--- /dev/null
+From d2932a59c2d4fb364396f21df58431c44918dd47 Mon Sep 17 00:00:00 2001
+From: Tony Luck <tony.luck@intel.com>
+Date: Tue, 18 Nov 2025 17:27:12 -0800
+Subject: ACPI: APEI: EINJ: Fix EINJV2 initialization and injection
+
+From: Tony Luck <tony.luck@intel.com>
+
+commit d2932a59c2d4fb364396f21df58431c44918dd47 upstream.
+
+ACPI 6.6 specification for EINJV2 appends an extra structure to
+the end of the existing struct set_error_type_with_address.
+
+Several issues showed up in testing.
+
+ 1) Initialization was broken by an earlier fix [1] since is_v2 is only
+ set while performing an injection, not during initialization.
+
+ 2) A buggy BIOS provided invalid "revision" and "length" for the
+ extension structure. Add several sanity checks.
+
+ 3) When injecting legacy error types on an EINJV2 capable system,
+ don't copy the component arrays.
+
+Fixes: 6c7058514991 ("ACPI: APEI: EINJ: Check if user asked for EINJV2 injection") # [1]
+Fixes: b47610296d17 ("ACPI: APEI: EINJ: Enable EINJv2 error injections")
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+[ rjw: Changelog edits ]
+Cc: 6.17+ <stable@vger.kernel.org> # 6.17+
+Link: https://patch.msgid.link/20251119012712.178715-1-tony.luck@intel.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/apei/einj-core.c | 64 ++++++++++++++++++++++++++----------------
+ 1 file changed, 41 insertions(+), 23 deletions(-)
+
+--- a/drivers/acpi/apei/einj-core.c
++++ b/drivers/acpi/apei/einj-core.c
+@@ -182,6 +182,7 @@ bool einj_initialized __ro_after_init;
+
+ static void __iomem *einj_param;
+ static u32 v5param_size;
++static u32 v66param_size;
+ static bool is_v2;
+
+ static void einj_exec_ctx_init(struct apei_exec_context *ctx)
+@@ -283,6 +284,24 @@ static void check_vendor_extension(u64 p
+ acpi_os_unmap_iomem(p, sizeof(v));
+ }
+
++static u32 einjv2_init(struct einjv2_extension_struct *e)
++{
++ if (e->revision != 1) {
++ pr_info("Unknown v2 extension revision %u\n", e->revision);
++ return 0;
++ }
++ if (e->length < sizeof(*e) || e->length > PAGE_SIZE) {
++ pr_info(FW_BUG "Bad1 v2 extension length %u\n", e->length);
++ return 0;
++ }
++ if ((e->length - sizeof(*e)) % sizeof(e->component_arr[0])) {
++ pr_info(FW_BUG "Bad2 v2 extension length %u\n", e->length);
++ return 0;
++ }
++
++ return (e->length - sizeof(*e)) / sizeof(e->component_arr[0]);
++}
++
+ static void __iomem *einj_get_parameter_address(void)
+ {
+ int i;
+@@ -310,28 +329,21 @@ static void __iomem *einj_get_parameter_
+ v5param_size = sizeof(v5param);
+ p = acpi_os_map_iomem(pa_v5, sizeof(*p));
+ if (p) {
+- int offset, len;
+-
+ memcpy_fromio(&v5param, p, v5param_size);
+ acpi5 = 1;
+ check_vendor_extension(pa_v5, &v5param);
+- if (is_v2 && available_error_type & ACPI65_EINJV2_SUPP) {
+- len = v5param.einjv2_struct.length;
+- offset = offsetof(struct einjv2_extension_struct, component_arr);
+- max_nr_components = (len - offset) /
+- sizeof(v5param.einjv2_struct.component_arr[0]);
+- /*
+- * The first call to acpi_os_map_iomem above does not include the
+- * component array, instead it is used to read and calculate maximum
+- * number of components supported by the system. Below, the mapping
+- * is expanded to include the component array.
+- */
++ if (available_error_type & ACPI65_EINJV2_SUPP) {
++ struct einjv2_extension_struct *e;
++
++ e = &v5param.einjv2_struct;
++ max_nr_components = einjv2_init(e);
++
++ /* remap including einjv2_extension_struct */
+ acpi_os_unmap_iomem(p, v5param_size);
+- offset = offsetof(struct set_error_type_with_address, einjv2_struct);
+- v5param_size = offset + struct_size(&v5param.einjv2_struct,
+- component_arr, max_nr_components);
+- p = acpi_os_map_iomem(pa_v5, v5param_size);
++ v66param_size = v5param_size - sizeof(*e) + e->length;
++ p = acpi_os_map_iomem(pa_v5, v66param_size);
+ }
++
+ return p;
+ }
+ }
+@@ -527,6 +539,7 @@ static int __einj_error_inject(u32 type,
+ u64 param3, u64 param4)
+ {
+ struct apei_exec_context ctx;
++ u32 param_size = is_v2 ? v66param_size : v5param_size;
+ u64 val, trigger_paddr, timeout = FIRMWARE_TIMEOUT;
+ int i, rc;
+
+@@ -539,11 +552,11 @@ static int __einj_error_inject(u32 type,
+ if (acpi5) {
+ struct set_error_type_with_address *v5param;
+
+- v5param = kmalloc(v5param_size, GFP_KERNEL);
++ v5param = kmalloc(param_size, GFP_KERNEL);
+ if (!v5param)
+ return -ENOMEM;
+
+- memcpy_fromio(v5param, einj_param, v5param_size);
++ memcpy_fromio(v5param, einj_param, param_size);
+ v5param->type = type;
+ if (type & ACPI5_VENDOR_BIT) {
+ switch (vendor_flags) {
+@@ -601,7 +614,7 @@ static int __einj_error_inject(u32 type,
+ break;
+ }
+ }
+- memcpy_toio(einj_param, v5param, v5param_size);
++ memcpy_toio(einj_param, v5param, param_size);
+ kfree(v5param);
+ } else {
+ rc = apei_exec_run(&ctx, ACPI_EINJ_SET_ERROR_TYPE);
+@@ -1099,9 +1112,14 @@ static void einj_remove(struct faux_devi
+ struct apei_exec_context ctx;
+
+ if (einj_param) {
+- acpi_size size = (acpi5) ?
+- v5param_size :
+- sizeof(struct einj_parameter);
++ acpi_size size;
++
++ if (v66param_size)
++ size = v66param_size;
++ else if (acpi5)
++ size = v5param_size;
++ else
++ size = sizeof(struct einj_parameter);
+
+ acpi_os_unmap_iomem(einj_param, size);
+ if (vendor_errors.size)
--- /dev/null
+From baa18d577cd445145039e731d3de0fa49ca57204 Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@cherry.de>
+Date: Wed, 12 Nov 2025 16:01:53 +0100
+Subject: arm64: dts: rockchip: disable HS400 on RK3588 Tiger
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+commit baa18d577cd445145039e731d3de0fa49ca57204 upstream.
+
+We've had reports from the field that some RK3588 Tiger have random
+issues with eMMC errors.
+
+Applying commit a28352cf2d2f ("mmc: sdhci-of-dwcmshc: Change
+DLL_STRBIN_TAPNUM_DEFAULT to 0x4") didn't help and seemed to have made
+things worse for our board.
+
+Our HW department checked the eMMC lines and reported that they are too
+long and don't look great so signal integrity is probably not the best.
+
+Note that not all Tigers with the same eMMC chip have errors, so the
+suspicion is that we're really on the edge in terms of signal integrity
+and only a handful devices are failing. Additionally, we have RK3588
+Jaguars with the same eMMC chip but the layout is different and we also
+haven't received reports about those so far.
+
+Lowering the max-frequency to 150MHz from 200MHz instead of simply
+disabling HS400 was briefly tested and seem to work as well. We've
+disabled HS400 downstream and haven't received reports since so we'll go
+with that instead of lowering the max-frequency.
+
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Fixes: 6173ef24b35b ("arm64: dts: rockchip: add RK3588-Q7 (Tiger) SoM")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251112-tiger-hs200-v1-1-b50adac107c0@cherry.de
+[added Fixes tag and stable-cc from 2nd mail]
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi
+@@ -382,14 +382,12 @@
+ cap-mmc-highspeed;
+ mmc-ddr-1_8v;
+ mmc-hs200-1_8v;
+- mmc-hs400-1_8v;
+- mmc-hs400-enhanced-strobe;
+ mmc-pwrseq = <&emmc_pwrseq>;
+ no-sdio;
+ no-sd;
+ non-removable;
+ pinctrl-names = "default";
+- pinctrl-0 = <&emmc_bus8 &emmc_cmd &emmc_clk &emmc_data_strobe>;
++ pinctrl-0 = <&emmc_bus8 &emmc_cmd &emmc_clk>;
+ vmmc-supply = <&vcc_3v3_s3>;
+ vqmmc-supply = <&vcc_1v8_s3>;
+ status = "okay";
--- /dev/null
+From b5414520793e68d266fdd97a84989d9831156aad Mon Sep 17 00:00:00 2001
+From: Mykola Kvach <xakep.amatop@gmail.com>
+Date: Mon, 3 Nov 2025 12:27:40 +0200
+Subject: arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5
+
+From: Mykola Kvach <xakep.amatop@gmail.com>
+
+commit b5414520793e68d266fdd97a84989d9831156aad upstream.
+
+The vcc3v3_pcie20 fixed regulator powers the PCIe device-side 3.3V rail
+for pcie2x1l2 via vpcie3v3-supply. The DTS mistakenly set its
+regulator-min/max-microvolt to 1800000 (1.8 V). Correct both to 3300000
+(3.3 V) to match the rail name, the PCIe/M.2 power requirement, and the
+actual hardware wiring on Orange Pi 5.
+
+Fixes: b6bc755d806e ("arm64: dts: rockchip: Add Orange Pi 5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mykola Kvach <xakep.amatop@gmail.com>
+Reviewed-by: Michael Riesch <michael.riesch@collabora.com>
+Link: https://patch.msgid.link/cf6e08dfdfbf1c540685d12388baab1326f95d2c.1762165324.git.xakep.amatop@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts
+@@ -14,8 +14,8 @@
+ gpios = <&gpio0 RK_PC5 GPIO_ACTIVE_HIGH>;
+ regulator-name = "vcc3v3_pcie20";
+ regulator-boot-on;
+- regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <1800000>;
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
+ startup-delay-us = <50000>;
+ vin-supply = <&vcc5v0_sys>;
+ };
--- /dev/null
+From 03c7e964a02e388ee168c804add7404eda23908c Mon Sep 17 00:00:00 2001
+From: Diederik de Haas <diederik@cknow-tech.com>
+Date: Mon, 27 Oct 2025 16:54:28 +0100
+Subject: arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2
+
+From: Diederik de Haas <diederik@cknow-tech.com>
+
+commit 03c7e964a02e388ee168c804add7404eda23908c upstream.
+
+Page 13 of the PineTab2 v2 schematic dd 20230417 shows VCCIO4's power
+source is VCCIO_WL. Page 19 shows that VCCIO_WL is connected to
+VCCA1V8_PMU, so fix the PineTab2 dtsi to reflect that.
+
+Fixes: 1b7e19448f8f ("arm64: dts: rockchip: Add devicetree for Pine64 PineTab2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Diederik de Haas <diederik@cknow-tech.com>
+Link: https://patch.msgid.link/20251027155724.138096-1-diederik@cknow-tech.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi
+@@ -789,7 +789,7 @@
+ vccio1-supply = <&vccio_acodec>;
+ vccio2-supply = <&vcc_1v8>;
+ vccio3-supply = <&vccio_sd>;
+- vccio4-supply = <&vcc_1v8>;
++ vccio4-supply = <&vcca1v8_pmu>;
+ vccio5-supply = <&vcc_1v8>;
+ vccio6-supply = <&vcc1v8_dvp>;
+ vccio7-supply = <&vcc_3v3>;
--- /dev/null
+From 08d70143e3033d267507deb98a5fd187df3e6640 Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@cherry.de>
+Date: Wed, 29 Oct 2025 14:50:59 +0100
+Subject: arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+commit 08d70143e3033d267507deb98a5fd187df3e6640 upstream.
+
+In commit 296602b8e5f7 ("arm64: dts: rockchip: Move RK3399 OPPs to dtsi
+files for SoC variants"), everything shared between variants of RK3399
+was put into rk3399-base.dtsi and the rest in variant-specific DTSI,
+such as rk3399-t, rk3399-op1, rk3399, etc.
+Therefore, the variant-specific DTSI should include rk3399-base.dtsi and
+not another variant's DTSI.
+
+rk3399-op1 wrongly includes rk3399 (a variant) DTSI instead of
+rk3399-base DTSI, let's fix this oversight by including the intended
+DTSI.
+
+Fortunately, this had no impact on the resulting DTB since all nodes
+were named the same and all node properties were overridden in
+rk3399-op1.dtsi. This was checked by doing a checksum of rk3399-op1 DTBs
+before and after this commit.
+
+No intended change in behavior.
+
+Fixes: 296602b8e5f7 ("arm64: dts: rockchip: Move RK3399 OPPs to dtsi files for SoC variants")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Link: https://patch.msgid.link/20251029-rk3399-op1-include-v1-1-2472ee60e7f8@cherry.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi
+@@ -3,7 +3,7 @@
+ * Copyright (c) 2016-2017 Fuzhou Rockchip Electronics Co., Ltd
+ */
+
+-#include "rk3399.dtsi"
++#include "rk3399-base.dtsi"
+
+ / {
+ cluster0_opp: opp-table-0 {
--- /dev/null
+From 05b80cd1f37db042e074ecc7ee0d39869fed2f52 Mon Sep 17 00:00:00 2001
+From: Alexey Charkov <alchark@gmail.com>
+Date: Thu, 9 Oct 2025 16:34:01 +0400
+Subject: arm64: dts: rockchip: Remove non-functioning CPU OPPs from RK3576
+
+From: Alexey Charkov <alchark@gmail.com>
+
+commit 05b80cd1f37db042e074ecc7ee0d39869fed2f52 upstream.
+
+Drop the top-frequency OPPs from both the LITTLE and big CPU clusters on
+RK3576, as neither the opensource TF-A [1] nor the recent (after v1.08)
+binary BL31 images provided by Rockchip expose those.
+
+This fixes the problem [2] when the cpufreq governor tries to jump
+directly to the highest-frequency OPP, which results in a failed SCMI call
+leaving the system stuck at the previous OPP before the attempted change.
+
+[1] https://github.com/ARM-software/arm-trusted-firmware/blob/master/plat/rockchip/rk3576/scmi/rk3576_clk.c#L264-L304
+[2] https://lore.kernel.org/linux-rockchip/CABjd4Yz4NbqzZH4Qsed3ias56gcga9K6CmYA+BLDBxtbG915Ag@mail.gmail.com/
+
+Fixes: 57b1ce903966 ("arm64: dts: rockchip: Add rk3576 SoC base DT")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexey Charkov <alchark@gmail.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3576.dtsi | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3576.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3576.dtsi
+@@ -269,12 +269,6 @@
+ opp-microvolt = <900000 900000 950000>;
+ clock-latency-ns = <40000>;
+ };
+-
+- opp-2208000000 {
+- opp-hz = /bits/ 64 <2208000000>;
+- opp-microvolt = <950000 950000 950000>;
+- clock-latency-ns = <40000>;
+- };
+ };
+
+ cluster1_opp_table: opp-table-cluster1 {
+@@ -341,12 +335,6 @@
+ opp-microvolt = <925000 925000 950000>;
+ clock-latency-ns = <40000>;
+ };
+-
+- opp-2304000000 {
+- opp-hz = /bits/ 64 <2304000000>;
+- opp-microvolt = <950000 950000 950000>;
+- clock-latency-ns = <40000>;
+- };
+ };
+
+ gpu_opp_table: opp-table-gpu {
--- /dev/null
+From b32cc17d607e8ae7af037303fe101368cb4dc44c Mon Sep 17 00:00:00 2001
+From: Yihang Li <liyihang9@h-partners.com>
+Date: Thu, 20 Nov 2025 11:50:23 +0800
+Subject: ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan()
+
+From: Yihang Li <liyihang9@h-partners.com>
+
+commit b32cc17d607e8ae7af037303fe101368cb4dc44c upstream.
+
+Call scsi_device_put() in ata_scsi_dev_rescan() if the device or its
+queue are not running.
+
+Fixes: 0c76106cb975 ("scsi: sd: Fix TCG OPAL unlock on system resume")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yihang Li <liyihang9@h-partners.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -4901,8 +4901,10 @@ void ata_scsi_dev_rescan(struct work_str
+ spin_unlock_irqrestore(ap->lock, flags);
+ if (do_resume) {
+ ret = scsi_resume_device(sdev);
+- if (ret == -EWOULDBLOCK)
++ if (ret == -EWOULDBLOCK) {
++ scsi_device_put(sdev);
+ goto unlock_scan;
++ }
+ dev->flags &= ~ATA_DFLAG_RESUMING;
+ }
+ ret = scsi_rescan_device(sdev);
--- /dev/null
+From b11890683380a36b8488229f818d5e76e8204587 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Wed, 19 Nov 2025 15:13:14 +0100
+Subject: ata: libata-scsi: Fix system suspend for a security locked drive
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit b11890683380a36b8488229f818d5e76e8204587 upstream.
+
+Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status
+handling") fixed ata_to_sense_error() to properly generate sense key
+ABORTED COMMAND (without any additional sense code), instead of the
+previous bogus sense key ILLEGAL REQUEST with the additional sense code
+UNALIGNED WRITE COMMAND, for a failed command.
+
+However, this broke suspend for Security locked drives (drives that have
+Security enabled, and have not been Security unlocked by boot firmware).
+
+The reason for this is that the SCSI disk driver, for the Synchronize
+Cache command only, treats any sense data with sense key ILLEGAL REQUEST
+as a successful command (regardless of ASC / ASCQ).
+
+After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error()
+status handling") the code that treats any sense data with sense key
+ILLEGAL REQUEST as a successful command is no longer applicable, so the
+command fails, which causes the system suspend to be aborted:
+
+ sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5
+ sd 1:0:0:0: PM: failed to suspend async: error -5
+ PM: Some devices failed to suspend, or early wake event detected
+
+To make suspend work once again, for a Security locked device only,
+return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense
+data which a real SCSI device would have returned if locked.
+The SCSI disk driver treats this sense data as a successful command.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ilia Baryshnikov <qwelias@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704
+Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling")
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 7 +++++++
+ include/linux/ata.h | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -992,6 +992,13 @@ static void ata_gen_ata_sense(struct ata
+ return;
+ }
+
++ if (ata_id_is_locked(dev->id)) {
++ /* Security locked */
++ /* LOGICAL UNIT ACCESS NOT AUTHORIZED */
++ ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71);
++ return;
++ }
++
+ if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) {
+ ata_dev_dbg(dev,
+ "Missing result TF: reporting aborted command\n");
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -566,6 +566,7 @@ struct ata_bmdma_prd {
+ #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8))
+ #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1)
+ #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7))
++#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7)
+ #define ata_id_has_atapi_AN(id) \
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
--- /dev/null
+From 7d277a7a58578dd62fd546ddaef459ec24ccae36 Mon Sep 17 00:00:00 2001
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Date: Wed, 19 Nov 2025 10:51:12 +0000
+Subject: be2net: pass wrb_params in case of OS2BMC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+
+commit 7d277a7a58578dd62fd546ddaef459ec24ccae36 upstream.
