--- /dev/null
+From 0db77eccd964b11ab2b757031d1354fcc5a025ea Mon Sep 17 00:00:00 2001
+From: Christopher Eby <kreed@kreed.org>
+Date: Sat, 9 Aug 2025 20:00:06 -0700
+Subject: ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks
+
+From: Christopher Eby <kreed@kreed.org>
+
+commit 0db77eccd964b11ab2b757031d1354fcc5a025ea upstream.
+
+Framework Laptop 13 (AMD Ryzen AI 300) requires the same quirk for
+headset detection as other Framework 13 models.
+
+Signed-off-by: Christopher Eby <kreed@kreed.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250810030006.9060-1-kreed@kreed.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10652,6 +10652,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
--- /dev/null
+From b26e2afb3834d4a61ce54c8484ff6014bef0b4b7 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+Date: Mon, 11 Aug 2025 16:27:16 +0300
+Subject: ALSA: hda/realtek: Fix headset mic on HONOR BRB-X
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+commit b26e2afb3834d4a61ce54c8484ff6014bef0b4b7 upstream.
+
+Add a PCI quirk to enable microphone input on the headphone jack on
+the HONOR BRB-X M1010 laptop.
+
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250811132716.45076-1-kovalev@altlinux.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10636,6 +10636,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1ee7, 0x2078, "HONOR BRB-X M1010", ALC2XX_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1f66, 0x0105, "Ayaneo Portable Game Player", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x2014, 0x800a, "Positivo ARN50", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x2782, 0x0214, "VAIO VJFE-CL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--- /dev/null
+From ecfd41166b72b67d3bdeb88d224ff445f6163869 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 14 Aug 2025 10:12:43 +0200
+Subject: ALSA: usb-audio: Validate UAC3 cluster segment descriptors
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ecfd41166b72b67d3bdeb88d224ff445f6163869 upstream.
+
+UAC3 class segment descriptors need to be verified whether their sizes
+match with the declared lengths and whether they fit with the
+allocated buffer sizes, too. Otherwise malicious firmware may lead to
+the unexpected OOB accesses.
+
+Fixes: 11785ef53228 ("ALSA: usb-audio: Initial Power Domain support")
+Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/stream.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -341,20 +341,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+
+ len = le16_to_cpu(cluster->wLength);
+ c = 0;
+- p += sizeof(struct uac3_cluster_header_descriptor);
++ p += sizeof(*cluster);
++ len -= sizeof(*cluster);
+
+- while (((p - (void *)cluster) < len) && (c < channels)) {
++ while (len > 0 && (c < channels)) {
+ struct uac3_cluster_segment_descriptor *cs_desc = p;
+ u16 cs_len;
+ u8 cs_type;
+
++ if (len < sizeof(*p))
++ break;
+ cs_len = le16_to_cpu(cs_desc->wLength);
++ if (len < cs_len)
++ break;
+ cs_type = cs_desc->bSegmentType;
+
+ if (cs_type == UAC3_CHANNEL_INFORMATION) {
+ struct uac3_cluster_information_segment_descriptor *is = p;
+ unsigned char map;
+
++ if (cs_len < sizeof(*is))
++ break;
++
+ /*
+ * TODO: this conversion is not complete, update it
+ * after adding UAC3 values to asound.h
+@@ -456,6 +464,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+ chmap->map[c++] = map;
+ }
+ p += cs_len;
++ len -= cs_len;
+ }
+
+ if (channels < c)
+@@ -876,7 +885,7 @@ snd_usb_get_audioformat_uac3(struct snd_
+ u64 badd_formats = 0;
+ unsigned int num_channels;
+ struct audioformat *fp;
+- u16 cluster_id, wLength;
++ u16 cluster_id, wLength, cluster_wLength;
+ int clock = 0;
+ int err;
+
+@@ -1003,6 +1012,16 @@ snd_usb_get_audioformat_uac3(struct snd_
+ iface_no, altno);
+ kfree(cluster);
+ return ERR_PTR(-EIO);
++ }
++
++ cluster_wLength = le16_to_cpu(cluster->wLength);
++ if (cluster_wLength < sizeof(*cluster) ||
++ cluster_wLength > wLength) {
++ dev_err(&dev->dev,
++ "%u:%d : invalid Cluster Descriptor size\n",
++ iface_no, altno);
++ kfree(cluster);
++ return ERR_PTR(-EIO);
+ }
+
+ num_channels = cluster->bNrChannels;
--- /dev/null
+From d832ccbc301fbd9e5a1d691bdcf461cdb514595f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 14 Aug 2025 10:12:42 +0200
+Subject: ALSA: usb-audio: Validate UAC3 power domain descriptors, too
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream.
+
+UAC3 power domain descriptors need to be verified with its variable
+bLength for avoiding the unexpected OOB accesses by malicious
+firmware, too.
