--- /dev/null
+From 4cda78d6f8bf2b700529f2fbccb994c3e826d7c2 Mon Sep 17 00:00:00 2001
+From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Date: Tue, 7 Apr 2026 12:50:31 +0500
+Subject: Input: uinput - fix circular locking dependency with ff-core
+
+From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+
+commit 4cda78d6f8bf2b700529f2fbccb994c3e826d7c2 upstream.
+
+A lockdep circular locking dependency warning can be triggered
+reproducibly when using a force-feedback gamepad with uinput (for
+example, playing ELDEN RING under Wine with a Flydigi Vader 5
+controller):
+
+ ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex
+
+The cycle is caused by four lock acquisition paths:
+
+1. ff upload: input_ff_upload() holds ff->mutex and calls
+ uinput_dev_upload_effect() -> uinput_request_submit() ->
+ uinput_request_send(), which acquires udev->mutex.
+
+2. device create: uinput_ioctl_handler() holds udev->mutex and calls
+ uinput_create_device() -> input_register_device(), which acquires
+ input_mutex.
+
+3. device register: input_register_device() holds input_mutex and
+ calls kbd_connect() -> input_register_handle(), which acquires
+ dev->mutex.
+
+4. evdev release: evdev_release() calls input_flush_device() under
+ dev->mutex, which calls input_ff_flush() acquiring ff->mutex.
+
+Fix this by introducing a new state_lock spinlock to protect
+udev->state and udev->dev access in uinput_request_send() instead of
+acquiring udev->mutex. The function only needs to atomically check
+device state and queue an input event into the ring buffer via
+uinput_dev_event() -- both operations are safe under a spinlock
+(ktime_get_ts64() and wake_up_interruptible() do not sleep). This
+breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in
+the lock ordering and cannot form cycles with mutexes.
+
+To keep state transitions visible to uinput_request_send(), protect
+writes to udev->state in uinput_create_device() and
+uinput_destroy_device() with the same state_lock spinlock.
+
+Additionally, move init_completion(&request->done) from
+uinput_request_send() to uinput_request_submit() before
+uinput_request_reserve_slot(). Once the slot is allocated,
+uinput_flush_requests() may call complete() on it at any time from
+the destroy path, so the completion must be initialised before the
+request becomes visible.
+
+Lock ordering after the fix:
+
+ ff->mutex -> state_lock (spinlock, leaf)
+ udev->mutex -> state_lock (spinlock, leaf)
+ udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)
+
+Fixes: ff462551235d ("Input: uinput - switch to the new FF interface")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/CABXGCsMoxag+kEwHhb7KqhuyxfmGGd0P=tHZyb1uKE0pLr8Hkg@mail.gmail.com/
+Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Link: https://patch.msgid.link/20260407075031.38351-1-mikhail.v.gavrilov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/uinput.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -57,6 +57,7 @@ struct uinput_device {
+ struct input_dev *dev;
+ struct mutex mutex;
+ enum uinput_state state;
++ spinlock_t state_lock;
+ wait_queue_head_t waitq;
+ unsigned char ready;
+ unsigned char head;
+@@ -146,19 +147,15 @@ static void uinput_request_release_slot(
+ static int uinput_request_send(struct uinput_device *udev,
+ struct uinput_request *request)
+ {
+- int retval;
++ int retval = 0;
+
+- retval = mutex_lock_interruptible(&udev->mutex);
+- if (retval)
+- return retval;
++ spin_lock(&udev->state_lock);
+
+ if (udev->state != UIST_CREATED) {
+ retval = -ENODEV;
+ goto out;
+ }
+
+- init_completion(&request->done);
+-
+ /*
+ * Tell our userspace application about this new request
+ * by queueing an input event.
+@@ -166,7 +163,7 @@ static int uinput_request_send(struct ui
+ uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
+
+ out:
+- mutex_unlock(&udev->mutex);
++ spin_unlock(&udev->state_lock);
+ return retval;
+ }
+
+@@ -175,6 +172,13 @@ static int uinput_request_submit(struct
+ {
+ int retval;
+
++ /*
++ * Initialize completion before allocating the request slot.
++ * Once the slot is allocated, uinput_flush_requests() may
++ * complete it at any time, so it must be initialized first.
