Fixes for all trees
authorSasha Levin <sashal@kernel.org>
Sun, 28 Sep 2025 14:27:22 +0000 (10:27 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 28 Sep 2025 14:27:22 +0000 (10:27 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
31 files changed:
queue-5.10/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch [new file with mode: 0644]
queue-5.10/series
queue-5.15/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch [new file with mode: 0644]
queue-5.15/series
queue-5.4/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch [new file with mode: 0644]
queue-5.4/series
queue-6.1/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch [new file with mode: 0644]
queue-6.1/futex-prevent-use-after-free-during-requeue-pi.patch [new file with mode: 0644]
queue-6.1/series
queue-6.12/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch [new file with mode: 0644]
queue-6.12/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch [new file with mode: 0644]
queue-6.12/futex-prevent-use-after-free-during-requeue-pi.patch [new file with mode: 0644]
queue-6.12/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch [new file with mode: 0644]
queue-6.16/drm-amd-display-remove-output_tf_change-flag.patch [new file with mode: 0644]
queue-6.16/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch [new file with mode: 0644]
queue-6.16/drm-i915-ddi-guard-reg_val-against-a-invalid_transco.patch [new file with mode: 0644]
queue-6.16/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch [new file with mode: 0644]
queue-6.16/drm-xe-fix-build-with-config_modules-n.patch [new file with mode: 0644]
queue-6.16/drm-xe-vf-don-t-expose-sysfs-attributes-not-applicab.patch [new file with mode: 0644]
queue-6.16/futex-prevent-use-after-free-during-requeue-pi.patch [new file with mode: 0644]
queue-6.16/futex-use-correct-exit-on-failure-from-futex_hash_al.patch [new file with mode: 0644]
queue-6.16/gpio-regmap-fix-memory-leak-of-gpio_regmap-structure.patch [new file with mode: 0644]
queue-6.16/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch [new file with mode: 0644]
queue-6.16/series
queue-6.16/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch [new file with mode: 0644]
queue-6.6/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch [new file with mode: 0644]
queue-6.6/futex-prevent-use-after-free-during-requeue-pi.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch [new file with mode: 0644]

diff --git a/queue-5.10/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-5.10/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
new file mode 100644 (file)
index 0000000..24f0d1d
--- /dev/null
@@ -0,0 +1,42 @@
+From 91c9cb968d9a5b6338f840aebe53a6b258b0c018 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Sep 2025 18:06:59 +0300
+Subject: drm/gma500: Fix null dereference in hdmi teardown
+
+From: Zabelin Nikita <n.zabelin@mt-integration.ru>
+
+[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ]
+
+pci_set_drvdata sets the value of pdev->driver_data to NULL,
+after which the driver_data obtained from the same dev is
+dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
+extracted from it. To prevent this, swap these calls.
+
+Found by Linux Verification Center (linuxtesting.org) with Svacer.
+
+Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
+Signed-off-by: Zabelin Nikita <n.zabelin@mt-integration.ru>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+index a097a59a9eaec..08e83b7513197 100644
+--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+@@ -724,8 +724,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev)
+       if (hdmi_dev) {
+               pdev = hdmi_dev->dev;
+-              pci_set_drvdata(pdev, NULL);
+               oaktrail_hdmi_i2c_exit(pdev);
++              pci_set_drvdata(pdev, NULL);
+               iounmap(hdmi_dev->regs);
+               kfree(hdmi_dev);
+               pci_dev_put(pdev);
+-- 
+2.51.0
+
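Review bot: In the embedded oaktrail_hdmi_teardown() hunk the fix depends on `oaktrail_hdmi_i2c_exit(pdev)` running before `pci_set_drvdata(pdev, NULL)`, but nothing in the code records that ordering, so a later tidy-up could silently reintroduce the null dereference. I would add a comment above the pair, for example `/* oaktrail_hdmi_i2c_exit() reads pdev's drvdata; clear it only afterwards */`; this relies on the commit message, because the callee is not visible in the hunk. The function body starts and ends outside the hunk. The same patch is queued for 5.15, 5.4, 6.1 and 6.12 further down this page (and for 6.16 and 6.6 per the file list), and the comment applies to each copy.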
index 0cff4f05bea0f15260716c8e00e43a1c20c8b043..4b2297e23ebfd24deb2bfa280aafa460ea10c361 100644 (file)
@@ -105,3 +105,4 @@ nexthop-emit-a-notification-when-a-nexthop-is-added.patch
 nexthop-emit-a-notification-when-a-single-nexthop-is.patch
 nexthop-forbid-fdb-status-change-while-nexthop-is-in.patch
 selftests-fib_nexthops-fix-creation-of-non-fdb-nexth.patch
+drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
diff --git a/queue-5.15/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-5.15/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
new file mode 100644 (file)
index 0000000..bf923e4
--- /dev/null
@@ -0,0 +1,42 @@
+From 7a1e440c772ae06fa55e17aa48eada5566a72d6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Sep 2025 18:06:59 +0300
+Subject: drm/gma500: Fix null dereference in hdmi teardown
+
+From: Zabelin Nikita <n.zabelin@mt-integration.ru>
+
+[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ]
+
+pci_set_drvdata sets the value of pdev->driver_data to NULL,
+after which the driver_data obtained from the same dev is
+dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
+extracted from it. To prevent this, swap these calls.
+
+Found by Linux Verification Center (linuxtesting.org) with Svacer.
+
+Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
+Signed-off-by: Zabelin Nikita <n.zabelin@mt-integration.ru>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+index a097a59a9eaec..08e83b7513197 100644
+--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+@@ -724,8 +724,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev)
+       if (hdmi_dev) {
+               pdev = hdmi_dev->dev;
+-              pci_set_drvdata(pdev, NULL);
+               oaktrail_hdmi_i2c_exit(pdev);
++              pci_set_drvdata(pdev, NULL);
+               iounmap(hdmi_dev->regs);
+               kfree(hdmi_dev);
+               pci_dev_put(pdev);
+-- 
+2.51.0
+
index 1a8e7690c1dc47fcafae389d26ba005529fb267e..a29e74766f24f9c92b7ab937cedf5aef6d1152cd 100644 (file)
@@ -132,3 +132,4 @@ selftests-fib_nexthops-fix-creation-of-non-fdb-nexth.patch
 net-dsa-lantiq_gswip-do-also-enable-or-disable-cpu-p.patch
 net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch
 net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch
+drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
diff --git a/queue-5.4/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-5.4/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
new file mode 100644 (file)
index 0000000..fd8044e
--- /dev/null
@@ -0,0 +1,42 @@
+From 2f12e66e831603cb4944c8a2b94d07e82043a0b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Sep 2025 18:06:59 +0300
+Subject: drm/gma500: Fix null dereference in hdmi teardown
+
+From: Zabelin Nikita <n.zabelin@mt-integration.ru>
+
+[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ]
+
+pci_set_drvdata sets the value of pdev->driver_data to NULL,
+after which the driver_data obtained from the same dev is
+dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
+extracted from it. To prevent this, swap these calls.
+
+Found by Linux Verification Center (linuxtesting.org) with Svacer.
+
+Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
+Signed-off-by: Zabelin Nikita <n.zabelin@mt-integration.ru>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+index f4c520893ceb6..93a0a791b8c38 100644
+--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+@@ -741,8 +741,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev)
+       if (hdmi_dev) {
+               pdev = hdmi_dev->dev;
+-              pci_set_drvdata(pdev, NULL);
+               oaktrail_hdmi_i2c_exit(pdev);
++              pci_set_drvdata(pdev, NULL);
+               iounmap(hdmi_dev->regs);
+               kfree(hdmi_dev);
+               pci_dev_put(pdev);
+-- 
+2.51.0
+
index 6984ee48a9455abd877b3e3e5dddbc209f672c6d..10a79af3f4f7c916712e351f11d8ad170ad830b6 100644 (file)
@@ -66,3 +66,4 @@ can-hi311x-populate-ndo_change_mtu-to-prevent-buffer.patch
 can-sun4i_can-populate-ndo_change_mtu-to-prevent-buf.patch
 can-mcba_usb-populate-ndo_change_mtu-to-prevent-buff.patch
 can-peak_usb-fix-shift-out-of-bounds-issue.patch
+drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
diff --git a/queue-6.1/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-6.1/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
new file mode 100644 (file)
index 0000000..45e76d3
--- /dev/null
@@ -0,0 +1,42 @@
+From 42232a4b46259a25df89da67582ae88f22240b70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Sep 2025 18:06:59 +0300
+Subject: drm/gma500: Fix null dereference in hdmi teardown
+
+From: Zabelin Nikita <n.zabelin@mt-integration.ru>
+
+[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ]
+
+pci_set_drvdata sets the value of pdev->driver_data to NULL,
+after which the driver_data obtained from the same dev is
+dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
+extracted from it. To prevent this, swap these calls.
+
+Found by Linux Verification Center (linuxtesting.org) with Svacer.
+
+Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
+Signed-off-by: Zabelin Nikita <n.zabelin@mt-integration.ru>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+index 95b7cb099e638..9c7d9584aac7f 100644
+--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+@@ -724,8 +724,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev)
+       if (hdmi_dev) {
+               pdev = hdmi_dev->dev;
+-              pci_set_drvdata(pdev, NULL);
+               oaktrail_hdmi_i2c_exit(pdev);
++              pci_set_drvdata(pdev, NULL);
+               iounmap(hdmi_dev->regs);
+               kfree(hdmi_dev);
+               pci_dev_put(pdev);
+-- 
+2.51.0
+
diff --git a/queue-6.1/futex-prevent-use-after-free-during-requeue-pi.patch b/queue-6.1/futex-prevent-use-after-free-during-requeue-pi.patch
new file mode 100644 (file)
index 0000000..c7b1bc8
--- /dev/null
@@ -0,0 +1,88 @@
+From f91f67aacab71cd0bc29896f5e4c88c1ac9296d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 12:42:43 +0200
+Subject: futex: Prevent use-after-free during requeue-PI
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit b549113738e8c751b613118032a724b772aa83f2 ]
+
+syzbot managed to trigger the following race:
+
+   T1                               T2
+
+ futex_wait_requeue_pi()
+   futex_do_wait()
+     schedule()
+                               futex_requeue()
+                                 futex_proxy_trylock_atomic()
+                                   futex_requeue_pi_prepare()
+                                   requeue_pi_wake_futex()
+                                     futex_requeue_pi_complete()
+                                      /* preempt */
+
+         * timeout/ signal wakes T1 *
+
+   futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED
+   futex_hash_put()
+  // back to userland, on stack futex_q is garbage
+
+                                      /* back */
+                                     wake_up_state(q->task, TASK_NORMAL);
+
+In this scenario futex_wait_requeue_pi() is able to leave without using
+futex_q::lock_ptr for synchronization.
+
+This can be prevented by reading futex_q::task before updating the
+futex_q::requeue_state. A reference on the task_struct is not needed
+because requeue_pi_wake_futex() is invoked with a spinlock_t held which
+implies a RCU read section.
+
+Even if T1 terminates immediately after, the task_struct will remain valid
+during T2's wake_up_state().  A READ_ONCE on futex_q::task before
+futex_requeue_pi_complete() is enough because it ensures that the variable
+is read before the state is updated.
+
+Read futex_q::task before updating the requeue state, use it for the
+following wakeup.
+
+Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT")
+Reported-by: syzbot+034246a838a10d181e78@syzkaller.appspotmail.com
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Closes: https://lore.kernel.org/all/68b75989.050a0220.3db4df.01dd.GAE@google.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/futex/requeue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
+index cba8b1a6a4cc2..7e43839ca7b05 100644
+--- a/kernel/futex/requeue.c
++++ b/kernel/futex/requeue.c
+@@ -223,18 +223,20 @@ static inline
+ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+                          struct futex_hash_bucket *hb)
+ {
+-      q->key = *key;
++      struct task_struct *task;
++      q->key = *key;
+       __futex_unqueue(q);
+       WARN_ON(!q->rt_waiter);
+       q->rt_waiter = NULL;
+       q->lock_ptr = &hb->lock;
++      task = READ_ONCE(q->task);
+       /* Signal locked state to the waiter */
+       futex_requeue_pi_complete(q, 1);
+-      wake_up_state(q->task, TASK_NORMAL);
++      wake_up_state(task, TASK_NORMAL);
+ }
+ /**
+-- 
+2.51.0
+
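Review bot: In requeue_pi_wake_futex() the new local `task` is safe only as long as `q` is not touched after `futex_requeue_pi_complete(q, 1)`, and the code carries no comment saying so. Per the commit message the waiter can return to userspace once the requeue state is updated, leaving the on-stack futex_q invalid, so a later edit that reads `q->task` or any other field after that call would bring the use-after-free back. I would put `/* q may be gone once the requeue state is updated; use the cached task from here on */` above the `READ_ONCE()` line. It is also worth noting there that the task_struct stays valid only because the caller holds a spinlock_t, which the commit message relies on for the RCU read section. The same hunk is queued for 6.12 below and, per the file list, for 6.16 and 6.6.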
index 8ed9aa9e7b25ed1d1f5d467000539024f434e70c..aa718e250cdc773093580e9f4111ce2dcb85477e 100644 (file)
@@ -41,3 +41,5 @@ net-dsa-lantiq_gswip-do-also-enable-or-disable-cpu-p.patch
 net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch
 net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch
 octeontx2-pf-fix-potential-use-after-free-in-otx2_tc.patch
+drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+futex-prevent-use-after-free-during-requeue-pi.patch
diff --git a/queue-6.12/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-6.12/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
new file mode 100644 (file)
index 0000000..8844e55
--- /dev/null
@@ -0,0 +1,42 @@
+From cf345629545ad87432f871805380b6e5a5d381b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Sep 2025 18:06:59 +0300
+Subject: drm/gma500: Fix null dereference in hdmi teardown
+
+From: Zabelin Nikita <n.zabelin@mt-integration.ru>
+
+[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ]
+
+pci_set_drvdata sets the value of pdev->driver_data to NULL,
+after which the driver_data obtained from the same dev is
+dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
+extracted from it. To prevent this, swap these calls.
+
+Found by Linux Verification Center (linuxtesting.org) with Svacer.
+
+Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
+Signed-off-by: Zabelin Nikita <n.zabelin@mt-integration.ru>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+index ed8626c73541c..f0ae675581d9a 100644
+--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+@@ -726,8 +726,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev)
+       if (hdmi_dev) {
+               pdev = hdmi_dev->dev;
+-              pci_set_drvdata(pdev, NULL);
+               oaktrail_hdmi_i2c_exit(pdev);
++              pci_set_drvdata(pdev, NULL);
+               iounmap(hdmi_dev->regs);
+               kfree(hdmi_dev);
+               pci_dev_put(pdev);
+-- 
+2.51.0
+
diff --git a/queue-6.12/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch b/queue-6.12/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch
new file mode 100644 (file)
index 0000000..8809fd1
--- /dev/null
@@ -0,0 +1,64 @@
+From 19633001c002899dc8b2dcfe227f38f51f4f6838 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Sep 2025 17:43:48 +0100
+Subject: drm/panthor: Defer scheduler entitiy destruction to queue release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Adrián Larumbe <adrian.larumbe@collabora.com>
+
+[ Upstream commit 7d9c3442b02ab7dd3c44e20095a178fd57d2eccb ]
+
+Commit de8548813824 ("drm/panthor: Add the scheduler logical block")
+handled destruction of a group's queues' drm scheduler entities early
+into the group destruction procedure.
+
+However, that races with the group submit ioctl, because by the time
+entities are destroyed (through the group destroy ioctl), the submission
+procedure might've already obtained a group handle, and therefore the
+ability to push jobs into entities. This is met with a DRM error message
+within the drm scheduler core as a situation that should never occur.
+
+Fix by deferring drm scheduler entity destruction to queue release time.
+
+Fixes: de8548813824 ("drm/panthor: Add the scheduler logical block")
+Signed-off-by: Adrián Larumbe <adrian.larumbe@collabora.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://lore.kernel.org/r/20250919164436.531930-1-adrian.larumbe@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panthor/panthor_sched.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c
+index 20135a9bc026e..0bc5b69ec636b 100644
+--- a/drivers/gpu/drm/panthor/panthor_sched.c
++++ b/drivers/gpu/drm/panthor/panthor_sched.c
+@@ -865,8 +865,7 @@ static void group_free_queue(struct panthor_group *group, struct panthor_queue *
+       if (IS_ERR_OR_NULL(queue))
+               return;
+-      if (queue->entity.fence_context)
+-              drm_sched_entity_destroy(&queue->entity);
++      drm_sched_entity_destroy(&queue->entity);
+       if (queue->scheduler.ops)
+               drm_sched_fini(&queue->scheduler);
+@@ -3458,11 +3457,6 @@ int panthor_group_destroy(struct panthor_file *pfile, u32 group_handle)
+       if (!group)
+               return -EINVAL;
+-      for (u32 i = 0; i < group->queue_count; i++) {
+-              if (group->queues[i])
+-                      drm_sched_entity_destroy(&group->queues[i]->entity);
+-      }
+-
+       mutex_lock(&sched->reset.lock);
+       mutex_lock(&sched->lock);
+       group->destroyed = true;
+-- 
+2.51.0
+
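Review bot: The first embedded hunk drops the `queue->entity.fence_context` guard in group_free_queue(), so `drm_sched_entity_destroy()` now runs even on a queue whose entity was never initialised. The lines right after it still test `queue->scheduler.ops` before `drm_sched_fini()`, which suggests partially constructed queues do reach this function, presumably from a queue-creation error path that is not visible here. Unless every caller is known to pass a fully initialised entity, I would keep the guard, `if (queue->entity.fence_context)` followed by `drm_sched_entity_destroy(&queue->entity);`, while still removing the early destroy loop from panthor_group_destroy(). Both function bodies continue outside the hunks, and the file list shows the same patch queued for 6.16.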
diff --git a/queue-6.12/futex-prevent-use-after-free-during-requeue-pi.patch b/queue-6.12/futex-prevent-use-after-free-during-requeue-pi.patch
new file mode 100644 (file)
index 0000000..2c3e8db
--- /dev/null
@@ -0,0 +1,88 @@
+From 71c2180c1f3f1a882e6db1095e26f6fc3186aba9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 12:42:43 +0200
+Subject: futex: Prevent use-after-free during requeue-PI
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit b549113738e8c751b613118032a724b772aa83f2 ]
+
+syzbot managed to trigger the following race:
+
+   T1                               T2
+
+ futex_wait_requeue_pi()
+   futex_do_wait()
+     schedule()
+                               futex_requeue()
+                                 futex_proxy_trylock_atomic()
+                                   futex_requeue_pi_prepare()
+                                   requeue_pi_wake_futex()
+                                     futex_requeue_pi_complete()
+                                      /* preempt */
+
+         * timeout/ signal wakes T1 *
+
+   futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED
+   futex_hash_put()
+  // back to userland, on stack futex_q is garbage
+
+                                      /* back */
+                                     wake_up_state(q->task, TASK_NORMAL);
+
+In this scenario futex_wait_requeue_pi() is able to leave without using
+futex_q::lock_ptr for synchronization.
+
+This can be prevented by reading futex_q::task before updating the
+futex_q::requeue_state. A reference on the task_struct is not needed
+because requeue_pi_wake_futex() is invoked with a spinlock_t held which
+implies a RCU read section.
+
+Even if T1 terminates immediately after, the task_struct will remain valid
+during T2's wake_up_state().  A READ_ONCE on futex_q::task before
+futex_requeue_pi_complete() is enough because it ensures that the variable
+is read before the state is updated.
+
+Read futex_q::task before updating the requeue state, use it for the
+following wakeup.
+
+Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT")
+Reported-by: syzbot+034246a838a10d181e78@syzkaller.appspotmail.com
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Closes: https://lore.kernel.org/all/68b75989.050a0220.3db4df.01dd.GAE@google.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/futex/requeue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
+index b47bb764b3520..559aae55792c6 100644
+--- a/kernel/futex/requeue.c
++++ b/kernel/futex/requeue.c
+@@ -225,18 +225,20 @@ static inline
+ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+                          struct futex_hash_bucket *hb)
+ {
+-      q->key = *key;
++      struct task_struct *task;
++      q->key = *key;
+       __futex_unqueue(q);
+       WARN_ON(!q->rt_waiter);
+       q->rt_waiter = NULL;
+       q->lock_ptr = &hb->lock;
++      task = READ_ONCE(q->task);
+       /* Signal locked state to the waiter */
+       futex_requeue_pi_complete(q, 1);
+-      wake_up_state(q->task, TASK_NORMAL);
++      wake_up_state(task, TASK_NORMAL);
+ }
+ /**
+-- 
+2.51.0
+
diff --git a/queue-6.12/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch b/queue-6.12/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch
new file mode 100644 (file)
index 0000000..9bffbea
--- /dev/null
@@ -0,0 +1,141 @@
+From 184f9321b4ffefff4e183ea4795c046ad2b5aa12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Sep 2025 14:17:17 -0400
+Subject: platform/x86: lg-laptop: Fix WMAB call in fan_mode_store()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Lee <dany97@live.ca>
+
+[ Upstream commit 3ed17349f18774c24505b0c21dfbd3cc4f126518 ]
+
+When WMAB is called to set the fan mode, the new mode is read from either
+bits 0-1 or bits 4-5 (depending on the value of some other EC register).
+Thus when WMAB is called with bits 4-5 zeroed and called again with
+bits 0-1 zeroed, the second call undoes the effect of the first call.
+This causes writes to /sys/devices/platform/lg-laptop/fan_mode to have
+no effect (and causes reads to always report a status of zero).
+
+Fix this by calling WMAB once, with the mode set in bits 0,1 and 4,5.
+When the fan mode is returned from WMAB it always has this form, so
+there is no need to preserve the other bits.  As a bonus, the driver
+now supports the "Performance" fan mode seen in the LG-provided Windows
+control app, which provides less aggressive CPU throttling but louder
+fan noise and shorter battery life.
+
+Also, correct the documentation to reflect that 0 corresponds to the
+default mode (what the Windows app calls "Optimal") and 1 corresponds
+to the silent mode.
+
+Fixes: dbf0c5a6b1f8 ("platform/x86: Add LG Gram laptop special features driver")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=204913#c4
+Signed-off-by: Daniel Lee <dany97@live.ca>
+Link: https://patch.msgid.link/MN2PR06MB55989CB10E91C8DA00EE868DDC1CA@MN2PR06MB5598.namprd06.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../admin-guide/laptops/lg-laptop.rst         |  4 +--
+ drivers/platform/x86/lg-laptop.c              | 34 ++++++++-----------
+ 2 files changed, 16 insertions(+), 22 deletions(-)
+
+diff --git a/Documentation/admin-guide/laptops/lg-laptop.rst b/Documentation/admin-guide/laptops/lg-laptop.rst
+index 67fd6932cef4f..c4dd534f91edd 100644
+--- a/Documentation/admin-guide/laptops/lg-laptop.rst
++++ b/Documentation/admin-guide/laptops/lg-laptop.rst
+@@ -48,8 +48,8 @@ This value is reset to 100 when the kernel boots.
+ Fan mode
+ --------
+-Writing 1/0 to /sys/devices/platform/lg-laptop/fan_mode disables/enables
+-the fan silent mode.
++Writing 0/1/2 to /sys/devices/platform/lg-laptop/fan_mode sets fan mode to
++Optimal/Silent/Performance respectively.
+ USB charge
+diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c
+index 4b57102c7f627..6af6cf477c5b5 100644
+--- a/drivers/platform/x86/lg-laptop.c
++++ b/drivers/platform/x86/lg-laptop.c
+@@ -8,6 +8,7 @@
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+ #include <linux/acpi.h>
++#include <linux/bitfield.h>
+ #include <linux/bits.h>
+ #include <linux/device.h>
+ #include <linux/dev_printk.h>
+@@ -75,6 +76,9 @@ MODULE_PARM_DESC(fw_debug, "Enable printing of firmware debug messages");
+ #define WMBB_USB_CHARGE 0x10B
+ #define WMBB_BATT_LIMIT 0x10C
++#define FAN_MODE_LOWER GENMASK(1, 0)
++#define FAN_MODE_UPPER GENMASK(5, 4)
++
+ #define PLATFORM_NAME   "lg-laptop"
+ MODULE_ALIAS("wmi:" WMI_EVENT_GUID0);
+@@ -274,29 +278,19 @@ static ssize_t fan_mode_store(struct device *dev,
+                             struct device_attribute *attr,
+                             const char *buffer, size_t count)
+ {
+-      bool value;
++      unsigned long value;
+       union acpi_object *r;
+-      u32 m;
+       int ret;
+-      ret = kstrtobool(buffer, &value);
++      ret = kstrtoul(buffer, 10, &value);
+       if (ret)
+               return ret;
++      if (value >= 3)
++              return -EINVAL;
+-      r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0);
+-      if (!r)
+-              return -EIO;
+-
+-      if (r->type != ACPI_TYPE_INTEGER) {
+-              kfree(r);
+-              return -EIO;
+-      }
+-
+-      m = r->integer.value;
+-      kfree(r);
+-      r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xffffff0f) | (value << 4));
+-      kfree(r);
+-      r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xfffffff0) | value);
++      r = lg_wmab(dev, WM_FAN_MODE, WM_SET,
++              FIELD_PREP(FAN_MODE_LOWER, value) |
++              FIELD_PREP(FAN_MODE_UPPER, value));
+       kfree(r);
+       return count;
+@@ -305,7 +299,7 @@ static ssize_t fan_mode_store(struct device *dev,
+ static ssize_t fan_mode_show(struct device *dev,
+                            struct device_attribute *attr, char *buffer)
+ {
+-      unsigned int status;
++      unsigned int mode;
+       union acpi_object *r;
+       r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0);
+@@ -317,10 +311,10 @@ static ssize_t fan_mode_show(struct device *dev,
+               return -EIO;
+       }
+-      status = r->integer.value & 0x01;
++      mode = FIELD_GET(FAN_MODE_LOWER, r->integer.value);
+       kfree(r);
+-      return sysfs_emit(buffer, "%d\n", status);
++      return sysfs_emit(buffer, "%d\n", mode);
+ }
+ static ssize_t usb_charge_store(struct device *dev,
+-- 
+2.51.0
+
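Review bot: In fan_mode_store() the result of the single `lg_wmab(dev, WM_FAN_MODE, WM_SET, ...)` call is freed without being checked, so a failed firmware call still returns `count` and the write looks successful to userspace. The removed code treated a NULL return from the WM_GET call as `-EIO`, and the set path should do the same with `if (!r)` / `return -EIO;` before `kfree(r);`. Separately, fan_mode_show() prints the `unsigned int mode` with `"%d\n"`, where `"%u\n"` matches the type. The bound in `value >= 3` would also read better as a named constant for the number of fan modes, next to `FAN_MODE_LOWER` and `FAN_MODE_UPPER`.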
index 02db66d5e92db1db247f7f427543b67348b4ff9a..7865289a16616f0eea2b0a78a7616626a3120bf6 100644 (file)
@@ -58,3 +58,8 @@ octeontx2-pf-fix-potential-use-after-free-in-otx2_tc.patch
 mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_al.patch
 mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before.patch
 mm-folio_may_be_lru_cached-unless-folio_test_large.patch
+drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+futex-prevent-use-after-free-during-requeue-pi.patch
+drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch
+platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch
+smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
diff --git a/queue-6.12/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch b/queue-6.12/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
new file mode 100644 (file)
index 0000000..fd3fba5
--- /dev/null
@@ -0,0 +1,41 @@
+From a868cfa5a1c8e69db8bdd9897340e552caba3cf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Sep 2025 17:16:45 +0900
+Subject: smb: client: fix wrong index reference in smb2_compound_op()
+
+From: Sang-Heon Jeon <ekffu200098@gmail.com>
+
+[ Upstream commit fbe2dc6a9c7318f7263f5e4d50f6272b931c5756 ]
+
+In smb2_compound_op(), the loop that processes each command's response
+uses wrong indices when accessing response bufferes.
+
+This incorrect indexing leads to improper handling of command results.
+Also, if incorrectly computed index is greather than or equal to
+MAX_COMPOUND, it can cause out-of-bounds accesses.
+
+Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
+index b51ccfb884394..104a563dc317f 100644
+--- a/fs/smb/client/smb2inode.c
++++ b/fs/smb/client/smb2inode.c
+@@ -641,7 +641,7 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
+       tmp_rc = rc;
+       for (i = 0; i < num_cmds; i++) {
+-              char *buf = rsp_iov[i + i].iov_base;
++              char *buf = rsp_iov[i + 1].iov_base;
+               if (buf && resp_buftype[i + 1] != CIFS_NO_BUFFER)
+                       rc = server->ops->map_error(buf, false);
+-- 
+2.51.0
+
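Review bot: In the smb2_compound_op() loop the response slot is still computed twice, once in `rsp_iov[i + 1]` and once in `resp_buftype[i + 1]`, and the mistyped `i + i` on the removed line shows how easily the two copies can drift apart. Computing it once, for example `const int rsp_idx = i + 1;`, and indexing both arrays with `rsp_idx` keeps them in step. The hunk also does not show that `num_cmds + 1` stays within MAX_COMPOUND, the bound the commit message names for these accesses. If that is not enforced earlier in the function, which lies outside this hunk, a check before the loop would rule out the out-of-bounds case rather than rely on the index expression alone. The file list shows the same patch queued for 6.16 and 6.6.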
diff --git a/queue-6.16/drm-amd-display-remove-output_tf_change-flag.patch b/queue-6.16/drm-amd-display-remove-output_tf_change-flag.patch
new file mode 100644 (file)
index 0000000..b80d1b8
--- /dev/null
@@ -0,0 +1,77 @@
+From a80ea5f5f03a4ad4121ac60eefd7b9c9f4342b3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 18:51:05 -0300
+Subject: drm/amd/display: remove output_tf_change flag
+
+From: Melissa Wen <mwen@igalia.com>
+
+[ Upstream commit 41b1f9fcba62b06195e625bb88c1031102892439 ]
+
+Remove this flag as the driver stopped managing it individually since
+commit a4056c2a6344 ("drm/amd/display: use HW hdr mult for brightness
+boost"). After some back and forth it was reintroduced as a condition to
+`set_output_transfer_func()` in [1]. Without direct management, this
+flag only changes value when all surface update flags are set true on
+UPDATE_TYPE_FULL with no output TF status meaning.
+
+Fixes: bb622e0c0044 ("drm/amd/display: program output tf when required") [1]
+Signed-off-by: Melissa Wen <mwen@igalia.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 752e6f283ec59ae007aa15a93d5a4b2eefa8cec9)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dc.h                       | 1 -
+ drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c   | 6 ++----
+ drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 ++----
+ 3 files changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h
+index 7dfbfb18593c1..f037f2d83400b 100644
+--- a/drivers/gpu/drm/amd/display/dc/dc.h
++++ b/drivers/gpu/drm/amd/display/dc/dc.h
+@@ -1292,7 +1292,6 @@ union surface_update_flags {
+               uint32_t in_transfer_func_change:1;
+               uint32_t input_csc_change:1;
+               uint32_t coeff_reduction_change:1;
+-              uint32_t output_tf_change:1;
+               uint32_t pixel_format_change:1;
+               uint32_t plane_size_change:1;
+               uint32_t gamut_remap_change:1;
+diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c
+index 454e362ff096a..c0127d8b5b396 100644
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c
+@@ -1990,10 +1990,8 @@ static void dcn20_program_pipe(
+        * updating on slave planes
+        */
+       if (pipe_ctx->update_flags.bits.enable ||
+-              pipe_ctx->update_flags.bits.plane_changed ||
+-              pipe_ctx->stream->update_flags.bits.out_tf ||
+-              (pipe_ctx->plane_state &&
+-                      pipe_ctx->plane_state->update_flags.bits.output_tf_change))
++          pipe_ctx->update_flags.bits.plane_changed ||
++          pipe_ctx->stream->update_flags.bits.out_tf)
+               hws->funcs.set_output_transfer_func(dc, pipe_ctx, pipe_ctx->stream);
+       /* If the pipe has been enabled or has a different opp, we
+diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+index c4177a9a662fa..c68d01f378602 100644
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+@@ -2289,10 +2289,8 @@ void dcn401_program_pipe(
+        * updating on slave planes
+        */
+       if (pipe_ctx->update_flags.bits.enable ||
+-              pipe_ctx->update_flags.bits.plane_changed ||
+-              pipe_ctx->stream->update_flags.bits.out_tf ||
+-              (pipe_ctx->plane_state &&
+-                      pipe_ctx->plane_state->update_flags.bits.output_tf_change))
++          pipe_ctx->update_flags.bits.plane_changed ||
++          pipe_ctx->stream->update_flags.bits.out_tf)
+               hws->funcs.set_output_transfer_func(dc, pipe_ctx, pipe_ctx->stream);
+       /* If the pipe has been enabled or has a different opp, we
+-- 
+2.51.0
+
diff --git a/queue-6.16/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-6.16/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
new file mode 100644 (file)
index 0000000..728c167
--- /dev/null
@@ -0,0 +1,42 @@
+From 75924c92cdf027ab521f179933aa59976d5e3c34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Sep 2025 18:06:59 +0300
+Subject: drm/gma500: Fix null dereference in hdmi teardown
+
+From: Zabelin Nikita <n.zabelin@mt-integration.ru>
+
+[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ]
+
+pci_set_drvdata sets the value of pdev->driver_data to NULL,
+after which the driver_data obtained from the same dev is
+dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
+extracted from it. To prevent this, swap these calls.
+
+Found by Linux Verification Center (linuxtesting.org) with Svacer.
+
+Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
+Signed-off-by: Zabelin Nikita <n.zabelin@mt-integration.ru>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+index 1cf3943691277..c0feca58511df 100644
+--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+@@ -726,8 +726,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev)
+       if (hdmi_dev) {
+               pdev = hdmi_dev->dev;
+-              pci_set_drvdata(pdev, NULL);
+               oaktrail_hdmi_i2c_exit(pdev);
++              pci_set_drvdata(pdev, NULL);
+               iounmap(hdmi_dev->regs);
+               kfree(hdmi_dev);
+               pci_dev_put(pdev);
+-- 
+2.51.0
+
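Review bot: The ordering this fix depends on is not recorded in the code: nothing in oaktrail_hdmi_teardown() says that `oaktrail_hdmi_i2c_exit(pdev)` must run before `pci_set_drvdata(pdev, NULL)`. Per the commit message the exit helper reads the driver data back from the same device, so a later tidy-up that clears drvdata first would bring the NULL dereference back. A one-line comment above the call, e.g. `/* i2c_exit() reads pci drvdata; clear it only afterwards */`, would pin this down. The same hunk is carried in the queue-6.6 copy of this patch further down the page, and the function continues outside the hunk.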
diff --git a/queue-6.16/drm-i915-ddi-guard-reg_val-against-a-invalid_transco.patch b/queue-6.16/drm-i915-ddi-guard-reg_val-against-a-invalid_transco.patch
new file mode 100644 (file)
index 0000000..037e211
--- /dev/null
@@ -0,0 +1,47 @@
+From 34ec1a54b1103484c087a1467ea453779a836e47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Sep 2025 09:52:08 +0530
+Subject: drm/i915/ddi: Guard reg_val against a INVALID_TRANSCODER
+
+From: Suraj Kandpal <suraj.kandpal@intel.com>
+
+[ Upstream commit 7f97a0a871d9532f2e1a5ee7d16d0e364215bcac ]
+
+Currently we check if the encoder is INVALID or -1 and throw a
+WARN_ON but we still end up writing the temp value which will
+overflow and corrupt the whole programmed value.
+
+--v2
+-Assign a bogus transcoder to master in case we get a INVALID
+TRANSCODER [Jani]
+
+Fixes: 6671c367a9bea ("drm/i915/tgl: Select master transcoder for MST stream")
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://lore.kernel.org/r/20250908042208.1011144-1-suraj.kandpal@intel.com
+(cherry picked from commit c8e8e9ab14a6ea926641d161768e1e3ef286a853)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_ddi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_ddi.c b/drivers/gpu/drm/i915/display/intel_ddi.c
+index d58f8fc373265..55b8bfcf364ae 100644
+--- a/drivers/gpu/drm/i915/display/intel_ddi.c
++++ b/drivers/gpu/drm/i915/display/intel_ddi.c
+@@ -593,8 +593,9 @@ intel_ddi_transcoder_func_reg_val_get(struct intel_encoder *encoder,
+                       enum transcoder master;
+                       master = crtc_state->mst_master_transcoder;
+-                      drm_WARN_ON(display->drm,
+-                                  master == INVALID_TRANSCODER);
++                      if (drm_WARN_ON(display->drm,
++                                      master == INVALID_TRANSCODER))
++                              master = TRANSCODER_A;
+                       temp |= TRANS_DDI_MST_TRANSPORT_SELECT(master);
+               }
+       } else {
+-- 
+2.51.0
+
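Review bot: The fallback `master = TRANSCODER_A;` carries no comment and reads like a real selection rather than a placeholder. The commit message describes it as a bogus transcoder, assigned only so that `TRANS_DDI_MST_TRANSPORT_SELECT(master)` stays inside its field when `mst_master_transcoder` is INVALID_TRANSCODER. A comment on that line such as `/* bogus but in-range value; keeps the field from corrupting temp */` would say so. The register is still programmed with a master that was never selected, so the WARN is the only signal of the fault. The enclosing function starts and ends outside the hunk.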
diff --git a/queue-6.16/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch b/queue-6.16/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch
new file mode 100644 (file)
index 0000000..d090c21
--- /dev/null
@@ -0,0 +1,64 @@
+From 390f93d0562fb1a5fedf1928c86e7082dd0297cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Sep 2025 17:43:48 +0100
+Subject: drm/panthor: Defer scheduler entitiy destruction to queue release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Adrián Larumbe <adrian.larumbe@collabora.com>
+
+[ Upstream commit 7d9c3442b02ab7dd3c44e20095a178fd57d2eccb ]
+
+Commit de8548813824 ("drm/panthor: Add the scheduler logical block")
+handled destruction of a group's queues' drm scheduler entities early
+into the group destruction procedure.
+
+However, that races with the group submit ioctl, because by the time
+entities are destroyed (through the group destroy ioctl), the submission
+procedure might've already obtained a group handle, and therefore the
+ability to push jobs into entities. This is met with a DRM error message
+within the drm scheduler core as a situation that should never occur.
+
+Fix by deferring drm scheduler entity destruction to queue release time.
+
+Fixes: de8548813824 ("drm/panthor: Add the scheduler logical block")
+Signed-off-by: Adrián Larumbe <adrian.larumbe@collabora.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://lore.kernel.org/r/20250919164436.531930-1-adrian.larumbe@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panthor/panthor_sched.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c
+index 43ee57728de54..e927d80d6a2af 100644
+--- a/drivers/gpu/drm/panthor/panthor_sched.c
++++ b/drivers/gpu/drm/panthor/panthor_sched.c
+@@ -886,8 +886,7 @@ static void group_free_queue(struct panthor_group *group, struct panthor_queue *
+       if (IS_ERR_OR_NULL(queue))
+               return;
+-      if (queue->entity.fence_context)
+-              drm_sched_entity_destroy(&queue->entity);
++      drm_sched_entity_destroy(&queue->entity);
+       if (queue->scheduler.ops)
+               drm_sched_fini(&queue->scheduler);
+@@ -3558,11 +3557,6 @@ int panthor_group_destroy(struct panthor_file *pfile, u32 group_handle)
+       if (!group)
+               return -EINVAL;
+-      for (u32 i = 0; i < group->queue_count; i++) {
+-              if (group->queues[i])
+-                      drm_sched_entity_destroy(&group->queues[i]->entity);
+-      }
+-
+       mutex_lock(&sched->reset.lock);
+       mutex_lock(&sched->lock);
+       group->destroyed = true;
+-- 
+2.51.0
+
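Review bot: In group_free_queue() the `if (queue->entity.fence_context)` guard is dropped, so `drm_sched_entity_destroy(&queue->entity)` now runs for every non-NULL queue, while the very next statement still guards `drm_sched_fini()` with `if (queue->scheduler.ops)`. That remaining guard suggests this function is also reached for queues whose set-up stopped part-way; if so, the entity may never have been initialised when it is destroyed here. Either confirm that destroying a never-initialised entity is harmless, or keep the check, `if (queue->entity.fence_context) drm_sched_entity_destroy(&queue->entity);`. The rest of the function is outside the hunk.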
diff --git a/queue-6.16/drm-xe-fix-build-with-config_modules-n.patch b/queue-6.16/drm-xe-fix-build-with-config_modules-n.patch
new file mode 100644 (file)
index 0000000..2b232f5
--- /dev/null
@@ -0,0 +1,52 @@
+From 8812ffe47ffdcd19de216826ca21b9f73a421c1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Sep 2025 14:54:51 -0700
+Subject: drm/xe: Fix build with CONFIG_MODULES=n
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+[ Upstream commit b67e7422d229dead0dddaad7e7c05558f24d552f ]
+
+When building with CONFIG_MODULES=n, the __exit functions are dropped.
+However our init functions may call them for error handling, so they are
+not good candidates for the exit sections.
+
+Fix this error reported by 0day:
+
+       ld.lld: error: relocation refers to a symbol in a discarded section: xe_configfs_exit
+       >>> defined in vmlinux.a(drivers/gpu/drm/xe/xe_configfs.o)
+       >>> referenced by xe_module.c
+       >>>               drivers/gpu/drm/xe/xe_module.o:(init_funcs) in archive vmlinux.a
+
+This is the only exit function using __exit. Drop it to fix the build.
+
+Cc: Riana Tauro <riana.tauro@intel.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506092221.1FmUQmI8-lkp@intel.com/
+Fixes: 16280ded45fb ("drm/xe: Add configfs to enable survivability mode")
+Reviewed-by: Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>
+Link: https://lore.kernel.org/r/20250912-fix-nomodule-build-v1-1-d11b70a92516@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit d9b2623319fa20c2206754284291817488329648)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_configfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_configfs.c b/drivers/gpu/drm/xe/xe_configfs.c
+index 9a2b96b111ef5..2b591ed055612 100644
+--- a/drivers/gpu/drm/xe/xe_configfs.c
++++ b/drivers/gpu/drm/xe/xe_configfs.c
+@@ -244,7 +244,7 @@ int __init xe_configfs_init(void)
+       return 0;
+ }
+-void __exit xe_configfs_exit(void)
++void xe_configfs_exit(void)
+ {
+       configfs_unregister_subsystem(&xe_configfs);
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.16/drm-xe-vf-don-t-expose-sysfs-attributes-not-applicab.patch b/queue-6.16/drm-xe-vf-don-t-expose-sysfs-attributes-not-applicab.patch
new file mode 100644 (file)
index 0000000..fa50d14
--- /dev/null
@@ -0,0 +1,54 @@
+From 94361615c92670fa595dfae130617b54c286d23b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Sep 2025 19:00:28 +0200
+Subject: drm/xe/vf: Don't expose sysfs attributes not applicable for VFs
+
+From: Michal Wajdeczko <michal.wajdeczko@intel.com>
+
+[ Upstream commit 500dad428e5b0de4c1bdfa893822a6e06ddad0b5 ]
+
+VFs can't read BMG_PCIE_CAP(0x138340) register nor access PCODE
+(already guarded by the info.skip_pcode flag) so we shouldn't
+expose attributes that require any of them to avoid errors like:
+
+ [] xe 0000:03:00.1: [drm] Tile0: GT0: VF is trying to read an \
+                     inaccessible register 0x138340+0x0
+ [] RIP: 0010:xe_gt_sriov_vf_read32+0x6c2/0x9a0 [xe]
+ [] Call Trace:
+ []  xe_mmio_read32+0x110/0x280 [xe]
+ []  auto_link_downgrade_capable_show+0x2e/0x70 [xe]
+ []  dev_attr_show+0x1a/0x70
+ []  sysfs_kf_seq_show+0xaa/0x120
+ []  kernfs_seq_show+0x41/0x60
+
+Fixes: 0e414bf7ad01 ("drm/xe: Expose PCIe link downgrade attributes")
+Fixes: cdc36b66cd41 ("drm/xe: Expose fan control and voltage regulator version")
+Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Cc: Lukasz Laguna <lukasz.laguna@intel.com>
+Reviewed-by: Raag Jadav <raag.jadav@intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Link: https://lore.kernel.org/r/20250916170029.3313-2-michal.wajdeczko@intel.com
+(cherry picked from commit a2d6223d224f333f705ed8495bf8bebfbc585c35)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_device_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_device_sysfs.c b/drivers/gpu/drm/xe/xe_device_sysfs.c
+index b9440f8c781e3..652da4d294c0b 100644
+--- a/drivers/gpu/drm/xe/xe_device_sysfs.c
++++ b/drivers/gpu/drm/xe/xe_device_sysfs.c
+@@ -166,7 +166,7 @@ int xe_device_sysfs_init(struct xe_device *xe)
+                       return ret;
+       }
+-      if (xe->info.platform == XE_BATTLEMAGE) {
++      if (xe->info.platform == XE_BATTLEMAGE && !IS_SRIOV_VF(xe)) {
+               ret = sysfs_create_files(&dev->kobj, auto_link_downgrade_attrs);
+               if (ret)
+                       return ret;
+-- 
+2.51.0
+
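Review bot: Only the `auto_link_downgrade_attrs` creation is visibly placed behind `!IS_SRIOV_VF(xe)` in xe_device_sysfs_init(), although the commit carries a second Fixes tag for the fan control and voltage regulator version attributes. The block opened by this `if` continues outside the hunk, so it cannot be seen here whether those attributes are created inside it in the 6.16 tree. The message says PCODE access is already covered by `info.skip_pcode`; that is worth confirming for this backport, so a VF cannot reach the inaccessible register through a remaining attribute.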
diff --git a/queue-6.16/futex-prevent-use-after-free-during-requeue-pi.patch b/queue-6.16/futex-prevent-use-after-free-during-requeue-pi.patch
new file mode 100644 (file)
index 0000000..726aa5f
--- /dev/null
@@ -0,0 +1,89 @@
+From 2c87b95bc7d75c9a308d7c4647c66afda9d4e853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 12:42:43 +0200
+Subject: futex: Prevent use-after-free during requeue-PI
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit b549113738e8c751b613118032a724b772aa83f2 ]
+
+syzbot managed to trigger the following race:
+
+   T1                               T2
+
+ futex_wait_requeue_pi()
+   futex_do_wait()
+     schedule()
+                               futex_requeue()
+                                 futex_proxy_trylock_atomic()
+                                   futex_requeue_pi_prepare()
+                                   requeue_pi_wake_futex()
+                                     futex_requeue_pi_complete()
+                                      /* preempt */
+
+         * timeout/ signal wakes T1 *
+
+   futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED
+   futex_hash_put()
+  // back to userland, on stack futex_q is garbage
+
+                                      /* back */
+                                     wake_up_state(q->task, TASK_NORMAL);
+
+In this scenario futex_wait_requeue_pi() is able to leave without using
+futex_q::lock_ptr for synchronization.
+
+This can be prevented by reading futex_q::task before updating the
+futex_q::requeue_state. A reference on the task_struct is not needed
+because requeue_pi_wake_futex() is invoked with a spinlock_t held which
+implies a RCU read section.
+
+Even if T1 terminates immediately after, the task_struct will remain valid
+during T2's wake_up_state().  A READ_ONCE on futex_q::task before
+futex_requeue_pi_complete() is enough because it ensures that the variable
+is read before the state is updated.
+
+Read futex_q::task before updating the requeue state, use it for the
+following wakeup.
+
+Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT")
+Reported-by: syzbot+034246a838a10d181e78@syzkaller.appspotmail.com
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Closes: https://lore.kernel.org/all/68b75989.050a0220.3db4df.01dd.GAE@google.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/futex/requeue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
+index c716a66f86929..d818b4d47f1ba 100644
+--- a/kernel/futex/requeue.c
++++ b/kernel/futex/requeue.c
+@@ -230,8 +230,9 @@ static inline
+ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+                          struct futex_hash_bucket *hb)
+ {
+-      q->key = *key;
++      struct task_struct *task;
++      q->key = *key;
+       __futex_unqueue(q);
+       WARN_ON(!q->rt_waiter);
+@@ -243,10 +244,11 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+       futex_hash_get(hb);
+       q->drop_hb_ref = true;
+       q->lock_ptr = &hb->lock;
++      task = READ_ONCE(q->task);
+       /* Signal locked state to the waiter */
+       futex_requeue_pi_complete(q, 1);
+-      wake_up_state(q->task, TASK_NORMAL);
++      wake_up_state(task, TASK_NORMAL);
+ }
+ /**
+-- 
+2.51.0
+
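Review bot: The new `task = READ_ONCE(q->task);` in requeue_pi_wake_futex() has no comment saying why it must come before `futex_requeue_pi_complete(q, 1)`. The commit message explains that once the state is updated the waiter can return to user space and its on-stack futex_q is gone, so `q` must not be touched afterwards. Without that in the code, a clean-up that folds the local back into `wake_up_state(q->task, ...)` would reintroduce the use-after-free. I would add, above the READ_ONCE line, `/* q may be gone once the requeue state is updated; sample the task first */`. The same patch appears in the other queue directories of this commit.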
diff --git a/queue-6.16/futex-use-correct-exit-on-failure-from-futex_hash_al.patch b/queue-6.16/futex-use-correct-exit-on-failure-from-futex_hash_al.patch
new file mode 100644 (file)
index 0000000..c4725d2
--- /dev/null
@@ -0,0 +1,46 @@
+From 7d512f9bcf2e974ea5e578e4eeae80851109d59d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Sep 2025 15:09:45 +0200
+Subject: futex: Use correct exit on failure from futex_hash_allocate_default()
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 4ec3c15462b9f44562f45723a92e2807746ba7d1 ]
+
+copy_process() uses the wrong error exit path from futex_hash_allocate_default().
+After exiting from futex_hash_allocate_default(), neither tasklist_lock
+nor siglock has been acquired. The exit label bad_fork_core_free unlocks
+both of these locks which is wrong.
+
+The next exit label, bad_fork_cancel_cgroup, is the correct exit.
+sched_cgroup_fork() did not allocate any resources that need to freed.
+
+Use bad_fork_cancel_cgroup on error exit from futex_hash_allocate_default().
+
+Fixes: 7c4f75a21f636 ("futex: Allow automatic allocation of process wide futex hash")
+Reported-by: syzbot+80cb3cc5c14fad191a10@syzkaller.appspotmail.com
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Closes: https://lore.kernel.org/all/68cb1cbd.050a0220.2ff435.0599.GAE@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/fork.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 1ee8eb11f38ba..0cbc174da76ac 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -2289,7 +2289,7 @@ __latent_entropy struct task_struct *copy_process(
+       if (need_futex_hash_allocate_default(clone_flags)) {
+               retval = futex_hash_allocate_default();
+               if (retval)
+-                      goto bad_fork_core_free;
++                      goto bad_fork_cancel_cgroup;
+               /*
+                * If we fail beyond this point we don't free the allocated
+                * futex hash map. We assume that another thread will be created
+-- 
+2.51.0
+
diff --git a/queue-6.16/gpio-regmap-fix-memory-leak-of-gpio_regmap-structure.patch b/queue-6.16/gpio-regmap-fix-memory-leak-of-gpio_regmap-structure.patch
new file mode 100644 (file)
index 0000000..f6c4613
--- /dev/null
@@ -0,0 +1,39 @@
+From b6ed2bc22892267cf1fb29615c310b902267c015 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 17:24:21 +0300
+Subject: gpio: regmap: fix memory leak of gpio_regmap structure
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit 3bd44edd6c55828fd4e11cb0efce5b7160bfa2de ]
+
+The gpio_regmap structure is leaked on the error path. Fix this by
+jumping to the appropriate kfree instead of returning directly.
+
+Fixes: db305161880a ("gpio: regmap: Allow ngpio to be read from the property")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Suggested-by: Michael Walle <mwalle@kernel.org>
+Reviewed-by: Michael Walle <mwalle@kernel.org>
+Link: https://lore.kernel.org/r/20250922142427.3310221-7-ioana.ciornei@nxp.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-regmap.c b/drivers/gpio/gpio-regmap.c
+index 87c4225784cfa..b3b84a404485e 100644
+--- a/drivers/gpio/gpio-regmap.c
++++ b/drivers/gpio/gpio-regmap.c
+@@ -274,7 +274,7 @@ struct gpio_regmap *gpio_regmap_register(const struct gpio_regmap_config *config
+       if (!chip->ngpio) {
+               ret = gpiochip_get_ngpios(chip, chip->parent);
+               if (ret)
+-                      return ERR_PTR(ret);
++                      goto err_free_gpio;
+       }
+       /* if not set, assume there is only one register */
+-- 
+2.51.0
+
diff --git a/queue-6.16/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch b/queue-6.16/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch
new file mode 100644 (file)
index 0000000..652c6c2
--- /dev/null
@@ -0,0 +1,141 @@
+From df497b94ae5eff3e9fabeec0de9a6cb079691fb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Sep 2025 14:17:17 -0400
+Subject: platform/x86: lg-laptop: Fix WMAB call in fan_mode_store()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Lee <dany97@live.ca>
+
+[ Upstream commit 3ed17349f18774c24505b0c21dfbd3cc4f126518 ]
+
+When WMAB is called to set the fan mode, the new mode is read from either
+bits 0-1 or bits 4-5 (depending on the value of some other EC register).
+Thus when WMAB is called with bits 4-5 zeroed and called again with
+bits 0-1 zeroed, the second call undoes the effect of the first call.
+This causes writes to /sys/devices/platform/lg-laptop/fan_mode to have
+no effect (and causes reads to always report a status of zero).
+
+Fix this by calling WMAB once, with the mode set in bits 0,1 and 4,5.
+When the fan mode is returned from WMAB it always has this form, so
+there is no need to preserve the other bits.  As a bonus, the driver
+now supports the "Performance" fan mode seen in the LG-provided Windows
+control app, which provides less aggressive CPU throttling but louder
+fan noise and shorter battery life.
+
+Also, correct the documentation to reflect that 0 corresponds to the
+default mode (what the Windows app calls "Optimal") and 1 corresponds
+to the silent mode.
+
+Fixes: dbf0c5a6b1f8 ("platform/x86: Add LG Gram laptop special features driver")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=204913#c4
+Signed-off-by: Daniel Lee <dany97@live.ca>
+Link: https://patch.msgid.link/MN2PR06MB55989CB10E91C8DA00EE868DDC1CA@MN2PR06MB5598.namprd06.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../admin-guide/laptops/lg-laptop.rst         |  4 +--
+ drivers/platform/x86/lg-laptop.c              | 34 ++++++++-----------
+ 2 files changed, 16 insertions(+), 22 deletions(-)
+
+diff --git a/Documentation/admin-guide/laptops/lg-laptop.rst b/Documentation/admin-guide/laptops/lg-laptop.rst
+index 67fd6932cef4f..c4dd534f91edd 100644
+--- a/Documentation/admin-guide/laptops/lg-laptop.rst
++++ b/Documentation/admin-guide/laptops/lg-laptop.rst
+@@ -48,8 +48,8 @@ This value is reset to 100 when the kernel boots.
+ Fan mode
+ --------
+-Writing 1/0 to /sys/devices/platform/lg-laptop/fan_mode disables/enables
+-the fan silent mode.
++Writing 0/1/2 to /sys/devices/platform/lg-laptop/fan_mode sets fan mode to
++Optimal/Silent/Performance respectively.
+ USB charge
+diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c
+index 4b57102c7f627..6af6cf477c5b5 100644
+--- a/drivers/platform/x86/lg-laptop.c
++++ b/drivers/platform/x86/lg-laptop.c
+@@ -8,6 +8,7 @@
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+ #include <linux/acpi.h>
++#include <linux/bitfield.h>
+ #include <linux/bits.h>
+ #include <linux/device.h>
+ #include <linux/dev_printk.h>
+@@ -75,6 +76,9 @@ MODULE_PARM_DESC(fw_debug, "Enable printing of firmware debug messages");
+ #define WMBB_USB_CHARGE 0x10B
+ #define WMBB_BATT_LIMIT 0x10C
++#define FAN_MODE_LOWER GENMASK(1, 0)
++#define FAN_MODE_UPPER GENMASK(5, 4)
++
+ #define PLATFORM_NAME   "lg-laptop"
+ MODULE_ALIAS("wmi:" WMI_EVENT_GUID0);
+@@ -274,29 +278,19 @@ static ssize_t fan_mode_store(struct device *dev,
+                             struct device_attribute *attr,
+                             const char *buffer, size_t count)
+ {
+-      bool value;
++      unsigned long value;
+       union acpi_object *r;
+-      u32 m;
+       int ret;
+-      ret = kstrtobool(buffer, &value);
++      ret = kstrtoul(buffer, 10, &value);
+       if (ret)
+               return ret;
++      if (value >= 3)
++              return -EINVAL;
+-      r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0);
+-      if (!r)
+-              return -EIO;
+-
+-      if (r->type != ACPI_TYPE_INTEGER) {
+-              kfree(r);
+-              return -EIO;
+-      }
+-
+-      m = r->integer.value;
+-      kfree(r);
+-      r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xffffff0f) | (value << 4));
+-      kfree(r);
+-      r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xfffffff0) | value);
++      r = lg_wmab(dev, WM_FAN_MODE, WM_SET,
++              FIELD_PREP(FAN_MODE_LOWER, value) |
++              FIELD_PREP(FAN_MODE_UPPER, value));
+       kfree(r);
+       return count;
+@@ -305,7 +299,7 @@ static ssize_t fan_mode_store(struct device *dev,
+ static ssize_t fan_mode_show(struct device *dev,
+                            struct device_attribute *attr, char *buffer)
+ {
+-      unsigned int status;
++      unsigned int mode;
+       union acpi_object *r;
+       r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0);
+@@ -317,10 +311,10 @@ static ssize_t fan_mode_show(struct device *dev,
+               return -EIO;
+       }
+-      status = r->integer.value & 0x01;
++      mode = FIELD_GET(FAN_MODE_LOWER, r->integer.value);
+       kfree(r);
+-      return sysfs_emit(buffer, "%d\n", status);
++      return sysfs_emit(buffer, "%d\n", mode);
+ }
+ static ssize_t usb_charge_store(struct device *dev,
+-- 
+2.51.0
+
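Review bot: fan_mode_store() now ignores the outcome of its only WMAB call: `r = lg_wmab(dev, WM_FAN_MODE, WM_SET, ...)` is followed directly by `kfree(r); return count;`, so a write to the sysfs file reports success even when the firmware call failed. The removed code returned -EIO when lg_wmab() gave NULL, and fan_mode_show() still does so for its read. I would keep that behaviour with `if (!r) return -EIO;` before the `kfree(r)`. Separately, `value >= 3` would read better against a named constant for the number of fan modes.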
index 10be2596a9b61da38f5183c94ee62d37375add54..7b1c74c97cec0737755e5baeba4b364b6efdceab 100644 (file)
@@ -83,3 +83,14 @@ net-mlx5e-fix-missing-fec-rs-stats-for-rs_544_514_in.patch
 net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch
 net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch
 octeontx2-pf-fix-potential-use-after-free-in-otx2_tc.patch
+drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+futex-prevent-use-after-free-during-requeue-pi.patch
+gpio-regmap-fix-memory-leak-of-gpio_regmap-structure.patch
+drm-xe-vf-don-t-expose-sysfs-attributes-not-applicab.patch
+drm-xe-fix-build-with-config_modules-n.patch
+drm-i915-ddi-guard-reg_val-against-a-invalid_transco.patch
+drm-amd-display-remove-output_tf_change-flag.patch
+futex-use-correct-exit-on-failure-from-futex_hash_al.patch
+drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch
+platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch
+smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
diff --git a/queue-6.16/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch b/queue-6.16/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
new file mode 100644 (file)
index 0000000..5d01382
--- /dev/null
@@ -0,0 +1,41 @@
+From 0ddfb3315b3eefd9df9de761f3c29b8c472fefdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Sep 2025 17:16:45 +0900
+Subject: smb: client: fix wrong index reference in smb2_compound_op()
+
+From: Sang-Heon Jeon <ekffu200098@gmail.com>
+
+[ Upstream commit fbe2dc6a9c7318f7263f5e4d50f6272b931c5756 ]
+
+In smb2_compound_op(), the loop that processes each command's response
+uses wrong indices when accessing response bufferes.
+
+This incorrect indexing leads to improper handling of command results.
+Also, if incorrectly computed index is greather than or equal to
+MAX_COMPOUND, it can cause out-of-bounds accesses.
+
+Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
+index 86cad8ee8e6f3..ac3ce183bd59a 100644
+--- a/fs/smb/client/smb2inode.c
++++ b/fs/smb/client/smb2inode.c
+@@ -687,7 +687,7 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
+       }
+       for (i = 0; i < num_cmds; i++) {
+-              char *buf = rsp_iov[i + i].iov_base;
++              char *buf = rsp_iov[i + 1].iov_base;
+               if (buf && resp_buftype[i + 1] != CIFS_NO_BUFFER)
+                       rc = server->ops->map_error(buf, false);
+-- 
+2.51.0
+
diff --git a/queue-6.6/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-6.6/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
new file mode 100644 (file)
index 0000000..e6173b4
--- /dev/null
@@ -0,0 +1,42 @@
+From 7547a79ccaaba43bc2643efdfaa885ae92e401ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Sep 2025 18:06:59 +0300
+Subject: drm/gma500: Fix null dereference in hdmi teardown
+
+From: Zabelin Nikita <n.zabelin@mt-integration.ru>
+
+[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ]
+
+pci_set_drvdata sets the value of pdev->driver_data to NULL,
+after which the driver_data obtained from the same dev is
+dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
+extracted from it. To prevent this, swap these calls.
+
+Found by Linux Verification Center (linuxtesting.org) with Svacer.
+
+Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
+Signed-off-by: Zabelin Nikita <n.zabelin@mt-integration.ru>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+index ed8626c73541c..f0ae675581d9a 100644
+--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+@@ -726,8 +726,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev)
+       if (hdmi_dev) {
+               pdev = hdmi_dev->dev;
+-              pci_set_drvdata(pdev, NULL);
+               oaktrail_hdmi_i2c_exit(pdev);
++              pci_set_drvdata(pdev, NULL);
+               iounmap(hdmi_dev->regs);
+               kfree(hdmi_dev);
+               pci_dev_put(pdev);
+-- 
+2.51.0
+
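Review bot: Nothing in the new code records that the order of `oaktrail_hdmi_i2c_exit(pdev)` and `pci_set_drvdata(pdev, NULL)` is load-bearing, so a later cleanup could swap them back. Per the commit message, `oaktrail_hdmi_i2c_exit()` fetches the driver data from `pdev` and dereferences it, so I would add above the call `/* i2c_exit reads pdev's drvdata; clear it only afterwards */`. A NULL check on the fetched pointer inside `oaktrail_hdmi_i2c_exit()` would make the teardown safe regardless of order, but that function is outside the hunk.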
diff --git a/queue-6.6/futex-prevent-use-after-free-during-requeue-pi.patch b/queue-6.6/futex-prevent-use-after-free-during-requeue-pi.patch
new file mode 100644 (file)
index 0000000..f401c47
--- /dev/null
@@ -0,0 +1,88 @@
+From 359be6397a24e6e5d3953aa314a3b00e1a6eaadb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 12:42:43 +0200
+Subject: futex: Prevent use-after-free during requeue-PI
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit b549113738e8c751b613118032a724b772aa83f2 ]
+
+syzbot managed to trigger the following race:
+
+   T1                               T2
+
+ futex_wait_requeue_pi()
+   futex_do_wait()
+     schedule()
+                               futex_requeue()
+                                 futex_proxy_trylock_atomic()
+                                   futex_requeue_pi_prepare()
+                                   requeue_pi_wake_futex()
+                                     futex_requeue_pi_complete()
+                                      /* preempt */
+
+         * timeout/ signal wakes T1 *
+
+   futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED
+   futex_hash_put()
+  // back to userland, on stack futex_q is garbage
+
+                                      /* back */
+                                     wake_up_state(q->task, TASK_NORMAL);
+
+In this scenario futex_wait_requeue_pi() is able to leave without using
+futex_q::lock_ptr for synchronization.
+
+This can be prevented by reading futex_q::task before updating the
+futex_q::requeue_state. A reference on the task_struct is not needed
+because requeue_pi_wake_futex() is invoked with a spinlock_t held which
+implies a RCU read section.
+
+Even if T1 terminates immediately after, the task_struct will remain valid
+during T2's wake_up_state().  A READ_ONCE on futex_q::task before
+futex_requeue_pi_complete() is enough because it ensures that the variable
+is read before the state is updated.
+
+Read futex_q::task before updating the requeue state, use it for the
+following wakeup.
+
+Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT")
+Reported-by: syzbot+034246a838a10d181e78@syzkaller.appspotmail.com
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Closes: https://lore.kernel.org/all/68b75989.050a0220.3db4df.01dd.GAE@google.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/futex/requeue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
+index cba8b1a6a4cc2..7e43839ca7b05 100644
+--- a/kernel/futex/requeue.c
++++ b/kernel/futex/requeue.c
+@@ -223,18 +223,20 @@ static inline
+ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+                          struct futex_hash_bucket *hb)
+ {
+-      q->key = *key;
++      struct task_struct *task;
++      q->key = *key;
+       __futex_unqueue(q);
+       WARN_ON(!q->rt_waiter);
+       q->rt_waiter = NULL;
+       q->lock_ptr = &hb->lock;
++      task = READ_ONCE(q->task);
+       /* Signal locked state to the waiter */
+       futex_requeue_pi_complete(q, 1);
+-      wake_up_state(q->task, TASK_NORMAL);
++      wake_up_state(task, TASK_NORMAL);
+ }
+ /**
+-- 
+2.51.0
+
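Review bot: The `task = READ_ONCE(q->task);` line carries no comment, yet its position before `futex_requeue_pi_complete(q, 1)` is the whole fix: per the commit message the waiter can return once the state is published, and its on-stack `futex_q` is then garbage. I would add a comment above it stating that `q` must not be touched after `futex_requeue_pi_complete()` and that the task pointer is therefore sampled first. `READ_ONCE()` by itself stops the compiler from re-reading `q->task` later. Whether the load is also ordered before the state update on the CPU depends on the barrier semantics of `futex_requeue_pi_complete()`, which is not in the hunk, so the comment should name that dependency.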
index 3c5bd4d613a3c965c898f852d88007175ef000d5..eb7e72f8ab305060400f7aeb2cc8d872f228d76c 100644 (file)
@@ -49,3 +49,6 @@ net-dsa-lantiq_gswip-do-also-enable-or-disable-cpu-p.patch
 net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch
 net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch
 octeontx2-pf-fix-potential-use-after-free-in-otx2_tc.patch
+drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+futex-prevent-use-after-free-during-requeue-pi.patch
+smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
diff --git a/queue-6.6/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch b/queue-6.6/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
new file mode 100644 (file)
index 0000000..f22fb97
--- /dev/null
@@ -0,0 +1,41 @@
+From 51253b642c778d5efe348ed89a3f5cc802faacdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Sep 2025 17:16:45 +0900
+Subject: smb: client: fix wrong index reference in smb2_compound_op()
+
+From: Sang-Heon Jeon <ekffu200098@gmail.com>
+
+[ Upstream commit fbe2dc6a9c7318f7263f5e4d50f6272b931c5756 ]
+
+In smb2_compound_op(), the loop that processes each command's response
+uses wrong indices when accessing response bufferes.
+
+This incorrect indexing leads to improper handling of command results.
+Also, if incorrectly computed index is greather than or equal to
+MAX_COMPOUND, it can cause out-of-bounds accesses.
+
+Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
+index 0cc80f472432a..79641d1ee8675 100644
+--- a/fs/smb/client/smb2inode.c
++++ b/fs/smb/client/smb2inode.c
+@@ -641,7 +641,7 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
+       tmp_rc = rc;
+       for (i = 0; i < num_cmds; i++) {
+-              char *buf = rsp_iov[i + i].iov_base;
++              char *buf = rsp_iov[i + 1].iov_base;
+               if (buf && resp_buftype[i + 1] != CIFS_NO_BUFFER)
+                       rc = server->ops->map_error(buf, false);
+-- 
+2.51.0
+