+
+Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
+Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/validate.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c
+ return d->bLength >= sizeof(*d) + 4 + 2;
+ }
+
++static bool validate_uac3_power_domain_unit(const void *p,
++ const struct usb_desc_validator *v)
++{
++ const struct uac3_power_domain_descriptor *d = p;
++
++ if (d->bLength < sizeof(*d))
++ return false;
++ /* baEntities[] + wPDomainDescrStr */
++ return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
++}
++
+ static bool validate_midi_out_jack(const void *p,
+ const struct usb_desc_validator *v)
+ {
+@@ -285,6 +296,7 @@ static const struct usb_desc_validator a
+ struct uac3_clock_multiplier_descriptor),
+ /* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
+ /* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
++ FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
+ { } /* terminator */
+ };
+
--- /dev/null
+From 63c7bc53a35e785accdc2ceab8f72d94501931ab Mon Sep 17 00:00:00 2001
+From: David Thompson <davthompson@nvidia.com>
+Date: Mon, 28 Jul 2025 10:46:19 -0400
+Subject: gpio: mlxbf2: use platform_get_irq_optional()
+
+From: David Thompson <davthompson@nvidia.com>
+
+commit 63c7bc53a35e785accdc2ceab8f72d94501931ab upstream.
+
+The gpio-mlxbf2 driver interfaces with four GPIO controllers,
+device instances 0-3. There are two IRQ resources shared between
+the four controllers, and they are found in the ACPI table for
+instances 0 and 3. The driver should not use platform_get_irq(),
+otherwise this error is logged when probing instances 1 and 2:
+ mlxbf2_gpio MLNXBF22:01: error -ENXIO: IRQ index 0 not found
+
+Fixes: 2b725265cb08 ("gpio: mlxbf2: Introduce IRQ support")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Reviewed-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://lore.kernel.org/r/20250728144619.29894-1-davthompson@nvidia.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-mlxbf2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-mlxbf2.c
++++ b/drivers/gpio/gpio-mlxbf2.c
+@@ -397,7 +397,7 @@ mlxbf2_gpio_probe(struct platform_device
+ gc->ngpio = npins;
+ gc->owner = THIS_MODULE;
+
+- irq = platform_get_irq(pdev, 0);
++ irq = platform_get_irq_optional(pdev, 0);
+ if (irq >= 0) {
+ girq = &gs->gc.irq;
+ gpio_irq_chip_set_chip(girq, &mlxbf2_gpio_irq_chip);
--- /dev/null
+From 810bd9066fb1871b8a9528f31f2fdbf2a8b73bf2 Mon Sep 17 00:00:00 2001
+From: David Thompson <davthompson@nvidia.com>
+Date: Mon, 11 Aug 2025 13:50:45 -0400
+Subject: gpio: mlxbf3: use platform_get_irq_optional()
+
+From: David Thompson <davthompson@nvidia.com>
+
+commit 810bd9066fb1871b8a9528f31f2fdbf2a8b73bf2 upstream.
+
+The gpio-mlxbf3 driver interfaces with two GPIO controllers,
+device instance 0 and 1. There is a single IRQ resource shared
+between the two controllers, and it is found in the ACPI table for
+device instance 0. The driver should not use platform_get_irq(),
+otherwise this error is logged when probing instance 1:
+ mlxbf3_gpio MLNXBF33:01: error -ENXIO: IRQ index 0 not found
+
+Cc: stable@vger.kernel.org
+Fixes: cd33f216d241 ("gpio: mlxbf3: Add gpio driver support")
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/ce70b98a201ce82b9df9aa80ac7a5eeaa2268e52.1754928650.git.davthompson@nvidia.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-mlxbf3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-mlxbf3.c
++++ b/drivers/gpio/gpio-mlxbf3.c
+@@ -227,7 +227,7 @@ static int mlxbf3_gpio_probe(struct plat
+ gc->owner = THIS_MODULE;
+ gc->add_pin_ranges = mlxbf3_gpio_add_pin_ranges;
+
+- irq = platform_get_irq(pdev, 0);
++ irq = platform_get_irq_optional(pdev, 0);
+ if (irq >= 0) {
+ girq = &gs->gc.irq;
+ gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip);
--- /dev/null
+From 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 Mon Sep 17 00:00:00 2001
+From: Harald Mommer <harald.mommer@oss.qualcomm.com>
+Date: Thu, 24 Jul 2025 16:36:53 +0200
+Subject: gpio: virtio: Fix config space reading.
+
+From: Harald Mommer <harald.mommer@oss.qualcomm.com>
+
+commit 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 upstream.
+
+Quote from the virtio specification chapter 4.2.2.2:
+
+"For the device-specific configuration space, the driver MUST use 8 bit
+wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses
+for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and
+64 bit wide fields."