+
+be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL
+at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL
+pointer when processing a workaround for specific packet, as commit
+bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6
+packet") states.
+
+The correct way would be to pass the wrb_params from be_xmit().
+
+Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Link: https://patch.msgid.link/20251119105015.194501-1-a.vatoropin@crpt.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1296,7 +1296,8 @@ static void be_xmit_flush(struct be_adap
+ (adapter->bmc_filt_mask & BMC_FILT_MULTICAST)
+
+ static bool be_send_pkt_to_bmc(struct be_adapter *adapter,
+- struct sk_buff **skb)
++ struct sk_buff **skb,
++ struct be_wrb_params *wrb_params)
+ {
+ struct ethhdr *eh = (struct ethhdr *)(*skb)->data;
+ bool os2bmc = false;
+@@ -1360,7 +1361,7 @@ done:
+ * to BMC, asic expects the vlan to be inline in the packet.
+ */
+ if (os2bmc)
+- *skb = be_insert_vlan_in_pkt(adapter, *skb, NULL);
++ *skb = be_insert_vlan_in_pkt(adapter, *skb, wrb_params);
+
+ return os2bmc;
+ }
+@@ -1387,7 +1388,7 @@ static netdev_tx_t be_xmit(struct sk_buf
+ /* if os2bmc is enabled and if the pkt is destined to bmc,
+ * enqueue the pkt a 2nd time with mgmt bit set.
+ */
+- if (be_send_pkt_to_bmc(adapter, &skb)) {
++ if (be_send_pkt_to_bmc(adapter, &skb, &wrb_params)) {
+ BE_WRB_F_SET(wrb_params.features, OS2BMC, 1);
+ wrb_cnt = be_xmit_enqueue(adapter, txo, skb, &wrb_params);
+ if (unlikely(!wrb_cnt))
--- /dev/null
+From 316e361b5d2cdeb8d778983794a1c6eadcb26814 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 22 Oct 2025 15:34:26 +0200
+Subject: dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 316e361b5d2cdeb8d778983794a1c6eadcb26814 upstream.
+
+The "groups" property can hold multiple entries (e.g.
+toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect
+type (pinmux-node.yaml schema already defines that as string-array) and
+adding constraints for items. This fixes dtbs_check warnings like:
+
+ toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl):
+ pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long
+
+Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++++-----
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
+@@ -50,18 +50,20 @@ patternProperties:
+ groups:
+ description:
+ Name of the pin group to use for the functions.
+- $ref: /schemas/types.yaml#/definitions/string
+- enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
+- i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
+- spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
+- spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
+- uart0_grp, uart1_grp, uart2_grp, uart3_grp,
+- pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
+- pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
+- pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
+- pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
+- pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
+- pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ items:
++ enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
++ i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
++ spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
++ spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
++ uart0_grp, uart1_grp, uart2_grp, uart3_grp,
++ pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
++ pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
++ pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
++ pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
++ pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
++ pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ minItems: 1
++ maxItems: 8
+
+ drive-strength:
+ enum: [2, 4, 6, 8, 16, 24, 32]
--- /dev/null
+From f2c1f631630e01821fe4c3fdf6077bc7a8284f82 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Date: Tue, 4 Nov 2025 20:50:07 +0800
+Subject: exfat: check return value of sb_min_blocksize in exfat_read_boot_sector
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+commit f2c1f631630e01821fe4c3fdf6077bc7a8284f82 upstream.
+
+sb_min_blocksize() may return 0. Check its return value to avoid
+accessing the filesystem super block when sb->s_blocksize is 0.
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: 719c1e1829166d ("exfat: add super block operations")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Link: https://patch.msgid.link/20251104125009.2111925-3-yangyongpeng.storage@gmail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exfat/super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/exfat/super.c
++++ b/fs/exfat/super.c
+@@ -423,7 +423,10 @@ static int exfat_read_boot_sector(struct
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+
+ /* set block size to read super block */
+- sb_min_blocksize(sb, 512);
++ if (!sb_min_blocksize(sb, 512)) {
++ exfat_err(sb, "unable to set blocksize");
++ return -EINVAL;
++ }
+
+ /* read boot sector */
+ sbi->boot_bh = sb_bread(sb, 0);
--- /dev/null
+From 0778ac7df5137d5041783fadfc201f8fd55a1d9b Mon Sep 17 00:00:00 2001
+From: Zhen Ni <zhen.ni@easystack.cn>
+Date: Mon, 13 Oct 2025 19:41:51 +0800
+Subject: fs: Fix uninitialized 'offp' in statmount_string()
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+commit 0778ac7df5137d5041783fadfc201f8fd55a1d9b upstream.
+
+In statmount_string(), most flags assign an output offset pointer (offp)
+which is later updated with the string offset. However, the
+STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the
+struct fields instead of using offp. This leaves offp uninitialized,
+leading to a possible uninitialized dereference when *offp is updated.
+
+Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code
+path consistent.
+
+Fixes: 37c4a9590e1e ("statmount: allow to retrieve idmappings")
+Fixes: e52e97f09fb6 ("statmount: let unset strings be empty")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Link: https://patch.msgid.link/20251013114151.664341-1-zhen.ni@easystack.cn
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namespace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -5601,11 +5601,11 @@ static int statmount_string(struct kstat
+ ret = statmount_sb_source(s, seq);
+ break;
+ case STATMOUNT_MNT_UIDMAP:
+- sm->mnt_uidmap = start;
++ offp = &sm->mnt_uidmap;
+ ret = statmount_mnt_uidmap(s, seq);
+ break;
+ case STATMOUNT_MNT_GIDMAP:
+- sm->mnt_gidmap = start;
++ offp = &sm->mnt_gidmap;
+ ret = statmount_mnt_gidmap(s, seq);
+ break;
+ default:
--- /dev/null
+From 4d3a13afa8b64dc49293b3eab3e7beac11072c12 Mon Sep 17 00:00:00 2001
+From: "Mario Limonciello (AMD)" <superm1@kernel.org>
+Date: Mon, 20 Oct 2025 10:50:42 -0500
+Subject: HID: amd_sfh: Stop sensor before starting
+
+From: Mario Limonciello (AMD) <superm1@kernel.org>
+
+commit 4d3a13afa8b64dc49293b3eab3e7beac11072c12 upstream.
+
+Titas reports that the accelerometer sensor on their laptop only
+works after a warm boot or unloading/reloading the amd-sfh kernel
+module.
+
+Presumably the sensor is in a bad state on cold boot and failing to
+start, so explicitly stop it before starting.
+
+Cc: stable@vger.kernel.org
+Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality")
+Reported-by: Titas <novatitas366@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670
+Tested-by: Titas <novatitas366@gmail.com>
+Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+@@ -194,6 +194,8 @@ static int amd_sfh1_1_hid_client_init(st
+ if (rc)
+ goto cleanup;
+
++ mp2_ops->stop(privdata, cl_data->sensor_idx[i]);
++ amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR);
+ writel(0, privdata->mmio + amd_get_p2c_val(privdata, 0));
+ mp2_ops->start(privdata, info);
+ status = amd_sfh_wait_for_response
--- /dev/null
+From beab067dbcff642243291fd528355d64c41dc3b2 Mon Sep 17 00:00:00 2001
+From: Zhang Heng <zhangheng@kylinos.cn>
+Date: Fri, 12 Sep 2025 20:38:18 +0800
+Subject: HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+commit beab067dbcff642243291fd528355d64c41dc3b2 upstream.
+
+Based on available evidence, the USB ID 4c4a:4155 used by multiple
+devices has been attributed to Jieli. The commit 1a8953f4f774
+("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY") affected touchscreen
+functionality. Added checks for manufacturer and serial number to
+maintain microphone compatibility, enabling both devices to function
+properly.
+
+[jkosina@suse.com: edit shortlog]
+Fixes: 1a8953f4f774 ("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY")
+Cc: stable@vger.kernel.org
+Tested-by: staffan.melin@oscillator.se
+Reviewed-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h | 4 ++--
+ drivers/hid/hid-quirks.c | 13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1543,7 +1543,7 @@
+ #define USB_VENDOR_ID_SIGNOTEC 0x2133
+ #define USB_DEVICE_ID_SIGNOTEC_VIEWSONIC_PD1011 0x0018
+
+-#define USB_VENDOR_ID_SMARTLINKTECHNOLOGY 0x4c4a
+-#define USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155 0x4155
++#define USB_VENDOR_ID_JIELI_SDK_DEFAULT 0x4c4a
++#define USB_DEVICE_ID_JIELI_SDK_4155 0x4155
+
+ #endif
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -915,7 +915,6 @@ static const struct hid_device_id hid_ig
+ #endif
+ { HID_USB_DEVICE(USB_VENDOR_ID_YEALINK, USB_DEVICE_ID_YEALINK_P1K_P4K_B2K) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473) },
+- { HID_USB_DEVICE(USB_VENDOR_ID_SMARTLINKTECHNOLOGY, USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155) },
+ { }
+ };
+
+@@ -1064,6 +1063,18 @@ bool hid_ignore(struct hid_device *hdev)
+ strlen(elan_acpi_id[i].id)))
+ return true;
+ break;
++ case USB_VENDOR_ID_JIELI_SDK_DEFAULT:
++ /*
++ * Multiple USB devices with identical IDs (mic & touchscreen).
++ * The touch screen requires hid core processing, but the
++ * microphone does not. They can be distinguished by manufacturer
++ * and serial number.
++ */
++ if (hdev->product == USB_DEVICE_ID_JIELI_SDK_4155 &&
++ strncmp(hdev->name, "SmartlinkTechnology", 19) == 0 &&
++ strncmp(hdev->uniq, "20201111000001", 14) == 0)
++ return true;
++ break;
+ }
+
+ if (hdev->type == HID_TYPE_USBMOUSE &&
--- /dev/null
+From e08969c4d65ac31297fcb4d31d4808c789152f68 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+Date: Tue, 4 Nov 2025 07:03:10 +0000
+Subject: Input: cros_ec_keyb - fix an invalid memory access
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+commit e08969c4d65ac31297fcb4d31d4808c789152f68 upstream.
+
+If cros_ec_keyb_register_matrix() isn't called (due to
+`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
+NULL. An invalid memory access is observed in cros_ec_keyb_process()
+when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
+in such case.
+
+ Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
+ ...
+ x3 : 0000000000000000 x2 : 0000000000000000
+ x1 : 0000000000000000 x0 : 0000000000000000
+ Call trace:
+ input_event
+ cros_ec_keyb_work
+ blocking_notifier_call_chain
+ ec_irq_thread
+
+It's still unknown about why the kernel receives such malformed event,
+in any cases, the kernel shouldn't access `ckdev->idev` and friends if
+the driver doesn't intend to initialize them.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://patch.msgid.link/20251104070310.3212712-1-tzungbi@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/cros_ec_keyb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/input/keyboard/cros_ec_keyb.c
++++ b/drivers/input/keyboard/cros_ec_keyb.c
+@@ -261,6 +261,12 @@ static int cros_ec_keyb_work(struct noti
+ case EC_MKBP_EVENT_KEY_MATRIX:
+ pm_wakeup_event(ckdev->dev, 0);
+
++ if (!ckdev->idev) {
++ dev_warn_once(ckdev->dev,
++ "Unexpected key matrix event\n");
++ return NOTIFY_OK;
++ }
++
+ if (ckdev->ec->event_size != ckdev->cols) {
+ dev_err(ckdev->dev,
+ "Discarded incomplete key matrix event.\n");
--- /dev/null
+From c6d99e488117201c63efd747ce17b80687c3f5a9 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 13 Oct 2025 09:15:25 -0700
+Subject: Input: goodix - add support for ACPI ID GDIX1003
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit c6d99e488117201c63efd747ce17b80687c3f5a9 upstream.
+
+Some newer devices use an ACPI hardware ID of GDIX1003 for their Goodix
+touchscreen controller, instead of GDIX1001 / GDIX1002. Add GDIX1003
+to the goodix_acpi_match[] table.
+
+Reported-by: Weikang Guo <guoweikang.kernel@gmail.com>
+Closes: https://lore.kernel.org/linux-input/20250225024409.1467040-1-guoweikang.kernel@gmail.com/
+Tested-by: Weikang Guo <guoweikang.kernel@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20251013121022.44333-1-hansg@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/goodix.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/touchscreen/goodix.c
++++ b/drivers/input/touchscreen/goodix.c
+@@ -1557,6 +1557,7 @@ MODULE_DEVICE_TABLE(i2c, goodix_ts_id);
+ static const struct acpi_device_id goodix_acpi_match[] = {
+ { "GDIX1001", 0 },
+ { "GDIX1002", 0 },
++ { "GDIX1003", 0 },
+ { "GDX9110", 0 },
+ { }
+ };
--- /dev/null
+From d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Sat, 1 Nov 2025 16:25:27 +0300
+Subject: Input: imx_sc_key - fix memory corruption on unload
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 upstream.
+
+This is supposed to be "priv" but we accidentally pass "&priv" which is
+an address in the stack and so it will lead to memory corruption when
+the imx_sc_key_action() function is called. Remove the &.
+
+Fixes: 768062fd1284 ("Input: imx_sc_key - use devm_add_action_or_reset() to handle all cleanups")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/aQYKR75r2VMFJutT@stanley.mountain
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/imx_sc_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/imx_sc_key.c
++++ b/drivers/input/keyboard/imx_sc_key.c
+@@ -158,7 +158,7 @@ static int imx_sc_key_probe(struct platf
+ return error;
+ }
+
+- error = devm_add_action_or_reset(&pdev->dev, imx_sc_key_action, &priv);
++ error = devm_add_action_or_reset(&pdev->dev, imx_sc_key_action, priv);
+ if (error)
+ return error;
+
--- /dev/null
+From 69aeb507312306f73495598a055293fa749d454e Mon Sep 17 00:00:00 2001
+From: Seungjin Bae <eeodqql09@gmail.com>
+Date: Fri, 17 Oct 2025 15:36:31 -0700
+Subject: Input: pegasus-notetaker - fix potential out-of-bounds access
+
+From: Seungjin Bae <eeodqql09@gmail.com>
+
+commit 69aeb507312306f73495598a055293fa749d454e upstream.
+
+In the pegasus_notetaker driver, the pegasus_probe() function allocates
+the URB transfer buffer using the wMaxPacketSize value from
+the endpoint descriptor. An attacker can use a malicious USB descriptor
+to force the allocation of a very small buffer.
+
+Subsequently, if the device sends an interrupt packet with a specific
+pattern (e.g., where the first byte is 0x80 or 0x42),
+the pegasus_parse_packet() function parses the packet without checking
+the allocated buffer size. This leads to an out-of-bounds memory access.
+
+Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
+Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
+Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/tablet/pegasus_notetaker.c
++++ b/drivers/input/tablet/pegasus_notetaker.c
+@@ -63,6 +63,9 @@
+ #define BUTTON_PRESSED 0xb5
+ #define COMMAND_VERSION 0xa9
+
++/* 1 Status + 1 Color + 2 X + 2 Y = 6 bytes */
++#define NOTETAKER_PACKET_SIZE 6
++
+ /* in xy data packet */
+ #define BATTERY_NO_REPORT 0x40
+ #define BATTERY_LOW 0x41
+@@ -311,6 +314,12 @@ static int pegasus_probe(struct usb_inte
+ }
+
+ pegasus->data_len = usb_maxpacket(dev, pipe);
++ if (pegasus->data_len < NOTETAKER_PACKET_SIZE) {
++ dev_err(&intf->dev, "packet size is too small (%d)\n",
++ pegasus->data_len);
++ error = -EINVAL;
++ goto err_free_mem;
++ }
+
+ pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL,
+ &pegasus->data_dma);
--- /dev/null
+From 46447367a52965e9d35f112f5b26fc8ff8ec443d Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 20 Nov 2025 11:40:15 -0700
+Subject: io_uring/cmd_net: fix wrong argument types for skb_queue_splice()
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 46447367a52965e9d35f112f5b26fc8ff8ec443d upstream.
+
+If timestamp retriving needs to be retried and the local list of
+SKB's already has entries, then it's spliced back into the socket
+queue. However, the arguments for the splice helper are transposed,
+causing exactly the wrong direction of splicing into the on-stack
+list. Fix that up.
+
+Cc: stable@vger.kernel.org
+Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-462435176@google.com>
+Fixes: 9e4ed359b8ef ("io_uring/netcmd: add tx timestamping cmd support")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/cmd_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/cmd_net.c
++++ b/io_uring/cmd_net.c
+@@ -126,7 +126,7 @@ static int io_uring_cmd_timestamp(struct
+
+ if (!unlikely(skb_queue_empty(&list))) {
+ scoped_guard(spinlock_irqsave, &q->lock)
+- skb_queue_splice(q, &list);
++ skb_queue_splice(&list, q);
+ }
+ return -EAGAIN;
+ }
--- /dev/null
+From e106e269c5cb38315eb0a0e7e38f71e9b20c8c66 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Date: Tue, 4 Nov 2025 20:50:08 +0800
+Subject: isofs: check the return value of sb_min_blocksize() in isofs_fill_super
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+commit e106e269c5cb38315eb0a0e7e38f71e9b20c8c66 upstream.
+
+sb_min_blocksize() may return 0. Check its return value to avoid
+opt->blocksize and sb->s_blocksize is 0.
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: 1b17a46c9243e9 ("isofs: convert isofs to use the new mount API")
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Link: https://patch.msgid.link/20251104125009.2111925-4-yangyongpeng.storage@gmail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/isofs/inode.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -610,6 +610,11 @@ static int isofs_fill_super(struct super
+ goto out_freesbi;
+ }
+ opt->blocksize = sb_min_blocksize(s, opt->blocksize);
++ if (!opt->blocksize) {
++ printk(KERN_ERR
++ "ISOFS: unable to set blocksize\n");
++ goto out_freesbi;
++ }
+
+ sbi->s_high_sierra = 0; /* default is iso9660 */
+ sbi->s_session = opt->session;
--- /dev/null
+From 3fa05f96fc08dff5e846c2cc283a249c1bf029a1 Mon Sep 17 00:00:00 2001
+From: Yosry Ahmed <yosry.ahmed@linux.dev>
+Date: Wed, 12 Nov 2025 01:30:17 +0000
+Subject: KVM: SVM: Fix redundant updates of LBR MSR intercepts
+
+From: Yosry Ahmed <yosry.ahmed@linux.dev>
+
+commit 3fa05f96fc08dff5e846c2cc283a249c1bf029a1 upstream.
+
+Don't update the LBR MSR intercept bitmaps if they're already up-to-date,
+as unconditionally updating the intercepts forces KVM to recalculate the
+MSR bitmaps for vmcb02 on every nested VMRUN. The redundant updates are
+functionally okay; however, they neuter an optimization in Hyper-V
+nested virtualization enlightenments and this manifests as a self-test
+failure.
