--- /dev/null
+From 0db77eccd964b11ab2b757031d1354fcc5a025ea Mon Sep 17 00:00:00 2001
+From: Christopher Eby <kreed@kreed.org>
+Date: Sat, 9 Aug 2025 20:00:06 -0700
+Subject: ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks
+
+From: Christopher Eby <kreed@kreed.org>
+
+commit 0db77eccd964b11ab2b757031d1354fcc5a025ea upstream.
+
+Framework Laptop 13 (AMD Ryzen AI 300) requires the same quirk for
+headset detection as other Framework 13 models.
+
+Signed-off-by: Christopher Eby <kreed@kreed.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250810030006.9060-1-kreed@kreed.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11422,6 +11422,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
--- /dev/null
+From b26e2afb3834d4a61ce54c8484ff6014bef0b4b7 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+Date: Mon, 11 Aug 2025 16:27:16 +0300
+Subject: ALSA: hda/realtek: Fix headset mic on HONOR BRB-X
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+commit b26e2afb3834d4a61ce54c8484ff6014bef0b4b7 upstream.
+
+Add a PCI quirk to enable microphone input on the headphone jack on
+the HONOR BRB-X M1010 laptop.
+
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250811132716.45076-1-kovalev@altlinux.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11405,6 +11405,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1ee7, 0x2078, "HONOR BRB-X M1010", ALC2XX_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1f66, 0x0105, "Ayaneo Portable Game Player", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x2014, 0x800a, "Positivo ARN50", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x2782, 0x0214, "VAIO VJFE-CL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--- /dev/null
+From ecfd41166b72b67d3bdeb88d224ff445f6163869 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 14 Aug 2025 10:12:43 +0200
+Subject: ALSA: usb-audio: Validate UAC3 cluster segment descriptors
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ecfd41166b72b67d3bdeb88d224ff445f6163869 upstream.
+
+UAC3 class segment descriptors need to be verified whether their sizes
+match with the declared lengths and whether they fit with the
+allocated buffer sizes, too. Otherwise malicious firmware may lead to
+the unexpected OOB accesses.
+
+Fixes: 11785ef53228 ("ALSA: usb-audio: Initial Power Domain support")
+Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/stream.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -341,20 +341,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+
+ len = le16_to_cpu(cluster->wLength);
+ c = 0;
+- p += sizeof(struct uac3_cluster_header_descriptor);
++ p += sizeof(*cluster);
++ len -= sizeof(*cluster);
+
+- while (((p - (void *)cluster) < len) && (c < channels)) {
++ while (len > 0 && (c < channels)) {
+ struct uac3_cluster_segment_descriptor *cs_desc = p;
+ u16 cs_len;
+ u8 cs_type;
+
++ if (len < sizeof(*p))
++ break;
+ cs_len = le16_to_cpu(cs_desc->wLength);
++ if (len < cs_len)
++ break;
+ cs_type = cs_desc->bSegmentType;
+
+ if (cs_type == UAC3_CHANNEL_INFORMATION) {
+ struct uac3_cluster_information_segment_descriptor *is = p;
+ unsigned char map;
+
++ if (cs_len < sizeof(*is))
++ break;
++
+ /*
+ * TODO: this conversion is not complete, update it
+ * after adding UAC3 values to asound.h
+@@ -456,6 +464,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+ chmap->map[c++] = map;
+ }
+ p += cs_len;
++ len -= cs_len;
+ }
+
+ if (channels < c)
+@@ -880,7 +889,7 @@ snd_usb_get_audioformat_uac3(struct snd_
+ u64 badd_formats = 0;
+ unsigned int num_channels;
+ struct audioformat *fp;
+- u16 cluster_id, wLength;
++ u16 cluster_id, wLength, cluster_wLength;
+ int clock = 0;
+ int err;
+
+@@ -1008,6 +1017,16 @@ snd_usb_get_audioformat_uac3(struct snd_
+ iface_no, altno);
+ kfree(cluster);
+ return ERR_PTR(-EIO);
++ }
++
++ cluster_wLength = le16_to_cpu(cluster->wLength);
++ if (cluster_wLength < sizeof(*cluster) ||
++ cluster_wLength > wLength) {
++ dev_err(&dev->dev,
++ "%u:%d : invalid Cluster Descriptor size\n",
++ iface_no, altno);
++ kfree(cluster);
++ return ERR_PTR(-EIO);
+ }
+
+ num_channels = cluster->bNrChannels;
--- /dev/null
+From d832ccbc301fbd9e5a1d691bdcf461cdb514595f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 14 Aug 2025 10:12:42 +0200
+Subject: ALSA: usb-audio: Validate UAC3 power domain descriptors, too
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream.
+
+UAC3 power domain descriptors need to be verified with its variable
+bLength for avoiding the unexpected OOB accesses by malicious
+firmware, too.
+
+Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
+Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/validate.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c
+ return d->bLength >= sizeof(*d) + 4 + 2;
+ }
+
++static bool validate_uac3_power_domain_unit(const void *p,
++ const struct usb_desc_validator *v)
++{
++ const struct uac3_power_domain_descriptor *d = p;
++
++ if (d->bLength < sizeof(*d))
++ return false;
++ /* baEntities[] + wPDomainDescrStr */
++ return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
++}
++
+ static bool validate_midi_out_jack(const void *p,
+ const struct usb_desc_validator *v)
+ {
+@@ -285,6 +296,7 @@ static const struct usb_desc_validator a
+ struct uac3_clock_multiplier_descriptor),
+ /* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
+ /* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
++ FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
+ { } /* terminator */
+ };
+
--- /dev/null
+From 65ba2a6e77e9e5c843a591055789050e77b5c65e Mon Sep 17 00:00:00 2001
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+Date: Mon, 23 Jun 2025 15:36:57 +0530
+Subject: arm64: dts: ti: k3-j722s-evm: Fix USB gpio-hog level for Type-C
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+commit 65ba2a6e77e9e5c843a591055789050e77b5c65e upstream.
+
+According to the "GPIO Expander Map / Table" section of the J722S EVM
+Schematic within the Evaluation Module Design Files package [0], the
+GPIO Pin P05 located on the GPIO Expander 1 (I2C0/0x23) has to be pulled
+down to select the Type-C interface. Since commit under Fixes claims to
+enable the Type-C interface, update the property within "p05-hog" from
+"output-high" to "output-low", thereby switching from the Type-A
+interface to the Type-C interface.
+
+[0]: https://www.ti.com/lit/zip/sprr495
+
+Cc: stable@vger.kernel.org
+Fixes: 485705df5d5f ("arm64: dts: ti: k3-j722s: Enable PCIe and USB support on J722S-EVM")
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Link: https://lore.kernel.org/r/20250623100657.4082031-1-s-vadapalli@ti.com
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/ti/k3-j722s-evm.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/ti/k3-j722s-evm.dts
++++ b/arch/arm64/boot/dts/ti/k3-j722s-evm.dts
+@@ -598,7 +598,7 @@
+ /* P05 - USB2.0_MUX_SEL */
+ gpio-hog;
+ gpios = <5 GPIO_ACTIVE_LOW>;
+- output-high;
++ output-low;
+ };
+
+ p01_hog: p01-hog {
--- /dev/null
+From cc678bf7aa9e2e6c2356fd7f955513c1bd7d4c97 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Tue, 24 Jun 2025 10:29:04 +0200
+Subject: fhandle: raise FILEID_IS_DIR in handle_type
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit cc678bf7aa9e2e6c2356fd7f955513c1bd7d4c97 upstream.