+
+Signed-off-by: Harald Mommer <harald.mommer@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Fixes: 3a29355a22c0 ("gpio: Add virtio-gpio driver")
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Link: https://lore.kernel.org/r/20250724143718.5442-2-harald.mommer@oss.qualcomm.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-virtio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpio-virtio.c
++++ b/drivers/gpio/gpio-virtio.c
+@@ -539,7 +539,6 @@ static const char **virtio_gpio_get_name
+
+ static int virtio_gpio_probe(struct virtio_device *vdev)
+ {
+- struct virtio_gpio_config config;
+ struct device *dev = &vdev->dev;
+ struct virtio_gpio *vgpio;
+ u32 gpio_names_size;
+@@ -551,9 +550,11 @@ static int virtio_gpio_probe(struct virt
+ return -ENOMEM;
+
+ /* Read configuration */
+- virtio_cread_bytes(vdev, 0, &config, sizeof(config));
+- gpio_names_size = le32_to_cpu(config.gpio_names_size);
+- ngpio = le16_to_cpu(config.ngpio);
++ gpio_names_size =
++ virtio_cread32(vdev, offsetof(struct virtio_gpio_config,
++ gpio_names_size));
++ ngpio = virtio_cread16(vdev, offsetof(struct virtio_gpio_config,
++ ngpio));
+ if (!ngpio) {
+ dev_err(dev, "Number of GPIOs can't be zero\n");
+ return -EINVAL;
--- /dev/null
+From cf73d9970ea4f8cace5d8f02d2565a2723003112 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 2 Jul 2025 21:31:54 +0100
+Subject: io_uring: don't use int for ABI
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit cf73d9970ea4f8cace5d8f02d2565a2723003112 upstream.
+
+__kernel_rwf_t is defined as int, the actual size of which is
+implementation defined. It won't go well if some compiler / archs
+ever defines it as i64, so replace it with __u32, hoping that
+there is no one using i16 for it.
+
+Cc: stable@vger.kernel.org
+Fixes: 2b188cc1bb857 ("Add io_uring IO interface")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/47c666c4ee1df2018863af3a2028af18feef11ed.1751412511.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/io_uring.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/io_uring.h
++++ b/include/uapi/linux/io_uring.h
+@@ -46,7 +46,7 @@ struct io_uring_sqe {
+ };
+ __u32 len; /* buffer size or number of iovecs */
+ union {
+- __kernel_rwf_t rw_flags;
++ __u32 rw_flags;
+ __u32 fsync_flags;
+ __u16 poll_events; /* compatibility */
+ __u32 poll32_events; /* word-reversed for BE */
--- /dev/null
+From 3fa840230f534385b34a4f39c8dd313fbe723f05 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:09 +0200
+Subject: net: dpaa: fix device leak when querying time stamp info
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3fa840230f534385b34a4f39c8dd313fbe723f05 upstream.
+
+Make sure to drop the reference to the ptp device taken by
+of_find_device_by_node() when querying the time stamping capabilities.
+
+Note that holding a reference to the ptp device does not prevent its
+driver data from going away.
+
+Fixes: 17ae0b0ee9db ("dpaa_eth: add the get_ts_info interface for ethtool")
+Cc: stable@vger.kernel.org # 4.19
+Cc: Yangbo Lu <yangbo.lu@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-2-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+@@ -415,8 +415,10 @@ static int dpaa_get_ts_info(struct net_d
+ of_node_put(ptp_node);
+ }
+
+- if (ptp_dev)
++ if (ptp_dev) {
+ ptp = platform_get_drvdata(ptp_dev);
++ put_device(&ptp_dev->dev);
++ }
+
+ if (ptp)
+ info->phc_index = ptp->phc_index;
--- /dev/null
+From 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:10 +0200
+Subject: net: enetc: fix device and OF node leak at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed upstream.
+
+Make sure to drop the references to the IERB OF node and platform device
+taken by of_parse_phandle() and of_find_device_by_node() during probe.
+
+Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block")
+Cc: stable@vger.kernel.org # 5.13
+Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+@@ -1179,19 +1179,29 @@ static int enetc_pf_register_with_ierb(s
+ {
+ struct platform_device *ierb_pdev;
+ struct device_node *ierb_node;
++ int ret;
+
+ ierb_node = of_find_compatible_node(NULL, NULL,
+ "fsl,ls1028a-enetc-ierb");
+- if (!ierb_node || !of_device_is_available(ierb_node))
++ if (!ierb_node)
+ return -ENODEV;
+
++ if (!of_device_is_available(ierb_node)) {
++ of_node_put(ierb_node);
++ return -ENODEV;
++ }
++
+ ierb_pdev = of_find_device_by_node(ierb_node);
+ of_node_put(ierb_node);
+
+ if (!ierb_pdev)
+ return -EPROBE_DEFER;
+
+- return enetc_ierb_register_pf(ierb_pdev, pdev);
++ ret = enetc_ierb_register_pf(ierb_pdev, pdev);
++
++ put_device(&ierb_pdev->dev);
++
++ return ret;
+ }
+
+ static struct enetc_si *enetc_psi_create(struct pci_dev *pdev)
--- /dev/null
+From da717540acd34e5056e3fa35791d50f6b3303f55 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:11 +0200
+Subject: net: gianfar: fix device leak when querying time stamp info
+
+From: Johan Hovold <johan@kernel.org>
+
+commit da717540acd34e5056e3fa35791d50f6b3303f55 upstream.