+
+In particular, Hyper-V lets L1 mark "nested enlightenments" as clean, i.e.
+tell KVM that no changes were made to the MSR bitmap since the last VMRUN.
+The hyperv_svm_test KVM selftest intentionally changes the MSR bitmap
+"without telling KVM about it" to verify that KVM honors the clean hint,
+correctly fails because KVM notices the changed bitmap anyway:
+
+ ==== Test Assertion Failure ====
+ x86/hyperv_svm_test.c:120: vmcb->control.exit_code == 0x081
+ pid=193558 tid=193558 errno=4 - Interrupted system call
+ 1 0x0000000000411361: assert_on_unhandled_exception at processor.c:659
+ 2 0x0000000000406186: _vcpu_run at kvm_util.c:1699
+ 3 (inlined by) vcpu_run at kvm_util.c:1710
+ 4 0x0000000000401f2a: main at hyperv_svm_test.c:175
+ 5 0x000000000041d0d3: __libc_start_call_main at libc-start.o:?
+ 6 0x000000000041f27c: __libc_start_main_impl at ??:?
+ 7 0x00000000004021a0: _start at ??:?
+ vmcb->control.exit_code == SVM_EXIT_VMMCALL
+
+Do *not* fix this by skipping svm_hv_vmcb_dirty_nested_enlightenments()
+when svm_set_intercept_for_msr() performs a no-op change. changes to
+the L0 MSR interception bitmap are only triggered by full CPUID updates
+and MSR filter updates, both of which should be rare. Changing
+svm_set_intercept_for_msr() risks hiding unintended pessimizations
+like this one, and is actually more complex than this change.
+
+Fixes: fbe5e5f030c2 ("KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
+Link: https://patch.msgid.link/20251112013017.1836863-1-yosry.ahmed@linux.dev
+[Rewritten commit message based on mailing list discussion. - Paolo]
+Reviewed-by: Sean Christopherson <seanjc@google.com>
+Tested-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/svm.c | 9 ++++++++-
+ arch/x86/kvm/svm/svm.h | 1 +
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -713,7 +713,11 @@ void *svm_alloc_permissions_map(unsigned
+
+ static void svm_recalc_lbr_msr_intercepts(struct kvm_vcpu *vcpu)
+ {
+- bool intercept = !(to_svm(vcpu)->vmcb->control.virt_ext & LBR_CTL_ENABLE_MASK);
++ struct vcpu_svm *svm = to_svm(vcpu);
++ bool intercept = !(svm->vmcb->control.virt_ext & LBR_CTL_ENABLE_MASK);
++
++ if (intercept == svm->lbr_msrs_intercepted)
++ return;
+
+ svm_set_intercept_for_msr(vcpu, MSR_IA32_LASTBRANCHFROMIP, MSR_TYPE_RW, intercept);
+ svm_set_intercept_for_msr(vcpu, MSR_IA32_LASTBRANCHTOIP, MSR_TYPE_RW, intercept);
+@@ -722,6 +726,8 @@ static void svm_recalc_lbr_msr_intercept
+
+ if (sev_es_guest(vcpu->kvm))
+ svm_set_intercept_for_msr(vcpu, MSR_IA32_DEBUGCTLMSR, MSR_TYPE_RW, intercept);
++
++ svm->lbr_msrs_intercepted = intercept;
+ }
+
+ void svm_set_x2apic_msr_interception(struct vcpu_svm *svm, bool intercept)
+@@ -1278,6 +1284,7 @@ static int svm_vcpu_create(struct kvm_vc
+ }
+
+ svm->x2avic_msrs_intercepted = true;
++ svm->lbr_msrs_intercepted = true;
+
+ svm->vmcb01.ptr = page_address(vmcb01_page);
+ svm->vmcb01.pa = __sme_set(page_to_pfn(vmcb01_page) << PAGE_SHIFT);
+--- a/arch/x86/kvm/svm/svm.h
++++ b/arch/x86/kvm/svm/svm.h
+@@ -334,6 +334,7 @@ struct vcpu_svm {
+ bool guest_state_loaded;
+
+ bool x2avic_msrs_intercepted;
++ bool lbr_msrs_intercepted;
+
+ /* Guest GIF value, used when vGIF is not enabled */
+ bool guest_gif;
--- /dev/null
+From a26ec8f3d4e56d4a7ffa301e8032dca9df0bbc05 Mon Sep 17 00:00:00 2001
+From: Pasha Tatashin <pasha.tatashin@soleen.com>
+Date: Thu, 6 Nov 2025 17:06:35 -0500
+Subject: lib/test_kho: check if KHO is enabled
+
+From: Pasha Tatashin <pasha.tatashin@soleen.com>
+
+commit a26ec8f3d4e56d4a7ffa301e8032dca9df0bbc05 upstream.
+
+We must check whether KHO is enabled prior to issuing KHO commands,
+otherwise KHO internal data structures are not initialized.
+
+Link: https://lkml.kernel.org/r/20251106220635.2608494-1-pasha.tatashin@soleen.com
+Fixes: b753522bed0b ("kho: add test for kexec handover")
+Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202511061629.e242724-lkp@intel.com
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
+Cc: Alexander Graf <graf@amazon.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/test_kho.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/lib/test_kho.c
++++ b/lib/test_kho.c
+@@ -272,6 +272,9 @@ static int __init kho_test_init(void)
+ phys_addr_t fdt_phys;
+ int err;
+
++ if (!kho_is_enabled())
++ return 0;
++
+ err = kho_retrieve_subtree(KHO_TEST_FDT, &fdt_phys);
+ if (!err)
+ return kho_test_restore(fdt_phys);
--- /dev/null
+From 677e6123e3d24adaa252697dc89740f2ac07664e Mon Sep 17 00:00:00 2001
+From: Vincent Li <vincent.mc.li@gmail.com>
+Date: Thu, 20 Nov 2025 14:42:05 +0800
+Subject: LoongArch: BPF: Disable trampoline for kernel module function trace
+
+From: Vincent Li <vincent.mc.li@gmail.com>
+
+commit 677e6123e3d24adaa252697dc89740f2ac07664e upstream.
+
+The current LoongArch BPF trampoline implementation is incompatible
+with tracing functions in kernel modules. This causes several severe
+and user-visible problems:
+
+* The `bpf_selftests/module_attach` test fails consistently.
+* Kernel lockup when a BPF program is attached to a module function [1].
+* Critical kernel modules like WireGuard experience traffic disruption
+ when their functions are traced with fentry [2].
+
+Given the severity and the potential for other unknown side-effects, it
+is safest to disable the feature entirely for now. This patch prevents
+the BPF subsystem from allowing trampoline attachments to kernel module
+functions on LoongArch.
+
+This is a temporary mitigation until the core issues in the trampoline
+code for kernel module handling can be identified and fixed.
+
+[root@fedora bpf]# ./test_progs -a module_attach -v
+bpf_testmod.ko is already unloaded.
+Loading bpf_testmod.ko...
+Successfully loaded bpf_testmod.ko.
+test_module_attach:PASS:skel_open 0 nsec
+test_module_attach:PASS:set_attach_target 0 nsec
+test_module_attach:PASS:set_attach_target_explicit 0 nsec
+test_module_attach:PASS:skel_load 0 nsec
+libbpf: prog 'handle_fentry': failed to attach: -ENOTSUPP
+libbpf: prog 'handle_fentry': failed to auto-attach: -ENOTSUPP
+test_module_attach:FAIL:skel_attach skeleton attach failed: -524
+Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
+Successfully unloaded bpf_testmod.ko.
+
+[1]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C13FMT58oqQ@mail.gmail.com/
+[2]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcFaK93uoELPg@mail.gmail.com/
+
+Cc: stable@vger.kernel.org
+Fixes: f9b6b41f0cf3 ("LoongArch: BPF: Add basic bpf trampoline support")
+Acked-by: Hengqi Chen <hengqi.chen@gmail.com>
+Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/net/bpf_jit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/loongarch/net/bpf_jit.c
++++ b/arch/loongarch/net/bpf_jit.c
+@@ -1626,6 +1626,9 @@ static int __arch_prepare_bpf_trampoline
+ /* Direct jump skips 5 NOP instructions */
+ else if (is_bpf_text_address((unsigned long)orig_call))
+ orig_call += LOONGARCH_BPF_FENTRY_NBYTES;
++ /* Module tracing not supported - cause kernel lockups */
++ else if (is_module_text_address((unsigned long)orig_call))
++ return -ENOTSUPP;
+
+ if (flags & BPF_TRAMP_F_CALL_ORIG) {
+ move_addr(ctx, LOONGARCH_GPR_A0, (const u64)im);
--- /dev/null
+From a6b533adfc05ba15360631e019d3e18275080275 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Thu, 20 Nov 2025 14:42:05 +0800
+Subject: LoongArch: Don't panic if no valid cache info for PCI
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit a6b533adfc05ba15360631e019d3e18275080275 upstream.
+
+If there is no valid cache info detected (may happen in virtual machine)
+for pci_dfl_cache_line_size, kernel shouldn't panic. Because in the PCI
+core it will be evaluated to (L1_CACHE_BYTES >> 2).
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/pci/pci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/loongarch/pci/pci.c
++++ b/arch/loongarch/pci/pci.c
+@@ -50,11 +50,11 @@ static int __init pcibios_init(void)
+ */
+ lsize = cpu_last_level_cache_line_size();
+
+- BUG_ON(!lsize);
++ if (lsize) {
++ pci_dfl_cache_line_size = lsize >> 2;
+
+- pci_dfl_cache_line_size = lsize >> 2;
+-
+- pr_debug("PCI: pci_cache_line_size set to %d bytes\n", lsize);
++ pr_debug("PCI: pci_cache_line_size set to %d bytes\n", lsize);
++ }
+
+ return 0;
+ }
--- /dev/null
+From acf5de1b23b0275eb69f235c8e9f2cef19fa39a1 Mon Sep 17 00:00:00 2001
+From: Bibo Mao <maobibo@loongson.cn>
+Date: Thu, 20 Nov 2025 14:42:05 +0800
+Subject: LoongArch: Fix NUMA node parsing with numa_memblks
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+commit acf5de1b23b0275eb69f235c8e9f2cef19fa39a1 upstream.
+
+On physical machine, NUMA node id comes from high bit 44:48 of physical
+address. However it is not true on virt machine. With general method, it
+comes from ACPI SRAT table.
+
+Here the common function numa_memblks_init() is used to parse NUMA node
+information with numa_memblks.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/numa.c | 60 ++++++++++++-------------------------------
+ 1 file changed, 18 insertions(+), 42 deletions(-)
+
+--- a/arch/loongarch/kernel/numa.c
++++ b/arch/loongarch/kernel/numa.c
+@@ -158,35 +158,9 @@ static void __init node_mem_init(unsigne
+
+ #ifdef CONFIG_ACPI_NUMA
+
+-/*
+- * add_numamem_region
+- *
+- * Add a uasable memory region described by BIOS. The
+- * routine gets each intersection between BIOS's region
+- * and node's region, and adds them into node's memblock
+- * pool.
+- *
+- */
+-static void __init add_numamem_region(u64 start, u64 end, u32 type)
+-{
+- u32 node = pa_to_nid(start);
+- u64 size = end - start;
+- static unsigned long num_physpages;
+-
+- if (start >= end) {
+- pr_debug("Invalid region: %016llx-%016llx\n", start, end);
+- return;
+- }
+-
+- num_physpages += (size >> PAGE_SHIFT);
+- pr_info("Node%d: mem_type:%d, mem_start:0x%llx, mem_size:0x%llx Bytes\n",
+- node, type, start, size);
+- pr_info(" start_pfn:0x%llx, end_pfn:0x%llx, num_physpages:0x%lx\n",
+- start >> PAGE_SHIFT, end >> PAGE_SHIFT, num_physpages);
+- memblock_set_node(start, size, &memblock.memory, node);
+-}
++static unsigned long num_physpages;
+
+-static void __init init_node_memblock(void)
++static void __init info_node_memblock(void)
+ {
+ u32 mem_type;
+ u64 mem_end, mem_start, mem_size;
+@@ -206,12 +180,20 @@ static void __init init_node_memblock(vo
+ case EFI_BOOT_SERVICES_DATA:
+ case EFI_PERSISTENT_MEMORY:
+ case EFI_CONVENTIONAL_MEMORY:
+- add_numamem_region(mem_start, mem_end, mem_type);
++ num_physpages += (mem_size >> PAGE_SHIFT);
++ pr_info("Node%d: mem_type:%d, mem_start:0x%llx, mem_size:0x%llx Bytes\n",
++ (u32)pa_to_nid(mem_start), mem_type, mem_start, mem_size);
++ pr_info(" start_pfn:0x%llx, end_pfn:0x%llx, num_physpages:0x%lx\n",
++ mem_start >> PAGE_SHIFT, mem_end >> PAGE_SHIFT, num_physpages);
+ break;
+ case EFI_PAL_CODE:
+ case EFI_UNUSABLE_MEMORY:
+ case EFI_ACPI_RECLAIM_MEMORY:
+- add_numamem_region(mem_start, mem_end, mem_type);
++ num_physpages += (mem_size >> PAGE_SHIFT);
++ pr_info("Node%d: mem_type:%d, mem_start:0x%llx, mem_size:0x%llx Bytes\n",
++ (u32)pa_to_nid(mem_start), mem_type, mem_start, mem_size);
++ pr_info(" start_pfn:0x%llx, end_pfn:0x%llx, num_physpages:0x%lx\n",
++ mem_start >> PAGE_SHIFT, mem_end >> PAGE_SHIFT, num_physpages);
+ fallthrough;
+ case EFI_RESERVED_TYPE:
+ case EFI_RUNTIME_SERVICES_CODE:
+@@ -249,22 +231,16 @@ int __init init_numa_memory(void)
+ for (i = 0; i < NR_CPUS; i++)
+ set_cpuid_to_node(i, NUMA_NO_NODE);
+
+- numa_reset_distance();
+- nodes_clear(numa_nodes_parsed);
+- nodes_clear(node_possible_map);
+- nodes_clear(node_online_map);
+- WARN_ON(memblock_clear_hotplug(0, PHYS_ADDR_MAX));
+-
+ /* Parse SRAT and SLIT if provided by firmware. */
+- ret = acpi_disabled ? fake_numa_init() : acpi_numa_init();
++ if (!acpi_disabled)
++ ret = numa_memblks_init(acpi_numa_init, false);
++ else
++ ret = numa_memblks_init(fake_numa_init, false);
++
+ if (ret < 0)
+ return ret;
+
+- node_possible_map = numa_nodes_parsed;
+- if (WARN_ON(nodes_empty(node_possible_map)))
+- return -EINVAL;
+-
+- init_node_memblock();
++ info_node_memblock();
+ if (!memblock_validate_numa_coverage(SZ_1M))
+ return -EINVAL;
+
--- /dev/null
+From ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Mon, 20 Oct 2025 02:11:49 +0100
+Subject: MIPS: Malta: Fix !EVA SOC-it PCI MMIO
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e upstream.
+
+Fix a regression that has caused accesses to the PCI MMIO window to
+complete unclaimed in non-EVA configurations with the SOC-it family of
+system controllers, preventing PCI devices from working that use MMIO.
+
+In the non-EVA case PHYS_OFFSET is set to 0, meaning that PCI_BAR0 is
+set with an empty mask (and PCI_HEAD4 matches addresses starting from 0
+accordingly). Consequently all addresses are matched for incoming DMA
+accesses from PCI. This seems to confuse the system controller's logic
+and outgoing bus cycles targeting the PCI MMIO window seem not to make
+it to the intended devices.
+
+This happens as well when a wider mask is used with PCI_BAR0, such as
+0x80000000 or 0xe0000000, that makes addresses match that overlap with
+the PCI MMIO window, which starts at 0x10000000 in our configuration.
+
+Set the mask in PCI_BAR0 to 0xf0000000 for non-EVA then, covering the
+non-EVA maximum 256 MiB of RAM, which is what YAMON does and which used
+to work correctly up to the offending commit. Set PCI_P2SCMSKL to match
+PCI_BAR0 as required by the system controller's specification, and match
+PCI_P2SCMAPL to PCI_HEAD4 for identity mapping.
+
+Verified with:
+
+Core board type/revision = 0x0d (Core74K) / 0x01
+System controller/revision = MIPS SOC-it 101 OCP / 1.3 SDR-FW-4:1
+Processor Company ID/options = 0x01 (MIPS Technologies, Inc.) / 0x1c
+Processor ID/revision = 0x97 (MIPS 74Kf) / 0x4c
+
+for non-EVA and with:
+
+Core board type/revision = 0x0c (CoreFPGA-5) / 0x00
+System controller/revision = MIPS ROC-it2 / 0.0 FW-1:1 (CLK_unknown) GIC
+Processor Company ID/options = 0x01 (MIPS Technologies, Inc.) / 0x00
+Processor ID/revision = 0xa0 (MIPS interAptiv UP) / 0x20
+
+for EVA/non-EVA, fixing:
+
+defxx 0000:00:12.0: assign IRQ: got 10
+defxx: v1.12 2021/03/10 Lawrence V. Stefani and others
+0000:00:12.0: Could not read adapter factory MAC address!
+
+vs:
+
+defxx 0000:00:12.0: assign IRQ: got 10
+defxx: v1.12 2021/03/10 Lawrence V. Stefani and others
+0000:00:12.0: DEFPA at MMIO addr = 0x10142000, IRQ = 10, Hardware addr = 00-00-f8-xx-xx-xx
+0000:00:12.0: registered as fddi0
+
+for non-EVA and causing no change for EVA.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: 422dd256642b ("MIPS: Malta: Allow PCI devices DMA to lower 2GB physical")
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mti-malta/malta-init.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/arch/mips/mti-malta/malta-init.c
++++ b/arch/mips/mti-malta/malta-init.c
+@@ -241,16 +241,22 @@ mips_pci_controller:
+ #endif
+
+ /*
+- * Setup the Malta max (2GB) memory for PCI DMA in host bridge
+- * in transparent addressing mode.
++ * Set up memory mapping in host bridge for PCI DMA masters,
++ * in transparent addressing mode. For EVA use the Malta
++ * maximum of 2 GiB memory in the alias space at 0x80000000
++ * as per PHYS_OFFSET. Otherwise use 256 MiB of memory in
++ * the regular space, avoiding mapping the PCI MMIO window
++ * for DMA as it seems to confuse the system controller's
++ * logic, causing PCI MMIO to stop working.