+
+Currently FILEID_IS_DIR is raised in fh_flags which is wrong.
+Raise it in handle->handle_type were it's supposed to be.
+
+Link: https://lore.kernel.org/20250624-work-pidfs-fhandle-v2-1-d02a04858fe3@kernel.org
+Fixes: c374196b2b9f ("fs: name_to_handle_at() support for "explicit connectable" file handles")
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fhandle.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fhandle.c
++++ b/fs/fhandle.c
+@@ -88,7 +88,7 @@ static long do_sys_name_to_handle(const
+ if (fh_flags & EXPORT_FH_CONNECTABLE) {
+ handle->handle_type |= FILEID_IS_CONNECTABLE;
+ if (d_is_dir(path->dentry))
+- fh_flags |= FILEID_IS_DIR;
++ handle->handle_type |= FILEID_IS_DIR;
+ }
+ retval = 0;
+ }
--- /dev/null
+From 63c7bc53a35e785accdc2ceab8f72d94501931ab Mon Sep 17 00:00:00 2001
+From: David Thompson <davthompson@nvidia.com>
+Date: Mon, 28 Jul 2025 10:46:19 -0400
+Subject: gpio: mlxbf2: use platform_get_irq_optional()
+
+From: David Thompson <davthompson@nvidia.com>
+
+commit 63c7bc53a35e785accdc2ceab8f72d94501931ab upstream.
+
+The gpio-mlxbf2 driver interfaces with four GPIO controllers,
+device instances 0-3. There are two IRQ resources shared between
+the four controllers, and they are found in the ACPI table for
+instances 0 and 3. The driver should not use platform_get_irq(),
+otherwise this error is logged when probing instances 1 and 2:
+ mlxbf2_gpio MLNXBF22:01: error -ENXIO: IRQ index 0 not found
+
+Fixes: 2b725265cb08 ("gpio: mlxbf2: Introduce IRQ support")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Reviewed-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://lore.kernel.org/r/20250728144619.29894-1-davthompson@nvidia.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-mlxbf2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-mlxbf2.c
++++ b/drivers/gpio/gpio-mlxbf2.c
+@@ -397,7 +397,7 @@ mlxbf2_gpio_probe(struct platform_device
+ gc->ngpio = npins;
+ gc->owner = THIS_MODULE;
+
+- irq = platform_get_irq(pdev, 0);
++ irq = platform_get_irq_optional(pdev, 0);
+ if (irq >= 0) {
+ girq = &gs->gc.irq;
+ gpio_irq_chip_set_chip(girq, &mlxbf2_gpio_irq_chip);
--- /dev/null
+From 810bd9066fb1871b8a9528f31f2fdbf2a8b73bf2 Mon Sep 17 00:00:00 2001
+From: David Thompson <davthompson@nvidia.com>
+Date: Mon, 11 Aug 2025 13:50:45 -0400
+Subject: gpio: mlxbf3: use platform_get_irq_optional()
+
+From: David Thompson <davthompson@nvidia.com>
+
+commit 810bd9066fb1871b8a9528f31f2fdbf2a8b73bf2 upstream.
+
+The gpio-mlxbf3 driver interfaces with two GPIO controllers,
+device instance 0 and 1. There is a single IRQ resource shared
+between the two controllers, and it is found in the ACPI table for
+device instance 0. The driver should not use platform_get_irq(),
+otherwise this error is logged when probing instance 1:
+ mlxbf3_gpio MLNXBF33:01: error -ENXIO: IRQ index 0 not found
+
+Cc: stable@vger.kernel.org
+Fixes: cd33f216d241 ("gpio: mlxbf3: Add gpio driver support")
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/ce70b98a201ce82b9df9aa80ac7a5eeaa2268e52.1754928650.git.davthompson@nvidia.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-mlxbf3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-mlxbf3.c
++++ b/drivers/gpio/gpio-mlxbf3.c
+@@ -227,7 +227,7 @@ static int mlxbf3_gpio_probe(struct plat
+ gc->owner = THIS_MODULE;
+ gc->add_pin_ranges = mlxbf3_gpio_add_pin_ranges;
+
+- irq = platform_get_irq(pdev, 0);
++ irq = platform_get_irq_optional(pdev, 0);
+ if (irq >= 0) {
+ girq = &gs->gc.irq;
+ gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip);
--- /dev/null
+From 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 Mon Sep 17 00:00:00 2001
+From: Harald Mommer <harald.mommer@oss.qualcomm.com>
+Date: Thu, 24 Jul 2025 16:36:53 +0200
+Subject: gpio: virtio: Fix config space reading.
+
+From: Harald Mommer <harald.mommer@oss.qualcomm.com>
+
+commit 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 upstream.
+
+Quote from the virtio specification chapter 4.2.2.2:
+
+"For the device-specific configuration space, the driver MUST use 8 bit
+wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses
+for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and
+64 bit wide fields."
+
+Signed-off-by: Harald Mommer <harald.mommer@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Fixes: 3a29355a22c0 ("gpio: Add virtio-gpio driver")
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Link: https://lore.kernel.org/r/20250724143718.5442-2-harald.mommer@oss.qualcomm.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-virtio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpio-virtio.c
++++ b/drivers/gpio/gpio-virtio.c
+@@ -526,7 +526,6 @@ static const char **virtio_gpio_get_name
+
+ static int virtio_gpio_probe(struct virtio_device *vdev)
+ {
+- struct virtio_gpio_config config;
+ struct device *dev = &vdev->dev;
+ struct virtio_gpio *vgpio;
+ struct irq_chip *gpio_irq_chip;
+@@ -539,9 +538,11 @@ static int virtio_gpio_probe(struct virt
+ return -ENOMEM;
+
+ /* Read configuration */
+- virtio_cread_bytes(vdev, 0, &config, sizeof(config));
+- gpio_names_size = le32_to_cpu(config.gpio_names_size);
+- ngpio = le16_to_cpu(config.ngpio);
++ gpio_names_size =
++ virtio_cread32(vdev, offsetof(struct virtio_gpio_config,
++ gpio_names_size));
++ ngpio = virtio_cread16(vdev, offsetof(struct virtio_gpio_config,
++ ngpio));
+ if (!ngpio) {
+ dev_err(dev, "Number of GPIOs can't be zero\n");
+ return -EINVAL;
--- /dev/null
+From cf73d9970ea4f8cace5d8f02d2565a2723003112 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 2 Jul 2025 21:31:54 +0100
+Subject: io_uring: don't use int for ABI
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit cf73d9970ea4f8cace5d8f02d2565a2723003112 upstream.
+
+__kernel_rwf_t is defined as int, the actual size of which is
+implementation defined. It won't go well if some compiler / archs
+ever defines it as i64, so replace it with __u32, hoping that
+there is no one using i16 for it.