++ */
++ init_completion(&request->done);
++
+ retval = uinput_request_reserve_slot(udev, request);
+ if (retval)
+ return retval;
+@@ -289,7 +293,14 @@ static void uinput_destroy_device(struct
+ struct input_dev *dev = udev->dev;
+ enum uinput_state old_state = udev->state;
+
++ /*
++ * Update state under state_lock so that concurrent
++ * uinput_request_send() sees the state change before we
++ * flush pending requests and tear down the device.
++ */
++ spin_lock(&udev->state_lock);
+ udev->state = UIST_NEW_DEVICE;
++ spin_unlock(&udev->state_lock);
+
+ if (dev) {
+ name = dev->name;
+@@ -366,7 +377,9 @@ static int uinput_create_device(struct u
+ if (error)
+ goto fail2;
+
++ spin_lock(&udev->state_lock);
+ udev->state = UIST_CREATED;
++ spin_unlock(&udev->state_lock);
+
+ return 0;
+
+@@ -384,6 +397,7 @@ static int uinput_open(struct inode *ino
+ return -ENOMEM;
+
+ mutex_init(&newdev->mutex);
++ spin_lock_init(&newdev->state_lock);
+ spin_lock_init(&newdev->requests_lock);
+ init_waitqueue_head(&newdev->requests_waitq);
+ init_waitqueue_head(&newdev->waitq);
--- /dev/null
+From ff14dafde15c11403fac61367a34fea08926e9ee Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 7 Apr 2026 22:16:27 -0700
+Subject: Input: uinput - take event lock when submitting FF request "event"
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit ff14dafde15c11403fac61367a34fea08926e9ee upstream.
+
+To avoid racing with FF playback events and corrupting device's event
+queue take event_lock spinlock when calling uinput_dev_event() when
+submitting a FF upload or erase "event".
+
+Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Link: https://patch.msgid.link/adXkf6MWzlB8LA_s@google.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/uinput.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -25,8 +25,10 @@
+ #include <linux/module.h>
+ #include <linux/init.h>
+ #include <linux/fs.h>
++#include <linux/lockdep.h>
+ #include <linux/miscdevice.h>
+ #include <linux/overflow.h>
++#include <linux/spinlock.h>
+ #include <linux/input/mt.h>
+ #include "../input-compat.h"
+
+@@ -76,6 +78,8 @@ static int uinput_dev_event(struct input
+ struct uinput_device *udev = input_get_drvdata(dev);
+ struct timespec64 ts;
+
++ lockdep_assert_held(&dev->event_lock);
++
+ ktime_get_ts64(&ts);
+
+ udev->buff[udev->head] = (struct input_event) {
+@@ -147,6 +151,7 @@ static void uinput_request_release_slot(
+ static int uinput_request_send(struct uinput_device *udev,
+ struct uinput_request *request)
+ {
++ unsigned long flags;
+ int retval = 0;
+
+ spin_lock(&udev->state_lock);
+@@ -160,7 +165,9 @@ static int uinput_request_send(struct ui
+ * Tell our userspace application about this new request
+ * by queueing an input event.
+ */
++ spin_lock_irqsave(&udev->dev->event_lock, flags);
+ uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
++ spin_unlock_irqrestore(&udev->dev->event_lock, flags);
+
+ out:
+ spin_unlock(&udev->state_lock);
--- /dev/null
+From 9b55b253907e7431210483519c5ad711a37dafa1 Mon Sep 17 00:00:00 2001
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+Date: Mon, 6 Apr 2026 11:15:10 +0800
+Subject: mptcp: fix slab-use-after-free in __inet_lookup_established
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+commit 9b55b253907e7431210483519c5ad711a37dafa1 upstream.
+
+The ehash table lookups are lockless and rely on
+SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability
+during RCU read-side critical sections. Both tcp_prot and
+tcpv6_prot have their slab caches created with this flag
+via proto_register().
+
+However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into
+tcpv6_prot_override during inet_init() (fs_initcall, level 5),
+before inet6_init() (module_init/device_initcall, level 6) has
+called proto_register(&tcpv6_prot). At that point,
+tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab
+remains NULL permanently.
+
+This causes MPTCP v6 subflow child sockets to be allocated via
+kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab
+cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so
+when these sockets are freed without SOCK_RCU_FREE (which is
+cleared for child sockets by design), the memory can be
+immediately reused. Concurrent ehash lookups under
+rcu_read_lock can then access freed memory, triggering a
+slab-use-after-free in __inet_lookup_established.