+ */
+- mask = PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH;
+- MSC_WRITE(MSC01_PCI_BAR0, mask);
+- MSC_WRITE(MSC01_PCI_HEAD4, mask);
++ mask = PHYS_OFFSET ? PHYS_OFFSET : 0xf0000000;
++ MSC_WRITE(MSC01_PCI_BAR0,
++ mask | PCI_BASE_ADDRESS_MEM_PREFETCH);
++ MSC_WRITE(MSC01_PCI_HEAD4,
++ PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH);
+
+- mask &= MSC01_PCI_BAR0_SIZE_MSK;
+ MSC_WRITE(MSC01_PCI_P2SCMSKL, mask);
+- MSC_WRITE(MSC01_PCI_P2SCMAPL, mask);
++ MSC_WRITE(MSC01_PCI_P2SCMAPL, PHYS_OFFSET);
+
+ /* Don't handle target retries indefinitely. */
+ if ((data & MSC01_PCI_CFG_MAXRTRY_MSK) ==
--- /dev/null
+From 9f048fa487409e364cf866c957cf0b0d782ca5a3 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Thu, 13 Nov 2025 05:21:10 +0000
+Subject: MIPS: mm: Prevent a TLB shutdown on initial uniquification
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 9f048fa487409e364cf866c957cf0b0d782ca5a3 upstream.
+
+Depending on the particular CPU implementation a TLB shutdown may occur
+if multiple matching entries are detected upon the execution of a TLBP
+or the TLBWI/TLBWR instructions. Given that we don't know what entries
+we have been handed we need to be very careful with the initial TLB
+setup and avoid all these instructions.
+
+Therefore read all the TLB entries one by one with the TLBR instruction,
+bypassing the content addressing logic, and truncate any large pages in
+place so as to avoid a case in the second step where an incoming entry
+for a large page at a lower address overlaps with a replacement entry
+chosen at another index. Then preinitialize the TLB using addresses
+outside our usual unique range and avoiding clashes with any entries
+received, before making the usual call to local_flush_tlb_all().
+
+This fixes (at least) R4x00 cores if TLBP hits multiple matching TLB
+entries (SGI IP22 PROM for examples sets up all TLBs to the same virtual
+address).
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Tested-by: Jiaxun Yang <jiaxun.yang@flygoat.com> # Boston I6400, M5150 sim
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/tlb-r4k.c | 102 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 64 insertions(+), 38 deletions(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -15,6 +15,7 @@
+ #include <linux/mm.h>
+ #include <linux/hugetlb.h>
+ #include <linux/export.h>
++#include <linux/sort.h>
+
+ #include <asm/cpu.h>
+ #include <asm/cpu-type.h>
+@@ -508,55 +509,79 @@ static int __init set_ntlb(char *str)
+
+ __setup("ntlb=", set_ntlb);
+
+-/* Initialise all TLB entries with unique values */
++
++/* Comparison function for EntryHi VPN fields. */
++static int r4k_vpn_cmp(const void *a, const void *b)
++{
++ long v = *(unsigned long *)a - *(unsigned long *)b;
++ int s = sizeof(long) > sizeof(int) ? sizeof(long) * 8 - 1: 0;
++ return s ? (v != 0) | v >> s : v;
++}
++
++/*
++ * Initialise all TLB entries with unique values that do not clash with
++ * what we have been handed over and what we'll be using ourselves.
++ */
+ static void r4k_tlb_uniquify(void)
+ {
+- int entry = num_wired_entries();
++ unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE];
++ int tlbsize = current_cpu_data.tlbsize;
++ int start = num_wired_entries();
++ unsigned long vpn_mask;
++ int cnt, ent, idx, i;
++
++ vpn_mask = GENMASK(cpu_vmbits - 1, 13);
++ vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31;
+
+ htw_stop();
+- write_c0_entrylo0(0);
+- write_c0_entrylo1(0);
+
+- while (entry < current_cpu_data.tlbsize) {
+- unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data);
+- unsigned long asid = 0;
+- int idx;
++ for (i = start, cnt = 0; i < tlbsize; i++, cnt++) {
++ unsigned long vpn;
+
+- /* Skip wired MMID to make ginvt_mmid work */
+- if (cpu_has_mmid)
+- asid = MMID_KERNEL_WIRED + 1;
++ write_c0_index(i);
++ mtc0_tlbr_hazard();
++ tlb_read();
++ tlb_read_hazard();
++ vpn = read_c0_entryhi();
++ vpn &= vpn_mask & PAGE_MASK;
++ tlb_vpns[cnt] = vpn;
+
+- /* Check for match before using UNIQUE_ENTRYHI */
+- do {
+- if (cpu_has_mmid) {
+- write_c0_memorymapid(asid);
+- write_c0_entryhi(UNIQUE_ENTRYHI(entry));
+- } else {
+- write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid);
+- }
+- mtc0_tlbw_hazard();
+- tlb_probe();
+- tlb_probe_hazard();
+- idx = read_c0_index();
+- /* No match or match is on current entry */
+- if (idx < 0 || idx == entry)
+- break;
+- /*
+- * If we hit a match, we need to try again with
+- * a different ASID.
+- */
+- asid++;
+- } while (asid < asid_mask);
+-
+- if (idx >= 0 && idx != entry)
+- panic("Unable to uniquify TLB entry %d", idx);
+-
+- write_c0_index(entry);
++ /* Prevent any large pages from overlapping regular ones. */
++ write_c0_pagemask(read_c0_pagemask() & PM_DEFAULT_MASK);
+ mtc0_tlbw_hazard();
+ tlb_write_indexed();
+- entry++;
++ tlbw_use_hazard();
+ }
+
++ sort(tlb_vpns, cnt, sizeof(tlb_vpns[0]), r4k_vpn_cmp, NULL);
++
++ write_c0_pagemask(PM_DEFAULT_MASK);
++ write_c0_entrylo0(0);
++ write_c0_entrylo1(0);
++
++ idx = 0;
++ ent = tlbsize;
++ for (i = start; i < tlbsize; i++)
++ while (1) {
++ unsigned long entryhi, vpn;
++
++ entryhi = UNIQUE_ENTRYHI(ent);
++ vpn = entryhi & vpn_mask & PAGE_MASK;
++
++ if (idx >= cnt || vpn < tlb_vpns[idx]) {
++ write_c0_entryhi(entryhi);
++ write_c0_index(i);
++ mtc0_tlbw_hazard();
++ tlb_write_indexed();
++ ent++;
++ break;
++ } else if (vpn == tlb_vpns[idx]) {
++ ent++;
++ } else {
++ idx++;
++ }
++ }
++
+ tlbw_use_hazard();
+ htw_start();
+ flush_micro_tlb();
+@@ -602,6 +627,7 @@ static void r4k_tlb_configure(void)
+
+ /* From this point on the ARC firmware is dead. */
+ r4k_tlb_uniquify();
++ local_flush_tlb_all();
+
+ /* Did I tell you that ARC SUCKS? */
+ }
--- /dev/null
+From ec33b59542d96830e3c89845ff833cf7b25ef172 Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Thu, 13 Nov 2025 19:54:35 +0100
+Subject: mm/mempool: fix poisoning order>0 pages with HIGHMEM
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit ec33b59542d96830e3c89845ff833cf7b25ef172 upstream.
+
+The kernel test has reported:
+
+ BUG: unable to handle page fault for address: fffba000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ *pde = 03171067 *pte = 00000000
+ Oops: Oops: 0002 [#1]
+ CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca
+ Tainted: [T]=RANDSTRUCT
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
+ Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
+ EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
+ ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
+ DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
+ CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
+ Call Trace:
+ poison_element (mm/mempool.c:83 mm/mempool.c:102)
+ mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
+ mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ do_one_initcall (init/main.c:1283)
+
+Christoph found out this is due to the poisoning code not dealing
+properly with CONFIG_HIGHMEM because only the first page is mapped but
+then the whole potentially high-order page is accessed.
+
+We could give up on HIGHMEM here, but it's straightforward to fix this
+with a loop that's mapping, poisoning or checking and unmapping
+individual pages.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com
+Analyzed-by: Christoph Hellwig <hch@lst.de>
+Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator")
+Cc: stable@vger.kernel.org
+Tested-by: kernel test robot <oliver.sang@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempool.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -68,10 +68,20 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __check_element(pool, addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __check_element(pool, addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+
+@@ -97,10 +107,20 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __poison_element(addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __poison_element(addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+ #else /* CONFIG_SLUB_DEBUG_ON */
--- /dev/null
+From fbade4bd08ba52cbc74a71c4e86e736f059f99f7 Mon Sep 17 00:00:00 2001
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+Date: Tue, 11 Nov 2025 14:02:50 +0800
+Subject: mptcp: Disallow MPTCP subflows from sockmap
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+commit fbade4bd08ba52cbc74a71c4e86e736f059f99f7 upstream.
+
+The sockmap feature allows bpf syscall from userspace, or based on bpf
+sockops, replacing the sk_prot of sockets during protocol stack processing
+with sockmap's custom read/write interfaces.
+'''
+tcp_rcv_state_process()
+ subflow_syn_recv_sock()
+ tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
+ bpf_skops_established <== sockops
+ bpf_sock_map_update(sk) <== call bpf helper
+ tcp_bpf_update_proto() <== update sk_prot
+'''
+Consider two scenarios:
+
+1. When the server has MPTCP enabled and the client also requests MPTCP,
+ the sk passed to the BPF program is a subflow sk. Since subflows only
+ handle partial data, replacing their sk_prot is meaningless and will
+ cause traffic disruption.
+
+2. When the server has MPTCP enabled but the client sends a TCP SYN
+ without MPTCP, subflow_syn_recv_sock() performs a fallback on the
+ subflow, replacing the subflow sk's sk_prot with the native sk_prot.
+ '''
+ subflow_ulp_fallback()
+ subflow_drop_ctx()
+ mptcp_subflow_ops_undo_override()
+ '''
+ Subsequently, accept::mptcp_stream_accept::mptcp_fallback_tcp_ops()
+ converts the subflow to plain TCP.
+
+For the first case, we should prevent it from being combined with sockmap
+by setting sk_prot->psock_update_sk_prot to NULL, which will be blocked by
+sockmap's own flow.
+
+For the second case, since subflow_syn_recv_sock() has already restored
+sk_prot to native tcp_prot/tcpv6_prot, no further action is needed.
+
+Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251111060307.194196-2-jiayuan.chen@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/subflow.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -2144,6 +2144,10 @@ void __init mptcp_subflow_init(void)
+ tcp_prot_override = tcp_prot;
+ tcp_prot_override.release_cb = tcp_release_cb_override;
+ tcp_prot_override.diag_destroy = tcp_abort_override;
++#ifdef CONFIG_BPF_SYSCALL
++ /* Disable sockmap processing for subflows */
++ tcp_prot_override.psock_update_sk_prot = NULL;
++#endif
+
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+ /* In struct mptcp_subflow_request_sock, we assume the TCP request sock
+@@ -2180,6 +2184,10 @@ void __init mptcp_subflow_init(void)
+ tcpv6_prot_override = tcpv6_prot;
+ tcpv6_prot_override.release_cb = tcp_release_cb_override;
+ tcpv6_prot_override.diag_destroy = tcp_abort_override;
++#ifdef CONFIG_BPF_SYSCALL
++ /* Disable sockmap processing for subflows */
++ tcpv6_prot_override.psock_update_sk_prot = NULL;
++#endif
+ #endif
+
+ mptcp_diag_subflow_init(&subflow_ulp_ops);
--- /dev/null
+From c77b3b79a92e3345aa1ee296180d1af4e7031f8f Mon Sep 17 00:00:00 2001
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+Date: Tue, 11 Nov 2025 14:02:51 +0800
+Subject: mptcp: Fix proto fallback detection with BPF
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f upstream.
+
+The sockmap feature allows bpf syscall from userspace, or based
+on bpf sockops, replacing the sk_prot of sockets during protocol stack
+processing with sockmap's custom read/write interfaces.
+'''
+tcp_rcv_state_process()
+ syn_recv_sock()/subflow_syn_recv_sock()
+ tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
+ bpf_skops_established <== sockops
+ bpf_sock_map_update(sk) <== call bpf helper
+ tcp_bpf_update_proto() <== update sk_prot
+'''
+
+When the server has MPTCP enabled but the client sends a TCP SYN
+without MPTCP, subflow_syn_recv_sock() performs a fallback on the
+subflow, replacing the subflow sk's sk_prot with the native sk_prot.
+'''
+subflow_syn_recv_sock()
+ subflow_ulp_fallback()
+ subflow_drop_ctx()
+ mptcp_subflow_ops_undo_override()
+'''
+
+Then, this subflow can be normally used by sockmap, which replaces the
+native sk_prot with sockmap's custom sk_prot. The issue occurs when the
+user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().
+Here, it uses sk->sk_prot to compare with the native sk_prot, but this
+is incorrect when sockmap is used, as we may incorrectly set
+sk->sk_socket->ops.
+
+This fix uses the more generic sk_family for the comparison instead.
+
+Additionally, this also prevents a WARNING from occurring:
+
+result from ./scripts/decode_stacktrace.sh:
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
+(net/mptcp/protocol.c:4005)
+Modules linked in:
+...
+
+PKRU: 55555554
+Call Trace:
+<TASK>
+do_accept (net/socket.c:1989)
+__sys_accept4 (net/socket.c:2028 net/socket.c:2057)
+__x64_sys_accept (net/socket.c:2067)
+x64_sys_call (arch/x86/entry/syscall_64.c:41)
+do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+RIP: 0033:0x7f87ac92b83d
+
+---[ end trace 0000000000000000 ]---
+
+Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -60,11 +60,13 @@ static u64 mptcp_wnd_end(const struct mp
+
+ static const struct proto_ops *mptcp_fallback_tcp_ops(const struct sock *sk)
+ {
++ unsigned short family = READ_ONCE(sk->sk_family);
++
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+- if (sk->sk_prot == &tcpv6_prot)
++ if (family == AF_INET6)
+ return &inet6_stream_ops;
+ #endif
+- WARN_ON_ONCE(sk->sk_prot != &tcp_prot);
++ WARN_ON_ONCE(family != AF_INET);
+ return &inet_stream_ops;
+ }
+
--- /dev/null
+From 035bca3f017ee9dea3a5a756e77a6f7138cc6eea Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 13 Nov 2025 10:39:24 +0000
+Subject: mptcp: fix race condition in mptcp_schedule_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 035bca3f017ee9dea3a5a756e77a6f7138cc6eea upstream.
+
+syzbot reported use-after-free in mptcp_schedule_work() [1]
+
+Issue here is that mptcp_schedule_work() schedules a work,
+then gets a refcount on sk->sk_refcnt if the work was scheduled.
+This refcount will be released by mptcp_worker().
+
+[A] if (schedule_work(...)) {
+[B] sock_hold(sk);
+ return true;
+ }
+
+Problem is that mptcp_worker() can run immediately and complete before [B]
+
+We need instead :
+
+ sock_hold(sk);
+ if (schedule_work(...))
+ return true;
+ sock_put(sk);
+
+[1]
+refcount_t: addition on 0; use-after-free.
+ WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
+Call Trace:
+ <TASK>
+ __refcount_add include/linux/refcount.h:-1 [inline]
+ __refcount_inc include/linux/refcount.h:366 [inline]
+ refcount_inc include/linux/refcount.h:383 [inline]
+ sock_hold include/net/sock.h:816 [inline]
+ mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943
+ mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316
+ call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
+ expire_timers kernel/time/timer.c:1798 [inline]
+ __run_timers kernel/time/timer.c:2372 [inline]
+ __run_timer_base+0x648/0x970 kernel/time/timer.c:2384
+ run_timer_base kernel/time/timer.c:2393 [inline]
+ run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
+ handle_softirqs+0x22f/0x710 kernel/softirq.c:622
+ __do_softirq kernel/softirq.c:656 [inline]
+ run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
+ smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Cc: stable@vger.kernel.org
+Fixes: 3b1d6210a957 ("mptcp: implement and use MPTCP-level retransmission")
+Reported-by: syzbot+355158e7e301548a1424@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6915b46f.050a0220.3565dc.0028.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251113103924.3737425-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -895,14 +895,19 @@ static void mptcp_reset_rtx_timer(struct
+
+ bool mptcp_schedule_work(struct sock *sk)
+ {
+- if (inet_sk_state_load(sk) != TCP_CLOSE &&
+- schedule_work(&mptcp_sk(sk)->work)) {
+- /* each subflow already holds a reference to the sk, and the
+- * workqueue is invoked by a subflow, so sk can't go away here.
+- */
+- sock_hold(sk);
++ if (inet_sk_state_load(sk) == TCP_CLOSE)
++ return false;
++
++ /* Get a reference on this socket, mptcp_worker() will release it.
++ * As mptcp_worker() might complete before us, we can not avoid
++ * a sock_hold()/sock_put() if schedule_work() returns false.
++ */
++ sock_hold(sk);
++
++ if (schedule_work(&mptcp_sk(sk)->work))
+ return true;
+- }
++
++ sock_put(sk);
+ return false;
+ }
+
--- /dev/null
+From 5c56bf214af85ca042bf97f8584aab2151035840 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+Date: Thu, 23 Oct 2025 11:32:01 +0800
+Subject: mtd: rawnand: cadence: fix DMA device NULL pointer dereference
+
+From: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+
+commit 5c56bf214af85ca042bf97f8584aab2151035840 upstream.
+
+The DMA device pointer `dma_dev` was being dereferenced before ensuring
+that `cdns_ctrl->dmac` is properly initialized.
+
+Move the assignment of `dma_dev` after successfully acquiring the DMA
+channel to ensure the pointer is valid before use.
+
+Fixes: d76d22b5096c ("mtd: rawnand: cadence: use dma_map_resource for sdma address")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -2871,7 +2871,7 @@ cadence_nand_irq_cleanup(int irqnum, str
+ static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl)
+ {
+ dma_cap_mask_t mask;
+- struct dma_device *dma_dev = cdns_ctrl->dmac->device;
++ struct dma_device *dma_dev;
+ int ret;
+
+ cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev,
+@@ -2915,6 +2915,7 @@ static int cadence_nand_init(struct cdns
+ }
+ }
+
++ dma_dev = cdns_ctrl->dmac->device;
+ cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
+ cdns_ctrl->io.size,
+ DMA_BIDIRECTIONAL, 0);
--- /dev/null
+From e4185bed738da755b191aa3f2e16e8b48450e1b8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Tue, 30 Sep 2025 15:32:34 +0300
+Subject: mtdchar: fix integer overflow in read/write ioctls
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit e4185bed738da755b191aa3f2e16e8b48450e1b8 upstream.
+
+The "req.start" and "req.len" variables are u64 values that come from the
+user at the start of the function. We mask away the high 32 bits of
+"req.len" so that's capped at U32_MAX but the "req.start" variable can go
+up to U64_MAX which means that the addition can still integer overflow.
+
+Use check_add_overflow() to fix this bug.