+
+Cc: stable@vger.kernel.org
+Fixes: 2b188cc1bb857 ("Add io_uring IO interface")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/47c666c4ee1df2018863af3a2028af18feef11ed.1751412511.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/io_uring.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/io_uring.h
++++ b/include/uapi/linux/io_uring.h
+@@ -50,7 +50,7 @@ struct io_uring_sqe {
+ };
+ __u32 len; /* buffer size or number of iovecs */
+ union {
+- __kernel_rwf_t rw_flags;
++ __u32 rw_flags;
+ __u32 fsync_flags;
+ __u16 poll_events; /* compatibility */
+ __u32 poll32_events; /* word-reversed for BE */
--- /dev/null
+From 11fbada7184f9e19bcdfa2f6b15828a78b8897a6 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 16 Jul 2025 22:04:08 +0100
+Subject: io_uring: export io_[un]account_mem
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 11fbada7184f9e19bcdfa2f6b15828a78b8897a6 upstream.
+
+Export pinned memory accounting helpers, they'll be used by zcrx
+shortly.
+
+Cc: stable@vger.kernel.org
+Fixes: cf96310c5f9a0 ("io_uring/zcrx: add io_zcrx_area")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/9a61e54bd89289b39570ae02fe620e12487439e4.1752699568.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/rsrc.c | 4 ++--
+ io_uring/rsrc.h | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/io_uring/rsrc.c
++++ b/io_uring/rsrc.c
+@@ -55,7 +55,7 @@ int __io_account_mem(struct user_struct
+ return 0;
+ }
+
+-static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
++void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
+ {
+ if (ctx->user)
+ __io_unaccount_mem(ctx->user, nr_pages);
+@@ -64,7 +64,7 @@ static void io_unaccount_mem(struct io_r
+ atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm);
+ }
+
+-static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
++int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
+ {
+ int ret;
+
+--- a/io_uring/rsrc.h
++++ b/io_uring/rsrc.h
+@@ -146,6 +146,8 @@ int io_files_update(struct io_kiocb *req
+ int io_files_update_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe);
+
+ int __io_account_mem(struct user_struct *user, unsigned long nr_pages);
++int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages);
++void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages);
+
+ static inline void __io_unaccount_mem(struct user_struct *user,
+ unsigned long nr_pages)
--- /dev/null
+From 33503c083fda048c77903460ac0429e1e2c0e341 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Fri, 8 Aug 2025 06:35:14 -0600
+Subject: io_uring/memmap: cast nr_pages to size_t before shifting
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 33503c083fda048c77903460ac0429e1e2c0e341 upstream.
+
+If the allocated size exceeds UINT_MAX, then it's necessary to cast
+the mr->nr_pages value to size_t to prevent it from overflowing. In
+practice this isn't much of a concern as the required memory size will
+have been validated upfront, and accounted to the user. And > 4GB sizes
+will be necessary to make the lack of a cast a problem, which greatly
+exceeds normal user locked_vm settings that are generally in the kb to
+mb range. However, if root is used, then accounting isn't done, and
+then it's possible to hit this issue.
+
+Link: https://lore.kernel.org/all/6895b298.050a0220.7f033.0059.GAE@google.com/
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+23727438116feb13df15@syzkaller.appspotmail.com
+Fixes: 087f997870a9 ("io_uring/memmap: implement mmap for regions")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/memmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/memmap.c
++++ b/io_uring/memmap.c
+@@ -155,7 +155,7 @@ static int io_region_allocate_pages(stru
+ unsigned long mmap_offset)
+ {
+ gfp_t gfp = GFP_KERNEL_ACCOUNT | __GFP_ZERO | __GFP_NOWARN;
+- unsigned long size = mr->nr_pages << PAGE_SHIFT;
++ size_t size = (size_t) mr->nr_pages << PAGE_SHIFT;
+ unsigned long nr_allocated;
+ struct page **pages;
+ void *p;
--- /dev/null
+From 41b70df5b38bc80967d2e0ed55cc3c3896bba781 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 12 Aug 2025 08:30:11 -0600
+Subject: io_uring/net: commit partial buffers on retry
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 41b70df5b38bc80967d2e0ed55cc3c3896bba781 upstream.
+
+Ring provided buffers are potentially only valid within the single
+execution context in which they were acquired. io_uring deals with this
+and invalidates them on retry. But on the networking side, if
+MSG_WAITALL is set, or if the socket is of the streaming type and too
+little was processed, then it will hang on to the buffer rather than
+recycle or commit it. This is problematic for two reasons:
+
+1) If someone unregisters the provided buffer ring before a later retry,
+ then the req->buf_list will no longer be valid.
+
+2) If multiple sockers are using the same buffer group, then multiple
+ receives can consume the same memory. This can cause data corruption
+ in the application, as either receive could land in the same
+ userspace buffer.
+
+Fix this by disallowing partial retries from pinning a provided buffer
+across multiple executions, if ring provided buffers are used.
+
+Cc: stable@vger.kernel.org
+Reported-by: pt x <superman.xpt@gmail.com>
+Fixes: c56e022c0a27 ("io_uring: add support for user mapped provided buffer ring")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -482,6 +482,15 @@ static int io_bundle_nbufs(struct io_asy
+ return nbufs;
+ }
+
++static int io_net_kbuf_recyle(struct io_kiocb *req,
++ struct io_async_msghdr *kmsg, int len)
++{
++ req->flags |= REQ_F_BL_NO_RECYCLE;
++ if (req->flags & REQ_F_BUFFERS_COMMIT)
++ io_kbuf_commit(req, req->buf_list, len, io_bundle_nbufs(kmsg, len));
++ return IOU_RETRY;
++}
++
+ static inline bool io_send_finish(struct io_kiocb *req, int *ret,
+ struct io_async_msghdr *kmsg,
+ unsigned issue_flags)
+@@ -550,8 +559,7 @@ int io_sendmsg(struct io_kiocb *req, uns
+ kmsg->msg.msg_controllen = 0;
+ kmsg->msg.msg_control = NULL;
+ sr->done_io += ret;
+- req->flags |= REQ_F_BL_NO_RECYCLE;
+- return -EAGAIN;
++ return io_net_kbuf_recyle(req, kmsg, ret);
+ }
+ if (ret == -ERESTARTSYS)
+ ret = -EINTR;
+@@ -661,8 +669,7 @@ retry_bundle:
+ sr->len -= ret;
+ sr->buf += ret;
+ sr->done_io += ret;
+- req->flags |= REQ_F_BL_NO_RECYCLE;
+- return -EAGAIN;
++ return io_net_kbuf_recyle(req, kmsg, ret);
+ }
+ if (ret == -ERESTARTSYS)
+ ret = -EINTR;
+@@ -1034,8 +1041,7 @@ retry_multishot:
+ }
+ if (ret > 0 && io_net_retry(sock, flags)) {
+ sr->done_io += ret;
+- req->flags |= REQ_F_BL_NO_RECYCLE;
+- return IOU_RETRY;
++ return io_net_kbuf_recyle(req, kmsg, ret);
+ }
+ if (ret == -ERESTARTSYS)
+ ret = -EINTR;
+@@ -1175,8 +1181,7 @@ retry_multishot:
+ sr->len -= ret;
+ sr->buf += ret;
+ sr->done_io += ret;
+- req->flags |= REQ_F_BL_NO_RECYCLE;
+- return -EAGAIN;
++ return io_net_kbuf_recyle(req, kmsg, ret);
+ }
+ if (ret == -ERESTARTSYS)
+ ret = -EINTR;
+@@ -1461,8 +1466,7 @@ int io_send_zc(struct io_kiocb *req, uns
+ zc->len -= ret;
+ zc->buf += ret;
+ zc->done_io += ret;
+- req->flags |= REQ_F_BL_NO_RECYCLE;
+- return -EAGAIN;
++ return io_net_kbuf_recyle(req, kmsg, ret);
+ }
+ if (ret == -ERESTARTSYS)
+ ret = -EINTR;
+@@ -1532,8 +1536,7 @@ int io_sendmsg_zc(struct io_kiocb *req,
+
+ if (ret > 0 && io_net_retry(sock, flags)) {
+ sr->done_io += ret;
+- req->flags |= REQ_F_BL_NO_RECYCLE;
+- return -EAGAIN;
++ return io_net_kbuf_recyle(req, kmsg, ret);
+ }
+ if (ret == -ERESTARTSYS)
+ ret = -EINTR;
--- /dev/null
+From fab15f57360b1e6620a1d0d6b0fbee896e6c1f07 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Thu, 29 May 2025 08:33:36 +0200
+Subject: leds: flash: leds-qcom-flash: Fix registry access after re-bind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit fab15f57360b1e6620a1d0d6b0fbee896e6c1f07 upstream.