+
+Make sure to drop the reference to the ptp device taken by
+of_find_device_by_node() when querying the time stamping capabilities.
+
+Note that holding a reference to the ptp device does not prevent its
+driver data from going away.
+
+Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata")
+Cc: stable@vger.kernel.org # 4.18
+Cc: Yangbo Lu <yangbo.lu@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-4-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c
++++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c
+@@ -1468,8 +1468,10 @@ static int gfar_get_ts_info(struct net_d
+ if (ptp_node) {
+ ptp_dev = of_find_device_by_node(ptp_node);
+ of_node_put(ptp_node);
+- if (ptp_dev)
++ if (ptp_dev) {
+ ptp = platform_get_drvdata(ptp_dev);
++ put_device(&ptp_dev->dev);
++ }
+ }
+
+ if (ptp)
--- /dev/null
+From 3e13274ca8750823e8b68181bdf185d238febe0d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:12 +0200
+Subject: net: mtk_eth_soc: fix device leak at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3e13274ca8750823e8b68181bdf185d238febe0d upstream.
+
+The reference count to the WED devices has already been incremented when
+looking them up using of_find_device_by_node() so drop the bogus
+additional reference taken during probe.
+
+Fixes: 804775dfc288 ("net: ethernet: mtk_eth_soc: add support for Wireless Ethernet Dispatch (WED)")
+Cc: stable@vger.kernel.org # 5.19
+Cc: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-5-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mediatek/mtk_wed.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ethernet/mediatek/mtk_wed.c
++++ b/drivers/net/ethernet/mediatek/mtk_wed.c
+@@ -1886,7 +1886,6 @@ void mtk_wed_add_hw(struct device_node *
+ if (!pdev)
+ goto err_of_node_put;
+
+- get_device(&pdev->dev);
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0)
+ goto err_put_device;
--- /dev/null
+From 49db61c27c4bbd24364086dc0892bd3e14c1502e Mon Sep 17 00:00:00 2001
+From: Florian Larysch <fl@n621.de>
+Date: Thu, 24 Jul 2025 00:20:42 +0200
+Subject: net: phy: micrel: fix KSZ8081/KSZ8091 cable test
+
+From: Florian Larysch <fl@n621.de>
+
+commit 49db61c27c4bbd24364086dc0892bd3e14c1502e upstream.
+
+Commit 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814
+phy") introduced cable_test support for the LAN8814 that reuses parts of
+the KSZ886x logic and introduced the cable_diag_reg and pair_mask
+parameters to account for differences between those chips.
+
+However, it did not update the ksz8081_type struct, so those members are
+now 0, causing no pairs to be tested in ksz886x_cable_test_get_status
+and ksz886x_cable_test_wait_for_completion to poll the wrong register
+for the affected PHYs (Basic Control/Reset, which is 0 in normal
+operation) and exit immediately.
+
+Fix this by setting both struct members accordingly.
+
+Fixes: 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814 phy")
+Cc: stable@vger.kernel.org
+Signed-off-by: Florian Larysch <fl@n621.de>
+Link: https://patch.msgid.link/20250723222250.13960-1-fl@n621.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/micrel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -372,6 +372,8 @@ static const struct kszphy_type ksz8051_
+
+ static const struct kszphy_type ksz8081_type = {
+ .led_mode_reg = MII_KSZPHY_CTRL_2,
++ .cable_diag_reg = KSZ8081_LMD,
++ .pair_mask = KSZPHY_WIRE_PAIR_MASK,
+ .has_broadcast_disable = true,
+ .has_nand_tree_disable = true,
+ .has_rmii_ref_clk_sel = true,
--- /dev/null
+From e05c54974a05ab19658433545d6ced88d9075cf0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:13 +0200
+Subject: net: ti: icss-iep: fix device and OF node leaks at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e05c54974a05ab19658433545d6ced88d9075cf0 upstream.
+
+Make sure to drop the references to the IEP OF node and device taken by
+of_parse_phandle() and of_find_device_by_node() when looking up IEP
+devices during probe.
+
+Drop the bogus additional reference taken on successful lookup so that
+the device is released correctly by icss_iep_put().