+
+Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
+Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdchar.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -599,6 +599,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd
+ uint8_t *datbuf = NULL, *oobbuf = NULL;
+ size_t datbuf_len, oobbuf_len;
+ int ret = 0;
++ u64 end;
+
+ if (copy_from_user(&req, argp, sizeof(req)))
+ return -EFAULT;
+@@ -618,7 +619,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd
+ req.len &= 0xffffffff;
+ req.ooblen &= 0xffffffff;
+
+- if (req.start + req.len > mtd->size)
++ if (check_add_overflow(req.start, req.len, &end) || end > mtd->size)
+ return -EINVAL;
+
+ datbuf_len = min_t(size_t, req.len, mtd->erasesize);
+@@ -698,6 +699,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd,
+ size_t datbuf_len, oobbuf_len;
+ size_t orig_len, orig_ooblen;
+ int ret = 0;
++ u64 end;
+
+ if (copy_from_user(&req, argp, sizeof(req)))
+ return -EFAULT;
+@@ -724,7 +726,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd,
+ req.len &= 0xffffffff;
+ req.ooblen &= 0xffffffff;
+
+- if (req.start + req.len > mtd->size) {
++ if (check_add_overflow(req.start, req.len, &end) || end > mtd->size) {
+ ret = -EINVAL;
+ goto out;
+ }
--- /dev/null
+From 3ceb6ac2116ecda1c5d779bb73271479e70fccb4 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 14 Nov 2025 10:09:51 +0100
+Subject: net: dsa: microchip: lan937x: Fix RGMII delay tuning
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 3ceb6ac2116ecda1c5d779bb73271479e70fccb4 upstream.
+
+Correct RGMII delay application logic in lan937x_set_tune_adj().
+
+The function was missing `data16 &= ~PORT_TUNE_ADJ` before setting the
+new delay value. This caused the new value to be bitwise-OR'd with the
+existing PORT_TUNE_ADJ field instead of replacing it.
+
+For example, when setting the RGMII 2 TX delay on port 4, the
+intended TUNE_ADJUST value of 0 (RGMII_2_TX_DELAY_2NS) was
+incorrectly OR'd with the default 0x1B (from register value 0xDA3),
+leaving the delay at the wrong setting.
+
+This patch adds the missing mask to clear the field, ensuring the
+correct delay value is written. Physical measurements on the RGMII TX
+lines confirm the fix, showing the delay changing from ~1ns (before
+change) to ~2ns.
+
+While testing on i.MX 8MP showed this was within the platform's timing
+tolerance, it did not match the intended hardware-characterized value.
+
+Fixes: b19ac41faa3f ("net: dsa: microchip: apply rgmii tx and rx delay in phylink mac config")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20251114090951.4057261-1-o.rempel@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/microchip/lan937x_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/dsa/microchip/lan937x_main.c
++++ b/drivers/net/dsa/microchip/lan937x_main.c
+@@ -540,6 +540,7 @@ static void lan937x_set_tune_adj(struct
+ ksz_pread16(dev, port, reg, &data16);
+
+ /* Update tune Adjust */
++ data16 &= ~PORT_TUNE_ADJ;
+ data16 |= FIELD_PREP(PORT_TUNE_ADJ, val);
+ ksz_pwrite16(dev, port, reg, data16);
+
--- /dev/null
+From 949f1fd2225baefbea2995afa807dba5cbdb6bd3 Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Mon, 17 Nov 2025 08:42:31 +0000
+Subject: nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 949f1fd2225baefbea2995afa807dba5cbdb6bd3 upstream.
+
+nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a
+kmemleak warning.
+
+Make sure this data is deallocated.
+
+Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs")
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patch.msgid.link/20251117084231.2910561-1-namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
++++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
+@@ -159,6 +159,8 @@ nvkm_falcon_fw_dtor(struct nvkm_falcon_f
+ nvkm_memory_unref(&fw->inst);
+ nvkm_falcon_fw_dtor_sigs(fw);
+ nvkm_firmware_dtor(&fw->fw);
++ kfree(fw->boot);
++ fw->boot = NULL;
+ }
+
+ static const struct nvkm_firmware_func
--- /dev/null
+From 0a2c5495b6d1ecb0fa18ef6631450f391a888256 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Mon, 10 Nov 2025 16:20:01 -0500
+Subject: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+commit 0a2c5495b6d1ecb0fa18ef6631450f391a888256 upstream.
+
+nvme_fc_delete_assocation() waits for pending I/O to complete before
+returning, and an error can cause ->ioerr_work to be queued after
+cancel_work_sync() had been called. Move the call to cancel_work_sync() to
+be after nvme_fc_delete_association() to ensure ->ioerr_work is not running
+when the nvme_fc_ctrl object is freed. Otherwise the following can occur:
+
+[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL
+[ 1135.917705] ------------[ cut here ]------------
+[ 1135.922336] kernel BUG at lib/list_debug.c:52!
+[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI
+[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)
+[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025
+[ 1135.950969] Workqueue: 0x0 (nvme-wq)
+[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b
+[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046
+[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000
+[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0
+[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08
+[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100
+[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0
+[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000
+[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0
+[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+[ 1136.055910] PKRU: 55555554
+[ 1136.058623] Call Trace:
+[ 1136.061074] <TASK>
+[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.071898] ? move_linked_works+0x4a/0xa0
+[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.081744] ? __die_body.cold+0x8/0x12
+[ 1136.085584] ? die+0x2e/0x50
+[ 1136.088469] ? do_trap+0xca/0x110
+[ 1136.091789] ? do_error_trap+0x65/0x80
+[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.101289] ? exc_invalid_op+0x50/0x70
+[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20
+[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.120806] move_linked_works+0x4a/0xa0
+[ 1136.124733] worker_thread+0x216/0x3a0
+[ 1136.128485] ? __pfx_worker_thread+0x10/0x10
+[ 1136.132758] kthread+0xfa/0x240
+[ 1136.135904] ? __pfx_kthread+0x10/0x10
+[ 1136.139657] ret_from_fork+0x31/0x50
+[ 1136.143236] ? __pfx_kthread+0x10/0x10
+[ 1136.146988] ret_from_fork_asm+0x1a/0x30
+[ 1136.150915] </TASK>
+
+Fixes: 19fce0470f05 ("nvme-fc: avoid calling _nvme_fc_abort_outstanding_ios from interrupt context")
+Cc: stable@vger.kernel.org
+Tested-by: Marco Patalano <mpatalan@redhat.com>
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -3253,7 +3253,6 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ {
+ struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl);
+
+- cancel_work_sync(&ctrl->ioerr_work);
+ cancel_delayed_work_sync(&ctrl->connect_work);
+
+ /*
+@@ -3261,6 +3260,7 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ * waiting for io to terminate
+ */
+ nvme_fc_delete_association(ctrl);
++ cancel_work_sync(&ctrl->ioerr_work);
+
+ if (ctrl->ctrl.tagset)
+ nvme_remove_io_tag_set(&ctrl->ctrl);
--- /dev/null
+From ea3442efabd0aa3930c5bab73c3901ef38ef6ac3 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Mon, 10 Nov 2025 16:20:00 -0500
+Subject: nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl()
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+commit ea3442efabd0aa3930c5bab73c3901ef38ef6ac3 upstream.
+
+Now target is removed from nvme_fc_ctrl_free() which is the ctrl->ref
+release handler. And even admin queue is unquiesced there, this way
+is definitely wrong because the ctr->ref is grabbed when submitting
+command.
+
+And Marco observed that nvme_fc_ctrl_free() can be called from request
+completion code path, and trigger kernel warning since request completes
+from softirq context.
+
+Fix the issue by moveing target removal into nvme_fc_delete_ctrl(),
+which is also aligned with nvme-tcp and nvme-rdma.
+
+Patch originally proposed by Ming Lei, then modified to move the tagset
+removal down to after nvme_fc_delete_association() after further testing.
+
+Cc: Marco Patalano <mpatalan@redhat.com>
+Cc: Ewan Milne <emilne@redhat.com>
+Cc: James Smart <james.smart@broadcom.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Cc: stable@vger.kernel.org
+Tested-by: Marco Patalano <mpatalan@redhat.com>
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -2355,17 +2355,11 @@ nvme_fc_ctrl_free(struct kref *ref)
+ container_of(ref, struct nvme_fc_ctrl, ref);
+ unsigned long flags;
+
+- if (ctrl->ctrl.tagset)
+- nvme_remove_io_tag_set(&ctrl->ctrl);
+-
+ /* remove from rport list */
+ spin_lock_irqsave(&ctrl->rport->lock, flags);
+ list_del(&ctrl->ctrl_list);
+ spin_unlock_irqrestore(&ctrl->rport->lock, flags);
+
+- nvme_unquiesce_admin_queue(&ctrl->ctrl);
+- nvme_remove_admin_tag_set(&ctrl->ctrl);
+-
+ kfree(ctrl->queues);
+
+ put_device(ctrl->dev);
+@@ -3261,11 +3255,18 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+
+ cancel_work_sync(&ctrl->ioerr_work);
+ cancel_delayed_work_sync(&ctrl->connect_work);
++
+ /*
+ * kill the association on the link side. this will block
+ * waiting for io to terminate
+ */
+ nvme_fc_delete_association(ctrl);
++
++ if (ctrl->ctrl.tagset)
++ nvme_remove_io_tag_set(&ctrl->ctrl);
++
++ nvme_unquiesce_admin_queue(&ctrl->ctrl);
++ nvme_remove_admin_tag_set(&ctrl->ctrl);
+ }
+
+ static void
--- /dev/null
+From 6f91ad24c6639220f2edb0ad8edb199b43cc3b22 Mon Sep 17 00:00:00 2001
+From: Anthony Wong <anthony.wong@ubuntu.com>
+Date: Mon, 17 Nov 2025 02:53:11 +0800
+Subject: platform/x86: alienware-wmi-wmax: Add AWCC support to Alienware 16 Aurora
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Anthony Wong <anthony.wong@ubuntu.com>
+
+commit 6f91ad24c6639220f2edb0ad8edb199b43cc3b22 upstream.
+
+Add AWCC support to Alienware 16 Aurora
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anthony Wong <anthony.wong@ubuntu.com>
+Reviewed-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://patch.msgid.link/20251116185311.18074-1-anthony.wong@canonical.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/alienware-wmi-wmax.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c
++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c
+@@ -90,6 +90,14 @@ static struct awcc_quirks empty_quirks;
+
+ static const struct dmi_system_id awcc_dmi_table[] __initconst = {
+ {
++ .ident = "Alienware 16 Aurora",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware 16 Aurora"),
++ },
++ .driver_data = &g_series_quirks,
++ },
++ {
+ .ident = "Alienware Area-51m",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
--- /dev/null
+From a6003d90f02863898babbcb3f55b1cd33f7867c2 Mon Sep 17 00:00:00 2001
+From: Kurt Borja <kuurtb@gmail.com>
+Date: Mon, 3 Nov 2025 14:01:48 -0500
+Subject: platform/x86: alienware-wmi-wmax: Add support for the whole "G" family
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+commit a6003d90f02863898babbcb3f55b1cd33f7867c2 upstream.
+
+Add support for the whole "Dell G" laptop family.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://patch.msgid.link/20251103-family-supp-v1-5-a241075d1787@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/alienware-wmi-wmax.c | 56 +++----------------------
+ 1 file changed, 8 insertions(+), 48 deletions(-)
+
+--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c
++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c
+@@ -170,74 +170,34 @@ static const struct dmi_system_id awcc_d
+ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Dell Inc. G15 5510",
++ .ident = "Dell Inc. G15",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5510"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15"),
+ },
+ .driver_data = &g_series_quirks,
+ },
+ {
+- .ident = "Dell Inc. G15 5511",
++ .ident = "Dell Inc. G16",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5511"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Dell G16"),
+ },
+ .driver_data = &g_series_quirks,
+ },
+ {
+- .ident = "Dell Inc. G15 5515",
++ .ident = "Dell Inc. G3",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5515"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "G3"),
+ },
+ .driver_data = &g_series_quirks,
+ },
+ {
+- .ident = "Dell Inc. G15 5530",
++ .ident = "Dell Inc. G5",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5530"),
+- },
+- .driver_data = &g_series_quirks,
+- },
+- {
+- .ident = "Dell Inc. G16 7630",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G16 7630"),
+- },
+- .driver_data = &g_series_quirks,
+- },
+- {
+- .ident = "Dell Inc. G3 3500",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "G3 3500"),
+- },
+- .driver_data = &g_series_quirks,
+- },
+- {
+- .ident = "Dell Inc. G3 3590",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "G3 3590"),
+- },
+- .driver_data = &g_series_quirks,
+- },
+- {
+- .ident = "Dell Inc. G5 5500",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "G5 5500"),
+- },
+- .driver_data = &g_series_quirks,
+- },
+- {
+- .ident = "Dell Inc. G5 5505",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "G5 5505"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "G5"),
+ },
+ .driver_data = &g_series_quirks,
+ },
--- /dev/null
+From e8c3c875e1017c04c594f0e6127ba82095b1cb87 Mon Sep 17 00:00:00 2001
+From: Kurt Borja <kuurtb@gmail.com>
+Date: Mon, 3 Nov 2025 14:01:46 -0500
+Subject: platform/x86: alienware-wmi-wmax: Add support for the whole "M" family
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+commit e8c3c875e1017c04c594f0e6127ba82095b1cb87 upstream.
+
+Add support for the whole "Alienware M" laptop family.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://patch.msgid.link/20251103-family-supp-v1-3-a241075d1787@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/alienware-wmi-wmax.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c
++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c
+@@ -106,18 +106,10 @@ static const struct dmi_system_id awcc_d
+ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Alienware m15 R5",
++ .ident = "Alienware m15",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m15 R5"),
+- },
+- .driver_data = &generic_quirks,
+- },
+- {
+- .ident = "Alienware m15 R7",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m15 R7"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m15"),
+ },
+ .driver_data = &generic_quirks,
+ },
+@@ -146,18 +138,18 @@ static const struct dmi_system_id awcc_d
+ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Alienware m17 R5",
++ .ident = "Alienware m17",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m17 R5 AMD"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m17"),
+ },
+ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Alienware m18 R2",
++ .ident = "Alienware m18",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m18 R2"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m18"),
+ },
+ .driver_data = &generic_quirks,
+ },
--- /dev/null
+From 21ebfff1cf4727bc325c89b94ed93741f870744f Mon Sep 17 00:00:00 2001
+From: Kurt Borja <kuurtb@gmail.com>
+Date: Mon, 3 Nov 2025 14:01:47 -0500
+Subject: platform/x86: alienware-wmi-wmax: Add support for the whole "X" family
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+commit 21ebfff1cf4727bc325c89b94ed93741f870744f upstream.
+
+Add support for the whole "Alienware X" laptop family.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://patch.msgid.link/20251103-family-supp-v1-4-a241075d1787@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/alienware-wmi-wmax.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c
++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c
+@@ -154,26 +154,18 @@ static const struct dmi_system_id awcc_d
+ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Alienware x15 R1",
++ .ident = "Alienware x15",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x15 R1"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x15"),
+ },
+ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Alienware x15 R2",
++ .ident = "Alienware x17",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x15 R2"),
+- },
+- .driver_data = &generic_quirks,
+- },
+- {
+- .ident = "Alienware x17 R2",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x17 R2"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x17"),
+ },
+ .driver_data = &generic_quirks,
+ },
--- /dev/null
+From bd4f9f113dda07293ed4002a17d14f62121d324f Mon Sep 17 00:00:00 2001
+From: Kurt Borja <kuurtb@gmail.com>
+Date: Mon, 3 Nov 2025 14:01:44 -0500
+Subject: platform/x86: alienware-wmi-wmax: Fix "Alienware m16 R1 AMD" quirk order
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+commit bd4f9f113dda07293ed4002a17d14f62121d324f upstream.
+
+Quirks are matched using dmi_first_match(), therefore move the
+"Alienware m16 R1 AMD" entry above other m16 entries.
+
+Reported-by: Cihan Ozakca <cozakca@outlook.com>
+Fixes: e2468dc70074 ("Revert "platform/x86: alienware-wmi-wmax: Add G-Mode support to Alienware m16 R1"")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://patch.msgid.link/20251103-family-supp-v1-1-a241075d1787@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/alienware-wmi-wmax.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c
++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c
+@@ -122,20 +122,20 @@ static const struct dmi_system_id awcc_d
+ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Alienware m16 R1",
++ .ident = "Alienware m16 R1 AMD",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m16 R1"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m16 R1 AMD"),
+ },
+- .driver_data = &g_series_quirks,
++ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Alienware m16 R1 AMD",
++ .ident = "Alienware m16 R1",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m16 R1 AMD"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m16 R1"),
+ },
+- .driver_data = &generic_quirks,
++ .driver_data = &g_series_quirks,
+ },
+ {
+ .ident = "Alienware m16 R2",
--- /dev/null
+From f384497a76ed9539f70f6e8fe81a193441c943d2 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 18 Nov 2025 15:16:04 +0100
+Subject: PM: sleep: core: Fix runtime PM enabling in device_resume_early()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit f384497a76ed9539f70f6e8fe81a193441c943d2 upstream.
+
+Runtime PM should only be enabled in device_resume_early() if it has
+been disabled for the given device by device_suspend_late(). Otherwise,
+it may cause runtime PM callbacks to run prematurely in some cases
+which leads to further functional issues.
+
+Make two changes to address this problem.
+
+First, reorder device_suspend_late() to only disable runtime PM for a
+device when it is going to look for the device's callback or if the
+device is a "syscore" one. In all of the other cases, disabling runtime
+PM for the device is not in fact necessary. However, if the device's
+callback returns an error and the power.is_late_suspended flag is not
+going to be set, enable runtime PM so it only remains disabled when
+power.is_late_suspended is set.
+
+Second, make device_resume_early() only enable runtime PM for the
+devices with the power.is_late_suspended flag set.
+
+Fixes: 443046d1ad66 ("PM: sleep: Make suspend of devices more asynchronous")
+Reported-by: Rose Wu <ya-jou.wu@mediatek.com>
+Closes: https://lore.kernel.org/linux-pm/70b25dca6f8c2756d78f076f4a7dee7edaaffc33.camel@mediatek.com/
+Cc: 6.16+ <stable@vger.kernel.org> # 6.16+
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/12784270.O9o76ZdvQC@rafael.j.wysocki
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/power/main.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index e83503bdc1fd..1de1cd72b616 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -888,12 +888,15 @@ static void device_resume_early(struct device *dev, pm_message_t state, bool asy
+ TRACE_DEVICE(dev);
+ TRACE_RESUME(0);
+
+- if (dev->power.syscore || dev->power.direct_complete)
++ if (dev->power.direct_complete)
+ goto Out;
+
+ if (!dev->power.is_late_suspended)
+ goto Out;
+
++ if (dev->power.syscore)
++ goto Skip;
++
+ if (!dpm_wait_for_superior(dev, async))
+ goto Out;
+
+@@ -926,11 +929,11 @@ static void device_resume_early(struct device *dev, pm_message_t state, bool asy
+
+ Skip:
+ dev->power.is_late_suspended = false;
++ pm_runtime_enable(dev);
+
+ Out:
+ TRACE_RESUME(error);
+
+- pm_runtime_enable(dev);
+ complete_all(&dev->power.completion);
+
+ if (error) {
+@@ -1615,12 +1618,6 @@ static void device_suspend_late(struct device *dev, pm_message_t state, bool asy
+ TRACE_DEVICE(dev);
+ TRACE_SUSPEND(0);
+
+- /*
+- * Disable runtime PM for the device without checking if there is a
+- * pending resume request for it.