+
+Driver in probe() updates each of 'reg_field' with 'reg_base':
+
+ for (i = 0; i < REG_MAX_COUNT; i++)
+ regs[i].reg += reg_base;
+
+'reg_field' array (under variable 'regs' above) is statically allocated,
+thus each re-bind would add another 'reg_base' leading to bogus
+register addresses. Constify the local 'reg_field' array and duplicate
+it in probe to solve this.
+
+Fixes: 96a2e242a5dc ("leds: flash: Add driver to support flash LED module in QCOM PMICs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Fenglin Wu <fenglin.wu@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250529063335.8785-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/flash/leds-qcom-flash.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/leds/flash/leds-qcom-flash.c
++++ b/drivers/leds/flash/leds-qcom-flash.c
+@@ -117,7 +117,7 @@ enum {
+ REG_MAX_COUNT,
+ };
+
+-static struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = {
++static const struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = {
+ REG_FIELD(0x08, 0, 7), /* status1 */
+ REG_FIELD(0x09, 0, 7), /* status2 */
+ REG_FIELD(0x0a, 0, 7), /* status3 */
+@@ -132,7 +132,7 @@ static struct reg_field mvflash_3ch_regs
+ REG_FIELD(0x58, 0, 2), /* therm_thrsh3 */
+ };
+
+-static struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = {
++static const struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = {
+ REG_FIELD(0x06, 0, 7), /* status1 */
+ REG_FIELD(0x07, 0, 6), /* status2 */
+ REG_FIELD(0x09, 0, 7), /* status3 */
+@@ -854,11 +854,17 @@ static int qcom_flash_led_probe(struct p
+ if (val == FLASH_SUBTYPE_3CH_PM8150_VAL || val == FLASH_SUBTYPE_3CH_PMI8998_VAL) {
+ flash_data->hw_type = QCOM_MVFLASH_3CH;
+ flash_data->max_channels = 3;
+- regs = mvflash_3ch_regs;
++ regs = devm_kmemdup(dev, mvflash_3ch_regs, sizeof(mvflash_3ch_regs),
++ GFP_KERNEL);
++ if (!regs)
++ return -ENOMEM;
+ } else if (val == FLASH_SUBTYPE_4CH_VAL) {
+ flash_data->hw_type = QCOM_MVFLASH_4CH;
+ flash_data->max_channels = 4;
+- regs = mvflash_4ch_regs;
++ regs = devm_kmemdup(dev, mvflash_4ch_regs, sizeof(mvflash_4ch_regs),
++ GFP_KERNEL);
++ if (!regs)
++ return -ENOMEM;
+
+ rc = regmap_read(regmap, reg_base + FLASH_REVISION_REG, &val);
+ if (rc < 0) {
+@@ -880,6 +886,7 @@ static int qcom_flash_led_probe(struct p
+ dev_err(dev, "Failed to allocate regmap field, rc=%d\n", rc);
+ return rc;
+ }
++ devm_kfree(dev, regs); /* devm_regmap_field_bulk_alloc() makes copies */
+
+ platform_set_drvdata(pdev, flash_data);
+ mutex_init(&flash_data->lock);
--- /dev/null
+From 3c607baf68639d6bfe1a336523c4c9597f4b512a Mon Sep 17 00:00:00 2001
+From: Dongcheng Yan <dongcheng.yan@intel.com>
+Date: Wed, 21 May 2025 15:15:19 +0800
+Subject: media: i2c: set lt6911uxe's reset_gpio to GPIOD_OUT_LOW
+
+From: Dongcheng Yan <dongcheng.yan@intel.com>
+
+commit 3c607baf68639d6bfe1a336523c4c9597f4b512a upstream.
+
+reset_gpio needs to be an output and set to GPIOD_OUT_LOW, to ensure
+lt6911uxe is in reset state during probe.
+
+This issue was found on the onboard lt6911uxe, where the reset_pin was
+not reset, causing the lt6911uxe to fail to probe.
+
+Fixes: e49563c3be09d4 ("media: i2c: add lt6911uxe hdmi bridge driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dongcheng Yan <dongcheng.yan@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/lt6911uxe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/lt6911uxe.c
++++ b/drivers/media/i2c/lt6911uxe.c
+@@ -600,7 +600,7 @@ static int lt6911uxe_probe(struct i2c_cl
+
+ v4l2_i2c_subdev_init(<6911uxe->sd, client, <6911uxe_subdev_ops);
+
+- lt6911uxe->reset_gpio = devm_gpiod_get(dev, "reset", GPIOD_IN);
++ lt6911uxe->reset_gpio = devm_gpiod_get(dev, "reset", GPIOD_OUT_LOW);
+ if (IS_ERR(lt6911uxe->reset_gpio))
+ return dev_err_probe(dev, PTR_ERR(lt6911uxe->reset_gpio),
+ "failed to get reset gpio\n");
--- /dev/null
+From 3fa840230f534385b34a4f39c8dd313fbe723f05 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:09 +0200
+Subject: net: dpaa: fix device leak when querying time stamp info
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3fa840230f534385b34a4f39c8dd313fbe723f05 upstream.
+
+Make sure to drop the reference to the ptp device taken by
+of_find_device_by_node() when querying the time stamping capabilities.
+
+Note that holding a reference to the ptp device does not prevent its
+driver data from going away.
+
+Fixes: 17ae0b0ee9db ("dpaa_eth: add the get_ts_info interface for ethtool")
+Cc: stable@vger.kernel.org # 4.19
+Cc: Yangbo Lu <yangbo.lu@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-2-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+@@ -401,8 +401,10 @@ static int dpaa_get_ts_info(struct net_d
+ of_node_put(ptp_node);
+ }
+
+- if (ptp_dev)
++ if (ptp_dev) {
+ ptp = platform_get_drvdata(ptp_dev);
++ put_device(&ptp_dev->dev);
++ }
+
+ if (ptp)
+ info->phc_index = ptp->phc_index;
--- /dev/null
+From 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:10 +0200
+Subject: net: enetc: fix device and OF node leak at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed upstream.