+
+Fix this by splitting the IPv6-specific initialization out of
+mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called
+from mptcp_proto_v6_init() before protocol registration. This
+ensures tcpv6_prot_override.slab correctly inherits the
+SLAB_TYPESAFE_BY_RCU slab cache.
+
+Fixes: b19bc2945b40 ("mptcp: implement delegated actions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260406031512.189159-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 2 ++
+ net/mptcp/protocol.h | 1 +
+ net/mptcp/subflow.c | 15 +++++++++------
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -4271,6 +4271,8 @@ int __init mptcp_proto_v6_init(void)
+ {
+ int err;
+
++ mptcp_subflow_v6_init();
++
+ mptcp_v6_prot = mptcp_prot;
+ strscpy(mptcp_v6_prot.name, "MPTCPv6", sizeof(mptcp_v6_prot.name));
+ mptcp_v6_prot.slab = NULL;
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -830,6 +830,7 @@ static inline void mptcp_subflow_tcp_fal
+ void __init mptcp_proto_init(void);
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+ int __init mptcp_proto_v6_init(void);
++void __init mptcp_subflow_v6_init(void);
+ #endif
+
+ struct sock *mptcp_sk_clone_init(const struct sock *sk,
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -2145,7 +2145,15 @@ void __init mptcp_subflow_init(void)
+ tcp_prot_override.psock_update_sk_prot = NULL;
+ #endif
+
++ mptcp_diag_subflow_init(&subflow_ulp_ops);
++
++ if (tcp_register_ulp(&subflow_ulp_ops) != 0)
++ panic("MPTCP: failed to register subflows to ULP\n");
++}
++
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
++void __init mptcp_subflow_v6_init(void)
++{
+ /* In struct mptcp_subflow_request_sock, we assume the TCP request sock
+ * structures for v4 and v6 have the same size. It should not changed in
+ * the future but better to make sure to be warned if it is no longer
+@@ -2184,10 +2192,5 @@ void __init mptcp_subflow_init(void)
+ /* Disable sockmap processing for subflows */
+ tcpv6_prot_override.psock_update_sk_prot = NULL;
+ #endif
+-#endif
+-
+- mptcp_diag_subflow_init(&subflow_ulp_ops);
+-
+- if (tcp_register_ulp(&subflow_ulp_ops) != 0)
+- panic("MPTCP: failed to register subflows to ULP\n");
+ }
++#endif
--- /dev/null
+From ea245d78dec594372e27d8c79616baf49e98a4a1 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 30 Mar 2026 11:14:13 +0200
+Subject: net: rfkill: prevent unlimited numbers of rfkill events from being created
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit ea245d78dec594372e27d8c79616baf49e98a4a1 upstream.
+
+Userspace can create an unlimited number of rfkill events if the system
+is so configured, while not consuming them from the rfkill file
+descriptor, causing a potential out of memory situation. Prevent this
+from bounding the number of pending rfkill events at a "large" number
+(i.e. 1000) to prevent abuses like this.
+
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026033013-disfigure-scroll-e25e@gregkh
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rfkill/core.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -73,11 +73,14 @@ struct rfkill_int_event {
+ struct rfkill_event_ext ev;
+ };
+
++/* Max rfkill events that can be "in-flight" for one data source */
++#define MAX_RFKILL_EVENT 1000
+ struct rfkill_data {
+ struct list_head list;
+ struct list_head events;
+ struct mutex mtx;
+ wait_queue_head_t read_wait;
++ u32 event_count;
+ bool input_handler;
+ u8 max_size;
+ };
+@@ -255,10 +258,12 @@ static void rfkill_global_led_trigger_un
+ }
+ #endif /* CONFIG_RFKILL_LEDS */
+
+-static void rfkill_fill_event(struct rfkill_event_ext *ev,
+- struct rfkill *rfkill,
+- enum rfkill_operation op)
++static int rfkill_fill_event(struct rfkill_int_event *int_ev,
++ struct rfkill *rfkill,
++ struct rfkill_data *data,
++ enum rfkill_operation op)
+ {
++ struct rfkill_event_ext *ev = &int_ev->ev;
+ unsigned long flags;
+
+ ev->idx = rfkill->idx;
+@@ -271,6 +276,15 @@ static void rfkill_fill_event(struct rfk