+
+Fixes: c1e0230eeaab ("net: ti: icss-iep: Add IEP driver")
+Cc: stable@vger.kernel.org # 6.6
+Cc: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-6-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/icssg/icss_iep.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/ti/icssg/icss_iep.c
++++ b/drivers/net/ethernet/ti/icssg/icss_iep.c
+@@ -702,11 +702,17 @@ struct icss_iep *icss_iep_get_idx(struct
+ struct platform_device *pdev;
+ struct device_node *iep_np;
+ struct icss_iep *iep;
++ int ret;
+
+ iep_np = of_parse_phandle(np, "ti,iep", idx);
+- if (!iep_np || !of_device_is_available(iep_np))
++ if (!iep_np)
+ return ERR_PTR(-ENODEV);
+
++ if (!of_device_is_available(iep_np)) {
++ of_node_put(iep_np);
++ return ERR_PTR(-ENODEV);
++ }
++
+ pdev = of_find_device_by_node(iep_np);
+ of_node_put(iep_np);
+
+@@ -715,21 +721,28 @@ struct icss_iep *icss_iep_get_idx(struct
+ return ERR_PTR(-EPROBE_DEFER);
+
+ iep = platform_get_drvdata(pdev);
+- if (!iep)
+- return ERR_PTR(-EPROBE_DEFER);
++ if (!iep) {
++ ret = -EPROBE_DEFER;
++ goto err_put_pdev;
++ }
+
+ device_lock(iep->dev);
+ if (iep->client_np) {
+ device_unlock(iep->dev);
+ dev_err(iep->dev, "IEP is already acquired by %s",
+ iep->client_np->name);
+- return ERR_PTR(-EBUSY);
++ ret = -EBUSY;
++ goto err_put_pdev;
+ }
+ iep->client_np = np;
+ device_unlock(iep->dev);
+- get_device(iep->dev);
+
+ return iep;
++
++err_put_pdev:
++ put_device(&pdev->dev);
++
++ return ERR_PTR(ret);
+ }
+ EXPORT_SYMBOL_GPL(icss_iep_get_idx);
+
--- /dev/null
+From 4faff70959d51078f9ee8372f8cff0d7045e4114 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Mon, 11 Aug 2025 17:29:31 +0800
+Subject: net: usb: asix_devices: add phy_mask for ax88772 mdio bus
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 4faff70959d51078f9ee8372f8cff0d7045e4114 upstream.
+
+Without setting phy_mask for ax88772 mdio bus, current driver may create
+at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.
+DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy
+device will bind to net phy driver. This is creating issue during system
+suspend/resume since phy_polling_mode() in phy_state_machine() will
+directly deference member of phydev->drv for non-main phy devices. Then
+NULL pointer dereference issue will occur. Due to only external phy or
+internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud
+the issue.
+
+Closes: https://lore.kernel.org/netdev/20250806082931.3289134-1-xu.yang_2@nxp.com
+Fixes: e532a096be0e ("net: usb: asix: ax88772: add phylib support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20250811092931.860333-1-xu.yang_2@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/asix_devices.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbn
+ priv->mdio->read = &asix_mdio_bus_read;
+ priv->mdio->write = &asix_mdio_bus_write;
+ priv->mdio->name = "Asix MDIO Bus";
++ priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));
+ /* mii bus name is usb-<usb bus number>-<usb device number> */
+ snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
+ dev->udev->bus->busnum, dev->udev->devnum);
--- /dev/null
+From 759dfc7d04bab1b0b86113f1164dc1fec192b859 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Mon, 28 Jul 2025 11:06:47 +0300
+Subject: netlink: avoid infinite retry looping in netlink_unicast()
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit 759dfc7d04bab1b0b86113f1164dc1fec192b859 upstream.