+
+Make sure to drop the references to the IERB OF node and platform device
+taken by of_parse_phandle() and of_find_device_by_node() during probe.
+
+Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block")
+Cc: stable@vger.kernel.org # 5.13
+Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+@@ -924,19 +924,29 @@ static int enetc_pf_register_with_ierb(s
+ {
+ struct platform_device *ierb_pdev;
+ struct device_node *ierb_node;
++ int ret;
+
+ ierb_node = of_find_compatible_node(NULL, NULL,
+ "fsl,ls1028a-enetc-ierb");
+- if (!ierb_node || !of_device_is_available(ierb_node))
++ if (!ierb_node)
+ return -ENODEV;
+
++ if (!of_device_is_available(ierb_node)) {
++ of_node_put(ierb_node);
++ return -ENODEV;
++ }
++
+ ierb_pdev = of_find_device_by_node(ierb_node);
+ of_node_put(ierb_node);
+
+ if (!ierb_pdev)
+ return -EPROBE_DEFER;
+
+- return enetc_ierb_register_pf(ierb_pdev, pdev);
++ ret = enetc_ierb_register_pf(ierb_pdev, pdev);
++
++ put_device(&ierb_pdev->dev);
++
++ return ret;
+ }
+
+ static struct enetc_si *enetc_psi_create(struct pci_dev *pdev)
--- /dev/null
+From e88fbc30dda1cb7438515303704ceddb3ade4ecd Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Wed, 30 Jul 2025 22:23:23 +0200
+Subject: net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit e88fbc30dda1cb7438515303704ceddb3ade4ecd upstream.
+
+After the call to phy_disconnect() netdev->phydev is reset to NULL.
+So fixed_phy_unregister() would be called with a NULL pointer as argument.
+Therefore cache the phy_device before this call.
+
+Fixes: e24a6c874601 ("net: ftgmac100: Get link speed and duplex for NC-SI")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Link: https://patch.msgid.link/2b80a77a-06db-4dd7-85dc-3a8e0de55a1d@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/faraday/ftgmac100.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/faraday/ftgmac100.c
++++ b/drivers/net/ethernet/faraday/ftgmac100.c
+@@ -1730,16 +1730,17 @@ err_register_mdiobus:
+ static void ftgmac100_phy_disconnect(struct net_device *netdev)
+ {
+ struct ftgmac100 *priv = netdev_priv(netdev);
++ struct phy_device *phydev = netdev->phydev;
+
+- if (!netdev->phydev)
++ if (!phydev)
+ return;
+
+- phy_disconnect(netdev->phydev);
++ phy_disconnect(phydev);
+ if (of_phy_is_fixed_link(priv->dev->of_node))
+ of_phy_deregister_fixed_link(priv->dev->of_node);
+
+ if (priv->use_ncsi)
+- fixed_phy_unregister(netdev->phydev);
++ fixed_phy_unregister(phydev);
+ }
+
+ static void ftgmac100_destroy_mdio(struct net_device *netdev)
--- /dev/null
+From da717540acd34e5056e3fa35791d50f6b3303f55 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:11 +0200
+Subject: net: gianfar: fix device leak when querying time stamp info
+
+From: Johan Hovold <johan@kernel.org>
+
+commit da717540acd34e5056e3fa35791d50f6b3303f55 upstream.
+
+Make sure to drop the reference to the ptp device taken by
+of_find_device_by_node() when querying the time stamping capabilities.
+
+Note that holding a reference to the ptp device does not prevent its
+driver data from going away.
+
+Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata")
+Cc: stable@vger.kernel.org # 4.18
+Cc: Yangbo Lu <yangbo.lu@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-4-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c
++++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c
+@@ -1466,8 +1466,10 @@ static int gfar_get_ts_info(struct net_d
+ if (ptp_node) {
+ ptp_dev = of_find_device_by_node(ptp_node);
+ of_node_put(ptp_node);
+- if (ptp_dev)
++ if (ptp_dev) {
+ ptp = platform_get_drvdata(ptp_dev);
++ put_device(&ptp_dev->dev);
++ }
+ }
+
+ if (ptp)
--- /dev/null
+From 3e13274ca8750823e8b68181bdf185d238febe0d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:12 +0200
+Subject: net: mtk_eth_soc: fix device leak at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3e13274ca8750823e8b68181bdf185d238febe0d upstream.
+
+The reference count to the WED devices has already been incremented when
+looking them up using of_find_device_by_node() so drop the bogus
+additional reference taken during probe.
+
+Fixes: 804775dfc288 ("net: ethernet: mtk_eth_soc: add support for Wireless Ethernet Dispatch (WED)")
+Cc: stable@vger.kernel.org # 5.19
+Cc: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-5-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mediatek/mtk_wed.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ethernet/mediatek/mtk_wed.c
++++ b/drivers/net/ethernet/mediatek/mtk_wed.c
+@@ -2794,7 +2794,6 @@ void mtk_wed_add_hw(struct device_node *
+ if (!pdev)
+ goto err_of_node_put;
+
+- get_device(&pdev->dev);
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0)
+ goto err_put_device;
--- /dev/null
+From 49db61c27c4bbd24364086dc0892bd3e14c1502e Mon Sep 17 00:00:00 2001
+From: Florian Larysch <fl@n621.de>
+Date: Thu, 24 Jul 2025 00:20:42 +0200
+Subject: net: phy: micrel: fix KSZ8081/KSZ8091 cable test
+
+From: Florian Larysch <fl@n621.de>
+
+commit 49db61c27c4bbd24364086dc0892bd3e14c1502e upstream.
+
+Commit 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814
+phy") introduced cable_test support for the LAN8814 that reuses parts of
+the KSZ886x logic and introduced the cable_diag_reg and pair_mask
+parameters to account for differences between those chips.
+
+However, it did not update the ksz8081_type struct, so those members are
+now 0, causing no pairs to be tested in ksz886x_cable_test_get_status
+and ksz886x_cable_test_wait_for_completion to poll the wrong register
+for the affected PHYs (Basic Control/Reset, which is 0 in normal
+operation) and exit immediately.
+
+Fix this by setting both struct members accordingly.
+
+Fixes: 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814 phy")
+Cc: stable@vger.kernel.org
+Signed-off-by: Florian Larysch <fl@n621.de>
+Link: https://patch.msgid.link/20250723222250.13960-1-fl@n621.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/micrel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -472,6 +472,8 @@ static const struct kszphy_type ksz8051_
+
+ static const struct kszphy_type ksz8081_type = {
+ .led_mode_reg = MII_KSZPHY_CTRL_2,
++ .cable_diag_reg = KSZ8081_LMD,
++ .pair_mask = KSZPHY_WIRE_PAIR_MASK,
+ .has_broadcast_disable = true,
+ .has_nand_tree_disable = true,
+ .has_rmii_ref_clk_sel = true,
--- /dev/null
+From e05c54974a05ab19658433545d6ced88d9075cf0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:13 +0200
+Subject: net: ti: icss-iep: fix device and OF node leaks at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e05c54974a05ab19658433545d6ced88d9075cf0 upstream.
+
+Make sure to drop the references to the IEP OF node and device taken by
+of_parse_phandle() and of_find_device_by_node() when looking up IEP
+devices during probe.