+- */
+- __pm_runtime_disable(dev, false);
+-
+ dpm_wait_for_subordinate(dev, async);
+
+ if (READ_ONCE(async_error))
+@@ -1631,9 +1628,18 @@ static void device_suspend_late(struct device *dev, pm_message_t state, bool asy
+ goto Complete;
+ }
+
+- if (dev->power.syscore || dev->power.direct_complete)
++ if (dev->power.direct_complete)
+ goto Complete;
+
++ /*
++ * Disable runtime PM for the device without checking if there is a
++ * pending resume request for it.
++ */
++ __pm_runtime_disable(dev, false);
++
++ if (dev->power.syscore)
++ goto Skip;
++
+ if (dev->pm_domain) {
+ info = "late power domain ";
+ callback = pm_late_early_op(&dev->pm_domain->ops, state);
+@@ -1664,6 +1670,7 @@ static void device_suspend_late(struct device *dev, pm_message_t state, bool asy
+ WRITE_ONCE(async_error, error);
+ dpm_save_failed_dev(dev_name(dev));
+ pm_dev_err(dev, state, async ? " async late" : " late", error);
++ pm_runtime_enable(dev);
+ goto Complete;
+ }
+ dpm_propagate_wakeup_to_parent(dev);
+--
+2.52.0
+
--- /dev/null
+From 997c06330fd5c2e220b692f2a358986c6c8fd5a2 Mon Sep 17 00:00:00 2001
+From: Laurentiu Mihalcea <laurentiu.mihalcea@nxp.com>
+Date: Tue, 4 Nov 2025 04:02:54 -0800
+Subject: reset: imx8mp-audiomix: Fix bad mask values
+
+From: Laurentiu Mihalcea <laurentiu.mihalcea@nxp.com>
+
+commit 997c06330fd5c2e220b692f2a358986c6c8fd5a2 upstream.
+
+As per the i.MX8MP TRM, section 14.2 "AUDIO_BLK_CTRL", table 14.2.3.1.1
+"memory map", the definition of the EARC control register shows that the
+EARC controller software reset is controlled via bit 0, while the EARC PHY
+software reset is controlled via bit 1.
+
+This means that the current definitions of IMX8MP_AUDIOMIX_EARC_RESET_MASK
+and IMX8MP_AUDIOMIX_EARC_PHY_RESET_MASK are wrong since their values would
+imply that the EARC controller software reset is controlled via bit 1 and
+the EARC PHY software reset is controlled via bit 2. Fix them.
+
+Fixes: a83bc87cd30a ("reset: imx8mp-audiomix: Prepare the code for more reset bits")
+Cc: stable@vger.kernel.org
+Reviewed-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Signed-off-by: Laurentiu Mihalcea <laurentiu.mihalcea@nxp.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/reset/reset-imx8mp-audiomix.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/reset/reset-imx8mp-audiomix.c b/drivers/reset/reset-imx8mp-audiomix.c
+index 6b357adfe646..eceb37ff5dc5 100644
+--- a/drivers/reset/reset-imx8mp-audiomix.c
++++ b/drivers/reset/reset-imx8mp-audiomix.c
+@@ -14,8 +14,8 @@
+ #include <linux/reset-controller.h>
+
+ #define IMX8MP_AUDIOMIX_EARC_RESET_OFFSET 0x200
+-#define IMX8MP_AUDIOMIX_EARC_RESET_MASK BIT(1)
+-#define IMX8MP_AUDIOMIX_EARC_PHY_RESET_MASK BIT(2)
++#define IMX8MP_AUDIOMIX_EARC_RESET_MASK BIT(0)
++#define IMX8MP_AUDIOMIX_EARC_PHY_RESET_MASK BIT(1)
+
+ #define IMX8MP_AUDIOMIX_DSP_RUNSTALL_OFFSET 0x108
+ #define IMX8MP_AUDIOMIX_DSP_RUNSTALL_MASK BIT(5)
+--
+2.52.0
+
--- /dev/null
+From 660b299bed2a2a55a1f9102d029549d0235f881c Mon Sep 17 00:00:00 2001
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Date: Mon, 3 Nov 2025 14:14:15 +0000
+Subject: Revert "drm/tegra: dsi: Clear enable register if powered by bootloader"
+
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+
+commit 660b299bed2a2a55a1f9102d029549d0235f881c upstream.
+
+Commit b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a
+known state") was introduced so that all power domains get initialized
+to a known working state when booting and it does this by shutting them
+down (including asserting resets and disabling clocks) before registering
+each power domain with the genpd framework, leaving it to each driver to
+later on power its needed domains.
+
+This caused the Google Pixel C to hang when booting due to a workaround
+in the DSI driver introduced in commit b22fd0b9639e ("drm/tegra: dsi:
+Clear enable register if powered by bootloader") meant to handle the case
+where the bootloader enabled the DSI hardware module. The workaround relies
+on reading a hardware register to determine the current status and after
+b6bcbce33596 that now happens in a powered down state thus leading to
+the boot hang.
+
+Fix this by reverting b22fd0b9639e since currently we are guaranteed
+that the hardware will be fully reset by the time we start enabling the
+DSI module.
+
+Fixes: b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state")
+Cc: stable@vger.kernel.org
+Signed-off-by: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20251103-diogo-smaug_ec_typec-v1-1-be656ccda391@tecnico.ulisboa.pt
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tegra/dsi.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/gpu/drm/tegra/dsi.c
++++ b/drivers/gpu/drm/tegra/dsi.c
+@@ -913,15 +913,6 @@ static void tegra_dsi_encoder_enable(str
+ u32 value;
+ int err;
+
+- /* If the bootloader enabled DSI it needs to be disabled
+- * in order for the panel initialization commands to be
+- * properly sent.
+- */
+- value = tegra_dsi_readl(dsi, DSI_POWER_CONTROL);
+-
+- if (value & DSI_POWER_CONTROL_ENABLE)
+- tegra_dsi_disable(dsi);
+-
+ err = tegra_dsi_prepare(dsi);
+ if (err < 0) {
+ dev_err(dsi->dev, "failed to prepare: %d\n", err);
--- /dev/null
+From 31475b88110c4725b4f9a79c3a0d9bbf97e69e1c Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Thu, 13 Nov 2025 13:21:47 +0100
+Subject: s390/mm: Fix __ptep_rdp() inline assembly
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit 31475b88110c4725b4f9a79c3a0d9bbf97e69e1c upstream.
+
+When a zero ASCE is passed to the __ptep_rdp() inline assembly, the
+generated instruction should have the R3 field of the instruction set to
+zero. However the inline assembly is written incorrectly: for such cases a
+zero is loaded into a register allocated by the compiler and this register
+is then used by the instruction.
+
+This means that selected TLB entries may not be flushed since the specified
+ASCE does not match the one which was used when the selected TLB entries
+were created.
+
+Fix this by removing the asce and opt parameters of __ptep_rdp(), since
+all callers always pass zero, and use a hard-coded register zero for
+the R3 field.
+
+Fixes: 0807b856521f ("s390/mm: add support for RDP (Reset DAT-Protection)")
+Cc: stable@vger.kernel.org
+Reviewed-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/pgtable.h | 12 +++++-------
+ arch/s390/mm/pgtable.c | 4 ++--
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/arch/s390/include/asm/pgtable.h
++++ b/arch/s390/include/asm/pgtable.h
+@@ -1154,17 +1154,15 @@ static inline pte_t pte_mkhuge(pte_t pte
+ #define IPTE_NODAT 0x400
+ #define IPTE_GUEST_ASCE 0x800
+
+-static __always_inline void __ptep_rdp(unsigned long addr, pte_t *ptep,
+- unsigned long opt, unsigned long asce,
+- int local)
++static __always_inline void __ptep_rdp(unsigned long addr, pte_t *ptep, int local)
+ {
+ unsigned long pto;
+
+ pto = __pa(ptep) & ~(PTRS_PER_PTE * sizeof(pte_t) - 1);
+- asm volatile(".insn rrf,0xb98b0000,%[r1],%[r2],%[asce],%[m4]"
++ asm volatile(".insn rrf,0xb98b0000,%[r1],%[r2],%%r0,%[m4]"
+ : "+m" (*ptep)
+- : [r1] "a" (pto), [r2] "a" ((addr & PAGE_MASK) | opt),
+- [asce] "a" (asce), [m4] "i" (local));
++ : [r1] "a" (pto), [r2] "a" (addr & PAGE_MASK),
++ [m4] "i" (local));
+ }
+
+ static __always_inline void __ptep_ipte(unsigned long address, pte_t *ptep,
+@@ -1348,7 +1346,7 @@ static inline void flush_tlb_fix_spuriou
+ * A local RDP can be used to do the flush.
+ */
+ if (cpu_has_rdp() && !(pte_val(*ptep) & _PAGE_PROTECT))
+- __ptep_rdp(address, ptep, 0, 0, 1);
++ __ptep_rdp(address, ptep, 1);
+ }
+ #define flush_tlb_fix_spurious_fault flush_tlb_fix_spurious_fault
+
+--- a/arch/s390/mm/pgtable.c
++++ b/arch/s390/mm/pgtable.c
+@@ -274,9 +274,9 @@ void ptep_reset_dat_prot(struct mm_struc
+ preempt_disable();
+ atomic_inc(&mm->context.flush_count);
+ if (cpumask_equal(mm_cpumask(mm), cpumask_of(smp_processor_id())))
+- __ptep_rdp(addr, ptep, 0, 0, 1);
++ __ptep_rdp(addr, ptep, 1);
+ else
+- __ptep_rdp(addr, ptep, 0, 0, 0);
++ __ptep_rdp(addr, ptep, 0);
+ /*
+ * PTE is not invalidated by RDP, only _PAGE_PROTECT is cleared. That
+ * means it is still valid and active, and must not be changed according
--- /dev/null
+From 7b6216baae751369195fa3c83d434d23bcda406a Mon Sep 17 00:00:00 2001
+From: Saket Kumar Bhaskar <skb99@linux.ibm.com>
+Date: Wed, 19 Nov 2025 16:07:22 +0530
+Subject: sched_ext: Fix scx_enable() crash on helper kthread creation failure
+
+From: Saket Kumar Bhaskar <skb99@linux.ibm.com>
+
+commit 7b6216baae751369195fa3c83d434d23bcda406a upstream.
+
+A crash was observed when the sched_ext selftests runner was
+terminated with Ctrl+\ while test 15 was running:
+
+NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0
+LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0
+Call Trace:
+scx_enable.constprop.0+0x32c/0x12b0 (unreliable)
+bpf_struct_ops_link_create+0x18c/0x22c
+__sys_bpf+0x23f8/0x3044
+sys_bpf+0x2c/0x6c
+system_call_exception+0x124/0x320
+system_call_vectored_common+0x15c/0x2ec
+
+kthread_run_worker() returns an ERR_PTR() on failure rather than NULL,
+but the current code in scx_alloc_and_add_sched() only checks for a NULL
+helper. Incase of failure on SIGQUIT, the error is not handled in
+scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an
+error pointer.
+
+Error handling is fixed in scx_alloc_and_add_sched() to propagate
+PTR_ERR() into ret, so that scx_enable() jumps to the existing error
+path, avoiding random dereference on failure.
+
+Fixes: bff3b5aec1b7 ("sched_ext: Move disable machinery into scx_sched")
+Cc: stable@vger.kernel.org # v6.16+
+Reported-and-tested-by: Samir Mulani <samir@linux.ibm.com>
+Signed-off-by: Saket Kumar Bhaskar <skb99@linux.ibm.com>
+Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
+Reviewed-by: Andrea Righi <arighi@nvidia.com>
+Reviewed-by: Vishal Chourasia <vishalc@linux.ibm.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -4446,8 +4446,11 @@ static struct scx_sched *scx_alloc_and_a
+ goto err_free_gdsqs;
+
+ sch->helper = kthread_run_worker(0, "sched_ext_helper");
+- if (!sch->helper)
++ if (IS_ERR(sch->helper)) {
++ ret = PTR_ERR(sch->helper);
+ goto err_free_pcpu;
++ }
++
+ sched_set_fifo(sch->helper->task);
+
+ atomic_set(&sch->exit_kind, SCX_EXIT_NONE);
--- /dev/null
+From 90449f2d1e1f020835cba5417234636937dd657e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 13 Nov 2025 10:16:43 -0800
+Subject: scsi: sg: Do not sleep in atomic context
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 90449f2d1e1f020835cba5417234636937dd657e upstream.
+
+sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may
+sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead
+of disabled.
+
+Reported-by: syzbot+c01f8e6e73f20459912e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google.com/
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: stable@vger.kernel.org
+Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2209,9 +2209,17 @@ sg_remove_sfp_usercontext(struct work_st
+ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ while (!list_empty(&sfp->rq_list)) {
+ srp = list_first_entry(&sfp->rq_list, Sg_request, entry);
+- sg_finish_rem_req(srp);
+ list_del(&srp->entry);
++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
++
++ sg_finish_rem_req(srp);
++ /*
++ * sg_rq_end_io() uses srp->parentfp. Hence, only clear
++ * srp->parentfp after blk_mq_free_request() has been called.
++ */
+ srp->parentfp = NULL;
++
++ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ }
+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+
--- /dev/null
+From e6965188f84a7883e6a0d3448e86b0cf29b24dfc Mon Sep 17 00:00:00 2001
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Date: Wed, 5 Nov 2025 11:25:46 -0800
+Subject: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
+
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+
+commit e6965188f84a7883e6a0d3448e86b0cf29b24dfc upstream.
+
+If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
+attempt to dereference it in tcm_loop_tpg_address_show() we will get a
+segfault, see below for an example. So, check tl_hba->sh before
+dereferencing it.
+
+ Unable to allocate struct scsi_host
+ BUG: kernel NULL pointer dereference, address: 0000000000000194
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
+ RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
+...
+ Call Trace:
+ <TASK>
+ configfs_read_iter+0x12d/0x1d0 [configfs]
+ vfs_read+0x1b5/0x300
+ ksys_read+0x6f/0xf0
+...
+
+Cc: stable@vger.kernel.org
+Fixes: 2628b352c3d4 ("tcm_loop: Show address of tpg in configfs")
+Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Allen Pais <apais@linux.microsoft.com>
+Link: https://patch.msgid.link/1762370746-6304-1-git-send-email-hamzamahfooz@linux.microsoft.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/loopback/tcm_loop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/target/loopback/tcm_loop.c
++++ b/drivers/target/loopback/tcm_loop.c
+@@ -894,6 +894,9 @@ static ssize_t tcm_loop_tpg_address_show
+ struct tcm_loop_tpg, tl_se_tpg);
+ struct tcm_loop_hba *tl_hba = tl_tpg->tl_hba;
+
++ if (!tl_hba->sh)
++ return -ENODEV;
++
+ return snprintf(page, PAGE_SIZE, "%d:0:%d\n",
+ tl_hba->sh->host_no, tl_tpg->tl_tpgt);
+ }
--- /dev/null
+From dde3a5d0f4dce1d1a6095e6b8eeb59b75d28fb3b Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Thu, 13 Nov 2025 15:23:14 -0500
+Subject: selinux: move avdcache to per-task security struct
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit dde3a5d0f4dce1d1a6095e6b8eeb59b75d28fb3b upstream.
+
+The avdcache is meant to be per-task; move it to a new
+task_security_struct that is duplicated per-task.
+
+Cc: stable@vger.kernel.org
+Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead")
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+[PM: line length fixes]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 31 ++++++++++++++++++-------------
+ security/selinux/include/objsec.h | 14 ++++++++++++--
+ 2 files changed, 30 insertions(+), 15 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -215,7 +215,7 @@ static void cred_init_security(void)
+ /* NOTE: the lsm framework zeros out the buffer on allocation */
+
+ tsec = selinux_cred(unrcu_pointer(current->real_cred));
+- tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL;
++ tsec->osid = tsec->sid = SECINITSID_KERNEL;
+ }
+
+ /*
+@@ -3106,10 +3106,10 @@ static noinline int audit_inode_permissi
+ * Clear the task's AVD cache in @tsec and reset it to the current policy's
+ * and task's info.
+ */
+-static inline void task_avdcache_reset(struct cred_security_struct *tsec)
++static inline void task_avdcache_reset(struct task_security_struct *tsec)
+ {
+ memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir));
+- tsec->avdcache.sid = tsec->sid;
++ tsec->avdcache.sid = current_sid();
+ tsec->avdcache.seqno = avc_policy_seqno();
+ tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1;
+ }
+@@ -3123,7 +3123,7 @@ static inline void task_avdcache_reset(s
+ * Search @tsec for a AVD cache entry that matches @isec and return it to the
+ * caller via @avdc. Returns 0 if a match is found, negative values otherwise.
+ */
+-static inline int task_avdcache_search(struct cred_security_struct *tsec,
++static inline int task_avdcache_search(struct task_security_struct *tsec,
+ struct inode_security_struct *isec,
+ struct avdc_entry **avdc)
+ {
+@@ -3133,7 +3133,7 @@ static inline int task_avdcache_search(s
+ if (isec->sclass != SECCLASS_DIR)
+ return -ENOENT;
+
+- if (unlikely(tsec->sid != tsec->avdcache.sid ||
++ if (unlikely(current_sid() != tsec->avdcache.sid ||
+ tsec->avdcache.seqno != avc_policy_seqno())) {
+ task_avdcache_reset(tsec);
+ return -ENOENT;
+@@ -3163,7 +3163,7 @@ static inline int task_avdcache_search(s
+ * Update the AVD cache in @tsec with the @avdc and @audited info associated
+ * with @isec.