+ RFKILL_BLOCK_SW_PREV));
+ ev->hard_block_reasons = rfkill->hard_block_reasons;
+ spin_unlock_irqrestore(&rfkill->lock, flags);
++
++ scoped_guard(mutex, &data->mtx) {
++ if (data->event_count++ > MAX_RFKILL_EVENT) {
++ data->event_count--;
++ return -ENOSPC;
++ }
++ list_add_tail(&int_ev->list, &data->events);
++ }
++ return 0;
+ }
+
+ static void rfkill_send_events(struct rfkill *rfkill, enum rfkill_operation op)
+@@ -282,10 +296,10 @@ static void rfkill_send_events(struct rf
+ ev = kzalloc(sizeof(*ev), GFP_KERNEL);
+ if (!ev)
+ continue;
+- rfkill_fill_event(&ev->ev, rfkill, op);
+- mutex_lock(&data->mtx);
+- list_add_tail(&ev->list, &data->events);
+- mutex_unlock(&data->mtx);
++ if (rfkill_fill_event(ev, rfkill, data, op)) {
++ kfree(ev);
++ continue;
++ }
+ wake_up_interruptible(&data->read_wait);
+ }
+ }
+@@ -1186,10 +1200,8 @@ static int rfkill_fop_open(struct inode
+ if (!ev)
+ goto free;
+ rfkill_sync(rfkill);
+- rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
+- mutex_lock(&data->mtx);
+- list_add_tail(&ev->list, &data->events);
+- mutex_unlock(&data->mtx);
++ if (rfkill_fill_event(ev, rfkill, data, RFKILL_OP_ADD))
++ kfree(ev);
+ }
+ list_add(&data->list, &rfkill_fds);
+ mutex_unlock(&rfkill_global_mutex);
+@@ -1259,6 +1271,7 @@ static ssize_t rfkill_fop_read(struct fi
+ ret = -EFAULT;
+
+ list_del(&ev->list);
++ data->event_count--;
+ kfree(ev);
+ out:
+ mutex_unlock(&data->mtx);
--- /dev/null
+From 8508e9118649f13f7b857e9e10147b241db615d7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 7 Apr 2026 14:33:17 +0200
+Subject: Revert "ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone"
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8508e9118649f13f7b857e9e10147b241db615d7 upstream.
+
+This reverts commit 56fbbe096a89ff4b52af78a21a4afd9d94bdcc80.
+
+It caused regressions on other Gigabyte models, and looking at the
+bugzilla entry again, the suggested change appears rather dubious, as
+incorrectly setting the front mic pin as the headphone.
+
+Fixes: 56fbbe096a89 ("ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone")
+Cc: <stable@vger.kernel.org>
+Reported-by: Marcin Krycki <m.krycki@gmail.com>
+Reported-by: Theodoros Orfanidis <teoulas@gmail.com>
+Closes: https://lore.kernel.org/CAEfRphPU_ABuVFzaHhspxgp2WAqi7kKNGo4yOOt0zeVFPSj8+Q@mail.gmail.com
+Link: https://patch.msgid.link/20260407123333.171130-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc662.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/sound/hda/codecs/realtek/alc662.c
++++ b/sound/hda/codecs/realtek/alc662.c
+@@ -313,7 +313,6 @@ enum {
+ ALC897_FIXUP_HEADSET_MIC_PIN2,
+ ALC897_FIXUP_UNIS_H3C_X500S,
+ ALC897_FIXUP_HEADSET_MIC_PIN3,
+- ALC897_FIXUP_H610M_HP_PIN,
+ };
+
+ static const struct hda_fixup alc662_fixups[] = {
+@@ -767,13 +766,6 @@ static const struct hda_fixup alc662_fix
+ { }
+ },
+ },
+- [ALC897_FIXUP_H610M_HP_PIN] = {
+- .type = HDA_FIXUP_PINS,
+- .v.pins = (const struct hda_pintbl[]) {
+- { 0x19, 0x0321403f }, /* HP out */
+- { }
+- },
+- },
+ };
+
+ static const struct hda_quirk alc662_fixup_tbl[] = {
+@@ -823,7 +815,6 @@ static const struct hda_quirk alc662_fix
+ SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
+ SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2),
+ SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD),
+- SND_PCI_QUIRK(0x1458, 0xa194, "H610M H V2 DDR4", ALC897_FIXUP_H610M_HP_PIN),
+ SND_PCI_QUIRK(0x14cd, 0x5003, "USI", ALC662_FIXUP_USI_HEADSET_MODE),
+ SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC662_FIXUP_LENOVO_MULTI_CODECS),
+ SND_PCI_QUIRK(0x17aa, 0x1057, "Lenovo P360", ALC897_FIXUP_HEADSET_MIC_PIN),
--- /dev/null
+From 8e2760eaab778494fc1fa257031e0e1799647f46 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 7 Apr 2026 10:41:41 +0200
+Subject: Revert "mptcp: add needs_id for netlink appending addr"
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 8e2760eaab778494fc1fa257031e0e1799647f46 upstream.