+
+Drop the bogus additional reference taken on successful lookup so that
+the device is released correctly by icss_iep_put().
+
+Fixes: c1e0230eeaab ("net: ti: icss-iep: Add IEP driver")
+Cc: stable@vger.kernel.org # 6.6
+Cc: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-6-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/icssg/icss_iep.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/ti/icssg/icss_iep.c
++++ b/drivers/net/ethernet/ti/icssg/icss_iep.c
+@@ -685,11 +685,17 @@ struct icss_iep *icss_iep_get_idx(struct
+ struct platform_device *pdev;
+ struct device_node *iep_np;
+ struct icss_iep *iep;
++ int ret;
+
+ iep_np = of_parse_phandle(np, "ti,iep", idx);
+- if (!iep_np || !of_device_is_available(iep_np))
++ if (!iep_np)
+ return ERR_PTR(-ENODEV);
+
++ if (!of_device_is_available(iep_np)) {
++ of_node_put(iep_np);
++ return ERR_PTR(-ENODEV);
++ }
++
+ pdev = of_find_device_by_node(iep_np);
+ of_node_put(iep_np);
+
+@@ -698,21 +704,28 @@ struct icss_iep *icss_iep_get_idx(struct
+ return ERR_PTR(-EPROBE_DEFER);
+
+ iep = platform_get_drvdata(pdev);
+- if (!iep)
+- return ERR_PTR(-EPROBE_DEFER);
++ if (!iep) {
++ ret = -EPROBE_DEFER;
++ goto err_put_pdev;
++ }
+
+ device_lock(iep->dev);
+ if (iep->client_np) {
+ device_unlock(iep->dev);
+ dev_err(iep->dev, "IEP is already acquired by %s",
+ iep->client_np->name);
+- return ERR_PTR(-EBUSY);
++ ret = -EBUSY;
++ goto err_put_pdev;
+ }
+ iep->client_np = np;
+ device_unlock(iep->dev);
+- get_device(iep->dev);
+
+ return iep;
++
++err_put_pdev:
++ put_device(&pdev->dev);
++
++ return ERR_PTR(ret);
+ }
+ EXPORT_SYMBOL_GPL(icss_iep_get_idx);
+
--- /dev/null
+From 4faff70959d51078f9ee8372f8cff0d7045e4114 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Mon, 11 Aug 2025 17:29:31 +0800
+Subject: net: usb: asix_devices: add phy_mask for ax88772 mdio bus
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 4faff70959d51078f9ee8372f8cff0d7045e4114 upstream.
+
+Without setting phy_mask for ax88772 mdio bus, current driver may create
+at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.
+DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy
+device will bind to net phy driver. This is creating issue during system
+suspend/resume since phy_polling_mode() in phy_state_machine() will
+directly deference member of phydev->drv for non-main phy devices. Then
+NULL pointer dereference issue will occur. Due to only external phy or
+internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud
+the issue.
+
+Closes: https://lore.kernel.org/netdev/20250806082931.3289134-1-xu.yang_2@nxp.com
+Fixes: e532a096be0e ("net: usb: asix: ax88772: add phylib support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20250811092931.860333-1-xu.yang_2@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/asix_devices.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbn
+ priv->mdio->read = &asix_mdio_bus_read;
+ priv->mdio->write = &asix_mdio_bus_write;
+ priv->mdio->name = "Asix MDIO Bus";
++ priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));
+ /* mii bus name is usb-<usb bus number>-<usb device number> */
+ snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
+ dev->udev->bus->busnum, dev->udev->devnum);
--- /dev/null
+From 61aaca8b89fb98be58b8df19f01181bb983cccff Mon Sep 17 00:00:00 2001
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+Date: Fri, 8 Aug 2025 15:31:08 +0200
+Subject: net: usb: qmi_wwan: add Telit Cinterion FN990A w/audio composition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+
+commit 61aaca8b89fb98be58b8df19f01181bb983cccff upstream.
+
+Add the following Telit Cinterion FN990A w/audio composition:
+
+0x1077: tty (diag) + adb + rmnet + audio + tty (AT/NMEA) + tty (AT) +
+tty (AT) + tty (AT)
+T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=1077 Rev=05.04
+S: Manufacturer=Telit Wireless Solutions
+S: Product=FN990
+S: SerialNumber=67e04c35
+C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 3 Alt= 0 #EPs= 0 Cls=01(audio) Sub=01 Prot=20 Driver=snd-usb-audio
+I: If#= 4 Alt= 1 #EPs= 1 Cls=01(audio) Sub=02 Prot=20 Driver=snd-usb-audio
+E: Ad=03(O) Atr=0d(Isoc) MxPS= 68 Ivl=1ms
+I: If#= 5 Alt= 1 #EPs= 1 Cls=01(audio) Sub=02 Prot=20 Driver=snd-usb-audio
+E: Ad=84(I) Atr=0d(Isoc) MxPS= 68 Ivl=1ms
+I: If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 7 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 9 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=8c(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1361,6 +1361,7 @@ static const struct usb_device_id produc
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1057, 2)}, /* Telit FN980 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990A */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1077, 2)}, /* Telit FN990A w/audio */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990A */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */
--- /dev/null
+From 759dfc7d04bab1b0b86113f1164dc1fec192b859 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Mon, 28 Jul 2025 11:06:47 +0300
+Subject: netlink: avoid infinite retry looping in netlink_unicast()
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit 759dfc7d04bab1b0b86113f1164dc1fec192b859 upstream.
+
+netlink_attachskb() checks for the socket's read memory allocation
+constraints. Firstly, it has:
+
+ rmem < READ_ONCE(sk->sk_rcvbuf)
+
+to check if the just increased rmem value fits into the socket's receive
+buffer. If not, it proceeds and tries to wait for the memory under:
+
+ rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)
+
+The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
+equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
+these conditions, nor manages to reschedule the task - and is called in
+retry loop for indefinite time which is caught as:
+
+ rcu: INFO: rcu_sched self-detected stall on CPU
+ rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
+ (t=26000 jiffies g=230833 q=259957)
+ NMI backtrace for cpu 0
+ CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
+ Call Trace:
+ <IRQ>
+ dump_stack lib/dump_stack.c:120
+ nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
+ nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
+ rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
+ rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
+ update_process_times kernel/time/timer.c:1953
+ tick_sched_handle kernel/time/tick-sched.c:227
+ tick_sched_timer kernel/time/tick-sched.c:1399
+ __hrtimer_run_queues kernel/time/hrtimer.c:1652
+ hrtimer_interrupt kernel/time/hrtimer.c:1717
+ __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
+ asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
+ </IRQ>
+
+ netlink_attachskb net/netlink/af_netlink.c:1234
+ netlink_unicast net/netlink/af_netlink.c:1349
+ kauditd_send_queue kernel/audit.c:776
+ kauditd_thread kernel/audit.c:897
+ kthread kernel/kthread.c:328
+ ret_from_fork arch/x86/entry/entry_64.S:304
+
+Restore the original behavior of the check which commit in Fixes
+accidentally missed when restructuring the code.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250728080727.255138-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1218,7 +1218,7 @@ int netlink_attachskb(struct sock *sk, s
+ nlk = nlk_sk(sk);
+ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
+
+- if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) &&
++ if ((rmem == skb->truesize || rmem <= READ_ONCE(sk->sk_rcvbuf)) &&
+ !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
+ netlink_skb_set_owner_r(skb, sk);
+ return 0;
--- /dev/null
+From 56bdf7270ff4f870e2d4bfacdc00161e766dba2d Mon Sep 17 00:00:00 2001
+From: David Thompson <davthompson@nvidia.com>
+Date: Mon, 11 Aug 2025 13:50:44 -0400
+Subject: Revert "gpio: mlxbf3: only get IRQ for device instance 0"
+
+From: David Thompson <davthompson@nvidia.com>
+
+commit 56bdf7270ff4f870e2d4bfacdc00161e766dba2d upstream.
