 445f4a220df3e..f274812aee1e8 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -602,8 +602,9 @@ int scsi_host_busy(struct Scsi_Host *shost)
+ {
+ int cnt = 0;
+
+- blk_mq_tagset_busy_iter(&shost->tag_set,
+- scsi_host_check_in_flight, &cnt);
++ if (shost->tag_set.ops)
++ blk_mq_tagset_busy_iter(&shost->tag_set,
++ scsi_host_check_in_flight, &cnt);
+ return cnt;
+ }
+ EXPORT_SYMBOL(scsi_host_busy);
+--
+2.51.0
+
--- /dev/null
+From 717affa8622d07e46396a58a88e2099e1ef0d936 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 17:57:10 +0800
+Subject: selftests: net: use BASH for bareudp testing
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ]
+
+In bareudp.sh, this script uses /bin/sh and it will load another lib.sh
+BASH script at the very beginning.
+
+But on some operating systems like Ubuntu, /bin/sh is actually pointed to
+DASH, thus it will try to run BASH commands with DASH and consequently
+leads to syntax issues:
+ # ./bareudp.sh: 4: ./lib.sh: Bad substitution
+ # ./bareudp.sh: 5: ./lib.sh: source: not found
+ # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected
+
+Fix this by explicitly using BASH for bareudp.sh. This fixes test
+execution failures on systems where /bin/sh is not BASH.
+
+Reported-by: Edoardo Canepa <edoardo.canepa@canonical.com>
+Link: https://bugs.launchpad.net/bugs/2129812
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/bareudp.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh
+index f366cadbc5e86..ff4308b48e65d 100755
+--- a/tools/testing/selftests/net/bareudp.sh
++++ b/tools/testing/selftests/net/bareudp.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
+ # Test various bareudp tunnel configurations.
+--
+2.51.0
+
drm-amdgpu-skip-emit-de-meta-data-on-gfx11-with-rs64-enabled.patch
drm-amd-display-increase-dpcd-read-retries.patch
drm-amd-display-move-sleep-into-each-retry-for-retrieve_link_cap.patch
+xfrm-determine-inner-gso-type-from-packet-inner-prot.patch
+xfrm-prevent-locally-generated-packets-from-direct-o.patch
+pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch
+mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch
+drm-tegra-add-call-to-put_pid.patch
+net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch
+net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch
+net-openvswitch-remove-never-working-support-for-set.patch
+nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch
+s390-ctcm-fix-double-kfree.patch
+platform-x86-intel-speed_select_if-convert-pcibios_-.patch
+kernel.h-move-array_size-to-a-separate-header.patch
+net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch
+pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch
+pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch
+devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch
+net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch
+loongarch-use-uapi-types-in-ptrace-uapi-header.patch
+cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch
+vsock-ignore-signal-timeout-on-connect-if-already-es.patch
+bcma-don-t-register-devices-disabled-in-of.patch
+cifs-fix-typo-in-enable_gcm_256-module-parameter.patch
+scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch
+x86-microcode-amd-limit-entrysign-signature-checking.patch
+selftests-net-use-bash-for-bareudp-testing.patch
+net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch
+kconfig-mconf-initialize-the-default-locale-at-start.patch
+kconfig-nconf-initialize-the-default-locale-at-start.patch
--- /dev/null
+From c667c46df8bc45a4cc4efde5b0a0419476488ce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Nov 2025 15:02:59 +0100
+Subject: vsock: Ignore signal/timeout on connect() if already established
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ]
+
+During connect(), acting on a signal/timeout by disconnecting an already
+established socket leads to several issues:
+
+1. connect() invoking vsock_transport_cancel_pkt() ->
+ virtio_transport_purge_skbs() may race with sendmsg() invoking
+ virtio_transport_get_credit(). This results in a permanently elevated
+ `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
+
+2. connect() resetting a connected socket's state may race with socket
+ being placed in a sockmap. A disconnected socket remaining in a sockmap
+ breaks sockmap's assumptions. And gives rise to WARNs.