+ */
+-static inline void task_avdcache_update(struct cred_security_struct *tsec,
++static inline void task_avdcache_update(struct task_security_struct *tsec,
+ struct inode_security_struct *isec,
+ struct av_decision *avd,
+ u32 audited)
+@@ -3197,7 +3197,8 @@ static int selinux_inode_permission(stru
+ {
+ int mask;
+ u32 perms;
+- struct cred_security_struct *tsec;
++ u32 sid = current_sid();
++ struct task_security_struct *tsec;
+ struct inode_security_struct *isec;
+ struct avdc_entry *avdc;
+ int rc, rc2;
+@@ -3209,8 +3210,8 @@ static int selinux_inode_permission(stru
+ if (!mask)
+ return 0;
+
+- tsec = selinux_cred(current_cred());
+- if (task_avdcache_permnoaudit(tsec))
++ tsec = selinux_task(current);
++ if (task_avdcache_permnoaudit(tsec, sid))
+ return 0;
+
+ isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK);
+@@ -3230,7 +3231,7 @@ static int selinux_inode_permission(stru
+ struct av_decision avd;
+
+ /* Cache miss. */
+- rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass,
++ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass,
+ perms, 0, &avd);
+ audited = avc_audit_required(perms, &avd, rc,
+ (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
+@@ -3279,11 +3280,11 @@ static int selinux_inode_setattr(struct
+
+ static int selinux_inode_getattr(const struct path *path)
+ {
+- struct cred_security_struct *tsec;
++ struct task_security_struct *tsec;
+
+- tsec = selinux_cred(current_cred());
++ tsec = selinux_task(current);
+
+- if (task_avdcache_permnoaudit(tsec))
++ if (task_avdcache_permnoaudit(tsec, current_sid()))
+ return 0;
+
+ return path_has_perm(current_cred(), path, FILE__GETATTR);
+@@ -4147,7 +4148,10 @@ static int selinux_task_alloc(struct tas
+ unsigned long clone_flags)
+ {
+ u32 sid = current_sid();
++ struct task_security_struct *old_tsec = selinux_task(current);
++ struct task_security_struct *new_tsec = selinux_task(task);
+
++ *new_tsec = *old_tsec;
+ return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
+ }
+
+@@ -7170,6 +7174,7 @@ static void selinux_bpf_token_free(struc
+
+ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
+ .lbs_cred = sizeof(struct cred_security_struct),
++ .lbs_task = sizeof(struct task_security_struct),
+ .lbs_file = sizeof(struct file_security_struct),
+ .lbs_inode = sizeof(struct inode_security_struct),
+ .lbs_ipc = sizeof(struct ipc_security_struct),
+--- a/security/selinux/include/objsec.h
++++ b/security/selinux/include/objsec.h
+@@ -43,6 +43,9 @@ struct cred_security_struct {
+ u32 create_sid; /* fscreate SID */
+ u32 keycreate_sid; /* keycreate SID */
+ u32 sockcreate_sid; /* fscreate SID */
++} __randomize_layout;
++
++struct task_security_struct {
+ #define TSEC_AVDC_DIR_SIZE (1 << 2)
+ struct {
+ u32 sid; /* current SID for cached entries */
+@@ -53,10 +56,11 @@ struct cred_security_struct {
+ } avdcache;
+ } __randomize_layout;
+
+-static inline bool task_avdcache_permnoaudit(struct cred_security_struct *tsec)
++static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec,
++ u32 sid)
+ {
+ return (tsec->avdcache.permissive_neveraudit &&
+- tsec->sid == tsec->avdcache.sid &&
++ sid == tsec->avdcache.sid &&
+ tsec->avdcache.seqno == avc_policy_seqno());
+ }
+
+@@ -176,6 +180,12 @@ static inline struct cred_security_struc
+ return cred->security + selinux_blob_sizes.lbs_cred;
+ }
+
++static inline struct task_security_struct *
++selinux_task(const struct task_struct *task)
++{
++ return task->security + selinux_blob_sizes.lbs_task;
++}
++
+ static inline struct file_security_struct *selinux_file(const struct file *file)
+ {
+ return file->f_security + selinux_blob_sizes.lbs_file;
--- /dev/null
+From 75f72fe289a7f76204a728668edcf20e4a2a6097 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Thu, 13 Nov 2025 15:23:13 -0500
+Subject: selinux: rename task_security_struct to cred_security_struct
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit 75f72fe289a7f76204a728668edcf20e4a2a6097 upstream.
+
+Before Linux had cred structures, the SELinux task_security_struct was
+per-task and although the structure was switched to being per-cred
+long ago, the name was never updated. This change renames it to
+cred_security_struct to avoid confusion and pave the way for the
+introduction of an actual per-task security structure for SELinux. No
+functional change.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 68 +++++++++++++++++++-------------------
+ security/selinux/include/objsec.h | 8 ++--
+ 2 files changed, 38 insertions(+), 38 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -210,7 +210,7 @@ static int selinux_lsm_notifier_avc_call
+ */
+ static void cred_init_security(void)
+ {
+- struct task_security_struct *tsec;
++ struct cred_security_struct *tsec;
+
+ /* NOTE: the lsm framework zeros out the buffer on allocation */
+
+@@ -223,7 +223,7 @@ static void cred_init_security(void)
+ */
+ static inline u32 cred_sid(const struct cred *cred)
+ {
+- const struct task_security_struct *tsec;
++ const struct cred_security_struct *tsec;
+
+ tsec = selinux_cred(cred);
+ return tsec->sid;
+@@ -437,7 +437,7 @@ static int may_context_mount_sb_relabel(
+ struct superblock_security_struct *sbsec,
+ const struct cred *cred)
+ {
+- const struct task_security_struct *tsec = selinux_cred(cred);
++ const struct cred_security_struct *tsec = selinux_cred(cred);
+ int rc;
+
+ rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
+@@ -454,7 +454,7 @@ static int may_context_mount_inode_relab
+ struct superblock_security_struct *sbsec,
+ const struct cred *cred)
+ {
+- const struct task_security_struct *tsec = selinux_cred(cred);
++ const struct cred_security_struct *tsec = selinux_cred(cred);
+ int rc;
+ rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__RELABELFROM, NULL);
+@@ -1784,7 +1784,7 @@ out:
+ * Determine the label for an inode that might be unioned.
+ */
+ static int
+-selinux_determine_inode_label(const struct task_security_struct *tsec,
++selinux_determine_inode_label(const struct cred_security_struct *tsec,
+ struct inode *dir,
+ const struct qstr *name, u16 tclass,
+ u32 *_new_isid)
+@@ -1813,7 +1813,7 @@ static int may_create(struct inode *dir,
+ struct dentry *dentry,
+ u16 tclass)
+ {
+- const struct task_security_struct *tsec = selinux_cred(current_cred());
++ const struct cred_security_struct *tsec = selinux_cred(current_cred());
+ struct inode_security_struct *dsec;
+ struct superblock_security_struct *sbsec;
+ u32 sid, newsid;
+@@ -2247,8 +2247,8 @@ static u32 ptrace_parent_sid(void)
+ }
+
+ static int check_nnp_nosuid(const struct linux_binprm *bprm,
+- const struct task_security_struct *old_tsec,
+- const struct task_security_struct *new_tsec)
++ const struct cred_security_struct *old_tsec,
++ const struct cred_security_struct *new_tsec)
+ {
+ int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
+ int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
+@@ -2301,8 +2301,8 @@ static int check_nnp_nosuid(const struct
+
+ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
+ {
+- const struct task_security_struct *old_tsec;
+- struct task_security_struct *new_tsec;
++ const struct cred_security_struct *old_tsec;
++ struct cred_security_struct *new_tsec;
+ struct inode_security_struct *isec;
+ struct common_audit_data ad;
+ struct inode *inode = file_inode(bprm->file);
+@@ -2479,7 +2479,7 @@ static inline void flush_unauthorized_fi
+ */
+ static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
+ {
+- struct task_security_struct *new_tsec;
++ struct cred_security_struct *new_tsec;
+ struct rlimit *rlim, *initrlim;
+ int rc, i;
+
+@@ -2525,7 +2525,7 @@ static void selinux_bprm_committing_cred
+ */
+ static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
+ {
+- const struct task_security_struct *tsec = selinux_cred(current_cred());
++ const struct cred_security_struct *tsec = selinux_cred(current_cred());
+ u32 osid, sid;
+ int rc;
+
+@@ -2907,7 +2907,7 @@ static int selinux_dentry_create_files_a
+ {
+ u32 newsid;
+ int rc;
+- struct task_security_struct *tsec;
++ struct cred_security_struct *tsec;
+
+ rc = selinux_determine_inode_label(selinux_cred(old),
+ d_inode(dentry->d_parent), name,
+@@ -2925,7 +2925,7 @@ static int selinux_inode_init_security(s
+ const struct qstr *qstr,
+ struct xattr *xattrs, int *xattr_count)
+ {
+- const struct task_security_struct *tsec = selinux_cred(current_cred());
++ const struct cred_security_struct *tsec = selinux_cred(current_cred());
+ struct superblock_security_struct *sbsec;
+ struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
+ u32 newsid, clen;
+@@ -3106,7 +3106,7 @@ static noinline int audit_inode_permissi
+ * Clear the task's AVD cache in @tsec and reset it to the current policy's
+ * and task's info.
+ */
+-static inline void task_avdcache_reset(struct task_security_struct *tsec)
++static inline void task_avdcache_reset(struct cred_security_struct *tsec)
+ {
+ memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir));
+ tsec->avdcache.sid = tsec->sid;
+@@ -3123,7 +3123,7 @@ static inline void task_avdcache_reset(s
+ * Search @tsec for a AVD cache entry that matches @isec and return it to the
+ * caller via @avdc. Returns 0 if a match is found, negative values otherwise.
+ */
+-static inline int task_avdcache_search(struct task_security_struct *tsec,
++static inline int task_avdcache_search(struct cred_security_struct *tsec,
+ struct inode_security_struct *isec,
+ struct avdc_entry **avdc)
+ {
+@@ -3163,7 +3163,7 @@ static inline int task_avdcache_search(s
+ * Update the AVD cache in @tsec with the @avdc and @audited info associated
+ * with @isec.
+ */
+-static inline void task_avdcache_update(struct task_security_struct *tsec,
++static inline void task_avdcache_update(struct cred_security_struct *tsec,
+ struct inode_security_struct *isec,
+ struct av_decision *avd,
+ u32 audited)
+@@ -3197,7 +3197,7 @@ static int selinux_inode_permission(stru
+ {
+ int mask;
+ u32 perms;
+- struct task_security_struct *tsec;
++ struct cred_security_struct *tsec;
+ struct inode_security_struct *isec;
+ struct avdc_entry *avdc;
+ int rc, rc2;
+@@ -3279,7 +3279,7 @@ static int selinux_inode_setattr(struct
+
+ static int selinux_inode_getattr(const struct path *path)
+ {
+- struct task_security_struct *tsec;
++ struct cred_security_struct *tsec;
+
+ tsec = selinux_cred(current_cred());
+
+@@ -3655,7 +3655,7 @@ static void selinux_inode_getlsmprop(str
+ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
+ {
+ struct lsm_prop prop;
+- struct task_security_struct *tsec;
++ struct cred_security_struct *tsec;
+ struct cred *new_creds = *new;
+
+ if (new_creds == NULL) {
+@@ -3693,7 +3693,7 @@ static int selinux_inode_copy_up_xattr(s
+ static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
+ struct kernfs_node *kn)
+ {
+- const struct task_security_struct *tsec = selinux_cred(current_cred());
++ const struct cred_security_struct *tsec = selinux_cred(current_cred());
+ u32 parent_sid, newsid, clen;
+ int rc;
+ char *context;
+@@ -4157,8 +4157,8 @@ static int selinux_task_alloc(struct tas
+ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
+ gfp_t gfp)
+ {
+- const struct task_security_struct *old_tsec = selinux_cred(old);
+- struct task_security_struct *tsec = selinux_cred(new);
++ const struct cred_security_struct *old_tsec = selinux_cred(old);
++ struct cred_security_struct *tsec = selinux_cred(new);
+
+ *tsec = *old_tsec;
+ return 0;
+@@ -4169,8 +4169,8 @@ static int selinux_cred_prepare(struct c
+ */
+ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
+ {
+- const struct task_security_struct *old_tsec = selinux_cred(old);
+- struct task_security_struct *tsec = selinux_cred(new);
++ const struct cred_security_struct *old_tsec = selinux_cred(old);
++ struct cred_security_struct *tsec = selinux_cred(new);
+
+ *tsec = *old_tsec;
+ }
+@@ -4191,7 +4191,7 @@ static void selinux_cred_getlsmprop(cons
+ */
+ static int selinux_kernel_act_as(struct cred *new, u32 secid)
+ {
+- struct task_security_struct *tsec = selinux_cred(new);
++ struct cred_security_struct *tsec = selinux_cred(new);
+ u32 sid = current_sid();
+ int ret;
+
+@@ -4215,7 +4215,7 @@ static int selinux_kernel_act_as(struct
+ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
+ {
+ struct inode_security_struct *isec = inode_security(inode);
+- struct task_security_struct *tsec = selinux_cred(new);
++ struct cred_security_struct *tsec = selinux_cred(new);
+ u32 sid = current_sid();
+ int ret;
+
+@@ -4740,7 +4740,7 @@ static int selinux_conn_sid(u32 sk_sid,
+
+ /* socket security operations */
+
+-static int socket_sockcreate_sid(const struct task_security_struct *tsec,
++static int socket_sockcreate_sid(const struct cred_security_struct *tsec,
+ u16 secclass, u32 *socksid)
+ {
+ if (tsec->sockcreate_sid > SECSID_NULL) {
+@@ -4793,7 +4793,7 @@ static int sock_has_perm(struct sock *sk
+ static int selinux_socket_create(int family, int type,
+ int protocol, int kern)
+ {
+- const struct task_security_struct *tsec = selinux_cred(current_cred());
++ const struct cred_security_struct *tsec = selinux_cred(current_cred());
+ u32 newsid;
+ u16 secclass;
+ int rc;
+@@ -4812,7 +4812,7 @@ static int selinux_socket_create(int fam
+ static int selinux_socket_post_create(struct socket *sock, int family,
+ int type, int protocol, int kern)
+ {
+- const struct task_security_struct *tsec = selinux_cred(current_cred());
++ const struct cred_security_struct *tsec = selinux_cred(current_cred());
+ struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
+ struct sk_security_struct *sksec;
+ u16 sclass = socket_type_to_security_class(family, type, protocol);
+@@ -6522,7 +6522,7 @@ static void selinux_d_instantiate(struct
+ static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
+ char **value)
+ {
+- const struct task_security_struct *tsec;
++ const struct cred_security_struct *tsec;
+ int error;
+ u32 sid;
+ u32 len;
+@@ -6577,7 +6577,7 @@ err_unlock:
+
+ static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
+ {
+- struct task_security_struct *tsec;
++ struct cred_security_struct *tsec;
+ struct cred *new;
+ u32 mysid = current_sid(), sid = 0, ptsid;
+ int error;
+@@ -6872,7 +6872,7 @@ static int selinux_inode_getsecctx(struc
+ static int selinux_key_alloc(struct key *k, const struct cred *cred,
+ unsigned long flags)
+ {
+- const struct task_security_struct *tsec;
++ const struct cred_security_struct *tsec;
+ struct key_security_struct *ksec = selinux_key(k);
+
+ tsec = selinux_cred(cred);
+@@ -7169,7 +7169,7 @@ static void selinux_bpf_token_free(struc
+ #endif
+
+ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
+- .lbs_cred = sizeof(struct task_security_struct),
++ .lbs_cred = sizeof(struct cred_security_struct),
+ .lbs_file = sizeof(struct file_security_struct),
+ .lbs_inode = sizeof(struct inode_security_struct),
+ .lbs_ipc = sizeof(struct ipc_security_struct),
+--- a/security/selinux/include/objsec.h
++++ b/security/selinux/include/objsec.h
+@@ -36,7 +36,7 @@ struct avdc_entry {
+ bool permissive; /* AVC permissive flag */
+ };
+
+-struct task_security_struct {
++struct cred_security_struct {
+ u32 osid; /* SID prior to last execve */
+ u32 sid; /* current SID */
+ u32 exec_sid; /* exec SID */
+@@ -53,7 +53,7 @@ struct task_security_struct {
+ } avdcache;
+ } __randomize_layout;
+
+-static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec)
++static inline bool task_avdcache_permnoaudit(struct cred_security_struct *tsec)
+ {
+ return (tsec->avdcache.permissive_neveraudit &&
+ tsec->sid == tsec->avdcache.sid &&
+@@ -171,7 +171,7 @@ struct perf_event_security_struct {
+ };
+
+ extern struct lsm_blob_sizes selinux_blob_sizes;
+-static inline struct task_security_struct *selinux_cred(const struct cred *cred)
++static inline struct cred_security_struct *selinux_cred(const struct cred *cred)
+ {
+ return cred->security + selinux_blob_sizes.lbs_cred;
+ }
+@@ -206,7 +206,7 @@ selinux_ipc(const struct kern_ipc_perm *
+ */
+ static inline u32 current_sid(void)
+ {
+- const struct task_security_struct *tsec = selinux_cred(current_cred());
++ const struct cred_security_struct *tsec = selinux_cred(current_cred());
+
+ return tsec->sid;
+ }
kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch
+timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch
+arm64-dts-rockchip-remove-non-functioning-cpu-opps-from-rk3576.patch
+hid-amd_sfh-stop-sensor-before-starting.patch
+hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
+arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch
+arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch
+reset-imx8mp-audiomix-fix-bad-mask-values.patch
+arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch
+arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch
+kvm-svm-fix-redundant-updates-of-lbr-msr-intercepts.patch
+vfat-fix-missing-sb_min_blocksize-return-value-checks.patch
+mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
+fs-fix-uninitialized-offp-in-statmount_string.patch
+mtdchar-fix-integer-overflow-in-read-write-ioctls.patch
+xfs-check-the-return-value-of-sb_min_blocksize-in-xfs_fs_fill_super.patch
+isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch
+shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch
+exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
+mptcp-disallow-mptcp-subflows-from-sockmap.patch
+s390-mm-fix-__ptep_rdp-inline-assembly.patch
+mptcp-fix-proto-fallback-detection-with-bpf.patch
+lib-test_kho-check-if-kho-is-enabled.patch
+acpi-apei-einj-fix-einjv2-initialization-and-injection.patch
+ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
+mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
+selinux-rename-task_security_struct-to-cred_security_struct.patch
+selinux-move-avdcache-to-per-task-security-struct.patch
+smb-client-introduce-close_cached_dir_locked.patch
+wifi-rtw89-hw_scan-don-t-let-the-operating-channel-be-last.patch
+ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch
+be2net-pass-wrb_params-in-case-of-os2bmc.patch
+io_uring-cmd_net-fix-wrong-argument-types-for-skb_queue_splice.patch
+net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch
+revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch
+input-cros_ec_keyb-fix-an-invalid-memory-access.patch
+input-goodix-add-support-for-acpi-id-gdix1003.patch
+input-imx_sc_key-fix-memory-corruption-on-unload.patch
+input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch
+mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
+nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch
+nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch
+nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+pm-sleep-core-fix-runtime-pm-enabling-in-device_resume_early.patch
+sched_ext-fix-scx_enable-crash-on-helper-kthread-creation-failure.patch
+scsi-sg-do-not-sleep-in-atomic-context.patch
+scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
+mips-malta-fix-eva-soc-it-pci-mmio.patch
+dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
+loongarch-bpf-disable-trampoline-for-kernel-module-function-trace.patch
+loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch
+loongarch-fix-numa-node-parsing-with-numa_memblks.patch
+platform-x86-alienware-wmi-wmax-fix-alienware-m16-r1-amd-quirk-order.patch
+platform-x86-alienware-wmi-wmax-add-support-for-the-whole-m-family.patch
+platform-x86-alienware-wmi-wmax-add-support-for-the-whole-x-family.patch
+platform-x86-alienware-wmi-wmax-add-support-for-the-whole-g-family.patch
+platform-x86-alienware-wmi-wmax-add-awcc-support-to-alienware-16-aurora.patch
+mptcp-fix-race-condition-in-mptcp_schedule_work.patch
--- /dev/null
+From 3cd1548a278c7d6a9bdef1f1866e7cf66bfd3518 Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Sat, 8 Nov 2025 19:09:47 +0000
+Subject: shmem: fix tmpfs reconfiguration (remount) when noswap is set
+
+From: Mike Yuan <me@yhndnzj.com>
+
+commit 3cd1548a278c7d6a9bdef1f1866e7cf66bfd3518 upstream.