+
+This commit was originally adding the ability to add MPTCP endpoints
+with ID 0 by accident. The in-kernel PM, handling MPTCP endpoints at the
+net namespace level, is not supposed to handle endpoints with such ID,
+because this ID 0 is reserved to the initial subflow, as mentioned in
+the MPTCPv1 protocol [1], a per-connection setting.
+
+Note that 'ip mptcp endpoint add id 0' stops early with an error, but
+other tools might still request the in-kernel PM to create MPTCP
+endpoints with this restricted ID 0.
+
+In other words, it was wrong to call the mptcp_pm_has_addr_attr_id
+helper to check whether the address ID attribute is set: if it was set
+to 0, a new MPTCP endpoint would be created with ID 0, which is not
+expected, and might cause various issues later.
+
+Fixes: 584f38942626 ("mptcp: add needs_id for netlink appending addr")
+Cc: stable@vger.kernel.org
+Link: https://datatracker.ietf.org/doc/html/rfc8684#section-3.2-9 [1]
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260407-net-mptcp-revert-pm-needs-id-v2-1-7a25cbc324f8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_kernel.c | 24 +++++-------------------
+ 1 file changed, 5 insertions(+), 19 deletions(-)
+
+--- a/net/mptcp/pm_kernel.c
++++ b/net/mptcp/pm_kernel.c
+@@ -710,7 +710,7 @@ static void __mptcp_pm_release_addr_entr
+
+ static int mptcp_pm_nl_append_new_local_addr(struct pm_nl_pernet *pernet,
+ struct mptcp_pm_addr_entry *entry,
+- bool needs_id, bool replace)
++ bool replace)
+ {
+ struct mptcp_pm_addr_entry *cur, *del_entry = NULL;
+ int ret = -EINVAL;
+@@ -769,7 +769,7 @@ static int mptcp_pm_nl_append_new_local_
+ }
+ }
+
+- if (!entry->addr.id && needs_id) {
++ if (!entry->addr.id) {
+ find_next:
+ entry->addr.id = find_next_zero_bit(pernet->id_bitmap,
+ MPTCP_PM_MAX_ADDR_ID + 1,
+@@ -780,7 +780,7 @@ find_next:
+ }
+ }
+
+- if (!entry->addr.id && needs_id)
++ if (!entry->addr.id)
+ goto out;
+
+ __set_bit(entry->addr.id, pernet->id_bitmap);
+@@ -909,7 +909,7 @@ int mptcp_pm_nl_get_local_id(struct mptc
+ return -ENOMEM;
+
+ entry->addr.port = 0;
+- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true, false);
++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, false);
+ if (ret < 0)
+ kfree(entry);
+
+@@ -963,18 +963,6 @@ next:
+ return 0;
+ }
+
+-static bool mptcp_pm_has_addr_attr_id(const struct nlattr *attr,
+- struct genl_info *info)
+-{
+- struct nlattr *tb[MPTCP_PM_ADDR_ATTR_MAX + 1];
+-
+- if (!nla_parse_nested_deprecated(tb, MPTCP_PM_ADDR_ATTR_MAX, attr,
+- mptcp_pm_address_nl_policy, info->extack) &&
+- tb[MPTCP_PM_ADDR_ATTR_ID])
+- return true;
+- return false;
+-}
+-
+ /* Add an MPTCP endpoint */
+ int mptcp_pm_nl_add_addr_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+@@ -1023,9 +1011,7 @@ int mptcp_pm_nl_add_addr_doit(struct sk_
+ goto out_free;
+ }
+ }
+- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry,
+- !mptcp_pm_has_addr_attr_id(attr, info),
+- true);
++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true);
+ if (ret < 0) {
+ GENL_SET_ERR_MSG_FMT(info, "too many addresses or duplicate one: %d", ret);
+ goto out_free;
--- /dev/null
+From c3812651b522fe8437ebb7063b75ddb95b571643 Mon Sep 17 00:00:00 2001
+From: Andrea Mayer <andrea.mayer@uniroma2.it>
+Date: Sat, 4 Apr 2026 02:44:04 +0200
+Subject: seg6: separate dst_cache for input and output paths in seg6 lwtunnel
+
+From: Andrea Mayer <andrea.mayer@uniroma2.it>
+
+commit c3812651b522fe8437ebb7063b75ddb95b571643 upstream.
