6.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 Nov 2025 14:07:22 +0000 (23:07 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 Nov 2025 14:07:22 +0000 (23:07 +0900)
added patches:
acpi-button-call-input_free_device-on-failing-input-device-registration.patch
acpi-fan-use-platform-device-for-devres-related-actions.patch
acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch
asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
asoc-renesas-rz-ssi-use-proper-dma_buffer_pos-after-resume.patch
batman-adv-release-references-to-inactive-interfaces.patch
bluetooth-rfcomm-fix-modem-control-handling.patch
fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch
fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch
fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch
mptcp-restore-window-probe.patch
net-phy-dp83867-disable-eee-support-as-not-implemented.patch
net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch
nfsd-define-actions-for-the-new-time_deleg-fattr4-attributes.patch
nfsd-fix-crash-in-nfsd4_read_release.patch
revert-bluetooth-l2cap-convert-timeouts-to-secs_to_jiffies.patch
revert-nfsd-remove-the-cap-on-number-of-operations-per-nfsv4-compound.patch
s390-pci-restore-irq-unconditionally-for-the-zpci-device.patch
sched_ext-mark-scx_bpf_dsq_move_set_-with-kf_rcu.patch
series
smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch
virtio-net-drop-the-multi-buffer-xdp-packet-in-zerocopy.patch
wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch
x86-build-disable-sse4a.patch
x86-cpu-amd-add-rdseed-fix-for-zen5.patch
x86-fpu-ensure-xfd-state-on-signal-delivery.patch

29 files changed:
queue-6.17/acpi-button-call-input_free_device-on-failing-input-device-registration.patch [new file with mode: 0644]
queue-6.17/acpi-fan-use-platform-device-for-devres-related-actions.patch [new file with mode: 0644]
queue-6.17/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch [new file with mode: 0644]
queue-6.17/asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch [new file with mode: 0644]
queue-6.17/asoc-renesas-rz-ssi-use-proper-dma_buffer_pos-after-resume.patch [new file with mode: 0644]
queue-6.17/batman-adv-release-references-to-inactive-interfaces.patch [new file with mode: 0644]
queue-6.17/bluetooth-rfcomm-fix-modem-control-handling.patch [new file with mode: 0644]
queue-6.17/fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch [new file with mode: 0644]
queue-6.17/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch [new file with mode: 0644]
queue-6.17/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch [new file with mode: 0644]
queue-6.17/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch [new file with mode: 0644]
queue-6.17/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch [new file with mode: 0644]
queue-6.17/mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch [new file with mode: 0644]
queue-6.17/mptcp-restore-window-probe.patch [new file with mode: 0644]
queue-6.17/net-phy-dp83867-disable-eee-support-as-not-implemented.patch [new file with mode: 0644]
queue-6.17/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch [new file with mode: 0644]
queue-6.17/nfsd-define-actions-for-the-new-time_deleg-fattr4-attributes.patch [new file with mode: 0644]
queue-6.17/nfsd-fix-crash-in-nfsd4_read_release.patch [new file with mode: 0644]
queue-6.17/revert-bluetooth-l2cap-convert-timeouts-to-secs_to_jiffies.patch [new file with mode: 0644]
queue-6.17/revert-nfsd-remove-the-cap-on-number-of-operations-per-nfsv4-compound.patch [new file with mode: 0644]
queue-6.17/s390-pci-restore-irq-unconditionally-for-the-zpci-device.patch [new file with mode: 0644]
queue-6.17/sched_ext-mark-scx_bpf_dsq_move_set_-with-kf_rcu.patch [new file with mode: 0644]
queue-6.17/series [new file with mode: 0644]
queue-6.17/smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch [new file with mode: 0644]
queue-6.17/virtio-net-drop-the-multi-buffer-xdp-packet-in-zerocopy.patch [new file with mode: 0644]
queue-6.17/wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch [new file with mode: 0644]
queue-6.17/x86-build-disable-sse4a.patch [new file with mode: 0644]
queue-6.17/x86-cpu-amd-add-rdseed-fix-for-zen5.patch [new file with mode: 0644]
queue-6.17/x86-fpu-ensure-xfd-state-on-signal-delivery.patch [new file with mode: 0644]

diff --git a/queue-6.17/acpi-button-call-input_free_device-on-failing-input-device-registration.patch b/queue-6.17/acpi-button-call-input_free_device-on-failing-input-device-registration.patch
new file mode 100644 (file)
index 0000000..fd0014c
--- /dev/null
@@ -0,0 +1,38 @@
+From 20594cd104abaaabb676c7a2915b150ae5ff093d Mon Sep 17 00:00:00 2001
+From: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
+Date: Mon, 6 Oct 2025 14:17:06 +0530
+Subject: ACPI: button: Call input_free_device() on failing input device registration
+
+From: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
+
+commit 20594cd104abaaabb676c7a2915b150ae5ff093d upstream.
+
+Make acpi_button_add() call input_free_device() when
+input_register_device() fails as required according to the
+documentation of the latter.
+
+Fixes: 0d51157dfaac ("ACPI: button: Eliminate the driver notify callback")
+Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
+Cc: 6.5+ <stable@vger.kernel.org> # 6.5+
+[ rjw: Subject and changelog rewrite, Fixes: tag ]
+Link: https://patch.msgid.link/20251006084706.971855-1-kaushlendra.kumar@intel.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/button.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/button.c
++++ b/drivers/acpi/button.c
+@@ -619,8 +619,10 @@ static int acpi_button_add(struct acpi_d
+       input_set_drvdata(input, device);
+       error = input_register_device(input);
+-      if (error)
++      if (error) {
++              input_free_device(input);
+               goto err_remove_fs;
++      }
+       switch (device->device_type) {
+       case ACPI_BUS_TYPE_POWER_BUTTON:
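Review bot: The new `input_free_device(input)` before `goto err_remove_fs` is only correct if the cleanup ladder below that label does not free the input device a second time; the labels are outside this hunk, and acpi_button_add() has historically had `err_remove_fs:` fall through into an `err_free_input:` label that itself calls `input_free_device(input)`. If that is still the layout, this change turns the registration-failure path into a double free (and the existing `err_input_unregister:` path, which must not call input_free_device() after input_unregister_device(), is equally suspect) — please confirm against the full function. The cleaner fix is to leave the free to the ladder and make the failing-registration path jump to the label that frees exactly once, e.g. replace the added call with `goto err_free_input;` after `acpi_button_remove_fs(device);`, or reorder the labels so unregister and free are mutually exclusive. The body of acpi_button_add() continues well beyond this hunk.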
diff --git a/queue-6.17/acpi-fan-use-platform-device-for-devres-related-actions.patch b/queue-6.17/acpi-fan-use-platform-device-for-devres-related-actions.patch
new file mode 100644 (file)
index 0000000..665e5ad
--- /dev/null
@@ -0,0 +1,74 @@
+From d91a1d129b63614fa4c2e45e60918409ce36db7e Mon Sep 17 00:00:00 2001
+From: Armin Wolf <W_Armin@gmx.de>
+Date: Wed, 8 Oct 2025 01:41:46 +0200
+Subject: ACPI: fan: Use platform device for devres-related actions
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+commit d91a1d129b63614fa4c2e45e60918409ce36db7e upstream.
+
+Device-managed resources are cleaned up when the driver unbinds from
+the underlying device. In our case this is the platform device as this
+driver is a platform driver. Registering device-managed resources on
+the associated ACPI device will thus result in a resource leak when
+this driver unbinds.
+
+Ensure that any device-managed resources are only registered on the
+platform device to ensure that they are cleaned up during removal.
+
+Fixes: 35c50d853adc ("ACPI: fan: Add hwmon support")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Cc: 6.11+ <stable@vger.kernel.org> # 6.11+
+Link: https://patch.msgid.link/20251007234149.2769-4-W_Armin@gmx.de
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/fan.h       |    4 ++--
+ drivers/acpi/fan_core.c  |    2 +-
+ drivers/acpi/fan_hwmon.c |    8 ++++----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/acpi/fan.h
++++ b/drivers/acpi/fan.h
+@@ -64,9 +64,9 @@ int acpi_fan_create_attributes(struct ac
+ void acpi_fan_delete_attributes(struct acpi_device *device);
+ #if IS_REACHABLE(CONFIG_HWMON)
+-int devm_acpi_fan_create_hwmon(struct acpi_device *device);
++int devm_acpi_fan_create_hwmon(struct device *dev);
+ #else
+-static inline int devm_acpi_fan_create_hwmon(struct acpi_device *device) { return 0; };
++static inline int devm_acpi_fan_create_hwmon(struct device *dev) { return 0; };
+ #endif
+ #endif
+--- a/drivers/acpi/fan_core.c
++++ b/drivers/acpi/fan_core.c
+@@ -347,7 +347,7 @@ static int acpi_fan_probe(struct platfor
+       }
+       if (fan->has_fst) {
+-              result = devm_acpi_fan_create_hwmon(device);
++              result = devm_acpi_fan_create_hwmon(&pdev->dev);
+               if (result)
+                       return result;
+--- a/drivers/acpi/fan_hwmon.c
++++ b/drivers/acpi/fan_hwmon.c
+@@ -167,12 +167,12 @@ static const struct hwmon_chip_info acpi
+       .info = acpi_fan_hwmon_info,
+ };
+-int devm_acpi_fan_create_hwmon(struct acpi_device *device)
++int devm_acpi_fan_create_hwmon(struct device *dev)
+ {
+-      struct acpi_fan *fan = acpi_driver_data(device);
++      struct acpi_fan *fan = dev_get_drvdata(dev);
+       struct device *hdev;
+-      hdev = devm_hwmon_device_register_with_info(&device->dev, "acpi_fan", fan,
+-                                                  &acpi_fan_hwmon_chip_info, NULL);
++      hdev = devm_hwmon_device_register_with_info(dev, "acpi_fan", fan, &acpi_fan_hwmon_chip_info,
++                                                  NULL);
+       return PTR_ERR_OR_ZERO(hdev);
+ }
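Review bot: `dev_get_drvdata(dev)` in devm_acpi_fan_create_hwmon() now depends on acpi_fan_probe() having called `platform_set_drvdata(pdev, fan)` before the `devm_acpi_fan_create_hwmon(&pdev->dev)` call shown in fan_core.c; the hunk does not show that ordering, so it should be confirmed, since a NULL `fan` would only surface as a crash in the hwmon callbacks later. While touching the fan.h stub, the trailing `;` after the inline body is a stray empty declaration: `static inline int devm_acpi_fan_create_hwmon(struct device *dev) { return 0; }`. The surrounding acpi_fan_probe() is outside the hunk.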
diff --git a/queue-6.17/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch b/queue-6.17/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch
new file mode 100644 (file)
index 0000000..021d5e8
--- /dev/null
@@ -0,0 +1,49 @@
+From 8f067aa59430266386b83c18b983ca583faa6a11 Mon Sep 17 00:00:00 2001
+From: Yuhao Jiang <danisjiang@gmail.com>
+Date: Wed, 22 Oct 2025 15:07:04 -0500
+Subject: ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
+
+From: Yuhao Jiang <danisjiang@gmail.com>
+
+commit 8f067aa59430266386b83c18b983ca583faa6a11 upstream.
+
+The switch_brightness_work delayed work accesses device->brightness
+and device->backlight, freed by acpi_video_dev_unregister_backlight()
+during device removal.
+
+If the work executes after acpi_video_bus_unregister_backlight()
+frees these resources, it causes a use-after-free when
+acpi_video_switch_brightness() dereferences device->brightness or
+device->backlight.
+
+Fix this by calling cancel_delayed_work_sync() for each device's
+switch_brightness_work in acpi_video_bus_remove_notify_handler()
+after removing the notify handler that queues the work. This ensures
+the work completes before the memory is freed.
+
+Fixes: 8ab58e8e7e097 ("ACPI / video: Fix backlight taking 2 steps on a brightness up/down keypress")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Yuhao Jiang <danisjiang@gmail.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+[ rjw: Changelog edit ]
+Link: https://patch.msgid.link/20251022200704.2655507-1-danisjiang@gmail.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_video.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -1959,8 +1959,10 @@ static void acpi_video_bus_remove_notify
+       struct acpi_video_device *dev;
+       mutex_lock(&video->device_list_lock);
+-      list_for_each_entry(dev, &video->video_device_list, entry)
++      list_for_each_entry(dev, &video->video_device_list, entry) {
+               acpi_video_dev_remove_notify_handler(dev);
++              cancel_delayed_work_sync(&dev->switch_brightness_work);
++      }
+       mutex_unlock(&video->device_list_lock);
+       acpi_video_bus_stop_devices(video);
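Review bot: `cancel_delayed_work_sync(&dev->switch_brightness_work)` is now called with `video->device_list_lock` held, and it blocks until a running instance of the work finishes; that is deadlock-free only if acpi_video_switch_brightness() (not visible here) never acquires `device_list_lock` itself, directly or via the helpers it calls. Please confirm, and if it can, cancel the work after `mutex_unlock(&video->device_list_lock)` instead, for example by looping the list a second time without the mutex or by cancelling in acpi_video_bus_stop_devices(). A one-line comment would also help the next reader: `/* notify handler is gone, so the work cannot be re-queued; wait it out before the device is freed */`. acpi_video_bus_remove_notify_handler() starts outside this hunk.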
diff --git a/queue-6.17/asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch b/queue-6.17/asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
new file mode 100644 (file)
index 0000000..c19e278
--- /dev/null
@@ -0,0 +1,37 @@
+From fdbb53d318aa94a094434e5f226617f0eb1e8f22 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Date: Fri, 17 Oct 2025 09:52:56 +0100
+Subject: ASoC: qdsp6: q6asm: do not sleep while atomic
+
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+
+commit fdbb53d318aa94a094434e5f226617f0eb1e8f22 upstream.
+
+For some reason we ended up kfree between spinlock lock and unlock,
+which can sleep.
+
+move the kfree out of spinlock section.
+
+Fixes: a2a5d30218fd ("ASoC: qdsp6: q6asm: Add support to memory map and unmap")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251017085307.4325-2-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6asm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/qcom/qdsp6/q6asm.c
++++ b/sound/soc/qcom/qdsp6/q6asm.c
+@@ -377,9 +377,9 @@ static void q6asm_audio_client_free_buf(
+       spin_lock_irqsave(&ac->lock, flags);
+       port->num_periods = 0;
++      spin_unlock_irqrestore(&ac->lock, flags);
+       kfree(port->buf);
+       port->buf = NULL;
+-      spin_unlock_irqrestore(&ac->lock, flags);
+ }
+ /**
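Review bot: Moving `spin_unlock_irqrestore()` above `kfree(port->buf)` leaves `port->buf` readable by other holders of `ac->lock` between the unlock and the `port->buf = NULL` store, so a concurrent path that takes the lock and dereferences `port->buf` can observe a freed pointer. Detach the buffer under the lock and free it afterwards, with a local of `port->buf`'s type declared next to `flags`. Note also that kfree() itself does not sleep, so the stated motivation looks misattributed; if a debug configuration complained, that is worth recording in the log. q6asm_audio_client_free_buf() starts outside this hunk.
```c
	/* … unchanged: earlier body of q6asm_audio_client_free_buf … */
	spin_lock_irqsave(&ac->lock, flags);
	port->num_periods = 0;
	buf = port->buf;	/* detach under the lock so no reader sees a freed pointer */
	port->buf = NULL;
	spin_unlock_irqrestore(&ac->lock, flags);
	kfree(buf);
```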
diff --git a/queue-6.17/asoc-renesas-rz-ssi-use-proper-dma_buffer_pos-after-resume.patch b/queue-6.17/asoc-renesas-rz-ssi-use-proper-dma_buffer_pos-after-resume.patch
new file mode 100644 (file)
index 0000000..8fe854d
--- /dev/null
@@ -0,0 +1,115 @@
+From 22897e568646de5907d4981eae6cc895be2978d1 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Date: Wed, 29 Oct 2025 16:11:34 +0200
+Subject: ASoC: renesas: rz-ssi: Use proper dma_buffer_pos after resume
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+commit 22897e568646de5907d4981eae6cc895be2978d1 upstream.
+
+When the driver supports DMA, it enqueues four DMA descriptors per
+substream before the substream is started. New descriptors are enqueued in
+the DMA completion callback, and each time a new descriptor is queued, the
+dma_buffer_pos is incremented.
+
+During suspend, the DMA transactions are terminated. There might be cases
+where the four extra enqueued DMA descriptors are not completed and are
+instead canceled on suspend. However, the cancel operation does not take
+into account that the dma_buffer_pos was already incremented.
+
+Previously, the suspend code reinitialized dma_buffer_pos to zero, but this
+is not always correct.
+
+To avoid losing any audio periods during suspend/resume and to prevent
+clip sound, save the completed DMA buffer position in the DMA callback and
+reinitialize dma_buffer_pos on resume.
+
+Cc: stable@vger.kernel.org
+Fixes: 1fc778f7c833a ("ASoC: renesas: rz-ssi: Add suspend to RAM support")
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Link: https://patch.msgid.link/20251029141134.2556926-3-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/renesas/rz-ssi.c |   25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+--- a/sound/soc/renesas/rz-ssi.c
++++ b/sound/soc/renesas/rz-ssi.c
+@@ -85,6 +85,7 @@ struct rz_ssi_stream {
+       struct snd_pcm_substream *substream;
+       int fifo_sample_size;   /* sample capacity of SSI FIFO */
+       int dma_buffer_pos;     /* The address for the next DMA descriptor */
++      int completed_dma_buf_pos; /* The address of the last completed DMA descriptor. */
+       int period_counter;     /* for keeping track of periods transferred */
+       int sample_width;
+       int buffer_pos;         /* current frame position in the buffer */
+@@ -221,6 +222,7 @@ static void rz_ssi_stream_init(struct rz
+       rz_ssi_set_substream(strm, substream);
+       strm->sample_width = samples_to_bytes(runtime, 1);
+       strm->dma_buffer_pos = 0;
++      strm->completed_dma_buf_pos = 0;
+       strm->period_counter = 0;
+       strm->buffer_pos = 0;
+@@ -443,6 +445,10 @@ static void rz_ssi_pointer_update(struct
+               snd_pcm_period_elapsed(strm->substream);
+               strm->period_counter = current_period;
+       }
++
++      strm->completed_dma_buf_pos += runtime->period_size;
++      if (strm->completed_dma_buf_pos >= runtime->buffer_size)
++              strm->completed_dma_buf_pos = 0;
+ }
+ static int rz_ssi_pio_recv(struct rz_ssi_priv *ssi, struct rz_ssi_stream *strm)
+@@ -784,10 +790,14 @@ no_dma:
+       return -ENODEV;
+ }
+-static int rz_ssi_trigger_resume(struct rz_ssi_priv *ssi)
++static int rz_ssi_trigger_resume(struct rz_ssi_priv *ssi, struct rz_ssi_stream *strm)
+ {
++      struct snd_pcm_substream *substream = strm->substream;
++      struct snd_pcm_runtime *runtime = substream->runtime;
+       int ret;
++      strm->dma_buffer_pos = strm->completed_dma_buf_pos + runtime->period_size;
++
+       if (rz_ssi_is_stream_running(&ssi->playback) ||
+           rz_ssi_is_stream_running(&ssi->capture))
+               return 0;
+@@ -800,16 +810,6 @@ static int rz_ssi_trigger_resume(struct
+                               ssi->hw_params_cache.channels);
+ }
+-static void rz_ssi_streams_suspend(struct rz_ssi_priv *ssi)
+-{
+-      if (rz_ssi_is_stream_running(&ssi->playback) ||
+-          rz_ssi_is_stream_running(&ssi->capture))
+-              return;
+-
+-      ssi->playback.dma_buffer_pos = 0;
+-      ssi->capture.dma_buffer_pos = 0;
+-}
+-
+ static int rz_ssi_dai_trigger(struct snd_pcm_substream *substream, int cmd,
+                             struct snd_soc_dai *dai)
+ {
+@@ -819,7 +819,7 @@ static int rz_ssi_dai_trigger(struct snd
+       switch (cmd) {
+       case SNDRV_PCM_TRIGGER_RESUME:
+-              ret = rz_ssi_trigger_resume(ssi);
++              ret = rz_ssi_trigger_resume(ssi, strm);
+               if (ret)
+                       return ret;
+@@ -858,7 +858,6 @@ static int rz_ssi_dai_trigger(struct snd
+       case SNDRV_PCM_TRIGGER_SUSPEND:
+               rz_ssi_stop(ssi, strm);
+-              rz_ssi_streams_suspend(ssi);
+               break;
+       case SNDRV_PCM_TRIGGER_STOP:
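Review bot: In rz_ssi_trigger_resume(), `strm->dma_buffer_pos = strm->completed_dma_buf_pos + runtime->period_size;` does not wrap, while `completed_dma_buf_pos` is reset to 0 only when it reaches `buffer_size` in rz_ssi_pointer_update(); when the last completed period is the final one in the ring, `dma_buffer_pos` is set equal to `buffer_size`, one period past the end. Unless the DMA enqueue path (outside this hunk) normalises `dma_buffer_pos` before using it as an offset, the first descriptor after resume points outside the buffer; mirror the wrap here: `if (strm->dma_buffer_pos >= runtime->buffer_size) strm->dma_buffer_pos = 0;`. The new field also deserves a note that it is written from the DMA completion callback and read from the trigger path, so the reader knows what ordering keeps that safe. rz_ssi_trigger_resume() and rz_ssi_dai_trigger() both extend beyond the hunk.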
diff --git a/queue-6.17/batman-adv-release-references-to-inactive-interfaces.patch b/queue-6.17/batman-adv-release-references-to-inactive-interfaces.patch
new file mode 100644 (file)
index 0000000..5ac7d9d
--- /dev/null
@@ -0,0 +1,75 @@
+From f12b69d8f22824a07f17c1399c99757072de73e0 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 27 Sep 2025 19:39:08 +0200
+Subject: batman-adv: Release references to inactive interfaces
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit f12b69d8f22824a07f17c1399c99757072de73e0 upstream.
+
+Trying to dump the originators or the neighbors via netlink for a meshif
+with an inactive primary interface is not allowed. The dump functions were
+checking this correctly but they didn't handle non-existing primary
+interfaces and existing _inactive_ interfaces differently.
+
+(Primary) batadv_hard_ifaces hold a references to a net_device. And
+accessing them is only allowed when either being in a RCU/spinlock
+protected section or when holding a valid reference to them. The netlink
+dump functions use the latter.
+
+But because the missing specific error handling for inactive primary
+interfaces, the reference was never dropped. This reference counting error
+was only detected when the interface should have been removed from the
+system:
+
+  unregister_netdevice: waiting for batadv_slave_0 to become free. Usage count = 2
+
+Cc: stable@vger.kernel.org
+Fixes: 6ecc4fd6c2f4 ("batman-adv: netlink: reduce duplicate code by returning interfaces")
+Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/originator.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/originator.c
++++ b/net/batman-adv/originator.c
+@@ -764,11 +764,16 @@ int batadv_hardif_neigh_dump(struct sk_b
+       bat_priv = netdev_priv(mesh_iface);
+       primary_if = batadv_primary_if_get_selected(bat_priv);
+-      if (!primary_if || primary_if->if_status != BATADV_IF_ACTIVE) {
++      if (!primary_if) {
+               ret = -ENOENT;
+               goto out_put_mesh_iface;
+       }
++      if (primary_if->if_status != BATADV_IF_ACTIVE) {
++              ret = -ENOENT;
++              goto out_put_primary_if;
++      }
++
+       hard_iface = batadv_netlink_get_hardif(bat_priv, cb);
+       if (IS_ERR(hard_iface) && PTR_ERR(hard_iface) != -ENONET) {
+               ret = PTR_ERR(hard_iface);
+@@ -1333,11 +1338,16 @@ int batadv_orig_dump(struct sk_buff *msg
+       bat_priv = netdev_priv(mesh_iface);
+       primary_if = batadv_primary_if_get_selected(bat_priv);
+-      if (!primary_if || primary_if->if_status != BATADV_IF_ACTIVE) {
++      if (!primary_if) {
+               ret = -ENOENT;
+               goto out_put_mesh_iface;
+       }
++      if (primary_if->if_status != BATADV_IF_ACTIVE) {
++              ret = -ENOENT;
++              goto out_put_primary_if;
++      }
++
+       hard_iface = batadv_netlink_get_hardif(bat_priv, cb);
+       if (IS_ERR(hard_iface) && PTR_ERR(hard_iface) != -ENONET) {
+               ret = PTR_ERR(hard_iface);
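Review bot: The split into two `-ENOENT` checks is correct only because of which label each jumps to, and nothing in the code says so; a reader may well refold them into the old single condition and reintroduce the leak. Put the reason on the second check in both batadv_hardif_neigh_dump() and batadv_orig_dump(): `/* an inactive primary_if still holds a reference that out_put_primary_if must drop */`. The `out_put_primary_if` label is outside the hunk, so I am assuming it is the one that calls the hardif put.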
diff --git a/queue-6.17/bluetooth-rfcomm-fix-modem-control-handling.patch b/queue-6.17/bluetooth-rfcomm-fix-modem-control-handling.patch
new file mode 100644 (file)
index 0000000..9201099
--- /dev/null
@@ -0,0 +1,89 @@
+From 91d35ec9b3956d6b3cf789c1593467e58855b03a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 23 Oct 2025 14:05:30 +0200
+Subject: Bluetooth: rfcomm: fix modem control handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 91d35ec9b3956d6b3cf789c1593467e58855b03a upstream.
+
+The RFCOMM driver confuses the local and remote modem control signals,
+which specifically means that the reported DTR and RTS state will
+instead reflect the remote end (i.e. DSR and CTS).
+
+This issue dates back to the original driver (and a follow-on update)
+merged in 2002, which resulted in a non-standard implementation of
+TIOCMSET that allowed controlling also the TS07.10 IC and DV signals by
+mapping them to the RI and DCD input flags, while TIOCMGET failed to
+return the actual state of DTR and RTS.
+
+Note that the bogus control of input signals in tiocmset() is just
+dead code as those flags will have been masked out by the tty layer
+since 2003.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/rfcomm/tty.c |   26 +++++++++++---------------
+ 1 file changed, 11 insertions(+), 15 deletions(-)
+
+--- a/net/bluetooth/rfcomm/tty.c
++++ b/net/bluetooth/rfcomm/tty.c
+@@ -643,8 +643,8 @@ static void rfcomm_dev_modem_status(stru
+               tty_port_tty_hangup(&dev->port, true);
+       dev->modem_status =
+-              ((v24_sig & RFCOMM_V24_RTC) ? (TIOCM_DSR | TIOCM_DTR) : 0) |
+-              ((v24_sig & RFCOMM_V24_RTR) ? (TIOCM_RTS | TIOCM_CTS) : 0) |
++              ((v24_sig & RFCOMM_V24_RTC) ? TIOCM_DSR : 0) |
++              ((v24_sig & RFCOMM_V24_RTR) ? TIOCM_CTS : 0) |
+               ((v24_sig & RFCOMM_V24_IC)  ? TIOCM_RI : 0) |
+               ((v24_sig & RFCOMM_V24_DV)  ? TIOCM_CD : 0);
+ }
+@@ -1055,10 +1055,14 @@ static void rfcomm_tty_hangup(struct tty
+ static int rfcomm_tty_tiocmget(struct tty_struct *tty)
+ {
+       struct rfcomm_dev *dev = tty->driver_data;
++      struct rfcomm_dlc *dlc = dev->dlc;
++      u8 v24_sig;
+       BT_DBG("tty %p dev %p", tty, dev);
+-      return dev->modem_status;
++      rfcomm_dlc_get_modem_status(dlc, &v24_sig);
++
++      return (v24_sig & (TIOCM_DTR | TIOCM_RTS)) | dev->modem_status;
+ }
+ static int rfcomm_tty_tiocmset(struct tty_struct *tty, unsigned int set, unsigned int clear)
+@@ -1071,23 +1075,15 @@ static int rfcomm_tty_tiocmset(struct tt
+       rfcomm_dlc_get_modem_status(dlc, &v24_sig);
+-      if (set & TIOCM_DSR || set & TIOCM_DTR)
++      if (set & TIOCM_DTR)
+               v24_sig |= RFCOMM_V24_RTC;
+-      if (set & TIOCM_RTS || set & TIOCM_CTS)
++      if (set & TIOCM_RTS)
+               v24_sig |= RFCOMM_V24_RTR;
+-      if (set & TIOCM_RI)
+-              v24_sig |= RFCOMM_V24_IC;
+-      if (set & TIOCM_CD)
+-              v24_sig |= RFCOMM_V24_DV;
+-      if (clear & TIOCM_DSR || clear & TIOCM_DTR)
++      if (clear & TIOCM_DTR)
+               v24_sig &= ~RFCOMM_V24_RTC;
+-      if (clear & TIOCM_RTS || clear & TIOCM_CTS)
++      if (clear & TIOCM_RTS)
+               v24_sig &= ~RFCOMM_V24_RTR;
+-      if (clear & TIOCM_RI)
+-              v24_sig &= ~RFCOMM_V24_IC;
+-      if (clear & TIOCM_CD)
+-              v24_sig &= ~RFCOMM_V24_DV;
+       rfcomm_dlc_set_modem_status(dlc, v24_sig);
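Review bot: The new rfcomm_tty_tiocmget() returns `(v24_sig & (TIOCM_DTR | TIOCM_RTS)) | dev->modem_status`, which masks a TS 07.10 V.24 signal byte with TIOCM_* constants; those are two unrelated bit namespaces, and the same hunk's tiocmset() shows the intended mapping is RFCOMM_V24_RTC↔TIOCM_DTR and RFCOMM_V24_RTR↔TIOCM_RTS. Unless the two constant sets happen to coincide bit-for-bit (they do not in the headers I know, where RTC/RTR sit at different positions than TIOCM_DTR/TIOCM_RTS), tiocmget reports the wrong local signals — the very thing the commit sets out to fix. Translate explicitly: `return ((v24_sig & RFCOMM_V24_RTC) ? TIOCM_DTR : 0) | ((v24_sig & RFCOMM_V24_RTR) ? TIOCM_RTS : 0) | dev->modem_status;`. rfcomm_tty_tiocmset() continues past the end of the hunk.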
diff --git a/queue-6.17/fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch b/queue-6.17/fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch
new file mode 100644 (file)
index 0000000..060e7dc
--- /dev/null
@@ -0,0 +1,113 @@
+From a1f3058930745d2b938b6b4f5bd9630dc74b26b7 Mon Sep 17 00:00:00 2001
+From: Quanmin Yan <yanquanmin1@huawei.com>
+Date: Fri, 10 Oct 2025 16:16:59 +0800
+Subject: fbcon: Set fb_display[i]->mode to NULL when the mode is released
+
+From: Quanmin Yan <yanquanmin1@huawei.com>
+
+commit a1f3058930745d2b938b6b4f5bd9630dc74b26b7 upstream.
+
+Recently, we discovered the following issue through syzkaller:
+
+BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0
+Read of size 4 at addr ff11000001b3c69c by task syz.xxx
+...
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xab/0xe0
+ print_address_description.constprop.0+0x2c/0x390
+ print_report+0xb9/0x280
+ kasan_report+0xb8/0xf0
+ fb_mode_is_equal+0x285/0x2f0
+ fbcon_mode_deleted+0x129/0x180
+ fb_set_var+0xe7f/0x11d0
+ do_fb_ioctl+0x6a0/0x750
+ fb_ioctl+0xe0/0x140
+ __x64_sys_ioctl+0x193/0x210
+ do_syscall_64+0x5f/0x9c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Based on experimentation and analysis, during framebuffer unregistration,
+only the memory of fb_info->modelist is freed, without setting the
+corresponding fb_display[i]->mode to NULL for the freed modes. This leads
+to UAF issues during subsequent accesses. Here's an example of reproduction
+steps:
+1. With /dev/fb0 already registered in the system, load a kernel module
+   to register a new device /dev/fb1;
+2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
+3. Switch console from fb to VGA (to allow normal rmmod of the ko);
+4. Unload the kernel module, at this point fb1's modelist is freed, leaving
+   a wild pointer in fb_display[];
+5. Trigger the bug via system calls through fb0 attempting to delete a mode
+   from fb0.
+
+Add a check in do_unregister_framebuffer(): if the mode to be freed exists
+in fb_display[], set the corresponding mode pointer to NULL.
+
+Signed-off-by: Quanmin Yan <yanquanmin1@huawei.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fbcon.c |   19 +++++++++++++++++++
+ drivers/video/fbdev/core/fbmem.c |    1 +
+ include/linux/fbcon.h            |    2 ++
+ 3 files changed, 22 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -2817,6 +2817,25 @@ int fbcon_mode_deleted(struct fb_info *i
+       return found;
+ }
++static void fbcon_delete_mode(struct fb_videomode *m)
++{
++      struct fbcon_display *p;
++
++      for (int i = first_fb_vc; i <= last_fb_vc; i++) {
++              p = &fb_display[i];
++              if (p->mode == m)
++                      p->mode = NULL;
++      }
++}
++
++void fbcon_delete_modelist(struct list_head *head)
++{
++      struct fb_modelist *modelist;
++
++      list_for_each_entry(modelist, head, list)
++              fbcon_delete_mode(&modelist->mode);
++}
++
+ #ifdef CONFIG_VT_HW_CONSOLE_BINDING
+ static void fbcon_unbind(void)
+ {
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -544,6 +544,7 @@ static void do_unregister_framebuffer(st
+               fb_info->pixmap.addr = NULL;
+       }
++      fbcon_delete_modelist(&fb_info->modelist);
+       fb_destroy_modelist(&fb_info->modelist);
+       registered_fb[fb_info->node] = NULL;
+       num_registered_fb--;
+--- a/include/linux/fbcon.h
++++ b/include/linux/fbcon.h
+@@ -11,6 +11,7 @@ void fbcon_suspended(struct fb_info *inf
+ void fbcon_resumed(struct fb_info *info);
+ int fbcon_mode_deleted(struct fb_info *info,
+                      struct fb_videomode *mode);
++void fbcon_delete_modelist(struct list_head *head);
+ void fbcon_new_modelist(struct fb_info *info);
+ void fbcon_get_requirement(struct fb_info *info,
+                          struct fb_blit_caps *caps);
+@@ -31,6 +32,7 @@ static inline void fbcon_suspended(struc
+ static inline void fbcon_resumed(struct fb_info *info) {}
+ static inline int fbcon_mode_deleted(struct fb_info *info,
+                                    struct fb_videomode *mode) { return 0; }
++static inline void fbcon_delete_modelist(struct list_head *head) {}
+ static inline void fbcon_new_modelist(struct fb_info *info) {}
+ static inline void fbcon_get_requirement(struct fb_info *info,
+                                        struct fb_blit_caps *caps) {}
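Review bot: fbcon_delete_modelist() writes `fb_display[i].mode` from do_unregister_framebuffer() without the console lock visible at the call site, while the reader that crashed, fbcon_mode_deleted() via fb_set_var(), runs under console_lock(); if do_unregister_framebuffer() is not already called with the console locked (its callers are outside this hunk), the store and the compare race. Wrapping the call as `console_lock(); fbcon_delete_modelist(&fb_info->modelist); console_unlock();` would match how the rest of fbcon guards fb_display[], assuming no caller already holds it. Also worth confirming that every consumer of `p->mode` tolerates NULL, since this is a new way for a live console slot to end up with no mode. The new helper would benefit from a header comment such as `/* Drop fb_display[] references to modes about to be freed with this modelist. */`.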
diff --git a/queue-6.17/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch b/queue-6.17/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch
new file mode 100644 (file)
index 0000000..faa7a43
--- /dev/null
@@ -0,0 +1,49 @@
+From 7073c7fc8d8ba47194e5fc58fcafc0efe7586e9b Mon Sep 17 00:00:00 2001
+From: Daniel Palmer <daniel@0x0f.com>
+Date: Fri, 24 Oct 2025 18:37:15 +0900
+Subject: fbdev: atyfb: Check if pll_ops->init_pll failed
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+commit 7073c7fc8d8ba47194e5fc58fcafc0efe7586e9b upstream.
+
+Actually check the return value from pll_ops->init_pll()
+as it can return an error.
+
+If the card's BIOS didn't run because it's not the primary VGA card
+the fact that the xclk source is unsupported is printed as shown
+below but the driver continues on regardless and on my machine causes
+a hard lock up.
+
+[   61.470088] atyfb 0000:03:05.0: enabling device (0080 -> 0083)
+[   61.476191] atyfb: using auxiliary register aperture
+[   61.481239] atyfb: 3D RAGE XL (Mach64 GR, PCI-33) [0x4752 rev 0x27]
+[   61.487569] atyfb: 512K SGRAM (1:1), 14.31818 MHz XTAL, 230 MHz PLL, 83 Mhz MCLK, 63 MHz XCLK
+[   61.496112] atyfb: Unsupported xclk source:  5.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/aty/atyfb_base.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -2614,8 +2614,12 @@ static int aty_init(struct fb_info *info
+               pr_cont("\n");
+       }
+ #endif
+-      if (par->pll_ops->init_pll)
+-              par->pll_ops->init_pll(info, &par->pll);
++      if (par->pll_ops->init_pll) {
++              ret = par->pll_ops->init_pll(info, &par->pll);
++              if (ret)
++                      return ret;
++      }
++
+       if (par->pll_ops->resume_pll)
+               par->pll_ops->resume_pll(info, &par->pll);
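Review bot: The new `return ret;` after a failed init_pll() bails out of aty_init() directly; if the function has a common exit label further down that undoes earlier setup (the cmap allocation, the saved CRTC/PLL state it restores on other failures), this path skips it, so the early return should probably be a `goto` to that label. The remainder of aty_init(), including any such label, lies outside this hunk, so this needs checking against the full function. A short why-comment on the check would also help, e.g. `/* an unsupported clock source leaves the chip unprogrammable; bail before touching the CRTC */`.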
diff --git a/queue-6.17/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch b/queue-6.17/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
new file mode 100644 (file)
index 0000000..0c4e5a2
--- /dev/null
@@ -0,0 +1,70 @@
+From 18c4ef4e765a798b47980555ed665d78b71aeadf Mon Sep 17 00:00:00 2001
+From: Junjie Cao <junjie.cao@intel.com>
+Date: Mon, 20 Oct 2025 21:47:01 +0800
+Subject: fbdev: bitblit: bound-check glyph index in bit_putcs*
+
+From: Junjie Cao <junjie.cao@intel.com>
+
+commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
+
+bit_putcs_aligned()/unaligned() derived the glyph pointer from the
+character value masked by 0xff/0x1ff, which may exceed the actual font's
+glyph count and read past the end of the built-in font array.
+Clamp the index to the actual glyph count before computing the address.
+
+This fixes a global out-of-bounds read reported by syzbot.
+
+Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
+Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
+Signed-off-by: Junjie Cao <junjie.cao@intel.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/bitblit.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/bitblit.c
++++ b/drivers/video/fbdev/core/bitblit.c
+@@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(str
+                                    struct fb_image *image, u8 *buf, u8 *dst)
+ {
+       u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
++      unsigned int charcnt = vc->vc_font.charcount;
+       u32 idx = vc->vc_font.width >> 3;
+       u8 *src;
+       while (cnt--) {
+-              src = vc->vc_font.data + (scr_readw(s++)&
+-                                        charmask)*cellsize;
++              u16 ch = scr_readw(s++) & charmask;
++
++              if (ch >= charcnt)
++                      ch = 0;
++              src = vc->vc_font.data + (unsigned int)ch * cellsize;
+               if (attr) {
+                       update_attr(buf, src, attr, vc);
+@@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(s
+                                      u8 *dst)
+ {
+       u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
++      unsigned int charcnt = vc->vc_font.charcount;
+       u32 shift_low = 0, mod = vc->vc_font.width % 8;
+       u32 shift_high = 8;
+       u32 idx = vc->vc_font.width >> 3;
+       u8 *src;
+       while (cnt--) {
+-              src = vc->vc_font.data + (scr_readw(s++)&
+-                                        charmask)*cellsize;
++              u16 ch = scr_readw(s++) & charmask;
++
++              if (ch >= charcnt)
++                      ch = 0;
++              src = vc->vc_font.data + (unsigned int)ch * cellsize;
+               if (attr) {
+                       update_attr(buf, src, attr, vc);
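Review bot: The clamp `if (ch >= charcnt) ch = 0;` substitutes glyph 0 for any out-of-range character, and the same five lines are now duplicated in bit_putcs_aligned() and bit_putcs_unaligned(); a small static helper returning the bounded glyph pointer would keep the two sites in step if the fallback ever changes. If vc_font.charcount can be 0 (no font installed) the fallback index 0 is still one glyph past the end — presumably unreachable for a loaded font, but a comment such as `/* out-of-range glyphs fall back to glyph 0; charcount is assumed non-zero for an installed font */` would record the assumption. Both functions continue outside the hunk.
```c
/* Glyph pointer for character ch, bounded by the installed font's glyph count. */
static inline u8 *bit_glyph(struct vc_data *vc, u16 ch, u32 cellsize)
{
	if (ch >= vc->vc_font.charcount)
		ch = 0;
	return vc->vc_font.data + (unsigned int)ch * cellsize;
}
/* … in bit_putcs_aligned() and bit_putcs_unaligned(), the while (cnt--) body: … */
		src = bit_glyph(vc, scr_readw(s++) & charmask, cellsize);
```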
diff --git a/queue-6.17/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch b/queue-6.17/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
new file mode 100644 (file)
index 0000000..e05e769
--- /dev/null
@@ -0,0 +1,34 @@
+From 5f566c0ac51cd2474e47da68dbe719d3acf7d999 Mon Sep 17 00:00:00 2001
+From: Florian Fuchs <fuchsfl@gmail.com>
+Date: Sun, 26 Oct 2025 00:38:50 +0200
+Subject: fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS
+
+From: Florian Fuchs <fuchsfl@gmail.com>
+
+commit 5f566c0ac51cd2474e47da68dbe719d3acf7d999 upstream.
+
+Commit e24cca19babe ("sh: Kill off MAX_DMA_ADDRESS leftovers.") removed
+the define ONCHIP_NR_DMA_CHANNELS. So that the leftover reference needs
+to be replaced by CONFIG_NR_ONCHIP_DMA_CHANNELS to compile successfully
+with CONFIG_PVR2_DMA enabled.
+
+Signed-off-by: Florian Fuchs <fuchsfl@gmail.com>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/pvr2fb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/pvr2fb.c
++++ b/drivers/video/fbdev/pvr2fb.c
+@@ -192,7 +192,7 @@ static unsigned long pvr2fb_map;
+ #ifdef CONFIG_PVR2_DMA
+ static unsigned int shdma = PVR2_CASCADE_CHAN;
+-static unsigned int pvr2dma = ONCHIP_NR_DMA_CHANNELS;
++static unsigned int pvr2dma = CONFIG_NR_ONCHIP_DMA_CHANNELS;
+ #endif
+ static struct fb_videomode pvr2_modedb[] = {
diff --git a/queue-6.17/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch b/queue-6.17/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
new file mode 100644 (file)
index 0000000..020e791
--- /dev/null
@@ -0,0 +1,40 @@
+From eb53368f8d6e2dfba84c8a94d245719bcf9ae270 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 16:43:37 +0800
+Subject: fbdev: valkyriefb: Fix reference count leak in valkyriefb_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit eb53368f8d6e2dfba84c8a94d245719bcf9ae270 upstream.
+
+The of_find_node_by_name() function returns a device tree node with its
+reference count incremented. The caller is responsible for calling
+of_node_put() to release this reference when done.
+
+Found via static analysis.
+
+Fixes: cc5d0189b9ba ("[PATCH] powerpc: Remove device_node addrs/n_addr")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/valkyriefb.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/valkyriefb.c
++++ b/drivers/video/fbdev/valkyriefb.c
+@@ -329,11 +329,13 @@ static int __init valkyriefb_init(void)
+               if (of_address_to_resource(dp, 0, &r)) {
+                       printk(KERN_ERR "can't find address for valkyrie\n");
++                      of_node_put(dp);
+                       return 0;
+               }
+               frame_buffer_phys = r.start;
+               cmap_regs_phys = r.start + 0x304000;
++              of_node_put(dp);
+       }
+ #endif /* ppc (!CONFIG_MAC) */
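Review bot: of_node_put(dp) is now called on both the error path and the success path of the same if-block; a single of_node_put() placed after the block, with the error path jumping to it, would be harder to get wrong when another early return is added later. The error path still does `return 0;` after printing an error, so valkyriefb_init() reports success when no address is found — that predates this change and may be deliberate for an optional device, but a one-line comment saying so would help. valkyriefb_init() starts and ends outside the hunk.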
diff --git a/queue-6.17/mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch b/queue-6.17/mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch
new file mode 100644 (file)
index 0000000..93e2b84
--- /dev/null
@@ -0,0 +1,95 @@
+From 27b0e701d3872ba59c5b579a9e8a02ea49ad3d3b Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 28 Oct 2025 09:16:52 +0100
+Subject: mptcp: drop bogus optimization in __mptcp_check_push()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 27b0e701d3872ba59c5b579a9e8a02ea49ad3d3b upstream.
+
+Accessing the transmit queue without owning the msk socket lock is
+inherently racy, hence __mptcp_check_push() could actually quit early
+even when there is pending data.
+
+That in turn could cause unexpected tx lock and timeout.
+
+Dropping the early check avoids the race, implicitly relaying on later
+tests under the relevant lock. With such change, all the other
+mptcp_send_head() call sites are now under the msk socket lock and we
+can additionally drop the now unneeded annotation on the transmit head
+pointer accesses.
+
+Fixes: 6e628cd3a8f7 ("mptcp: use mptcp release_cb for delayed tasks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Tested-by: Geliang Tang <geliang@kernel.org>
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-1-38ffff5a9ec8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |   11 ++++-------
+ net/mptcp/protocol.h |    2 +-
+ 2 files changed, 5 insertions(+), 8 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -965,7 +965,7 @@ static void __mptcp_clean_una(struct soc
+                       if (WARN_ON_ONCE(!msk->recovery))
+                               break;
+-                      WRITE_ONCE(msk->first_pending, mptcp_send_next(sk));
++                      msk->first_pending = mptcp_send_next(sk);
+               }
+               dfrag_clear(sk, dfrag);
+@@ -1510,7 +1510,7 @@ static int __subflow_push_pending(struct
+                       mptcp_update_post_push(msk, dfrag, ret);
+               }
+-              WRITE_ONCE(msk->first_pending, mptcp_send_next(sk));
++              msk->first_pending = mptcp_send_next(sk);
+               if (msk->snd_burst <= 0 ||
+                   !sk_stream_memory_free(ssk) ||
+@@ -1854,7 +1854,7 @@ static int mptcp_sendmsg(struct sock *sk
+                       get_page(dfrag->page);
+                       list_add_tail(&dfrag->list, &msk->rtx_queue);
+                       if (!msk->first_pending)
+-                              WRITE_ONCE(msk->first_pending, dfrag);
++                              msk->first_pending = dfrag;
+               }
+               pr_debug("msk=%p dfrag at seq=%llu len=%u sent=%u new=%d\n", msk,
+                        dfrag->data_seq, dfrag->data_len, dfrag->already_sent,
+@@ -2854,7 +2854,7 @@ static void __mptcp_clear_xmit(struct so
+       struct mptcp_sock *msk = mptcp_sk(sk);
+       struct mptcp_data_frag *dtmp, *dfrag;
+-      WRITE_ONCE(msk->first_pending, NULL);
++      msk->first_pending = NULL;
+       list_for_each_entry_safe(dfrag, dtmp, &msk->rtx_queue, list)
+               dfrag_clear(sk, dfrag);
+ }
+@@ -3394,9 +3394,6 @@ void __mptcp_data_acked(struct sock *sk)
+ void __mptcp_check_push(struct sock *sk, struct sock *ssk)
+ {
+-      if (!mptcp_send_head(sk))
+-              return;
+-
+       if (!sock_owned_by_user(sk))
+               __mptcp_subflow_push_pending(sk, ssk, false);
+       else
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -414,7 +414,7 @@ static inline struct mptcp_data_frag *mp
+ {
+       const struct mptcp_sock *msk = mptcp_sk(sk);
+-      return READ_ONCE(msk->first_pending);
++      return msk->first_pending;
+ }
+ static inline struct mptcp_data_frag *mptcp_send_next(struct sock *sk)
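Review bot: Dropping READ_ONCE()/WRITE_ONCE() on msk->first_pending makes every access depend on the msk socket lock being held, which this hunk cannot show for the call sites outside it; the contract should be stated where the accessor lives. A comment on mptcp_send_head(), e.g. `/* Requires the msk socket lock: first_pending is no longer accessed locklessly. */`, and possibly `sock_owned_by_me(sk);` at the top of it, would let lockdep catch a future lockless caller. The same point applies to the four protocol.c hunks above that remove WRITE_ONCE().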
diff --git a/queue-6.17/mptcp-restore-window-probe.patch b/queue-6.17/mptcp-restore-window-probe.patch
new file mode 100644 (file)
index 0000000..ddf890e
--- /dev/null
@@ -0,0 +1,48 @@
+From a824084b98d8a1dbd6e85d0842a8eb5e73467f59 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 28 Oct 2025 09:16:54 +0100
+Subject: mptcp: restore window probe
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit a824084b98d8a1dbd6e85d0842a8eb5e73467f59 upstream.
+
+Since commit 72377ab2d671 ("mptcp: more conservative check for zero
+probes") the MPTCP-level zero window probe check is always disabled, as
+the TCP-level write queue always contains at least the newly allocated
+skb.
+
+Refine the relevant check tacking in account that the above condition
+and that such skb can have zero length.
+
+Fixes: 72377ab2d671 ("mptcp: more conservative check for zero probes")
+Cc: stable@vger.kernel.org
+Reported-by: Geliang Tang <geliang@kernel.org>
+Closes: https://lore.kernel.org/d0a814c364e744ca6b836ccd5b6e9146882e8d42.camel@kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Tested-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-3-38ffff5a9ec8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -1257,7 +1257,12 @@ alloc_skb:
+       if (copy == 0) {
+               u64 snd_una = READ_ONCE(msk->snd_una);
+-              if (snd_una != msk->snd_nxt || tcp_write_queue_tail(ssk)) {
++              /* No need for zero probe if there are any data pending
++               * either at the msk or ssk level; skb is the current write
++               * queue tail and can be empty at this point.
++               */
++              if (snd_una != msk->snd_nxt || skb->len ||
++                  skb != tcp_send_head(ssk)) {
+                       tcp_remove_empty_skb(ssk);
+                       return 0;
+               }
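Review bot: The new condition dereferences `skb->len` before comparing skb with tcp_send_head(ssk); whether skb can be NULL at this point depends on the alloc_skb: path above the hunk, which is not visible here, so that ordering should be confirmed. The added comment explains the intent well; saying explicitly that skb is the freshly obtained, possibly empty tail, e.g. `/* skb is the skb obtained under the alloc_skb label above and is non-NULL here */`, would make the safety of the check order obvious. The enclosing function starts and ends outside the hunk.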
diff --git a/queue-6.17/net-phy-dp83867-disable-eee-support-as-not-implemented.patch b/queue-6.17/net-phy-dp83867-disable-eee-support-as-not-implemented.patch
new file mode 100644 (file)
index 0000000..4982322
--- /dev/null
@@ -0,0 +1,50 @@
+From 84a905290cb4c3d9a71a9e3b2f2e02e031e7512f Mon Sep 17 00:00:00 2001
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Date: Thu, 23 Oct 2025 16:48:53 +0200
+Subject: net: phy: dp83867: Disable EEE support as not implemented
+
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+
+commit 84a905290cb4c3d9a71a9e3b2f2e02e031e7512f upstream.
+
+While the DP83867 PHYs report EEE capability through their feature
+registers, the actual hardware does not support EEE (see Links).
+When the connected MAC enables EEE, it causes link instability and
+communication failures.
+
+The issue is reproducible with a iMX8MP and relevant stmmac ethernet port.
+Since the introduction of phylink-managed EEE support in the stmmac driver,
+EEE is now enabled by default, leading to issues on systems using the
+DP83867 PHY.
+
+Call phy_disable_eee during phy initialization to prevent EEE from being
+enabled on DP83867 PHYs.
+
+Link: https://e2e.ti.com/support/interface-group/interface/f/interface-forum/1445244/dp83867ir-dp83867-disable-eee-lpi
+Link: https://e2e.ti.com/support/interface-group/interface/f/interface-forum/658638/dp83867ir-eee-energy-efficient-ethernet
+Fixes: 2a10154abcb7 ("net: phy: dp83867: Add TI dp83867 phy")
+Cc: stable@vger.kernel.org
+Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251023144857.529566-1-ghidoliemanuele@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83867.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/phy/dp83867.c
++++ b/drivers/net/phy/dp83867.c
+@@ -738,6 +738,12 @@ static int dp83867_config_init(struct ph
+                       return ret;
+       }
++      /* Although the DP83867 reports EEE capability through the
++       * MDIO_PCS_EEE_ABLE and MDIO_AN_EEE_ADV registers, the feature
++       * is not actually implemented in hardware.
++       */
++      phy_disable_eee(phydev);
++
+       if (phy_interface_is_rgmii(phydev) ||
+           phydev->interface == PHY_INTERFACE_MODE_SGMII) {
+               val = phy_read(phydev, MII_DP83867_PHYCTRL);
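Review bot: phy_disable_eee() is called unconditionally in dp83867_config_init(), so the new comment is the only record of why; carrying the vendor reference from the commit message into it, e.g. `* See the TI E2E threads cited in commit 84a905290cb4.`, would spare a future reader a trip through git history if a DP83867 revision that does implement EEE ever appears. dp83867_config_init() continues outside the hunk; if config_init runs again after a PHY reset, the call is presumably idempotent, which is worth confirming.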
diff --git a/queue-6.17/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch b/queue-6.17/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch
new file mode 100644 (file)
index 0000000..26fca70
--- /dev/null
@@ -0,0 +1,61 @@
+From dc89548c6926d68dfdda11bebc1a5258bc41d887 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 00:43:16 +0800
+Subject: net: usb: asix_devices: Check return value of usbnet_get_endpoints
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit dc89548c6926d68dfdda11bebc1a5258bc41d887 upstream.
+
+The code did not check the return value of usbnet_get_endpoints.
+Add checks and return the error if it fails to transfer the error.
+
+Found via static anlaysis and this is similar to
+commit 07161b2416f7 ("sr9800: Add check for usbnet_get_endpoints").
+
+Fixes: 933a27d39e0e ("USB: asix - Add AX88178 support and many other changes")
+Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://patch.msgid.link/20251026164318.57624-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/asix_devices.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -230,7 +230,9 @@ static int ax88172_bind(struct usbnet *d
+       int i;
+       unsigned long gpio_bits = dev->driver_info->data;
+-      usbnet_get_endpoints(dev,intf);
++      ret = usbnet_get_endpoints(dev, intf);
++      if (ret)
++              goto out;
+       /* Toggle the GPIOs in a manufacturer/model specific way */
+       for (i = 2; i >= 0; i--) {
+@@ -848,7 +850,9 @@ static int ax88772_bind(struct usbnet *d
+       dev->driver_priv = priv;
+-      usbnet_get_endpoints(dev, intf);
++      ret = usbnet_get_endpoints(dev, intf);
++      if (ret)
++              return ret;
+       /* Maybe the boot loader passed the MAC address via device tree */
+       if (!eth_platform_get_mac_address(&dev->udev->dev, buf)) {
+@@ -1281,7 +1285,9 @@ static int ax88178_bind(struct usbnet *d
+       int ret;
+       u8 buf[ETH_ALEN] = {0};
+-      usbnet_get_endpoints(dev,intf);
++      ret = usbnet_get_endpoints(dev, intf);
++      if (ret)
++              return ret;
+       /* Get the MAC address */
+       ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
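Review bot: The three new checks handle the failure differently: ax88172_bind() uses `goto out` while ax88772_bind() and ax88178_bind() `return ret;` directly. If the out: label in ax88172_bind() only returns ret, a direct `return ret;` would make the three sites uniform; if it releases something acquired before this point, then the direct returns in the other two functions are the ones to re-check. All three functions start and end outside the hunks.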
diff --git a/queue-6.17/nfsd-define-actions-for-the-new-time_deleg-fattr4-attributes.patch b/queue-6.17/nfsd-define-actions-for-the-new-time_deleg-fattr4-attributes.patch
new file mode 100644 (file)
index 0000000..0294819
--- /dev/null
@@ -0,0 +1,71 @@
+From 4f76435fd517981f01608678c06ad9718a86ee98 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Mon, 29 Sep 2025 12:53:40 -0400
+Subject: NFSD: Define actions for the new time_deleg FATTR4 attributes
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 4f76435fd517981f01608678c06ad9718a86ee98 upstream.
+
+NFSv4 clients won't send legitimate GETATTR requests for these new
+attributes because they are intended to be used only with CB_GETATTR
+and SETATTR. But NFSD has to do something besides crashing if it
+ever sees a GETATTR request that queries these attributes.
+
+RFC 8881 Section 18.7.3 states:
+
+> The server MUST return a value for each attribute that the client
+> requests if the attribute is supported by the server for the
+> target file system. If the server does not support a particular
+> attribute on the target file system, then it MUST NOT return the
+> attribute value and MUST NOT set the attribute bit in the result
+> bitmap. The server MUST return an error if it supports an
+> attribute on the target but cannot obtain its value. In that case,
+> no attribute values will be returned.
+
+Further, RFC 9754 Section 5 states:
+
+> These new attributes are invalid to be used with GETATTR, VERIFY,
+> and NVERIFY, and they can only be used with CB_GETATTR and SETATTR
+> by a client holding an appropriate delegation.
+
+Thus there does not appear to be a specific server response mandated
+by specification. Taking the guidance that querying these attributes
+via GETATTR is "invalid", NFSD will return nfserr_inval, failing the
+request entirely.
+
+Reported-by: Robert Morris <rtm@csail.mit.edu>
+Closes: https://lore.kernel.org/linux-nfs/7819419cf0cb50d8130dc6b747765d2b8febc88a.camel@kernel.org/T/#t
+Fixes: 51c0d4f7e317 ("nfsd: add support for FATTR4_OPEN_ARGUMENTS")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4xdr.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2939,6 +2939,12 @@ struct nfsd4_fattr_args {
+ typedef __be32(*nfsd4_enc_attr)(struct xdr_stream *xdr,
+                               const struct nfsd4_fattr_args *args);
++static __be32 nfsd4_encode_fattr4__inval(struct xdr_stream *xdr,
++                                       const struct nfsd4_fattr_args *args)
++{
++      return nfserr_inval;
++}
++
+ static __be32 nfsd4_encode_fattr4__noop(struct xdr_stream *xdr,
+                                       const struct nfsd4_fattr_args *args)
+ {
+@@ -3560,6 +3566,8 @@ static const nfsd4_enc_attr nfsd4_enc_fa
+       [FATTR4_MODE_UMASK]             = nfsd4_encode_fattr4__noop,
+       [FATTR4_XATTR_SUPPORT]          = nfsd4_encode_fattr4_xattr_support,
++      [FATTR4_TIME_DELEG_ACCESS]      = nfsd4_encode_fattr4__inval,
++      [FATTR4_TIME_DELEG_MODIFY]      = nfsd4_encode_fattr4__inval,
+       [FATTR4_OPEN_ARGUMENTS]         = nfsd4_encode_fattr4_open_arguments,
+ };
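Review bot: nfsd4_encode_fattr4__inval() returns nfserr_inval with no comment on why an encoder rejects instead of encoding; the reasoning lives only in the commit message. A short comment above the function, e.g. `/* RFC 9754 Section 5: the time_deleg attributes are valid only in CB_GETATTR and SETATTR; a GETATTR/VERIFY/NVERIFY that asks for them fails the whole request. */`, would let the next reader tell it apart from the __noop encoder directly below it. The effect — failing the entire request rather than omitting the attribute — is what the description intends, so documenting that it is deliberate matters.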
diff --git a/queue-6.17/nfsd-fix-crash-in-nfsd4_read_release.patch b/queue-6.17/nfsd-fix-crash-in-nfsd4_read_release.patch
new file mode 100644 (file)
index 0000000..51e038d
--- /dev/null
@@ -0,0 +1,38 @@
+From abb1f08a2121dd270193746e43b2a9373db9ad84 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 30 Sep 2025 10:05:20 -0400
+Subject: NFSD: Fix crash in nfsd4_read_release()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit abb1f08a2121dd270193746e43b2a9373db9ad84 upstream.
+
+When tracing is enabled, the trace_nfsd_read_done trace point
+crashes during the pynfs read.testNoFh test.
+
+Fixes: 15a8b55dbb1b ("nfsd: call op_release, even when op_func returns an error")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -988,10 +988,11 @@ nfsd4_read(struct svc_rqst *rqstp, struc
+ static void
+ nfsd4_read_release(union nfsd4_op_u *u)
+ {
+-      if (u->read.rd_nf)
++      if (u->read.rd_nf) {
++              trace_nfsd_read_done(u->read.rd_rqstp, u->read.rd_fhp,
++                                   u->read.rd_offset, u->read.rd_length);
+               nfsd_file_put(u->read.rd_nf);
+-      trace_nfsd_read_done(u->read.rd_rqstp, u->read.rd_fhp,
+-                           u->read.rd_offset, u->read.rd_length);
++      }
+ }
+ static __be32
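Review bot: Moving trace_nfsd_read_done() inside `if (u->read.rd_nf)` means the trace point is no longer emitted when the read failed before a file was acquired; that is the fix, but nothing at the site says why. A comment such as `/* rd_rqstp/rd_fhp are only valid once a file was acquired (rd_nf set); tracing without it reads uninitialised fields */` would record the invariant — hedged, since the hunk does not show where those fields are populated.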
diff --git a/queue-6.17/revert-bluetooth-l2cap-convert-timeouts-to-secs_to_jiffies.patch b/queue-6.17/revert-bluetooth-l2cap-convert-timeouts-to-secs_to_jiffies.patch
new file mode 100644 (file)
index 0000000..4c65f5c
--- /dev/null
@@ -0,0 +1,71 @@
+From 76e20da0bd00c556ed0a1e7250bdb6ac3e808ea8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= <frederic.danis@collabora.com>
+Date: Mon, 6 Oct 2025 10:35:44 +0200
+Subject: Revert "Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frédéric Danis <frederic.danis@collabora.com>
+
+commit 76e20da0bd00c556ed0a1e7250bdb6ac3e808ea8 upstream.
+
+This reverts commit c9d84da18d1e0d28a7e16ca6df8e6d47570501d4. It
+replaces in L2CAP calls to msecs_to_jiffies() to secs_to_jiffies()
+and updates the constants accordingly. But the constants are also
+used in LCAP Configure Request and L2CAP Configure Response which
+expect values in milliseconds.
+This may prevent correct usage of L2CAP channel.
+
+To fix it, keep those constants in milliseconds and so revert this
+change.
+
+Fixes: c9d84da18d1e ("Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()")
+Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/l2cap.h | 4 ++--
+ net/bluetooth/l2cap_core.c    | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
+index 4bb0eaedda18..00e182a22720 100644
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -38,8 +38,8 @@
+ #define L2CAP_DEFAULT_TX_WINDOW               63
+ #define L2CAP_DEFAULT_EXT_WINDOW      0x3FFF
+ #define L2CAP_DEFAULT_MAX_TX          3
+-#define L2CAP_DEFAULT_RETRANS_TO      2    /* seconds */
+-#define L2CAP_DEFAULT_MONITOR_TO      12   /* seconds */
++#define L2CAP_DEFAULT_RETRANS_TO      2000    /* 2 seconds */
++#define L2CAP_DEFAULT_MONITOR_TO      12000   /* 12 seconds */
+ #define L2CAP_DEFAULT_MAX_PDU_SIZE    1492    /* Sized for AMP packet */
+ #define L2CAP_DEFAULT_ACK_TO          200
+ #define L2CAP_DEFAULT_MAX_SDU_SIZE    0xFFFF
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 805c752ac0a9..d08320380ad6 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -282,7 +282,7 @@ static void __set_retrans_timer(struct l2cap_chan *chan)
+       if (!delayed_work_pending(&chan->monitor_timer) &&
+           chan->retrans_timeout) {
+               l2cap_set_timer(chan, &chan->retrans_timer,
+-                              secs_to_jiffies(chan->retrans_timeout));
++                              msecs_to_jiffies(chan->retrans_timeout));
+       }
+ }
+@@ -291,7 +291,7 @@ static void __set_monitor_timer(struct l2cap_chan *chan)
+       __clear_retrans_timer(chan);
+       if (chan->monitor_timeout) {
+               l2cap_set_timer(chan, &chan->monitor_timer,
+-                              secs_to_jiffies(chan->monitor_timeout));
++                              msecs_to_jiffies(chan->monitor_timeout));
+       }
+ }
+-- 
+2.51.2
+
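Review bot: The restored constants carry the comment `/* 2 seconds */` next to a value of 2000, which is exactly the ambiguity that invited the reverted conversion; spelling the unit out, e.g. `#define L2CAP_DEFAULT_RETRANS_TO 2000 /* ms; also sent on the wire in Configure Request/Response */`, would guard against the next secs_to_jiffies() sweep. L2CAP_DEFAULT_ACK_TO on the adjacent context line has no unit comment at all. The l2cap_core.c hunks correctly restore msecs_to_jiffies() for the same values.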
diff --git a/queue-6.17/revert-nfsd-remove-the-cap-on-number-of-operations-per-nfsv4-compound.patch b/queue-6.17/revert-nfsd-remove-the-cap-on-number-of-operations-per-nfsv4-compound.patch
new file mode 100644 (file)
index 0000000..8929e37
--- /dev/null
@@ -0,0 +1,121 @@
+From 3e7f011c255582d7c914133785bbba1990441713 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Thu, 2 Oct 2025 10:00:51 -0400
+Subject: Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 3e7f011c255582d7c914133785bbba1990441713 upstream.
+
+I've found that pynfs COMP6 now leaves the connection or lease in a
+strange state, which causes CLOSE9 to hang indefinitely. I've dug
+into it a little, but I haven't been able to root-cause it yet.
+However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on
+number of operations per NFSv4 COMPOUND").
+
+Tianshuo Han also reports a potential vulnerability when decoding
+an NFSv4 COMPOUND. An attacker can place an arbitrarily large op
+count in the COMPOUND header, which results in:
+
+[   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total
+pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO),
+nodemask=(null),cpuset=/,mems_allowed=0
+
+when NFSD attempts to allocate the COMPOUND op array.
+
+Let's restore the operation-per-COMPOUND limit, but increased to 200
+for now.
+
+Reported-by: tianshuo han <hantianshuo233@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Tested-by: Tianshuo Han <hantianshuo233@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c  |   14 ++++++++++++--
+ fs/nfsd/nfs4state.c |    1 +
+ fs/nfsd/nfs4xdr.c   |    4 +++-
+ fs/nfsd/nfsd.h      |    3 +++
+ fs/nfsd/xdr4.h      |    1 +
+ 5 files changed, 20 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -2859,10 +2859,20 @@ nfsd4_proc_compound(struct svc_rqst *rqs
+       rqstp->rq_lease_breaker = (void **)&cstate->clp;
+-      trace_nfsd_compound(rqstp, args->tag, args->taglen, args->opcnt);
++      trace_nfsd_compound(rqstp, args->tag, args->taglen, args->client_opcnt);
+       while (!status && resp->opcnt < args->opcnt) {
+               op = &args->ops[resp->opcnt++];
++              if (unlikely(resp->opcnt == NFSD_MAX_OPS_PER_COMPOUND)) {
++                      /* If there are still more operations to process,
++                       * stop here and report NFS4ERR_RESOURCE. */
++                      if (cstate->minorversion == 0 &&
++                          args->client_opcnt > resp->opcnt) {
++                              op->status = nfserr_resource;
++                              goto encode_op;
++                      }
++              }
++
+               /*
+                * The XDR decode routines may have pre-set op->status;
+                * for example, if there is a miscellaneous XDR error
+@@ -2939,7 +2949,7 @@ encode_op:
+                       status = op->status;
+               }
+-              trace_nfsd_compound_status(args->opcnt, resp->opcnt,
++              trace_nfsd_compound_status(args->client_opcnt, resp->opcnt,
+                                          status, nfsd4_op_name(op->opnum));
+               nfsd4_cstate_clear_replay(cstate);
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3865,6 +3865,7 @@ static __be32 check_forechannel_attrs(st
+       ca->headerpadsz = 0;
+       ca->maxreq_sz = min_t(u32, ca->maxreq_sz, maxrpc);
+       ca->maxresp_sz = min_t(u32, ca->maxresp_sz, maxrpc);
++      ca->maxops = min_t(u32, ca->maxops, NFSD_MAX_OPS_PER_COMPOUND);
+       ca->maxresp_cached = min_t(u32, ca->maxresp_cached,
+                       NFSD_SLOT_CACHE_SIZE + NFSD_MIN_HDR_SEQ_SZ);
+       ca->maxreqs = min_t(u32, ca->maxreqs, NFSD_MAX_SLOTS_PER_SESSION);
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2488,8 +2488,10 @@ nfsd4_decode_compound(struct nfsd4_compo
+       if (xdr_stream_decode_u32(argp->xdr, &argp->minorversion) < 0)
+               return false;
+-      if (xdr_stream_decode_u32(argp->xdr, &argp->opcnt) < 0)
++      if (xdr_stream_decode_u32(argp->xdr, &argp->client_opcnt) < 0)
+               return false;
++      argp->opcnt = min_t(u32, argp->client_opcnt,
++                          NFSD_MAX_OPS_PER_COMPOUND);
+       if (argp->opcnt > ARRAY_SIZE(argp->iops)) {
+               argp->ops = vcalloc(argp->opcnt, sizeof(*argp->ops));
+--- a/fs/nfsd/nfsd.h
++++ b/fs/nfsd/nfsd.h
+@@ -57,6 +57,9 @@ struct readdir_cd {
+       __be32                  err;    /* 0, nfserr, or nfserr_eof */
+ };
++/* Maximum number of operations per session compound */
++#define NFSD_MAX_OPS_PER_COMPOUND     200
++
+ struct nfsd_genl_rqstp {
+       struct sockaddr         rq_daddr;
+       struct sockaddr         rq_saddr;
+--- a/fs/nfsd/xdr4.h
++++ b/fs/nfsd/xdr4.h
+@@ -903,6 +903,7 @@ struct nfsd4_compoundargs {
+       char *                          tag;
+       u32                             taglen;
+       u32                             minorversion;
++      u32                             client_opcnt;
+       u32                             opcnt;
+       bool                            splice_ok;
+       struct nfsd4_op                 *ops;
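Review bot: For minorversion 0 the new block in nfsd4_proc_compound() reports NFS4ERR_RESOURCE when more than NFSD_MAX_OPS_PER_COMPOUND ops were sent, but for minorversion 1 and up argp->opcnt is silently truncated to 200 in nfsd4_decode_compound() and the remaining ops are dropped; whether a 4.1 client exceeding its negotiated maxops still gets NFS4ERR_TOO_MANY_OPS depends on nfsd4_sequence() comparing against client_opcnt rather than the truncated opcnt, which is not visible here and is worth confirming. The new comment in nfsd.h says `per session compound`, yet the cap also applies to NFSv4.0 compounds, which have no session; `/* Maximum number of operations per NFSv4 COMPOUND (all minor versions) */` would be accurate. The cap is what bounds the vcalloc() size in the reported failure, so that is the part of the change to keep even if the pynfs regression is later root-caused elsewhere.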
diff --git a/queue-6.17/s390-pci-restore-irq-unconditionally-for-the-zpci-device.patch b/queue-6.17/s390-pci-restore-irq-unconditionally-for-the-zpci-device.patch
new file mode 100644 (file)
index 0000000..33373ce
--- /dev/null
@@ -0,0 +1,82 @@
+From b45873c3f09153d1ad9b3a7bf9e5c0b0387fd2ea Mon Sep 17 00:00:00 2001
+From: Farhan Ali <alifm@linux.ibm.com>
+Date: Wed, 22 Oct 2025 09:47:26 -0700
+Subject: s390/pci: Restore IRQ unconditionally for the zPCI device
+
+From: Farhan Ali <alifm@linux.ibm.com>
+
+commit b45873c3f09153d1ad9b3a7bf9e5c0b0387fd2ea upstream.
+
+Commit c1e18c17bda6 ("s390/pci: add zpci_set_irq()/zpci_clear_irq()"),
+introduced the zpci_set_irq() and zpci_clear_irq(), to be used while
+resetting a zPCI device.
+
+Commit da995d538d3a ("s390/pci: implement reset_slot for hotplug
+slot"), mentions zpci_clear_irq() being called in the path for
+zpci_hot_reset_device().  But that is not the case anymore and these
+functions are not called outside of this file. Instead
+zpci_hot_reset_device() relies on zpci_disable_device() also clearing
+the IRQs, but misses to reset the zdev->irqs_registered flag.
+
+However after a CLP disable/enable reset, the device's IRQ are
+unregistered, but the flag zdev->irq_registered does not get cleared. It
+creates an inconsistent state and so arch_restore_msi_irqs() doesn't
+correctly restore the device's IRQ. This becomes a problem when a PCI
+driver tries to restore the state of the device through
+pci_restore_state(). Restore IRQ unconditionally for the device and remove
+the irq_registered flag as its redundant.
+
+Fixes: c1e18c17bda6 ("s390/pci: add zpci_set_irq()/zpci_clear_irq()")
+Cc: stable@vger.kernnel.org
+Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/pci.h |    1 -
+ arch/s390/pci/pci_irq.c     |    9 +--------
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+--- a/arch/s390/include/asm/pci.h
++++ b/arch/s390/include/asm/pci.h
+@@ -145,7 +145,6 @@ struct zpci_dev {
+       u8              has_resources   : 1;
+       u8              is_physfn       : 1;
+       u8              util_str_avail  : 1;
+-      u8              irqs_registered : 1;
+       u8              tid_avail       : 1;
+       u8              rtr_avail       : 1; /* Relaxed translation allowed */
+       unsigned int    devfn;          /* DEVFN part of the RID*/
+--- a/arch/s390/pci/pci_irq.c
++++ b/arch/s390/pci/pci_irq.c
+@@ -107,9 +107,6 @@ static int zpci_set_irq(struct zpci_dev
+       else
+               rc = zpci_set_airq(zdev);
+-      if (!rc)
+-              zdev->irqs_registered = 1;
+-
+       return rc;
+ }
+@@ -123,9 +120,6 @@ static int zpci_clear_irq(struct zpci_de
+       else
+               rc = zpci_clear_airq(zdev);
+-      if (!rc)
+-              zdev->irqs_registered = 0;
+-
+       return rc;
+ }
+@@ -427,8 +421,7 @@ bool arch_restore_msi_irqs(struct pci_de
+ {
+       struct zpci_dev *zdev = to_zpci(pdev);
+-      if (!zdev->irqs_registered)
+-              zpci_set_irq(zdev);
++      zpci_set_irq(zdev);
+       return true;
+ }
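Review bot: The return code of zpci_set_irq() is dropped at the new unconditional call in arch_restore_msi_irqs(), which then reports `true` to the generic MSI layer even when re-registration failed; with the irqs_registered flag removed there is no other record of whether the device's interrupts were actually restored, so such a failure is now silent. At minimum the error deserves a warning on that line, e.g. `if (zpci_set_irq(zdev)) pr_warn_once("zPCI: failed to restore IRQs\n");`, unless returning true regardless is the intended contract of arch_restore_msi_irqs() (its callers are outside the hunk, so that cannot be confirmed here). The two hunks in zpci_set_irq() and zpci_clear_irq() only remove flag updates and are fine; both functions start outside their hunks. Separately, the embedded changelog's `Cc: stable@vger.kernnel.org` misspells the domain, so the stable tag is malformed.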
diff --git a/queue-6.17/sched_ext-mark-scx_bpf_dsq_move_set_-with-kf_rcu.patch b/queue-6.17/sched_ext-mark-scx_bpf_dsq_move_set_-with-kf_rcu.patch
new file mode 100644 (file)
index 0000000..6573e55
--- /dev/null
@@ -0,0 +1,45 @@
+From 54e96258a6930909b690fd7e8889749231ba8085 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 6 Oct 2025 15:35:36 -1000
+Subject: sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 54e96258a6930909b690fd7e8889749231ba8085 upstream.
+
+scx_bpf_dsq_move_set_slice() and scx_bpf_dsq_move_set_vtime() take a DSQ
+iterator argument which has to be valid. Mark them with KF_RCU.
+
+Fixes: 4c30f5ce4f7a ("sched_ext: Implement scx_bpf_dispatch[_vtime]_from_dsq()")
+Cc: stable@vger.kernel.org # v6.12+
+Acked-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -5706,8 +5706,8 @@ BTF_KFUNCS_START(scx_kfunc_ids_dispatch)
+ BTF_ID_FLAGS(func, scx_bpf_dispatch_nr_slots)
+ BTF_ID_FLAGS(func, scx_bpf_dispatch_cancel)
+ BTF_ID_FLAGS(func, scx_bpf_dsq_move_to_local)
+-BTF_ID_FLAGS(func, scx_bpf_dsq_move_set_slice)
+-BTF_ID_FLAGS(func, scx_bpf_dsq_move_set_vtime)
++BTF_ID_FLAGS(func, scx_bpf_dsq_move_set_slice, KF_RCU)
++BTF_ID_FLAGS(func, scx_bpf_dsq_move_set_vtime, KF_RCU)
+ BTF_ID_FLAGS(func, scx_bpf_dsq_move, KF_RCU)
+ BTF_ID_FLAGS(func, scx_bpf_dsq_move_vtime, KF_RCU)
+ BTF_KFUNCS_END(scx_kfunc_ids_dispatch)
+@@ -5832,8 +5832,8 @@ __bpf_kfunc_end_defs();
+ BTF_KFUNCS_START(scx_kfunc_ids_unlocked)
+ BTF_ID_FLAGS(func, scx_bpf_create_dsq, KF_SLEEPABLE)
+-BTF_ID_FLAGS(func, scx_bpf_dsq_move_set_slice)
+-BTF_ID_FLAGS(func, scx_bpf_dsq_move_set_vtime)
++BTF_ID_FLAGS(func, scx_bpf_dsq_move_set_slice, KF_RCU)
++BTF_ID_FLAGS(func, scx_bpf_dsq_move_set_vtime, KF_RCU)
+ BTF_ID_FLAGS(func, scx_bpf_dsq_move, KF_RCU)
+ BTF_ID_FLAGS(func, scx_bpf_dsq_move_vtime, KF_RCU)
+ BTF_KFUNCS_END(scx_kfunc_ids_unlocked)
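Review bot: The KF_RCU flag now added to scx_bpf_dsq_move_set_slice() and scx_bpf_dsq_move_set_vtime() in both the scx_kfunc_ids_dispatch and scx_kfunc_ids_unlocked tables carries no comment recording why, so it is easy to drop again the next time either list is edited. A short comment above the first annotated entry in each table would preserve the rationale, e.g. `/* These take a DSQ iterator; KF_RCU makes the verifier require a valid RCU-protected iterator pointer. */`. Since the two tables must stay in sync, the comment should also name the other table.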
diff --git a/queue-6.17/series b/queue-6.17/series
new file mode 100644 (file)
index 0000000..c542a8f
--- /dev/null
@@ -0,0 +1,28 @@
+revert-bluetooth-l2cap-convert-timeouts-to-secs_to_jiffies.patch
+sched_ext-mark-scx_bpf_dsq_move_set_-with-kf_rcu.patch
+nfsd-define-actions-for-the-new-time_deleg-fattr4-attributes.patch
+nfsd-fix-crash-in-nfsd4_read_release.patch
+revert-nfsd-remove-the-cap-on-number-of-operations-per-nfsv4-compound.patch
+net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch
+fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch
+fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch
+acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch
+acpi-button-call-input_free_device-on-failing-input-device-registration.patch
+acpi-fan-use-platform-device-for-devres-related-actions.patch
+virtio-net-drop-the-multi-buffer-xdp-packet-in-zerocopy.patch
+batman-adv-release-references-to-inactive-interfaces.patch
+fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
+bluetooth-rfcomm-fix-modem-control-handling.patch
+net-phy-dp83867-disable-eee-support-as-not-implemented.patch
+wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch
+fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
+fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
+mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch
+mptcp-restore-window-probe.patch
+asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
+asoc-renesas-rz-ssi-use-proper-dma_buffer_pos-after-resume.patch
+s390-pci-restore-irq-unconditionally-for-the-zpci-device.patch
+smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch
+x86-build-disable-sse4a.patch
+x86-cpu-amd-add-rdseed-fix-for-zen5.patch
+x86-fpu-ensure-xfd-state-on-signal-delivery.patch
diff --git a/queue-6.17/smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch b/queue-6.17/smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch
new file mode 100644 (file)
index 0000000..3633b1d
--- /dev/null
@@ -0,0 +1,67 @@
+From 5c76f9961c170552c1d07c830b5e145475151600 Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+Date: Mon, 27 Oct 2025 18:29:19 -0300
+Subject: smb: client: fix potential cfid UAF in smb2_query_info_compound
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+commit 5c76f9961c170552c1d07c830b5e145475151600 upstream.
+
+When smb2_query_info_compound() retries, a previously allocated cfid may
+have been freed in the first attempt.
+Because cfid wasn't reset on replay, later cleanup could act on a stale
+pointer, leading to a potential use-after-free.
+
+Reinitialize cfid to NULL under the replay label.
+
+Example trace (trimmed):
+
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110
+[...]
+RIP: 0010:refcount_warn_saturate+0x9c/0x110
+[...]
+Call Trace:
+ <TASK>
+ smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
+ ? step_into+0x10d/0x690
+ ? __legitimize_path+0x28/0x60
+ smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
+ smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
+ ? kmem_cache_alloc+0x18a/0x340
+ ? getname_flags+0x46/0x1e0
+ cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
+ statfs_by_dentry+0x67/0x90
+ vfs_statfs+0x16/0xd0
+ user_statfs+0x54/0xa0
+ __do_sys_statfs+0x20/0x50
+ do_syscall_64+0x58/0x80
+
+Cc: stable@kernel.org
+Fixes: 4f1fffa237692 ("cifs: commands that are retried should have replay flag set")
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Acked-by: Shyam Prasad N <sprasad@microsoft.com>
+Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2ops.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -2716,11 +2716,12 @@ smb2_query_info_compound(const unsigned
+       struct cifs_fid fid;
+       int rc;
+       __le16 *utf16_path;
+-      struct cached_fid *cfid = NULL;
++      struct cached_fid *cfid;
+       int retries = 0, cur_sleep = 1;
+ replay_again:
+       /* reinitialize for possible replay */
++      cfid = NULL;
+       flags = CIFS_CP_CREATE_CLOSE_OP;
+       oplock = SMB2_OPLOCK_LEVEL_NONE;
+       server = cifs_pick_channel(ses);
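Review bot: Resetting `cfid = NULL` under the replay label assumes that every path jumping back to `replay_again` has already released the cached fid from the previous attempt; if some retry path still holds a reference, the reset turns the former stale-pointer release into a leaked reference rather than fixing it. The remainder of smb2_query_info_compound(), including the cleanup that drops cfid and the jump back to the label, is outside the hunk, so that invariant cannot be confirmed here. A comment on the new line would make it explicit, e.g. `cfid = NULL; /* released by the previous attempt's cleanup; a replay must look it up again */`.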
diff --git a/queue-6.17/virtio-net-drop-the-multi-buffer-xdp-packet-in-zerocopy.patch b/queue-6.17/virtio-net-drop-the-multi-buffer-xdp-packet-in-zerocopy.patch
new file mode 100644 (file)
index 0000000..e2428c1
--- /dev/null
@@ -0,0 +1,51 @@
+From 1ab665817448c31f4758dce43c455bd4c5e460aa Mon Sep 17 00:00:00 2001
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+Date: Wed, 22 Oct 2025 22:56:30 +0700
+Subject: virtio-net: drop the multi-buffer XDP packet in zerocopy
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+commit 1ab665817448c31f4758dce43c455bd4c5e460aa upstream.
+
+In virtio-net, we have not yet supported multi-buffer XDP packet in
+zerocopy mode when there is a binding XDP program. However, in that
+case, when receiving multi-buffer XDP packet, we skip the XDP program
+and return XDP_PASS. As a result, the packet is passed to normal network
+stack which is an incorrect behavior (e.g. a XDP program for packet
+count is installed, multi-buffer XDP packet arrives and does go through
+XDP program. As a result, the packet count does not increase but the
+packet is still received from network stack).This commit instead returns
+XDP_ABORTED in that case.
+
+Fixes: 99c861b44eb1 ("virtio_net: xsk: rx: support recv merge mode")
+Cc: stable@vger.kernel.org
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Link: https://patch.msgid.link/20251022155630.49272-1-minhquangbui99@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1379,9 +1379,14 @@ static struct sk_buff *virtnet_receive_x
+       ret = XDP_PASS;
+       rcu_read_lock();
+       prog = rcu_dereference(rq->xdp_prog);
+-      /* TODO: support multi buffer. */
+-      if (prog && num_buf == 1)
+-              ret = virtnet_xdp_handler(prog, xdp, dev, xdp_xmit, stats);
++      if (prog) {
++              /* TODO: support multi buffer. */
++              if (num_buf == 1)
++                      ret = virtnet_xdp_handler(prog, xdp, dev, xdp_xmit,
++                                                stats);
++              else
++                      ret = XDP_ABORTED;
++      }
+       rcu_read_unlock();
+       switch (ret) {
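Review bot: Returning XDP_ABORTED from the new else branch relies on the `switch (ret)` that follows to treat XDP_ABORTED as a drop and to account for it (exception tracepoint and drop counter); that switch and the rest of the enclosing function are outside the hunk, so the drop path should be checked separately rather than assumed. The TODO comment, now inside the `if (prog)` block, no longer says what happens to multi-buffer packets; `/* TODO: support multi buffer; until then such packets are aborted (dropped) rather than passed up the stack */` would document the deliberate drop.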
diff --git a/queue-6.17/wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch b/queue-6.17/wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch
new file mode 100644 (file)
index 0000000..0b77233
--- /dev/null
@@ -0,0 +1,191 @@
+From 3776c685ebe5f43e9060af06872661de55e80b9a Mon Sep 17 00:00:00 2001
+From: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+Date: Mon, 13 Oct 2025 15:58:19 +0530
+Subject: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
+
+From: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+
+commit 3776c685ebe5f43e9060af06872661de55e80b9a upstream.
+
+Currently, whenever there is a need to transmit an Action frame,
+the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to
+firmware. The P2P interfaces were available when wpa_supplicant is managing
+the wlan interface.
+
+However, the P2P interfaces are not created/initialized when only hostapd
+is managing the wlan interface. And if hostapd receives an ANQP Query REQ
+Action frame even from an un-associated STA, the brcmfmac driver tries
+to use an uninitialized P2P vif pointer for sending the IOVAR to firmware.
+This NULL pointer dereferencing triggers a driver crash.
+
+ [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual
+ address 0000000000000000
+ [...]
+ [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
+ [...]
+ [ 1417.075653] Call trace:
+ [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
+ [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]
+ [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]
+ [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]
+ [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158
+ [ 1417.076302]  genl_rcv_msg+0x220/0x2a0
+ [ 1417.076317]  netlink_rcv_skb+0x68/0x140
+ [ 1417.076330]  genl_rcv+0x40/0x60
+ [ 1417.076343]  netlink_unicast+0x330/0x3b8
+ [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8
+ [ 1417.076370]  __sock_sendmsg+0x64/0xc0
+ [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0
+ [ 1417.076408]  ___sys_sendmsg+0xb8/0x118
+ [ 1417.076427]  __sys_sendmsg+0x90/0xf8
+ [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40
+ [ 1417.076465]  invoke_syscall+0x50/0x120
+ [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0
+ [ 1417.076506]  do_el0_svc+0x24/0x38
+ [ 1417.076525]  el0_svc+0x30/0x100
+ [ 1417.076548]  el0t_64_sync_handler+0x100/0x130
+ [ 1417.076569]  el0t_64_sync+0x190/0x198
+ [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
+
+Fix this, by always using the vif corresponding to the wdev on which the
+Action frame Transmission request was initiated by the userspace. This way,
+even if P2P vif is not available, the IOVAR is sent to firmware on AP vif
+and the ANQP Query RESP Action frame is transmitted without crashing the
+driver.
+
+Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev()
+to brcmf_p2p_attach(). Because the former function would not get executed
+when only hostapd is managing wlan interface, and it is not safe to do
+reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior
+init_completion().
+
+And in the brcmf_p2p_tx_action_frame() function, the condition check for
+P2P Presence response frame is not needed, since the wpa_supplicant is
+properly sending the P2P Presense Response frame on the P2P-GO vif instead
+of the P2P-Device vif.
+
+Cc: stable@vger.kernel.org
+Fixes: 18e2f61db3b7 ("brcmfmac: P2P action frame tx")
+Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20251013102819.9727-1-gokulkumar.sivakumar@infineon.com
+[Cc stable]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c |    3 -
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c      |   28 ++++--------
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h      |    3 -
+ 3 files changed, 12 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5627,8 +5627,7 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
+                         *cookie, le16_to_cpu(action_frame->len),
+                         le32_to_cpu(af_params->channel));
+-              ack = brcmf_p2p_send_action_frame(cfg, cfg_to_ndev(cfg),
+-                                                af_params);
++              ack = brcmf_p2p_send_action_frame(vif->ifp, af_params);
+               cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, ack,
+                                       GFP_KERNEL);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -1529,6 +1529,7 @@ int brcmf_p2p_notify_action_tx_complete(
+ /**
+  * brcmf_p2p_tx_action_frame() - send action frame over fil.
+  *
++ * @ifp: interface to transmit on.
+  * @p2p: p2p info struct for vif.
+  * @af_params: action frame data/info.
+  *
+@@ -1538,12 +1539,11 @@ int brcmf_p2p_notify_action_tx_complete(
+  * The WLC_E_ACTION_FRAME_COMPLETE event will be received when the action
+  * frame is transmitted.
+  */
+-static s32 brcmf_p2p_tx_action_frame(struct brcmf_p2p_info *p2p,
++static s32 brcmf_p2p_tx_action_frame(struct brcmf_if *ifp,
++                                   struct brcmf_p2p_info *p2p,
+                                    struct brcmf_fil_af_params_le *af_params)
+ {
+       struct brcmf_pub *drvr = p2p->cfg->pub;
+-      struct brcmf_cfg80211_vif *vif;
+-      struct brcmf_p2p_action_frame *p2p_af;
+       s32 err = 0;
+       brcmf_dbg(TRACE, "Enter\n");
+@@ -1552,14 +1552,7 @@ static s32 brcmf_p2p_tx_action_frame(str
+       clear_bit(BRCMF_P2P_STATUS_ACTION_TX_COMPLETED, &p2p->status);
+       clear_bit(BRCMF_P2P_STATUS_ACTION_TX_NOACK, &p2p->status);
+-      /* check if it is a p2p_presence response */
+-      p2p_af = (struct brcmf_p2p_action_frame *)af_params->action_frame.data;
+-      if (p2p_af->subtype == P2P_AF_PRESENCE_RSP)
+-              vif = p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif;
+-      else
+-              vif = p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif;
+-
+-      err = brcmf_fil_bsscfg_data_set(vif->ifp, "actframe", af_params,
++      err = brcmf_fil_bsscfg_data_set(ifp, "actframe", af_params,
+                                       sizeof(*af_params));
+       if (err) {
+               bphy_err(drvr, " sending action frame has failed\n");
+@@ -1711,16 +1704,14 @@ static bool brcmf_p2p_check_dwell_overfl
+ /**
+  * brcmf_p2p_send_action_frame() - send action frame .
+  *
+- * @cfg: driver private data for cfg80211 interface.
+- * @ndev: net device to transmit on.
++ * @ifp: interface to transmit on.
+  * @af_params: configuration data for action frame.
+  */
+-bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg,
+-                               struct net_device *ndev,
++bool brcmf_p2p_send_action_frame(struct brcmf_if *ifp,
+                                struct brcmf_fil_af_params_le *af_params)
+ {
++      struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
+       struct brcmf_p2p_info *p2p = &cfg->p2p;
+-      struct brcmf_if *ifp = netdev_priv(ndev);
+       struct brcmf_fil_action_frame_le *action_frame;
+       struct brcmf_config_af_params config_af_params;
+       struct afx_hdl *afx_hdl = &p2p->afx_hdl;
+@@ -1857,7 +1848,7 @@ bool brcmf_p2p_send_action_frame(struct
+               if (af_params->channel)
+                       msleep(P2P_AF_RETRY_DELAY_TIME);
+-              ack = !brcmf_p2p_tx_action_frame(p2p, af_params);
++              ack = !brcmf_p2p_tx_action_frame(ifp, p2p, af_params);
+               tx_retry++;
+               dwell_overflow = brcmf_p2p_check_dwell_overflow(requested_dwell,
+                                                               dwell_jiffies);
+@@ -2217,7 +2208,6 @@ static struct wireless_dev *brcmf_p2p_cr
+       WARN_ON(p2p_ifp->bsscfgidx != bsscfgidx);
+-      init_completion(&p2p->send_af_done);
+       INIT_WORK(&p2p->afx_hdl.afx_work, brcmf_p2p_afx_handler);
+       init_completion(&p2p->afx_hdl.act_frm_scan);
+       init_completion(&p2p->wait_next_af);
+@@ -2513,6 +2503,8 @@ s32 brcmf_p2p_attach(struct brcmf_cfg802
+       pri_ifp = brcmf_get_ifp(cfg->pub, 0);
+       p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif = pri_ifp->vif;
++      init_completion(&p2p->send_af_done);
++
+       if (p2pdev_forced) {
+               err_ptr = brcmf_p2p_create_p2pdev(p2p, NULL, NULL);
+               if (IS_ERR(err_ptr)) {
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h
+@@ -168,8 +168,7 @@ int brcmf_p2p_notify_action_frame_rx(str
+ int brcmf_p2p_notify_action_tx_complete(struct brcmf_if *ifp,
+                                       const struct brcmf_event_msg *e,
+                                       void *data);
+-bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg,
+-                               struct net_device *ndev,
++bool brcmf_p2p_send_action_frame(struct brcmf_if *ifp,
+                                struct brcmf_fil_af_params_le *af_params);
+ bool brcmf_p2p_scan_finding_common_channel(struct brcmf_cfg80211_info *cfg,
+                                          struct brcmf_bss_info_le *bi);
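Review bot: The relocated `init_completion(&p2p->send_af_done)` in brcmf_p2p_attach() carries no comment, so a later cleanup could move it back beside the other completions in brcmf_p2p_create_p2pdev() and silently reintroduce the reinit-without-init problem the changelog describes; `/* Initialised here, not in brcmf_p2p_create_p2pdev(): action frame TX is also used in AP-only mode where no P2P device is ever created */` would pin the reason. In brcmf_p2p_send_action_frame() the new `cfg = ifp->drvr->config` dereference makes a non-NULL `ifp` a hard requirement, and the caller in brcmf_cfg80211_mgmt_tx() now passes `vif->ifp`; how `vif` is derived from the wdev is outside that hunk, so it should be checked that it cannot be NULL on the mgmt_tx path. The kernel-doc of brcmf_p2p_tx_action_frame() still says `@p2p: p2p info struct for vif.` although the vif is no longer selected from p2p; `@p2p: p2p info struct holding the action frame status bits.` would match what the function now uses. Both modified p2p.c functions start outside their hunks.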
diff --git a/queue-6.17/x86-build-disable-sse4a.patch b/queue-6.17/x86-build-disable-sse4a.patch
new file mode 100644 (file)
index 0000000..6898fc0
--- /dev/null
@@ -0,0 +1,49 @@
+From 0d6e9ec80cebf9b378a1d3a01144e576d731c397 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 27 Oct 2025 12:40:59 +0100
+Subject: x86/build: Disable SSE4a
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 0d6e9ec80cebf9b378a1d3a01144e576d731c397 upstream.
+
+Leyvi Rose reported that his X86_NATIVE_CPU=y build is failing because our
+instruction decoder doesn't support SSE4a and the AMDGPU code seems to be
+generating those with his compiler of choice (CLANG+LTO).
+
+Now, our normal build flags disable SSE MMX SSE2 3DNOW AVX, but then
+CC_FLAGS_FPU re-enable SSE SSE2.
+
+Since nothing mentions SSE3 or SSE4, I'm assuming that -msse (or its negative)
+control all SSE variants -- but why then explicitly enumerate SSE2 ?
+
+Anyway, until the instruction decoder gets fixed, explicitly disallow SSE4a
+(an AMD specific SSE4 extension).
+
+Fixes: ea1dcca1de12 ("x86/kbuild/64: Add the CONFIG_X86_NATIVE_CPU option to locally optimize the kernel with '-march=native'")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Arisu Tachibana <arisu.tachibana@miraclelinux.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Acked-by: Harry Wentland <harry.wentland@amd.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -74,7 +74,7 @@ export BITS
+ #
+ #    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53383
+ #
+-KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx
++KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -mno-sse4a
+ KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json
+ KBUILD_RUSTFLAGS += -Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2
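Review bot: The Rust flags on the following line are not given the matching restriction — `KBUILD_RUSTFLAGS += -Ctarget-feature=...,-avx2` still lists only the SSE..AVX2 features, so Rust objects in an X86_NATIVE_CPU build could still be compiled with SSE4a enabled and hit the same instruction-decoder limitation the changelog describes. Unless the target.json passed via `--target` already disables it, appending `,-sse4a` (LLVM's feature name for the extension) to that list keeps the two toolchains consistent. Whether that feature name is accepted by the kernel's supported rustc versions should be checked before adding it.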
diff --git a/queue-6.17/x86-cpu-amd-add-rdseed-fix-for-zen5.patch b/queue-6.17/x86-cpu-amd-add-rdseed-fix-for-zen5.patch
new file mode 100644 (file)
index 0000000..20ae56b
--- /dev/null
@@ -0,0 +1,48 @@
+From 607b9fb2ce248cc5b633c5949e0153838992c152 Mon Sep 17 00:00:00 2001
+From: Gregory Price <gourry@gourry.net>
+Date: Mon, 20 Oct 2025 11:13:55 +0200
+Subject: x86/CPU/AMD: Add RDSEED fix for Zen5
+
+From: Gregory Price <gourry@gourry.net>
+
+commit 607b9fb2ce248cc5b633c5949e0153838992c152 upstream.
+
+There's an issue with RDSEED's 16-bit and 32-bit register output
+variants on Zen5 which return a random value of 0 "at a rate inconsistent
+with randomness while incorrectly signaling success (CF=1)". Search the
+web for AMD-SB-7055 for more detail.
+
+Add a fix glue which checks microcode revisions.
+
+  [ bp: Add microcode revisions checking, rewrite. ]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gregory Price <gourry@gourry.net>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20251018024010.4112396-1-gourry@gourry.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1018,8 +1018,18 @@ static void init_amd_zen4(struct cpuinfo
+       }
+ }
++static const struct x86_cpu_id zen5_rdseed_microcode[] = {
++      ZEN_MODEL_STEP_UCODE(0x1a, 0x02, 0x1, 0x0b00215a),
++      ZEN_MODEL_STEP_UCODE(0x1a, 0x11, 0x0, 0x0b101054),
++};
++
+ static void init_amd_zen5(struct cpuinfo_x86 *c)
+ {
++      if (!x86_match_min_microcode_rev(zen5_rdseed_microcode)) {
++              clear_cpu_cap(c, X86_FEATURE_RDSEED);
++              msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18);
++              pr_emerg_once("RDSEED32 is broken. Disabling the corresponding CPUID bit.\n");
++      }
+ }
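Review bot: The new `zen5_rdseed_microcode[]` table has no empty terminating entry; if x86_match_cpu(), which x86_match_min_microcode_rev() builds on, walks the table until it meets an entry without the valid flag rather than taking an explicit count, the lookup reads past the end of the array on any Zen5 part matching neither row, so `{},` should close the initializer list the way sentinel-terminated x86_cpu_id tables are conventionally written. The raw `18` passed to msr_clear_bit() is a magic number; a comment such as `/* CPUID Fn0000_0007_EBX[18]: RDSEED */` ties it to the CPUID bit being hidden. Whether the two microcode revisions are the exact fixed levels from the advisory cannot be verified from the hunk.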
+ static void init_amd(struct cpuinfo_x86 *c)
diff --git a/queue-6.17/x86-fpu-ensure-xfd-state-on-signal-delivery.patch b/queue-6.17/x86-fpu-ensure-xfd-state-on-signal-delivery.patch
new file mode 100644 (file)
index 0000000..505f8f0
--- /dev/null
@@ -0,0 +1,64 @@
+From 388eff894d6bc5f921e9bfff0e4b0ab2684a96e9 Mon Sep 17 00:00:00 2001
+From: "Chang S. Bae" <chang.seok.bae@intel.com>
+Date: Mon, 9 Jun 2025 17:16:59 -0700
+Subject: x86/fpu: Ensure XFD state on signal delivery
+
+From: Chang S. Bae <chang.seok.bae@intel.com>
+
+commit 388eff894d6bc5f921e9bfff0e4b0ab2684a96e9 upstream.
+
+Sean reported [1] the following splat when running KVM tests:
+
+   WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70
+   Call Trace:
+    <TASK>
+    fpu__clear_user_states+0x9c/0x100
+    arch_do_signal_or_restart+0x142/0x210
+    exit_to_user_mode_loop+0x55/0x100
+    do_syscall_64+0x205/0x2c0
+    entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Chao further identified [2] a reproducible scenario involving signal
+delivery: a non-AMX task is preempted by an AMX-enabled task which
+modifies the XFD MSR.
+
+When the non-AMX task resumes and reloads XSTATE with init values,
+a warning is triggered due to a mismatch between fpstate::xfd and the
+CPU's current XFD state. fpu__clear_user_states() does not currently
+re-synchronize the XFD state after such preemption.
+
+Invoke xfd_update_state() which detects and corrects the mismatch if
+there is a dynamic feature.
+
+This also benefits the sigreturn path, as fpu__restore_sig() may call
+fpu__clear_user_states() when the sigframe is inaccessible.
+
+[ dhansen: minor changelog munging ]
+
+Closes: https://lore.kernel.org/lkml/aDCo_SczQOUaB2rS@google.com [1]
+Fixes: 672365477ae8a ("x86/fpu: Update XFD state where required")
+Reported-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Chang S. Bae <chang.seok.bae@intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Chao Gao <chao.gao@intel.com>
+Tested-by: Chao Gao <chao.gao@intel.com>
+Link: https://lore.kernel.org/all/aDWbctO%2FRfTGiCg3@intel.com [2]
+Cc:stable@vger.kernel.org
+Link: https://patch.msgid.link/20250610001700.4097-1-chang.seok.bae%40intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/fpu/core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/fpu/core.c
++++ b/arch/x86/kernel/fpu/core.c
+@@ -825,6 +825,9 @@ void fpu__clear_user_states(struct fpu *
+           !fpregs_state_valid(fpu, smp_processor_id()))
+               os_xrstor_supervisor(fpu->fpstate);
++      /* Ensure XFD state is in sync before reloading XSTATE */
++      xfd_update_state(fpu->fpstate);
++
+       /* Reset user states in registers. */
+       restore_fpregs_from_init_fpstate(XFEATURE_MASK_USER_RESTORE);