+
+netlink_attachskb() checks for the socket's read memory allocation
+constraints. Firstly, it has:
+
+ rmem < READ_ONCE(sk->sk_rcvbuf)
+
+to check if the just increased rmem value fits into the socket's receive
+buffer. If not, it proceeds and tries to wait for the memory under:
+
+ rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)
+
+The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
+equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
+these conditions, nor manages to reschedule the task - and is called in
+retry loop for indefinite time which is caught as:
+
+ rcu: INFO: rcu_sched self-detected stall on CPU
+ rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
+ (t=26000 jiffies g=230833 q=259957)
+ NMI backtrace for cpu 0
+ CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
+ Call Trace:
+ <IRQ>
+ dump_stack lib/dump_stack.c:120
+ nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
+ nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
+ rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
+ rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
+ update_process_times kernel/time/timer.c:1953
+ tick_sched_handle kernel/time/tick-sched.c:227
+ tick_sched_timer kernel/time/tick-sched.c:1399
+ __hrtimer_run_queues kernel/time/hrtimer.c:1652
+ hrtimer_interrupt kernel/time/hrtimer.c:1717
+ __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
+ asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
+ </IRQ>
+
+ netlink_attachskb net/netlink/af_netlink.c:1234
+ netlink_unicast net/netlink/af_netlink.c:1349
+ kauditd_send_queue kernel/audit.c:776
+ kauditd_thread kernel/audit.c:897
+ kthread kernel/kthread.c:328
+ ret_from_fork arch/x86/entry/entry_64.S:304
+
+Restore the original behavior of the check which commit in Fixes
+accidentally missed when restructuring the code.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250728080727.255138-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1229,7 +1229,7 @@ int netlink_attachskb(struct sock *sk, s
+ nlk = nlk_sk(sk);
+ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
+
+- if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) &&
++ if ((rmem == skb->truesize || rmem <= READ_ONCE(sk->sk_rcvbuf)) &&
+ !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
+ netlink_skb_set_owner_r(skb, sk);
+ return 0;
--- /dev/null
+From 56bdf7270ff4f870e2d4bfacdc00161e766dba2d Mon Sep 17 00:00:00 2001
+From: David Thompson <davthompson@nvidia.com>
+Date: Mon, 11 Aug 2025 13:50:44 -0400
+Subject: Revert "gpio: mlxbf3: only get IRQ for device instance 0"
+
+From: David Thompson <davthompson@nvidia.com>
+
+commit 56bdf7270ff4f870e2d4bfacdc00161e766dba2d upstream.
+
+This reverts commit 10af0273a35ab4513ca1546644b8c853044da134.
+
+While this change was merged, it is not the preferred solution.
+During review of a similar change to the gpio-mlxbf2 driver, the
+use of "platform_get_irq_optional" was identified as the preferred
+solution, so let's use it for gpio-mlxbf3 driver as well.
+
+Cc: stable@vger.kernel.org
+Fixes: 10af0273a35a ("gpio: mlxbf3: only get IRQ for device instance 0")
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/8d2b630c71b3742f2c74242cf7d602706a6108e6.1754928650.git.davthompson@nvidia.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-mlxbf3.c | 54 +++++++++++++++------------------------------
+ 1 file changed, 19 insertions(+), 35 deletions(-)
+
+--- a/drivers/gpio/gpio-mlxbf3.c
++++ b/drivers/gpio/gpio-mlxbf3.c
+@@ -190,9 +190,7 @@ static int mlxbf3_gpio_probe(struct plat
+ struct mlxbf3_gpio_context *gs;
+ struct gpio_irq_chip *girq;
+ struct gpio_chip *gc;
+- char *colon_ptr;
+ int ret, irq;
+- long num;
+
+ gs = devm_kzalloc(dev, sizeof(*gs), GFP_KERNEL);
+ if (!gs)
+@@ -229,39 +227,25 @@ static int mlxbf3_gpio_probe(struct plat
+ gc->owner = THIS_MODULE;
+ gc->add_pin_ranges = mlxbf3_gpio_add_pin_ranges;
+
+- colon_ptr = strchr(dev_name(dev), ':');
+- if (!colon_ptr) {
+- dev_err(dev, "invalid device name format\n");
+- return -EINVAL;
+- }
+-
+- ret = kstrtol(++colon_ptr, 16, &num);
+- if (ret) {
+- dev_err(dev, "invalid device instance\n");
+- return ret;
+- }
+-
+- if (!num) {
+- irq = platform_get_irq(pdev, 0);
+- if (irq >= 0) {
+- girq = &gs->gc.irq;
+- gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip);
+- girq->default_type = IRQ_TYPE_NONE;
+- /* This will let us handle the parent IRQ in the driver */
+- girq->num_parents = 0;
+- girq->parents = NULL;
+- girq->parent_handler = NULL;
+- girq->handler = handle_bad_irq;
+-
+- /*
+- * Directly request the irq here instead of passing
+- * a flow-handler because the irq is shared.
+- */
+- ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler,
+- IRQF_SHARED, dev_name(dev), gs);
+- if (ret)
+- return dev_err_probe(dev, ret, "failed to request IRQ");
+- }
++ irq = platform_get_irq(pdev, 0);
++ if (irq >= 0) {
++ girq = &gs->gc.irq;
++ gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip);
++ girq->default_type = IRQ_TYPE_NONE;
++ /* This will let us handle the parent IRQ in the driver */
++ girq->num_parents = 0;
++ girq->parents = NULL;
++ girq->parent_handler = NULL;
++ girq->handler = handle_bad_irq;
++
++ /*
++ * Directly request the irq here instead of passing
++ * a flow-handler because the irq is shared.
++ */
++ ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler,
++ IRQF_SHARED, dev_name(dev), gs);
++ if (ret)
++ return dev_err_probe(dev, ret, "failed to request IRQ");
+ }
+
+ platform_set_drvdata(pdev, gs);
--- /dev/null
+From 26f732791f2bcab18f59c61915bbe35225f30136 Mon Sep 17 00:00:00 2001
+From: Daniel Golle <daniel@makrotopia.org>
+Date: Sat, 12 Jul 2025 16:39:21 +0100
+Subject: Revert "leds: trigger: netdev: Configure LED blink interval for HW offload"
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+commit 26f732791f2bcab18f59c61915bbe35225f30136 upstream.