+
+3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
+ transport change/drop after TCP_ESTABLISHED. Which poses a problem for
+ any simultaneous sendmsg() or connect() and may result in a
+ use-after-free/null-ptr-deref.
+
+Do not disconnect socket on signal/timeout. Keep the logic for unconnected
+sockets: they don't linger, can't be placed in a sockmap, are rejected by
+sendmsg().
+
+[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
+[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
+[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 64790062cfa2e..ca1289e64bcc8 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1550,18 +1550,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+ timeout = schedule_timeout(timeout);
+ lock_sock(sk);
+
+- if (signal_pending(current)) {
+- err = sock_intr_errno(timeout);
+- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+- sock->state = SS_UNCONNECTED;
+- vsock_transport_cancel_pkt(vsk);
+- vsock_remove_connected(vsk);
+- goto out_wait;
+- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+- err = -ETIMEDOUT;
++ /* Connection established. Whatever happens to socket once we
++ * release it, that's not connect()'s concern. No need to go
++ * into signal and timeout handling. Call it a day.
++ *
++ * Note that allowing to "reset" an already established socket
++ * here is racy and insecure.
++ */
++ if (sk->sk_state == TCP_ESTABLISHED)
++ break;
++
++ /* If connection was _not_ established and a signal/timeout came
++ * to be, we want the socket's state reset. User space may want
++ * to retry.
++ *
++ * sk_state != TCP_ESTABLISHED implies that socket is not on
++ * vsock_connected_table. We keep the binding and the transport
++ * assigned.
++ */
++ if (signal_pending(current) || timeout == 0) {
++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout);
++
++ /* Listener might have already responded with
++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our
++ * sk_state == TCP_SYN_SENT, which hereby we break.
++ * In such case VIRTIO_VSOCK_OP_RST will follow.
++ */
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
++
++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by
++ * transport->connect().
++ */
+ vsock_transport_cancel_pkt(vsk);
++
+ goto out_wait;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From a641232abaf0d4758b3e2c5f4ed420c6d86d9a60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 14:46:29 +0200
+Subject: x86/microcode/AMD: Limit Entrysign signature checking to known
+ generations
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+[ Upstream commit 8a9fb5129e8e64d24543ebc70de941a2d77a9e77 ]
+
+Limit Entrysign sha256 signature checking to CPUs in the range Zen1-Zen5.
+
+X86_BUG cannot be used here because the loading on the BSP happens way
+too early, before the cpufeatures machinery has been set up.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://patch.msgid.link/all/20251023124629.5385-1-bp@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/microcode/amd.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
+index f9b6e2043e6b2..9952c774eaa69 100644
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -226,6 +226,24 @@ static bool need_sha_check(u32 cur_rev)
+ return true;
+ }
+
++static bool cpu_has_entrysign(void)
++{
++ unsigned int fam = x86_family(bsp_cpuid_1_eax);
++ unsigned int model = x86_model(bsp_cpuid_1_eax);
++
++ if (fam == 0x17 || fam == 0x19)
++ return true;
++
++ if (fam == 0x1a) {
++ if (model <= 0x2f ||
++ (0x40 <= model && model <= 0x4f) ||
++ (0x60 <= model && model <= 0x6f))
++ return true;
++ }
++
++ return false;
++}
++
+ static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsigned int len)
+ {
+ struct patch_digest *pd = NULL;
+@@ -233,7 +251,7 @@ static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsi
+ struct sha256_state s;
+ int i;
+
+- if (x86_family(bsp_cpuid_1_eax) < 0x17)
++ if (!cpu_has_entrysign())
+ return true;
+
+ if (!need_sha_check(cur_rev))
+--
+2.51.0
+
--- /dev/null
+From 0b1a52a49ffbf5a2de3762e39cd94e9274e200d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 04:22:48 +0200
+Subject: xfrm: Determine inner GSO type from packet inner protocol
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 61fafbee6cfed283c02a320896089f658fa67e56 ]
+
+The GSO segmentation functions for ESP tunnel mode
+(xfrm4_tunnel_gso_segment and xfrm6_tunnel_gso_segment) were
+determining the inner packet's L2 protocol type by checking the static
+x->inner_mode.family field from the xfrm state.