+
+In systemd we're trying to switch the internal credentials setup logic
+to new mount API [1], and I noticed fsconfig(FSCONFIG_CMD_RECONFIGURE)
+consistently fails on tmpfs with noswap option. This can be trivially
+reproduced with the following:
+
+```
+int fs_fd = fsopen("tmpfs", 0);
+fsconfig(fs_fd, FSCONFIG_SET_FLAG, "noswap", NULL, 0);
+fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
+fsmount(fs_fd, 0, 0);
+fsconfig(fs_fd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0); <------ EINVAL
+```
+
+After some digging the culprit is shmem_reconfigure() rejecting
+!(ctx->seen & SHMEM_SEEN_NOSWAP) && sbinfo->noswap, which is bogus
+as ctx->seen serves as a mask for whether certain options are touched
+at all. On top of that, noswap option doesn't use fsparam_flag_no,
+hence it's not really possible to "reenable" swap to begin with.
+Drop the check and redundant SHMEM_SEEN_NOSWAP flag.
+
+[1] https://github.com/systemd/systemd/pull/39637
+
+Fixes: 2c6efe9cf2d7 ("shmem: add support to ignore swap")
+Signed-off-by: Mike Yuan <me@yhndnzj.com>
+Link: https://patch.msgid.link/20251108190930.440685-1-me@yhndnzj.com
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/shmem.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -131,8 +131,7 @@ struct shmem_options {
+ #define SHMEM_SEEN_INODES 2
+ #define SHMEM_SEEN_HUGE 4
+ #define SHMEM_SEEN_INUMS 8
+-#define SHMEM_SEEN_NOSWAP 16
+-#define SHMEM_SEEN_QUOTA 32
++#define SHMEM_SEEN_QUOTA 16
+ };
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+@@ -4744,7 +4743,6 @@ static int shmem_parse_one(struct fs_con
+ "Turning off swap in unprivileged tmpfs mounts unsupported");
+ }
+ ctx->noswap = true;
+- ctx->seen |= SHMEM_SEEN_NOSWAP;
+ break;
+ case Opt_quota:
+ if (fc->user_ns != &init_user_ns)
+@@ -4894,14 +4892,15 @@ static int shmem_reconfigure(struct fs_c
+ err = "Current inum too high to switch to 32-bit inums";
+ goto out;
+ }
+- if ((ctx->seen & SHMEM_SEEN_NOSWAP) && ctx->noswap && !sbinfo->noswap) {
++
++ /*
++ * "noswap" doesn't use fsparam_flag_no, i.e. there's no "swap"
++ * counterpart for (re-)enabling swap.
++ */
++ if (ctx->noswap && !sbinfo->noswap) {
+ err = "Cannot disable swap on remount";
+ goto out;
+ }
+- if (!(ctx->seen & SHMEM_SEEN_NOSWAP) && !ctx->noswap && sbinfo->noswap) {
+- err = "Cannot enable swap on remount if it was disabled on first mount";
+- goto out;
+- }
+
+ if (ctx->seen & SHMEM_SEEN_QUOTA &&
+ !sb_any_quota_loaded(fc->root->d_sb)) {
--- /dev/null
+From a9d1f38df7ecd0e21233447c9cc6fa1799eddaf3 Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+Date: Thu, 13 Nov 2025 15:09:13 -0300
+Subject: smb: client: introduce close_cached_dir_locked()
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+commit a9d1f38df7ecd0e21233447c9cc6fa1799eddaf3 upstream.
+
+Replace close_cached_dir() calls under cfid_list_lock with a new
+close_cached_dir_locked() variant that uses kref_put() instead of
+kref_put_lock() to avoid recursive locking when dropping references.
+
+While the existing code works if the refcount >= 2 invariant holds,
+this area has proven error-prone. Make deadlocks impossible and WARN
+on invariant violations.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cached_dir.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/client/cached_dir.c
++++ b/fs/smb/client/cached_dir.c
+@@ -16,6 +16,7 @@ static struct cached_fid *init_cached_di
+ static void free_cached_dir(struct cached_fid *cfid);
+ static void smb2_close_cached_fid(struct kref *ref);
+ static void cfids_laundromat_worker(struct work_struct *work);
++static void close_cached_dir_locked(struct cached_fid *cfid);
+
+ struct cached_dir_dentry {
+ struct list_head entry;
+@@ -389,7 +390,7 @@ out:
+ * lease. Release one here, and the second below.
+ */
+ cfid->has_lease = false;
+- close_cached_dir(cfid);
++ close_cached_dir_locked(cfid);
+ }
+ spin_unlock(&cfids->cfid_list_lock);
+
+@@ -476,18 +477,52 @@ void drop_cached_dir_by_name(const unsig
+ spin_lock(&cfid->cfids->cfid_list_lock);
+ if (cfid->has_lease) {
+ cfid->has_lease = false;
+- close_cached_dir(cfid);
++ close_cached_dir_locked(cfid);
+ }
+ spin_unlock(&cfid->cfids->cfid_list_lock);
+ close_cached_dir(cfid);
+ }
+
+-
++/**
++ * close_cached_dir - drop a reference of a cached dir
++ *
++ * The release function will be called with cfid_list_lock held to remove the
++ * cached dirs from the list before any other thread can take another @cfid
++ * ref. Must not be called with cfid_list_lock held; use
++ * close_cached_dir_locked() called instead.
++ *
++ * @cfid: cached dir
++ */
+ void close_cached_dir(struct cached_fid *cfid)
+ {
++ lockdep_assert_not_held(&cfid->cfids->cfid_list_lock);
+ kref_put_lock(&cfid->refcount, smb2_close_cached_fid, &cfid->cfids->cfid_list_lock);
+ }
+
++/**
++ * close_cached_dir_locked - put a reference of a cached dir with
++ * cfid_list_lock held
++ *
++ * Calling close_cached_dir() with cfid_list_lock held has the potential effect
++ * of causing a deadlock if the invariant of refcount >= 2 is false.
++ *
++ * This function is used in paths that hold cfid_list_lock and expect at least
++ * two references. If that invariant is violated, WARNs and returns without
++ * dropping a reference; the final put must still go through
++ * close_cached_dir().
++ *
++ * @cfid: cached dir
++ */
++static void close_cached_dir_locked(struct cached_fid *cfid)
++{
++ lockdep_assert_held(&cfid->cfids->cfid_list_lock);
++
++ if (WARN_ON(kref_read(&cfid->refcount) < 2))
++ return;
++
++ kref_put(&cfid->refcount, smb2_close_cached_fid);
++}
++
+ /*
+ * Called from cifs_kill_sb when we unmount a share
+ */
--- /dev/null
+From 20739af07383e6eb1ec59dcd70b72ebfa9ac362c Mon Sep 17 00:00:00 2001
+From: Yipeng Zou <zouyipeng@huawei.com>
+Date: Sat, 22 Nov 2025 09:39:42 +0000
+Subject: timers: Fix NULL function pointer race in timer_shutdown_sync()
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+commit 20739af07383e6eb1ec59dcd70b72ebfa9ac362c upstream.
+
+There is a race condition between timer_shutdown_sync() and timer
+expiration that can lead to hitting a WARN_ON in expire_timers().
+
+The issue occurs when timer_shutdown_sync() clears the timer function
+to NULL while the timer is still running on another CPU. The race
+scenario looks like this:
+
+CPU0 CPU1
+ <SOFTIRQ>
+ lock_timer_base()
+ expire_timers()
+ base->running_timer = timer;
+ unlock_timer_base()
+ [call_timer_fn enter]
+ mod_timer()
+ ...
+timer_shutdown_sync()
+lock_timer_base()
+// For now, will not detach the timer but only clear its function to NULL
+if (base->running_timer != timer)
+ ret = detach_if_pending(timer, base, true);
+if (shutdown)
+ timer->function = NULL;
+unlock_timer_base()
+ [call_timer_fn exit]
+ lock_timer_base()
+ base->running_timer = NULL;
+ unlock_timer_base()
+ ...
+ // Now timer is pending while its function set to NULL.
+ // next timer trigger
+ <SOFTIRQ>
+ expire_timers()
+ WARN_ON_ONCE(!fn) // hit
+ ...
+lock_timer_base()
+// Now timer will detach
+if (base->running_timer != timer)
+ ret = detach_if_pending(timer, base, true);
+if (shutdown)
+ timer->function = NULL;
+unlock_timer_base()
+
+The problem is that timer_shutdown_sync() clears the timer function
+regardless of whether the timer is currently running. This can leave a
+pending timer with a NULL function pointer, which triggers the
+WARN_ON_ONCE(!fn) check in expire_timers().
+
+Fix this by only clearing the timer function when actually detaching the
+timer. If the timer is running, leave the function pointer intact, which is
+safe because the timer will be properly detached when it finishes running.
+
+Fixes: 0cc04e80458a ("timers: Add shutdown mechanism to the internal functions")
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251122093942.301559-1-zouyipeng@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/timer.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1458,10 +1458,11 @@ static int __try_to_del_timer_sync(struc
+
+ base = lock_timer_base(timer, &flags);
+
+- if (base->running_timer != timer)
++ if (base->running_timer != timer) {
+ ret = detach_if_pending(timer, base, true);
+- if (shutdown)
+- timer->function = NULL;
++ if (shutdown)
++ timer->function = NULL;
++ }
+
+ raw_spin_unlock_irqrestore(&base->lock, flags);
+
--- /dev/null
+From 63b5aa01da0f38cdbd97d021477258e511631497 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Date: Tue, 4 Nov 2025 20:50:06 +0800
+Subject: vfat: fix missing sb_min_blocksize() return value checks
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+commit 63b5aa01da0f38cdbd97d021477258e511631497 upstream.
+
+When emulating an nvme device on qemu with both logical_block_size and
+physical_block_size set to 8 KiB, but without format, a kernel panic
+was triggered during the early boot stage while attempting to mount a
+vfat filesystem.
+
+[95553.682035] EXT4-fs (nvme0n1): unable to set blocksize
+[95553.684326] EXT4-fs (nvme0n1): unable to set blocksize
+[95553.686501] EXT4-fs (nvme0n1): unable to set blocksize
+[95553.696448] ISOFS: unsupported/invalid hardware sector size 8192
+[95553.697117] ------------[ cut here ]------------
+[95553.697567] kernel BUG at fs/buffer.c:1582!
+[95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI
+[95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary)
+[95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+[95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0
+[95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc <0f> 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f
+[95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246
+[95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001
+[95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000
+[95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000
+[95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
+[95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000
+[95553.706483] FS: 000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) knlGS:0000000000000000
+[95553.707248] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0
+[95553.708439] PKRU: 55555554
+[95553.708734] Call Trace:
+[95553.709015] <TASK>
+[95553.709266] __getblk_slow+0xd2/0x230
+[95553.709641] ? find_get_block_common+0x8b/0x530
+[95553.710084] bdev_getblk+0x77/0xa0
+[95553.710449] __bread_gfp+0x22/0x140
+[95553.710810] fat_fill_super+0x23a/0xfc0
+[95553.711216] ? __pfx_setup+0x10/0x10
+[95553.711580] ? __pfx_vfat_fill_super+0x10/0x10
+[95553.712014] vfat_fill_super+0x15/0x30
+[95553.712401] get_tree_bdev_flags+0x141/0x1e0
+[95553.712817] get_tree_bdev+0x10/0x20
+[95553.713177] vfat_get_tree+0x15/0x20
+[95553.713550] vfs_get_tree+0x2a/0x100
+[95553.713910] vfs_cmd_create+0x62/0xf0
+[95553.714273] __do_sys_fsconfig+0x4e7/0x660
+[95553.714669] __x64_sys_fsconfig+0x20/0x40
+[95553.715062] x64_sys_call+0x21ee/0x26a0
+[95553.715453] do_syscall_64+0x80/0x670
+[95553.715816] ? __fs_parse+0x65/0x1e0
+[95553.716172] ? fat_parse_param+0x103/0x4b0
+[95553.716587] ? vfs_parse_fs_param_source+0x21/0xa0
+[95553.717034] ? __do_sys_fsconfig+0x3d9/0x660
+[95553.717548] ? __x64_sys_fsconfig+0x20/0x40
+[95553.717957] ? x64_sys_call+0x21ee/0x26a0
+[95553.718360] ? do_syscall_64+0xb8/0x670
+[95553.718734] ? __x64_sys_fsconfig+0x20/0x40
+[95553.719141] ? x64_sys_call+0x21ee/0x26a0
+[95553.719545] ? do_syscall_64+0xb8/0x670
+[95553.719922] ? x64_sys_call+0x1405/0x26a0
+[95553.720317] ? do_syscall_64+0xb8/0x670
+[95553.720702] ? __x64_sys_close+0x3e/0x90
+[95553.721080] ? x64_sys_call+0x1b5e/0x26a0
+[95553.721478] ? do_syscall_64+0xb8/0x670
+[95553.721841] ? irqentry_exit+0x43/0x50
+[95553.722211] ? exc_page_fault+0x90/0x1b0
+[95553.722681] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[95553.723166] RIP: 0033:0x72ee774f3afe
+[95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48
+[95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
+[95553.725892] RAX: ffffffffffffffda RBX: 00005dcfe53d0080 RCX: 000072ee774f3afe
+[95553.726526] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
+[95553.727176] RBP: 00007ffe97148ac0 R08: 0000000000000000 R09: 000072ee775e7ac0
+[95553.727818] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+[95553.728459] R13: 00005dcfe53d04b0 R14: 000072ee77670b00 R15: 00005dcfe53d1a28
+[95553.729086] </TASK>
+
+The panic occurs as follows:
+1. logical_block_size is 8KiB, causing {struct super_block *sb}->s_blocksize
+is initialized to 0.
+vfat_fill_super
+ - fat_fill_super
+ - sb_min_blocksize
+ - sb_set_blocksize //return 0 when size is 8KiB.
+2. __bread_gfp is called with size == 0, causing folio_alloc_buffers() to
+compute an offset equal to folio_size(folio), which triggers a BUG_ON.
+fat_fill_super
+ - sb_bread
+ - __bread_gfp // size == {struct super_block *sb}->s_blocksize == 0
+ - bdev_getblk
+ - __getblk_slow
+ - grow_buffers
+ - grow_dev_folio
+ - folio_alloc_buffers // size == 0
+ - folio_set_bh //offset == folio_size(folio) and panic
+
+To fix this issue, add proper return value checks for
+sb_min_blocksize().
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: a64e5a596067bd ("bdev: add back PAGE_SIZE block size validation for sb_set_blocksize()")
+Reviewed-by: Matthew Wilcox <willy@infradead.org>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Link: https://patch.msgid.link/20251104125009.2111925-2-yangyongpeng.storage@gmail.com
+Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fat/inode.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/fat/inode.c b/fs/fat/inode.c
+index 9648ed097816..9cfe20a3daaf 100644
+--- a/fs/fat/inode.c
++++ b/fs/fat/inode.c
+@@ -1595,8 +1595,12 @@ int fat_fill_super(struct super_block *sb, struct fs_context *fc,
+
+ setup(sb); /* flavour-specific stuff that needs options */
+
++ error = -EINVAL;
++ if (!sb_min_blocksize(sb, 512)) {
++ fat_msg(sb, KERN_ERR, "unable to set blocksize");
++ goto out_fail;
++ }
+ error = -EIO;
+- sb_min_blocksize(sb, 512);
+ bh = sb_bread(sb, 0);
+ if (bh == NULL) {
+ fat_msg(sb, KERN_ERR, "unable to read boot sector");
+--
+2.52.0
+
--- /dev/null
+From e837b9091b277ae6f309d7e9fc93cb0308cf461f Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Date: Fri, 14 Nov 2025 00:54:48 +0200
+Subject: wifi: rtw89: hw_scan: Don't let the operating channel be last
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+commit e837b9091b277ae6f309d7e9fc93cb0308cf461f upstream.
+
+Scanning can be offloaded to the firmware. To that end, the driver
+prepares a list of channels to scan, including periodic visits back to
+the operating channel, and sends the list to the firmware.
+
+When the channel list is too long to fit in a single H2C message, the
+driver splits the list, sends the first part, and tells the firmware to
+scan. When the scan is complete, the driver sends the next part of the
+list and tells the firmware to scan.
+
+When the last channel that fit in the H2C message is the operating
+channel something seems to go wrong in the firmware. It will
+acknowledge receiving the list of channels but apparently it will not
+do anything more. The AP can't be pinged anymore. The driver still
+receives beacons, though.
+
+One way to avoid this is to split the list of channels before the
+operating channel.
+
+Affected devices:
+
+* RTL8851BU with firmware 0.29.41.3
+* RTL8832BU with firmware 0.29.29.8
+* RTL8852BE with firmware 0.29.29.8
+
+The commit 57a5fbe39a18 ("wifi: rtw89: refactor flow that hw scan handles channel list")
+is found by git blame, but it is actually to refine the scan flow, but not
+a culprit, so skip Fixes tag.
+
+Reported-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Closes: https://lore.kernel.org/linux-wireless/0abbda91-c5c2-4007-84c8-215679e652e1@gmail.com/
+Cc: stable@vger.kernel.org # 6.16+
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/c1e61744-8db4-4646-867f-241b47d30386@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw89/fw.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtw89/fw.c
++++ b/drivers/net/wireless/realtek/rtw89/fw.c
+@@ -7705,6 +7705,13 @@ int rtw89_hw_scan_add_chan_list_be(struc
+ INIT_LIST_HEAD(&list);
+
+ list_for_each_entry_safe(ch_info, tmp, &scan_info->chan_list, list) {
++ /* The operating channel (tx_null == true) should
++ * not be last in the list, to avoid breaking
++ * RTL8851BU and RTL8832BU.
++ */
++ if (list_len + 1 == RTW89_SCAN_LIST_LIMIT_AX && ch_info->tx_null)
++ break;
++
+ list_move_tail(&ch_info->list, &list);
+
+ list_len++;
--- /dev/null
+From 124af0868ec6929ba838fb76d25f00c06ba8fc0d Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Date: Tue, 4 Nov 2025 20:50:09 +0800
+Subject: xfs: check the return value of sb_min_blocksize() in xfs_fs_fill_super
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+commit 124af0868ec6929ba838fb76d25f00c06ba8fc0d upstream.
+
+sb_min_blocksize() may return 0. Check its return value to avoid the
+filesystem super block when sb->s_blocksize is 0.
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: a64e5a596067bd ("bdev: add back PAGE_SIZE block size validation for sb_set_blocksize()")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Link: https://patch.msgid.link/20251104125009.2111925-5-yangyongpeng.storage@gmail.com
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_super.c
++++ b/fs/xfs/xfs_super.c
+@@ -1710,7 +1710,10 @@ xfs_fs_fill_super(
+ if (error)
+ return error;
+
+- sb_min_blocksize(sb, BBSIZE);
++ if (!sb_min_blocksize(sb, BBSIZE)) {
++ xfs_err(mp, "unable to set blocksize");
++ return -EINVAL;
++ }
+ sb->s_xattr = xfs_xattr_handlers;
+ sb->s_export_op = &xfs_export_operations;
+ #ifdef CONFIG_XFS_QUOTA
projects / thirdparty / kernel / stable-queue.git / commitdiff