+
+This reverts commit c629c972b310af41e9e072febb6dae9a299edde6.
+
+While .led_blink_set() would previously put an LED into an unconditional
+permanently blinking state, the offending commit now uses same operation
+to (also?) set the blink timing of the netdev trigger when offloading.
+
+This breaks many if not all of the existing PHY drivers which offer
+offloading LED operations, as those drivers would just put the LED into
+blinking state after .led_blink_set() has been called.
+
+Unfortunately the change even made it into stable kernels for unknown
+reasons, so it should be reverted there as well.
+
+Fixes: c629c972b310a ("leds: trigger: netdev: Configure LED blink interval for HW offload")
+Link: https://lore.kernel.org/linux-leds/c6134e26-2e45-4121-aa15-58aaef327201@lunn.ch/T/#m9d6fe81bbcb273e59f12bbedbd633edd32118387
+Suggested-by: Andrew Lunn <andrew@lunn.ch>
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/6dcc77ee1c9676891d6250d8994850f521426a0f.1752334655.git.daniel@makrotopia.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/trigger/ledtrig-netdev.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+--- a/drivers/leds/trigger/ledtrig-netdev.c
++++ b/drivers/leds/trigger/ledtrig-netdev.c
+@@ -54,7 +54,6 @@ struct led_netdev_data {
+ unsigned int last_activity;
+
+ unsigned long mode;
+- unsigned long blink_delay;
+ int link_speed;
+ u8 duplex;
+
+@@ -70,10 +69,6 @@ static void set_baseline_state(struct le
+ /* Already validated, hw control is possible with the requested mode */
+ if (trigger_data->hw_control) {
+ led_cdev->hw_control_set(led_cdev, trigger_data->mode);
+- if (led_cdev->blink_set) {
+- led_cdev->blink_set(led_cdev, &trigger_data->blink_delay,
+- &trigger_data->blink_delay);
+- }
+
+ return;
+ }
+@@ -391,11 +386,10 @@ static ssize_t interval_store(struct dev
+ size_t size)
+ {
+ struct led_netdev_data *trigger_data = led_trigger_get_drvdata(dev);
+- struct led_classdev *led_cdev = trigger_data->led_cdev;
+ unsigned long value;
+ int ret;
+
+- if (trigger_data->hw_control && !led_cdev->blink_set)
++ if (trigger_data->hw_control)
+ return -EINVAL;
+
+ ret = kstrtoul(buf, 0, &value);
+@@ -404,13 +398,9 @@ static ssize_t interval_store(struct dev
+
+ /* impose some basic bounds on the timer interval */
+ if (value >= 5 && value <= 10000) {
+- if (trigger_data->hw_control) {
+- trigger_data->blink_delay = value;
+- } else {
+- cancel_delayed_work_sync(&trigger_data->work);
++ cancel_delayed_work_sync(&trigger_data->work);
+
+- atomic_set(&trigger_data->interval, msecs_to_jiffies(value));
+- }
++ atomic_set(&trigger_data->interval, msecs_to_jiffies(value));
+ set_baseline_state(trigger_data); /* resets timer */
+ }
+
--- /dev/null
+io_uring-don-t-use-int-for-abi.patch
+alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch
+alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch
+alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch
+alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch
+smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch
+smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch
+gpio-virtio-fix-config-space-reading.patch
+gpio-mlxbf2-use-platform_get_irq_optional.patch
+revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch
+gpio-mlxbf3-use-platform_get_irq_optional.patch
+revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch
+netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch
+net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch
+net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch
+net-enetc-fix-device-and-of-node-leak-at-probe.patch
+net-mtk_eth_soc-fix-device-leak-at-probe.patch
+net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch
+net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch
+net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch
--- /dev/null
+From e19d8dd694d261ac26adb2a26121a37c107c81ad Mon Sep 17 00:00:00 2001
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Date: Fri, 1 Aug 2025 17:07:24 +0800
+Subject: smb: client: remove redundant lstrp update in negotiate protocol
+
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+
+commit e19d8dd694d261ac26adb2a26121a37c107c81ad upstream.
+
+Commit 34331d7beed7 ("smb: client: fix first command failure during
+re-negotiation") addressed a race condition by updating lstrp before
+entering negotiate state. However, this approach may have some unintended
+side effects.
+
+The lstrp field is documented as "when we got last response from this
+server", and updating it before actually receiving a server response
+could potentially affect other mechanisms that rely on this timestamp.