+
+This reverts commit 10af0273a35ab4513ca1546644b8c853044da134.
+
+While this change was merged, it is not the preferred solution.
+During review of a similar change to the gpio-mlxbf2 driver, the
+use of "platform_get_irq_optional" was identified as the preferred
+solution, so let's use it for gpio-mlxbf3 driver as well.
+
+Cc: stable@vger.kernel.org
+Fixes: 10af0273a35a ("gpio: mlxbf3: only get IRQ for device instance 0")
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/8d2b630c71b3742f2c74242cf7d602706a6108e6.1754928650.git.davthompson@nvidia.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-mlxbf3.c | 54 +++++++++++++++------------------------------
+ 1 file changed, 19 insertions(+), 35 deletions(-)
+
+--- a/drivers/gpio/gpio-mlxbf3.c
++++ b/drivers/gpio/gpio-mlxbf3.c
+@@ -190,9 +190,7 @@ static int mlxbf3_gpio_probe(struct plat
+ struct mlxbf3_gpio_context *gs;
+ struct gpio_irq_chip *girq;
+ struct gpio_chip *gc;
+- char *colon_ptr;
+ int ret, irq;
+- long num;
+
+ gs = devm_kzalloc(dev, sizeof(*gs), GFP_KERNEL);
+ if (!gs)
+@@ -229,39 +227,25 @@ static int mlxbf3_gpio_probe(struct plat
+ gc->owner = THIS_MODULE;
+ gc->add_pin_ranges = mlxbf3_gpio_add_pin_ranges;
+
+- colon_ptr = strchr(dev_name(dev), ':');
+- if (!colon_ptr) {
+- dev_err(dev, "invalid device name format\n");
+- return -EINVAL;
+- }
+-
+- ret = kstrtol(++colon_ptr, 16, &num);
+- if (ret) {
+- dev_err(dev, "invalid device instance\n");
+- return ret;
+- }
+-
+- if (!num) {
+- irq = platform_get_irq(pdev, 0);
+- if (irq >= 0) {
+- girq = &gs->gc.irq;
+- gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip);
+- girq->default_type = IRQ_TYPE_NONE;
+- /* This will let us handle the parent IRQ in the driver */
+- girq->num_parents = 0;
+- girq->parents = NULL;
+- girq->parent_handler = NULL;
+- girq->handler = handle_bad_irq;
+-
+- /*
+- * Directly request the irq here instead of passing
+- * a flow-handler because the irq is shared.
+- */
+- ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler,
+- IRQF_SHARED, dev_name(dev), gs);
+- if (ret)
+- return dev_err_probe(dev, ret, "failed to request IRQ");
+- }
++ irq = platform_get_irq(pdev, 0);
++ if (irq >= 0) {
++ girq = &gs->gc.irq;
++ gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip);
++ girq->default_type = IRQ_TYPE_NONE;
++ /* This will let us handle the parent IRQ in the driver */
++ girq->num_parents = 0;
++ girq->parents = NULL;
++ girq->parent_handler = NULL;
++ girq->handler = handle_bad_irq;
++
++ /*
++ * Directly request the irq here instead of passing
++ * a flow-handler because the irq is shared.
++ */
++ ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler,
++ IRQF_SHARED, dev_name(dev), gs);
++ if (ret)
++ return dev_err_probe(dev, ret, "failed to request IRQ");
+ }
+
+ platform_set_drvdata(pdev, gs);
--- /dev/null
+From 26f732791f2bcab18f59c61915bbe35225f30136 Mon Sep 17 00:00:00 2001
+From: Daniel Golle <daniel@makrotopia.org>
+Date: Sat, 12 Jul 2025 16:39:21 +0100
+Subject: Revert "leds: trigger: netdev: Configure LED blink interval for HW offload"
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+commit 26f732791f2bcab18f59c61915bbe35225f30136 upstream.
+
+This reverts commit c629c972b310af41e9e072febb6dae9a299edde6.
+
+While .led_blink_set() would previously put an LED into an unconditional
+permanently blinking state, the offending commit now uses same operation
+to (also?) set the blink timing of the netdev trigger when offloading.
+
+This breaks many if not all of the existing PHY drivers which offer
+offloading LED operations, as those drivers would just put the LED into
+blinking state after .led_blink_set() has been called.
+
+Unfortunately the change even made it into stable kernels for unknown
+reasons, so it should be reverted there as well.
+
+Fixes: c629c972b310a ("leds: trigger: netdev: Configure LED blink interval for HW offload")
+Link: https://lore.kernel.org/linux-leds/c6134e26-2e45-4121-aa15-58aaef327201@lunn.ch/T/#m9d6fe81bbcb273e59f12bbedbd633edd32118387
+Suggested-by: Andrew Lunn <andrew@lunn.ch>
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/6dcc77ee1c9676891d6250d8994850f521426a0f.1752334655.git.daniel@makrotopia.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/trigger/ledtrig-netdev.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+--- a/drivers/leds/trigger/ledtrig-netdev.c
++++ b/drivers/leds/trigger/ledtrig-netdev.c
+@@ -68,7 +68,6 @@ struct led_netdev_data {
+ unsigned int last_activity;
+
+ unsigned long mode;
+- unsigned long blink_delay;
+ int link_speed;
+ __ETHTOOL_DECLARE_LINK_MODE_MASK(supported_link_modes);
+ u8 duplex;
+@@ -87,10 +86,6 @@ static void set_baseline_state(struct le
+ /* Already validated, hw control is possible with the requested mode */
+ if (trigger_data->hw_control) {
+ led_cdev->hw_control_set(led_cdev, trigger_data->mode);
+- if (led_cdev->blink_set) {
+- led_cdev->blink_set(led_cdev, &trigger_data->blink_delay,
+- &trigger_data->blink_delay);
+- }
+
+ return;
+ }
+@@ -459,11 +454,10 @@ static ssize_t interval_store(struct dev
+ size_t size)
+ {
+ struct led_netdev_data *trigger_data = led_trigger_get_drvdata(dev);
+- struct led_classdev *led_cdev = trigger_data->led_cdev;
+ unsigned long value;
+ int ret;
+
+- if (trigger_data->hw_control && !led_cdev->blink_set)
++ if (trigger_data->hw_control)
+ return -EINVAL;
+
+ ret = kstrtoul(buf, 0, &value);
+@@ -472,13 +466,9 @@ static ssize_t interval_store(struct dev
+
+ /* impose some basic bounds on the timer interval */
+ if (value >= 5 && value <= 10000) {
+- if (trigger_data->hw_control) {
+- trigger_data->blink_delay = value;
+- } else {
+- cancel_delayed_work_sync(&trigger_data->work);
++ cancel_delayed_work_sync(&trigger_data->work);
+
+- atomic_set(&trigger_data->interval, msecs_to_jiffies(value));
+- }
++ atomic_set(&trigger_data->interval, msecs_to_jiffies(value));
+ set_baseline_state(trigger_data); /* resets timer */
+ }
+
--- /dev/null
+io_uring-don-t-use-int-for-abi.patch
+io_uring-export-io_account_mem.patch
+io_uring-memmap-cast-nr_pages-to-size_t-before-shifting.patch
+io_uring-net-commit-partial-buffers-on-retry.patch
+alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch
+alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch
+alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch
+alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch
+smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch
+smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch
+gpio-virtio-fix-config-space-reading.patch
+arm64-dts-ti-k3-j722s-evm-fix-usb-gpio-hog-level-for-type-c.patch
+media-i2c-set-lt6911uxe-s-reset_gpio-to-gpiod_out_low.patch
+gpio-mlxbf2-use-platform_get_irq_optional.patch
+revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch
+gpio-mlxbf3-use-platform_get_irq_optional.patch
+leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch
+revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch
+netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch
+net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch
+net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch
+net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch
+net-enetc-fix-device-and-of-node-leak-at-probe.patch
+net-mtk_eth_soc-fix-device-leak-at-probe.patch
+net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch
+net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch
+net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch
+net-usb-qmi_wwan-add-telit-cinterion-fn990a-w-audio-composition.patch
+fhandle-raise-fileid_is_dir-in-handle_type.patch
--- /dev/null
+From e19d8dd694d261ac26adb2a26121a37c107c81ad Mon Sep 17 00:00:00 2001
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Date: Fri, 1 Aug 2025 17:07:24 +0800
+Subject: smb: client: remove redundant lstrp update in negotiate protocol
+
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+
+commit e19d8dd694d261ac26adb2a26121a37c107c81ad upstream.