+
+The seg6 lwtunnel uses a single dst_cache per encap route, shared
+between seg6_input_core() and seg6_output_core(). These two paths
+can perform the post-encap SID lookup in different routing contexts
+(e.g., ip rules matching on the ingress interface, or VRF table
+separation). Whichever path runs first populates the cache, and the
+other reuses it blindly, bypassing its own lookup.
+
+Fix this by splitting the cache into cache_input and cache_output,
+so each path maintains its own cached dst independently.
+
+Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
+Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
+Link: https://patch.msgid.link/20260404004405.4057-2-andrea.mayer@uniroma2.it
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/seg6_iptunnel.c | 34 +++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 11 deletions(-)
+
+--- a/net/ipv6/seg6_iptunnel.c
++++ b/net/ipv6/seg6_iptunnel.c
+@@ -48,7 +48,8 @@ static size_t seg6_lwt_headroom(struct s
+ }
+
+ struct seg6_lwt {
+- struct dst_cache cache;
++ struct dst_cache cache_input;
++ struct dst_cache cache_output;
+ struct seg6_iptunnel_encap tuninfo[];
+ };
+
+@@ -488,7 +489,7 @@ static int seg6_input_core(struct net *n
+ slwt = seg6_lwt_lwtunnel(lwtst);
+
+ local_bh_disable();
+- dst = dst_cache_get(&slwt->cache);
++ dst = dst_cache_get(&slwt->cache_input);
+ local_bh_enable();
+
+ err = seg6_do_srh(skb, dst);
+@@ -504,7 +505,7 @@ static int seg6_input_core(struct net *n
+ /* cache only if we don't create a dst reference loop */
+ if (!dst->error && lwtst != dst->lwtstate) {
+ local_bh_disable();
+- dst_cache_set_ip6(&slwt->cache, dst,
++ dst_cache_set_ip6(&slwt->cache_input, dst,
+ &ipv6_hdr(skb)->saddr);
+ local_bh_enable();
+ }
+@@ -564,7 +565,7 @@ static int seg6_output_core(struct net *
+ slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
+
+ local_bh_disable();
+- dst = dst_cache_get(&slwt->cache);
++ dst = dst_cache_get(&slwt->cache_output);
+ local_bh_enable();
+
+ err = seg6_do_srh(skb, dst);
+@@ -591,7 +592,7 @@ static int seg6_output_core(struct net *
+ /* cache only if we don't create a dst reference loop */
+ if (orig_dst->lwtstate != dst->lwtstate) {
+ local_bh_disable();
+- dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr);
++ dst_cache_set_ip6(&slwt->cache_output, dst, &fl6.saddr);
+ local_bh_enable();
+ }
+
+@@ -701,11 +702,13 @@ static int seg6_build_state(struct net *
+
+ slwt = seg6_lwt_lwtunnel(newts);
+
+- err = dst_cache_init(&slwt->cache, GFP_ATOMIC);
+- if (err) {
+- kfree(newts);
+- return err;
+- }
++ err = dst_cache_init(&slwt->cache_input, GFP_ATOMIC);
++ if (err)
++ goto err_free_newts;
++
++ err = dst_cache_init(&slwt->cache_output, GFP_ATOMIC);
++ if (err)
++ goto err_destroy_input;
+
+ memcpy(&slwt->tuninfo, tuninfo, tuninfo_len);
+
+@@ -720,11 +723,20 @@ static int seg6_build_state(struct net *
+ *ts = newts;
+
+ return 0;
++
++err_destroy_input:
++ dst_cache_destroy(&slwt->cache_input);
++err_free_newts:
++ kfree(newts);
++ return err;
+ }
+
+ static void seg6_destroy_state(struct lwtunnel_state *lwt)
+ {
+- dst_cache_destroy(&seg6_lwt_lwtunnel(lwt)->cache);
++ struct seg6_lwt *slwt = seg6_lwt_lwtunnel(lwt);
++
++ dst_cache_destroy(&slwt->cache_input);
++ dst_cache_destroy(&slwt->cache_output);
+ }
+
+ static int seg6_fill_encap_info(struct sk_buff *skb,
--- /dev/null
+usb-typec-ucsi-skip-connector-validation-before-init.patch
+wifi-rt2x00usb-fix-devres-lifetime.patch
+xfrm_user-fix-info-leak-in-build_report.patch
+net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch
+revert-alsa-hda-realtek-add-quirk-for-gigabyte-technology-to-fix-headphone.patch
+revert-mptcp-add-needs_id-for-netlink-appending-addr.patch
+mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch
+seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch
+input-uinput-fix-circular-locking-dependency-with-ff-core.patch
+input-uinput-take-event-lock-when-submitting-ff-request-event.patch
--- /dev/null
+From 5a1140404cbf7ba40137dfb1fb96893aa9a67d68 Mon Sep 17 00:00:00 2001
+From: Nathan Rebello <nathan.c.rebello@gmail.com>
+Date: Tue, 7 Apr 2026 02:39:58 -0400
+Subject: usb: typec: ucsi: skip connector validation before init
+
+From: Nathan Rebello <nathan.c.rebello@gmail.com>
+
+commit 5a1140404cbf7ba40137dfb1fb96893aa9a67d68 upstream.