+For example, the SMB echo detection logic also uses lstrp as a reference
+point. In scenarios with frequent user operations during reconnect states,
+the repeated calls to cifs_negotiate_protocol() might continuously
+update lstrp, which could interfere with the echo detection timing.
+
+Additionally, commit 266b5d02e14f ("smb: client: fix race condition in
+negotiate timeout by using more precise timing") introduced a dedicated
+neg_start field specifically for tracking negotiate start time. This
+provides a more precise solution for the original race condition while
+preserving the intended semantics of lstrp.
+
+Since the race condition is now properly handled by the neg_start
+mechanism, the lstrp update in cifs_negotiate_protocol() is no longer
+necessary and can be safely removed.
+
+Fixes: 266b5d02e14f ("smb: client: fix race condition in negotiate timeout by using more precise timing")
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -3998,7 +3998,6 @@ retry:
+ return 0;
+ }
+
+- server->lstrp = jiffies;
+ server->tcpStatus = CifsInNegotiate;
+ server->neg_start = jiffies;
+ spin_unlock(&server->srv_lock);
--- /dev/null
+From 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 11 Aug 2025 23:14:55 -0500
+Subject: smb3: fix for slab out of bounds on mount to ksmbd
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc upstream.
+
+With KASAN enabled, it is possible to get a slab out of bounds
+during mount to ksmbd due to missing check in parse_server_interfaces()
+(see below):
+
+ BUG: KASAN: slab-out-of-bounds in
+ parse_server_interfaces+0x14ee/0x1880 [cifs]
+ Read of size 4 at addr ffff8881433dba98 by task mount/9827
+
+ CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G
+ OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary)
+ Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+ Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,
+ BIOS 2.13.1 06/14/2019
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x9f/0xf0
+ print_report+0xd1/0x670
+ __virt_addr_valid+0x22c/0x430
+ ? parse_server_interfaces+0x14ee/0x1880 [cifs]
+ ? kasan_complete_mode_report_info+0x2a/0x1f0
+ ? parse_server_interfaces+0x14ee/0x1880 [cifs]
+ kasan_report+0xd6/0x110
+ parse_server_interfaces+0x14ee/0x1880 [cifs]
+ __asan_report_load_n_noabort+0x13/0x20
+ parse_server_interfaces+0x14ee/0x1880 [cifs]
+ ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]
+ ? trace_hardirqs_on+0x51/0x60
+ SMB3_request_interfaces+0x1ad/0x3f0 [cifs]
+ ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]
+ ? SMB2_tcon+0x23c/0x15d0 [cifs]
+ smb3_qfs_tcon+0x173/0x2b0 [cifs]
+ ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
+ ? cifs_get_tcon+0x105d/0x2120 [cifs]
+ ? do_raw_spin_unlock+0x5d/0x200
+ ? cifs_get_tcon+0x105d/0x2120 [cifs]
+ ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
+ cifs_mount_get_tcon+0x369/0xb90 [cifs]
+ ? dfs_cache_find+0xe7/0x150 [cifs]
+ dfs_mount_share+0x985/0x2970 [cifs]
+ ? check_path.constprop.0+0x28/0x50
+ ? save_trace+0x54/0x370
+ ? __pfx_dfs_mount_share+0x10/0x10 [cifs]
+ ? __lock_acquire+0xb82/0x2ba0
+ ? __kasan_check_write+0x18/0x20
+ cifs_mount+0xbc/0x9e0 [cifs]
+ ? __pfx_cifs_mount+0x10/0x10 [cifs]
+ ? do_raw_spin_unlock+0x5d/0x200
+ ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]
+ cifs_smb3_do_mount+0x263/0x1990 [cifs]
+
+Reported-by: Namjae Jeon <linkinjeon@kernel.org>
+Tested-by: Namjae Jeon <linkinjeon@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2ops.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -730,6 +730,13 @@ next_iface:
+ bytes_left -= sizeof(*p);
+ break;
+ }
++ /* Validate that Next doesn't point beyond the buffer */
++ if (next > bytes_left) {
++ cifs_dbg(VFS, "%s: invalid Next pointer %zu > %zd\n",
++ __func__, next, bytes_left);
++ rc = -EINVAL;
++ goto out;
++ }
+ p = (struct network_interface_info_ioctl_rsp *)((u8 *)p+next);
+ bytes_left -= next;
+ }
+@@ -741,7 +748,9 @@ next_iface:
+ }
+
+ /* Azure rounds the buffer size up 8, to a 16 byte boundary */
+- if ((bytes_left > 8) || p->Next)
++ if ((bytes_left > 8) ||
++ (bytes_left >= offsetof(struct network_interface_info_ioctl_rsp, Next)
++ + sizeof(p->Next) && p->Next))
+ cifs_dbg(VFS, "%s: incomplete interface info\n", __func__);
+
+ ses->iface_last_update = jiffies;
projects / thirdparty / kernel / stable-queue.git / commitdiff