+
+Commit 34331d7beed7 ("smb: client: fix first command failure during
+re-negotiation") addressed a race condition by updating lstrp before
+entering negotiate state. However, this approach may have some unintended
+side effects.
+
+The lstrp field is documented as "when we got last response from this
+server", and updating it before actually receiving a server response
+could potentially affect other mechanisms that rely on this timestamp.
+For example, the SMB echo detection logic also uses lstrp as a reference
+point. In scenarios with frequent user operations during reconnect states,
+the repeated calls to cifs_negotiate_protocol() might continuously
+update lstrp, which could interfere with the echo detection timing.
+
+Additionally, commit 266b5d02e14f ("smb: client: fix race condition in
+negotiate timeout by using more precise timing") introduced a dedicated
+neg_start field specifically for tracking negotiate start time. This
+provides a more precise solution for the original race condition while
+preserving the intended semantics of lstrp.
+
+Since the race condition is now properly handled by the neg_start
+mechanism, the lstrp update in cifs_negotiate_protocol() is no longer
+necessary and can be safely removed.
+
+Fixes: 266b5d02e14f ("smb: client: fix race condition in negotiate timeout by using more precise timing")
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -4198,7 +4198,6 @@ retry:
+ return 0;
+ }
+
+- server->lstrp = jiffies;
+ server->tcpStatus = CifsInNegotiate;
+ server->neg_start = jiffies;
+ spin_unlock(&server->srv_lock);
--- /dev/null
+From 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 11 Aug 2025 23:14:55 -0500
+Subject: smb3: fix for slab out of bounds on mount to ksmbd
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc upstream.
+
+With KASAN enabled, it is possible to get a slab out of bounds
+during mount to ksmbd due to missing check in parse_server_interfaces()
+(see below):
+
+ BUG: KASAN: slab-out-of-bounds in
+ parse_server_interfaces+0x14ee/0x1880 [cifs]
+ Read of size 4 at addr ffff8881433dba98 by task mount/9827
+
+ CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G
+ OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary)
+ Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+ Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,
+ BIOS 2.13.1 06/14/2019
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x9f/0xf0
+ print_report+0xd1/0x670
+ __virt_addr_valid+0x22c/0x430
+ ? parse_server_interfaces+0x14ee/0x1880 [cifs]
+ ? kasan_complete_mode_report_info+0x2a/0x1f0
+ ? parse_server_interfaces+0x14ee/0x1880 [cifs]
+ kasan_report+0xd6/0x110
+ parse_server_interfaces+0x14ee/0x1880 [cifs]
+ __asan_report_load_n_noabort+0x13/0x20
+ parse_server_interfaces+0x14ee/0x1880 [cifs]
+ ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]
+ ? trace_hardirqs_on+0x51/0x60
+ SMB3_request_interfaces+0x1ad/0x3f0 [cifs]
+ ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]
+ ? SMB2_tcon+0x23c/0x15d0 [cifs]
+ smb3_qfs_tcon+0x173/0x2b0 [cifs]
+ ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
+ ? cifs_get_tcon+0x105d/0x2120 [cifs]
+ ? do_raw_spin_unlock+0x5d/0x200
+ ? cifs_get_tcon+0x105d/0x2120 [cifs]
+ ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
+ cifs_mount_get_tcon+0x369/0xb90 [cifs]
+ ? dfs_cache_find+0xe7/0x150 [cifs]
+ dfs_mount_share+0x985/0x2970 [cifs]
+ ? check_path.constprop.0+0x28/0x50
+ ? save_trace+0x54/0x370
+ ? __pfx_dfs_mount_share+0x10/0x10 [cifs]
+ ? __lock_acquire+0xb82/0x2ba0
+ ? __kasan_check_write+0x18/0x20
+ cifs_mount+0xbc/0x9e0 [cifs]
+ ? __pfx_cifs_mount+0x10/0x10 [cifs]
+ ? do_raw_spin_unlock+0x5d/0x200
+ ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]
+ cifs_smb3_do_mount+0x263/0x1990 [cifs]
+
+Reported-by: Namjae Jeon <linkinjeon@kernel.org>
+Tested-by: Namjae Jeon <linkinjeon@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2ops.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -772,6 +772,13 @@ next_iface:
+ bytes_left -= sizeof(*p);
+ break;
+ }
++ /* Validate that Next doesn't point beyond the buffer */
++ if (next > bytes_left) {
++ cifs_dbg(VFS, "%s: invalid Next pointer %zu > %zd\n",
++ __func__, next, bytes_left);
++ rc = -EINVAL;
++ goto out;
++ }
+ p = (struct network_interface_info_ioctl_rsp *)((u8 *)p+next);
+ bytes_left -= next;
+ }
+@@ -783,7 +790,9 @@ next_iface:
+ }
+
+ /* Azure rounds the buffer size up 8, to a 16 byte boundary */
+- if ((bytes_left > 8) || p->Next)
++ if ((bytes_left > 8) ||
++ (bytes_left >= offsetof(struct network_interface_info_ioctl_rsp, Next)
++ + sizeof(p->Next) && p->Next))
+ cifs_dbg(VFS, "%s: incomplete interface info\n", __func__);
+
+ ses->iface_last_update = jiffies;
projects / thirdparty / kernel / stable-queue.git / commitdiff