+
+This is unreliable. In tunnel mode, the state's actual inner family
+could be defined by x->inner_mode.family or by
+x->inner_mode_iaf.family. Checking only the former can lead to a
+mismatch with the actual packet being processed, causing GSO to create
+segments with the wrong L2 header type.
+
+This patch fixes the bug by deriving the inner mode directly from the
+packet's inner protocol stored in XFRM_MODE_SKB_CB(skb)->protocol.
+
+Instead of replicating the code, this patch modifies the
+xfrm_ip2inner_mode helper function. It now correctly returns
+&x->inner_mode if the selector family (x->sel.family) is already
+specified, thereby handling both specific and AF_UNSPEC cases
+appropriately.
+
+With this change, ESP GSO can use xfrm_ip2inner_mode to get the
+correct inner mode. It doesn't affect existing callers, as the updated
+logic now mirrors the checks they were already performing externally.
+
+Fixes: 26dbd66eab80 ("esp: choose the correct inner protocol for GSO on inter address family tunnels")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 3 ++-
+ net/ipv4/esp4_offload.c | 6 ++++--
+ net/ipv6/esp6_offload.c | 6 ++++--
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index fd550c0b56345..84a1c8c861d29 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -462,7 +462,8 @@ static inline int xfrm_af2proto(unsigned int family)
+
+ static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
+ {
+- if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
++ if ((x->sel.family != AF_UNSPEC) ||
++ (ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
+ (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
+ return &x->inner_mode;
+ else
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 10e96ed6c9e39..11e33a4312674 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -111,8 +111,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6)
+- : htons(ETH_P_IP);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
++ XFRM_MODE_SKB_CB(skb)->protocol);
++ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
++ : htons(ETH_P_IP);
+
+ return skb_eth_gso_segment(skb, features, type);
+ }
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index a189e08370a5e..438f9cbdca299 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -145,8 +145,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP)
+- : htons(ETH_P_IPV6);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
++ XFRM_MODE_SKB_CB(skb)->protocol);
++ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
++ : htons(ETH_P_IPV6);
+
+ return skb_eth_gso_segment(skb, features, type);
+ }
+--
+2.51.0
+
--- /dev/null
+From 6cd5eceb711f96b6321804451a2b2fe40022f7f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Oct 2025 11:50:25 +0200
+Subject: xfrm: Prevent locally generated packets from direct output in tunnel
+ mode
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 59630e2ccd728703cc826e3a3515d70f8c7a766c ]
+
+Add a check to ensure locally generated packets (skb->sk != NULL) do
+not use direct output in tunnel mode, as these packets require proper
+L2 header setup that is handled by the normal XFRM processing path.
+
+Fixes: 5eddd76ec2fd ("xfrm: fix tunnel mode TX datapath in packet offload mode")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_output.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index a30538a980cc7..9277dd4ed541a 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -766,8 +766,12 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
+ /* Exclusive direct xmit for tunnel mode, as
+ * some filtering or matching rules may apply
+ * in transport mode.
++ * Locally generated packets also require
++ * the normal XFRM path for L2 header setup,
++ * as the hardware needs the L2 header to match
++ * for encryption, so skip direct output as well.
+ */
+- if (x->props.mode == XFRM_MODE_TUNNEL)
++ if (x->props.mode == XFRM_MODE_TUNNEL && !skb->sk)
+ return xfrm_dev_direct_output(sk, x, skb);
+
+ return xfrm_output_resume(sk, skb, 0);
+--
+2.51.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