+
+Notifications can arrive before ucsi_init() has populated
+ucsi->cap.num_connectors via GET_CAPABILITY. At that point
+num_connectors is still 0, causing all valid connector numbers to be
+incorrectly rejected as bogus.
+
+Skip the bounds check when num_connectors is 0 (not yet initialized).
+Pre-init notifications are already handled safely by the early-event
+guard in ucsi_connector_change().
+
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Fixes: d2d8c17ac01a ("usb: typec: ucsi: validate connector number in ucsi_notify_common()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nathan Rebello <nathan.c.rebello@gmail.com>
+Tested-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20260407063958.863-1-nathan.c.rebello@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -43,7 +43,8 @@ void ucsi_notify_common(struct ucsi *ucs
+ return;
+
+ if (UCSI_CCI_CONNECTOR(cci)) {
+- if (UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors)
++ if (!ucsi->cap.num_connectors ||
++ UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors)
+ ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
+ else
+ dev_err(ucsi->dev, "bogus connector number in CCI: %lu\n",
--- /dev/null
+From 25369b22223d1c56e42a0cd4ac9137349d5a898e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 27 Mar 2026 12:32:19 +0100
+Subject: wifi: rt2x00usb: fix devres lifetime
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 25369b22223d1c56e42a0cd4ac9137349d5a898e upstream.
+
+USB drivers bind to USB interfaces and any device managed resources
+should have their lifetime tied to the interface rather than parent USB
+device. This avoids issues like memory leaks when drivers are unbound
+without their devices being physically disconnected (e.g. on probe
+deferral or configuration changes).
+
+Fix the USB anchor lifetime so that it is released on driver unbind.
+
+Fixes: 8b4c0009313f ("rt2x00usb: Use usb anchor to manage URB")
+Cc: stable@vger.kernel.org # 4.7
+Cc: Vishal Thanki <vishalthanki@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/20260327113219.1313748-1-johan@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
+@@ -828,7 +828,7 @@ int rt2x00usb_probe(struct usb_interface
+ if (retval)
+ goto exit_free_device;
+
+- rt2x00dev->anchor = devm_kmalloc(&usb_dev->dev,
++ rt2x00dev->anchor = devm_kmalloc(&usb_intf->dev,
+ sizeof(struct usb_anchor),
+ GFP_KERNEL);
+ if (!rt2x00dev->anchor) {
--- /dev/null
+From d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 6 Apr 2026 17:34:22 +0200
+Subject: xfrm_user: fix info leak in build_report()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 upstream.
+
+struct xfrm_user_report is a __u8 proto field followed by a struct
+xfrm_selector which means there is three "empty" bytes of padding, but
+the padding is never zeroed before copying to userspace. Fix that up by
+zeroing the structure before setting individual member variables.
+
+Cc: stable <stable@kernel.org>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -4108,6 +4108,7 @@ static int build_report(struct sk_buff *
+ return -EMSGSIZE;
+
+ ur = nlmsg_data(nlh);
++ memset(ur, 0, sizeof(*ur));
+ ur->proto = proto;
+ memcpy(&ur->sel, sel, sizeof(ur->sel));
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
