6.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Dec 2025 16:08:10 +0000 (17:08 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Dec 2025 16:08:10 +0000 (17:08 +0100)
added patches:
alsa-hda-cirrus-fix-cs420x-macpro-6-1-inverted-jack-detection.patch
alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch
arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch
arm64-dts-imx8dxl-correct-pcie-ep-interrupt-number.patch
arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch
arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch
atm-fore200e-fix-possible-data-race-in-fore200e_open.patch
bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch
can-rcar_canfd-fix-can-fd-mode-as-default.patch
can-sja1000-fix-max-irq-loop-handling.patch
can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch
ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch
counter-microchip-tcb-capture-allow-shared-irq-for-multi-channel-tcbs.patch
dm-verity-fix-unreliable-memory-allocation.patch
drivers-usb-dwc3-fix-pci-parent-check.patch
drm-fbcon-vga_switcheroo-avoid-race-condition-in-fbcon-setup.patch
firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch
io_uring-net-ensure-vectored-buffer-node-import-is-tied-to-notification.patch
iommufd-driver-fix-counter-initialization-for-counted_by-annotation.patch
mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch
mm-memfd-fix-information-leak-in-hugetlb-folios.patch
mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch
mptcp-clear-scheduled-subflows-on-retransmit.patch
mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch
nvmem-layouts-fix-nvmem_layout_bus_uevent.patch
pmdomain-tegra-add-genpd_flag_no_stay_on-flag.patch
r8169-fix-rtl8127-hang-on-suspend-shutdown.patch
regulator-rtq2208-correct-buck-group2-phase-mapping-logic.patch
regulator-rtq2208-correct-ldo2-logic-judgment-bits.patch
serial-8250-fix-8250_rsa-symbol-loop.patch
serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch
slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch
smb-client-fix-memory-leak-in-cifs_construct_tcon.patch
thunderbolt-add-support-for-intel-wildcat-lake.patch

35 files changed:
queue-6.17/alsa-hda-cirrus-fix-cs420x-macpro-6-1-inverted-jack-detection.patch [new file with mode: 0644]
queue-6.17/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch [new file with mode: 0644]
queue-6.17/arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch [new file with mode: 0644]
queue-6.17/arm64-dts-imx8dxl-correct-pcie-ep-interrupt-number.patch [new file with mode: 0644]
queue-6.17/arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch [new file with mode: 0644]
queue-6.17/arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch [new file with mode: 0644]
queue-6.17/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch [new file with mode: 0644]
queue-6.17/bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch [new file with mode: 0644]
queue-6.17/can-rcar_canfd-fix-can-fd-mode-as-default.patch [new file with mode: 0644]
queue-6.17/can-sja1000-fix-max-irq-loop-handling.patch [new file with mode: 0644]
queue-6.17/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch [new file with mode: 0644]
queue-6.17/ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch [new file with mode: 0644]
queue-6.17/counter-microchip-tcb-capture-allow-shared-irq-for-multi-channel-tcbs.patch [new file with mode: 0644]
queue-6.17/dm-verity-fix-unreliable-memory-allocation.patch [new file with mode: 0644]
queue-6.17/drivers-usb-dwc3-fix-pci-parent-check.patch [new file with mode: 0644]
queue-6.17/drm-fbcon-vga_switcheroo-avoid-race-condition-in-fbcon-setup.patch [new file with mode: 0644]
queue-6.17/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch [new file with mode: 0644]
queue-6.17/io_uring-net-ensure-vectored-buffer-node-import-is-tied-to-notification.patch [new file with mode: 0644]
queue-6.17/iommufd-driver-fix-counter-initialization-for-counted_by-annotation.patch [new file with mode: 0644]
queue-6.17/mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch [new file with mode: 0644]
queue-6.17/mm-memfd-fix-information-leak-in-hugetlb-folios.patch [new file with mode: 0644]
queue-6.17/mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch [new file with mode: 0644]
queue-6.17/mptcp-clear-scheduled-subflows-on-retransmit.patch [new file with mode: 0644]
queue-6.17/mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch [new file with mode: 0644]
queue-6.17/nvmem-layouts-fix-nvmem_layout_bus_uevent.patch [new file with mode: 0644]
queue-6.17/pmdomain-tegra-add-genpd_flag_no_stay_on-flag.patch [new file with mode: 0644]
queue-6.17/r8169-fix-rtl8127-hang-on-suspend-shutdown.patch [new file with mode: 0644]
queue-6.17/regulator-rtq2208-correct-buck-group2-phase-mapping-logic.patch [new file with mode: 0644]
queue-6.17/regulator-rtq2208-correct-ldo2-logic-judgment-bits.patch [new file with mode: 0644]
queue-6.17/serial-8250-fix-8250_rsa-symbol-loop.patch [new file with mode: 0644]
queue-6.17/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch [new file with mode: 0644]
queue-6.17/series
queue-6.17/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch [new file with mode: 0644]
queue-6.17/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch [new file with mode: 0644]
queue-6.17/thunderbolt-add-support-for-intel-wildcat-lake.patch [new file with mode: 0644]

diff --git a/queue-6.17/alsa-hda-cirrus-fix-cs420x-macpro-6-1-inverted-jack-detection.patch b/queue-6.17/alsa-hda-cirrus-fix-cs420x-macpro-6-1-inverted-jack-detection.patch
new file mode 100644 (file)
index 0000000..02fbf65
--- /dev/null
@@ -0,0 +1,34 @@
+From 5719a189c9345977c16f10874fd5102f70094d8f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ren=C3=A9=20Rebe?= <rene@exactco.de>
+Date: Mon, 17 Nov 2025 18:23:51 +0100
+Subject: ALSA: hda/cirrus fix cs420x MacPro 6,1 inverted jack detection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: René Rebe <rene@exactco.de>
+
+commit 5719a189c9345977c16f10874fd5102f70094d8f upstream.
+
+Turns out the Apple MacPro 6,1 trashcan also needs the inverted jack
+detection like Mac mini patched, too.
+
+Signed-off-by: René Rebe <rene@exactco.de>
+Cc: <sstable@vger.kernel.org>
+Link: https://patch.msgid.link/20251117.182351.1595411649664739497.rene@exactco.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/cirrus/cs420x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/hda/codecs/cirrus/cs420x.c
++++ b/sound/hda/codecs/cirrus/cs420x.c
+@@ -585,6 +585,7 @@ static const struct hda_quirk cs4208_mac
+       SND_PCI_QUIRK(0x106b, 0x6c00, "MacMini 7,1", CS4208_MACMINI),
+       SND_PCI_QUIRK(0x106b, 0x7100, "MacBookAir 6,1", CS4208_MBA6),
+       SND_PCI_QUIRK(0x106b, 0x7200, "MacBookAir 6,2", CS4208_MBA6),
++      SND_PCI_QUIRK(0x106b, 0x7800, "MacPro 6,1", CS4208_MACMINI),
+       SND_PCI_QUIRK(0x106b, 0x7b00, "MacBookPro 12,1", CS4208_MBP11),
+       {} /* terminator */
+ };
diff --git a/queue-6.17/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch b/queue-6.17/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch
new file mode 100644 (file)
index 0000000..c42720e
--- /dev/null
@@ -0,0 +1,46 @@
+From c83fc13960643c4429cd9dfef1321e6430a81b47 Mon Sep 17 00:00:00 2001
+From: Ivan Zhaldak <i.v.zhaldak@gmail.com>
+Date: Mon, 17 Nov 2025 15:58:35 +0300
+Subject: ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230
+
+From: Ivan Zhaldak <i.v.zhaldak@gmail.com>
+
+commit c83fc13960643c4429cd9dfef1321e6430a81b47 upstream.
+
+Integrated amplifier LEAK Stereo 230 by IAG Limited has built-in
+ESS9038Q2M DAC served by XMOS controller. It supports both DSD Native
+and DSD-over-PCM (DoP) operational modes. But it doesn't work properly
+by default and tries DSD-to-PCM conversion. USB quirks below allow it
+to operate as designed.
+
+Add DSD_RAW quirk flag for IAG Limited devices (vendor ID 0x2622)
+Add DSD format quirk for LEAK Stereo 230 (USB ID 0x2622:0x0061)
+
+Signed-off-by: Ivan Zhaldak <i.v.zhaldak@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251117125848.30769-1-i.v.zhaldak@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2028,6 +2028,7 @@ u64 snd_usb_interface_dsd_format_quirks(
+       case USB_ID(0x249c, 0x9326): /* M2Tech Young MkIII */
+       case USB_ID(0x2616, 0x0106): /* PS Audio NuWave DAC */
+       case USB_ID(0x2622, 0x0041): /* Audiolab M-DAC+ */
++      case USB_ID(0x2622, 0x0061): /* LEAK Stereo 230 */
+       case USB_ID(0x278b, 0x5100): /* Rotel RC-1590 */
+       case USB_ID(0x27f7, 0x3002): /* W4S DAC-2v2SE */
+       case USB_ID(0x29a2, 0x0086): /* Mutec MC3+ USB */
+@@ -2411,6 +2412,8 @@ static const struct usb_audio_quirk_flag
+                  QUIRK_FLAG_DSD_RAW),
+       VENDOR_FLG(0x25ce, /* Mytek devices */
+                  QUIRK_FLAG_DSD_RAW),
++      VENDOR_FLG(0x2622, /* IAG Limited devices */
++                 QUIRK_FLAG_DSD_RAW),
+       VENDOR_FLG(0x278b, /* Rotel? */
+                  QUIRK_FLAG_DSD_RAW),
+       VENDOR_FLG(0x292b, /* Gustard/Ess based devices */
diff --git a/queue-6.17/arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch b/queue-6.17/arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch
new file mode 100644 (file)
index 0000000..8592624
--- /dev/null
@@ -0,0 +1,36 @@
+From 1b03346314b791ad966d3c6d59253328226a2b2d Mon Sep 17 00:00:00 2001
+From: Maarten Zanders <maarten@zanders.be>
+Date: Fri, 24 Oct 2025 16:21:06 +0200
+Subject: ARM: dts: nxp: imx6ul: correct SAI3 interrupt line
+
+From: Maarten Zanders <maarten@zanders.be>
+
+commit 1b03346314b791ad966d3c6d59253328226a2b2d upstream.
+
+The i.MX6UL reference manual lists two possible interrupt lines for
+SAI3 (56 and 57, offset +32). The current device tree entry uses
+the first one (24), which prevents IRQs from being handled properly.
+
+Use the second interrupt line (25), which does allow interrupts
+to work as expected.
+
+Fixes: 36e2edf6ac07 ("ARM: dts: imx6ul: add sai support")
+Signed-off-by: Maarten Zanders <maarten@zanders.be>
+Cc: stable@vger.kernel.org
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/nxp/imx/imx6ul.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi
++++ b/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi
+@@ -339,7 +339,7 @@
+                                       #sound-dai-cells = <0>;
+                                       compatible = "fsl,imx6ul-sai", "fsl,imx6sx-sai";
+                                       reg = <0x02030000 0x4000>;
+-                                      interrupts = <GIC_SPI 24 IRQ_TYPE_LEVEL_HIGH>;
++                                      interrupts = <GIC_SPI 25 IRQ_TYPE_LEVEL_HIGH>;
+                                       clocks = <&clks IMX6UL_CLK_SAI3_IPG>,
+                                                <&clks IMX6UL_CLK_SAI3>,
+                                                <&clks IMX6UL_CLK_DUMMY>, <&clks IMX6UL_CLK_DUMMY>;
diff --git a/queue-6.17/arm64-dts-imx8dxl-correct-pcie-ep-interrupt-number.patch b/queue-6.17/arm64-dts-imx8dxl-correct-pcie-ep-interrupt-number.patch
new file mode 100644 (file)
index 0000000..a98f764
--- /dev/null
@@ -0,0 +1,36 @@
+From f10a788e4b6a0ebe8629177894ca779b2dc6203d Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Wed, 22 Oct 2025 12:50:21 -0400
+Subject: arm64: dts: imx8dxl: Correct pcie-ep interrupt number
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit f10a788e4b6a0ebe8629177894ca779b2dc6203d upstream.
+
+Correct i.MX8DXL's pcie-ep interrupt number.
+
+Fixes: d03743c5659a9 ("arm64: dts: imx8q: add PCIe EP for i.MX8QM and i.MX8QXP")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi b/arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi
+index ec466e4d7df5..5c0d09c5c086 100644
+--- a/arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi
+@@ -54,3 +54,8 @@ pcie0_ep: pcie-ep@5f010000 {
+               interrupt-names = "dma";
+       };
+ };
++
++&pcieb_ep {
++      interrupts = <GIC_SPI 46 IRQ_TYPE_LEVEL_HIGH>;
++      interrupt-names = "dma";
++};
+-- 
+2.52.0
+
diff --git a/queue-6.17/arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch b/queue-6.17/arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch
new file mode 100644 (file)
index 0000000..d2bb80e
--- /dev/null
@@ -0,0 +1,38 @@
+From 5b6677d6451bbbac3b6ab93fae6506b59e2c19bd Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Wed, 22 Oct 2025 12:50:22 -0400
+Subject: arm64: dts: imx8dxl-ss-conn: swap interrupts number of eqos
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 5b6677d6451bbbac3b6ab93fae6506b59e2c19bd upstream.
+
+Swap interrupt numbers of eqos because the below commit just swap
+interrupt-names and missed swap interrupts also.
+
+The driver (drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c) use
+interrupt-names to get irq numbers.
+
+Fixes: f29c19a6e488 ("arm64: dts: imx8dxl-ss-conn: Fix Ethernet interrupt-names order")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Tested-by: Alexander Dahl <ada@thorsis.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi
+@@ -27,8 +27,8 @@
+               compatible = "nxp,imx8dxl-dwmac-eqos", "snps,dwmac-5.10a";
+               reg = <0x5b050000 0x10000>;
+               interrupt-parent = <&gic>;
+-              interrupts = <GIC_SPI 163 IRQ_TYPE_LEVEL_HIGH>,
+-                           <GIC_SPI 162 IRQ_TYPE_LEVEL_HIGH>;
++              interrupts = <GIC_SPI 162 IRQ_TYPE_LEVEL_HIGH>,
++                           <GIC_SPI 163 IRQ_TYPE_LEVEL_HIGH>;
+               interrupt-names = "macirq", "eth_wake_irq";
+               clocks = <&eqos_lpcg IMX_LPCG_CLK_4>,
+                        <&eqos_lpcg IMX_LPCG_CLK_6>,
diff --git a/queue-6.17/arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch b/queue-6.17/arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch
new file mode 100644 (file)
index 0000000..b4cd705
--- /dev/null
@@ -0,0 +1,39 @@
+From e89ee35567d3d465ef0715953170be72f5ef1d4c Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Thu, 13 Nov 2025 19:14:44 +0800
+Subject: arm64: dts: imx8qm-mek: fix mux-controller select/enable-gpios polarity
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit e89ee35567d3d465ef0715953170be72f5ef1d4c upstream.
+
+According to the board design, set SEL to high means flipped
+connection (TX2/RX2). And the TCPM will output logical 1 if it needs
+flipped connection. So switch to active high for select-gpios.
+The EN pin on mux chip is low active, so switch to active low for
+enable-gpios too.
+
+Fixes: b237975b2cd5 ("arm64: dts: imx8qm-mek: add usb 3.0 and related type C nodes")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jun Li <jun.li@nxp.com>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8qm-mek.dts |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+@@ -217,8 +217,8 @@
+               compatible = "nxp,cbdtu02043", "gpio-sbu-mux";
+               pinctrl-names = "default";
+               pinctrl-0 = <&pinctrl_typec_mux>;
+-              select-gpios = <&lsio_gpio4 6 GPIO_ACTIVE_LOW>;
+-              enable-gpios = <&lsio_gpio4 19 GPIO_ACTIVE_HIGH>;
++              select-gpios = <&lsio_gpio4 6 GPIO_ACTIVE_HIGH>;
++              enable-gpios = <&lsio_gpio4 19 GPIO_ACTIVE_LOW>;
+               orientation-switch;
+               port {
diff --git a/queue-6.17/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch b/queue-6.17/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch
new file mode 100644 (file)
index 0000000..0e1cfdb
--- /dev/null
@@ -0,0 +1,57 @@
+From 82fca3d8a4a34667f01ec2351a607135249c9cff Mon Sep 17 00:00:00 2001
+From: Gui-Dong Han <hanguidong02@gmail.com>
+Date: Thu, 20 Nov 2025 20:06:57 +0800
+Subject: atm/fore200e: Fix possible data race in fore200e_open()
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+commit 82fca3d8a4a34667f01ec2351a607135249c9cff upstream.
+
+Protect access to fore200e->available_cell_rate with rate_mtx lock in the
+error handling path of fore200e_open() to prevent a data race.
+
+The field fore200e->available_cell_rate is a shared resource used to track
+available bandwidth. It is concurrently accessed by fore200e_open(),
+fore200e_close(), and fore200e_change_qos().
+
+In fore200e_open(), the lock rate_mtx is correctly held when subtracting
+vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.
+However, if the subsequent call to fore200e_activate_vcin() fails, the
+function restores the reserved bandwidth by adding back to
+available_cell_rate without holding the lock.
+
+This introduces a race condition because available_cell_rate is a global
+device resource shared across all VCCs. If the error path in
+fore200e_open() executes concurrently with operations like
+fore200e_close() or fore200e_change_qos() on other VCCs, a
+read-modify-write race occurs.
+
+Specifically, the error path reads the rate without the lock. If another
+CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in
+fore200e_close()) between this read and the subsequent write, the error
+path will overwrite the concurrent update with a stale value. This results
+in incorrect bandwidth accounting.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251120120657.2462194-1-hanguidong02@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/fore200e.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/atm/fore200e.c
++++ b/drivers/atm/fore200e.c
+@@ -1374,7 +1374,9 @@ fore200e_open(struct atm_vcc *vcc)
+       vcc->dev_data = NULL;
++      mutex_lock(&fore200e->rate_mtx);
+       fore200e->available_cell_rate += vcc->qos.txtp.max_pcr;
++      mutex_unlock(&fore200e->rate_mtx);
+       kfree(fore200e_vcc);
+       return -EINVAL;
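Review bot: The locked add-back to `fore200e->available_cell_rate` in this error path is unconditional in the visible lines, while the matching subtraction happens earlier in fore200e_open(), outside the hunk. If that reservation is guarded (for instance, made only for certain traffic classes or a non-zero `max_pcr`), the restore needs the same guard; otherwise a failed open credits bandwidth that was never taken. This should be confirmed against the full function. Separately, a short comment such as `/* undo the reservation made above; rate_mtx guards available_cell_rate */` would record why the lock is taken on the error path.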
diff --git a/queue-6.17/bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch b/queue-6.17/bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch
new file mode 100644 (file)
index 0000000..1558c12
--- /dev/null
@@ -0,0 +1,54 @@
+From c884a0b27b4586e607431d86a1aa0bb4fb39169c Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 20 Nov 2025 08:12:28 -0800
+Subject: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit c884a0b27b4586e607431d86a1aa0bb4fb39169c upstream.
+
+In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:
+  usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)
+
+That function can return NULL in some cases. Even when it returns
+NULL, though, we still go on to call btusb_mtk_claim_iso_intf().
+
+As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for
+usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf()
+when `btmtk_data->isopkt_intf` is NULL will cause a crash because
+we'll end up passing a bad pointer to device_lock(). Prior to that
+commit we'd pass the NULL pointer directly to
+usb_driver_claim_interface() which would detect it and return an
+error, which was handled.
+
+Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check
+at the start of the function. This makes the code handle a NULL
+`btmtk_data->isopkt_intf` the same way it did before the problematic
+commit (just with a slight change to the error message printed).
+
+Reported-by: IncogCyberpunk <incogcyberpunk@proton.me>
+Closes: http://lore.kernel.org/r/a380d061-479e-4713-bddd-1d6571ca7e86@leemhuis.info
+Fixes: e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()")
+Cc: stable@vger.kernel.org
+Tested-by: IncogCyberpunk <incogcyberpunk@proton.me>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2721,6 +2721,11 @@ static void btusb_mtk_claim_iso_intf(str
+       if (!btmtk_data)
+               return;
++      if (!btmtk_data->isopkt_intf) {
++              bt_dev_err(data->hdev, "Can't claim NULL iso interface");
++              return;
++      }
++
+       /*
+        * The function usb_driver_claim_interface() is documented to need
+        * locks held if it's not called from a probe routine. The code here
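Review bot: The new `!btmtk_data->isopkt_intf` check protects only btusb_mtk_claim_iso_intf(); per the commit message, btusb_mtk_setup() still stores a NULL result from usb_ifnum_to_if() in that field. Any other path that reads `isopkt_intf` and hands it to device_lock() or a USB core helper is outside this hunk and should be confirmed to tolerate NULL, or the setup code should skip the claim call when the lookup fails. A comment on the check, for example `/* usb_ifnum_to_if() may have returned NULL; device_lock() below would dereference it */`, would tie the guard to the crash it prevents. The function body continues past the end of the hunk.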
diff --git a/queue-6.17/can-rcar_canfd-fix-can-fd-mode-as-default.patch b/queue-6.17/can-rcar_canfd-fix-can-fd-mode-as-default.patch
new file mode 100644 (file)
index 0000000..6e36e8c
--- /dev/null
@@ -0,0 +1,120 @@
+From 6d849ff573722afcf5508d2800017bdd40f27eb9 Mon Sep 17 00:00:00 2001
+From: Biju Das <biju.das.jz@bp.renesas.com>
+Date: Tue, 18 Nov 2025 12:39:25 +0000
+Subject: can: rcar_canfd: Fix CAN-FD mode as default
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+commit 6d849ff573722afcf5508d2800017bdd40f27eb9 upstream.
+
+The commit 5cff263606a1 ("can: rcar_canfd: Fix controller mode setting")
+has aligned with the flow mentioned in the hardware manual for all SoCs
+except R-Car Gen3 and RZ/G2L SoCs. On R-Car Gen4 and RZ/G3E SoCs, due to
+the wrong logic in the commit[1] sets the default mode to FD-Only mode
+instead of CAN-FD mode.
+
+This patch sets the CAN-FD mode as the default for all SoCs by dropping
+the rcar_canfd_set_mode() as some SoC requires mode setting in global
+reset mode, and the rest of the SoCs in channel reset mode and update the
+rcar_canfd_reset_controller() to take care of these constraints. Moreover,
+the RZ/G3E and R-Car Gen4 SoCs support 3 modes compared to 2 modes on the
+R-Car Gen3. Use inverted logic in rcar_canfd_reset_controller() to
+simplify the code later to support FD-only mode.
+
+[1]
+commit 45721c406dcf ("can: rcar_canfd: Add support for r8a779a0 SoC")
+
+Fixes: 5cff263606a1 ("can: rcar_canfd: Fix controller mode setting")
+Cc: stable@vger.kernel.org
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Link: https://patch.msgid.link/20251118123926.193445-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/rcar/rcar_canfd.c |   53 ++++++++++++++++++++++----------------
+ 1 file changed, 31 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/can/rcar/rcar_canfd.c
++++ b/drivers/net/can/rcar/rcar_canfd.c
+@@ -726,6 +726,11 @@ static void rcar_canfd_set_bit_reg(void
+       rcar_canfd_update(val, val, addr);
+ }
++static void rcar_canfd_clear_bit_reg(void __iomem *addr, u32 val)
++{
++      rcar_canfd_update(val, 0, addr);
++}
++
+ static void rcar_canfd_update_bit_reg(void __iomem *addr, u32 mask, u32 val)
+ {
+       rcar_canfd_update(mask, val, addr);
+@@ -772,25 +777,6 @@ static void rcar_canfd_set_rnc(struct rc
+       rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLCFG(w), rnc);
+ }
+-static void rcar_canfd_set_mode(struct rcar_canfd_global *gpriv)
+-{
+-      if (gpriv->info->ch_interface_mode) {
+-              u32 ch, val = gpriv->fdmode ? RCANFD_GEN4_FDCFG_FDOE
+-                                          : RCANFD_GEN4_FDCFG_CLOE;
+-
+-              for_each_set_bit(ch, &gpriv->channels_mask,
+-                               gpriv->info->max_channels)
+-                      rcar_canfd_set_bit_reg(&gpriv->fcbase[ch].cfdcfg, val);
+-      } else {
+-              if (gpriv->fdmode)
+-                      rcar_canfd_set_bit(gpriv->base, RCANFD_GRMCFG,
+-                                         RCANFD_GRMCFG_RCMC);
+-              else
+-                      rcar_canfd_clear_bit(gpriv->base, RCANFD_GRMCFG,
+-                                           RCANFD_GRMCFG_RCMC);
+-      }
+-}
+-
+ static int rcar_canfd_reset_controller(struct rcar_canfd_global *gpriv)
+ {
+       struct device *dev = &gpriv->pdev->dev;
+@@ -823,6 +809,16 @@ static int rcar_canfd_reset_controller(s
+       /* Reset Global error flags */
+       rcar_canfd_write(gpriv->base, RCANFD_GERFL, 0x0);
++      /* Set the controller into appropriate mode */
++      if (!gpriv->info->ch_interface_mode) {
++              if (gpriv->fdmode)
++                      rcar_canfd_set_bit(gpriv->base, RCANFD_GRMCFG,
++                                         RCANFD_GRMCFG_RCMC);
++              else
++                      rcar_canfd_clear_bit(gpriv->base, RCANFD_GRMCFG,
++                                           RCANFD_GRMCFG_RCMC);
++      }
++
+       /* Transition all Channels to reset mode */
+       for_each_set_bit(ch, &gpriv->channels_mask, gpriv->info->max_channels) {
+               rcar_canfd_clear_bit(gpriv->base,
+@@ -840,10 +836,23 @@ static int rcar_canfd_reset_controller(s
+                       dev_dbg(dev, "channel %u reset failed\n", ch);
+                       return err;
+               }
+-      }
+-      /* Set the controller into appropriate mode */
+-      rcar_canfd_set_mode(gpriv);
++              /* Set the controller into appropriate mode */
++              if (gpriv->info->ch_interface_mode) {
++                      /* Do not set CLOE and FDOE simultaneously */
++                      if (!gpriv->fdmode) {
++                              rcar_canfd_clear_bit_reg(&gpriv->fcbase[ch].cfdcfg,
++                                                       RCANFD_GEN4_FDCFG_FDOE);
++                              rcar_canfd_set_bit_reg(&gpriv->fcbase[ch].cfdcfg,
++                                                     RCANFD_GEN4_FDCFG_CLOE);
++                      } else {
++                              rcar_canfd_clear_bit_reg(&gpriv->fcbase[ch].cfdcfg,
++                                                       RCANFD_GEN4_FDCFG_FDOE);
++                              rcar_canfd_clear_bit_reg(&gpriv->fcbase[ch].cfdcfg,
++                                                       RCANFD_GEN4_FDCFG_CLOE);
++                      }
++              }
++      }
+       return 0;
+ }
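Review bot: The comment `/* Do not set CLOE and FDOE simultaneously */` in the per-channel block of rcar_canfd_reset_controller() does not say which bit pattern selects which mode, and both branches open with the same FDOE clear, so the intent is hard to read from the code alone. Going by the commit message (FD-only was being selected where CAN-FD was meant), a comment along the lines of `/* FDOE=0,CLOE=1: Classical CAN only; FDOE=0,CLOE=0: CAN-FD */` would make the mapping explicit; the bit meanings should be confirmed against the hardware manual. The new helper rcar_canfd_clear_bit_reg() could also carry a one-line comment noting that, like rcar_canfd_set_bit_reg(), it takes a full register address rather than a base and offset.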
diff --git a/queue-6.17/can-sja1000-fix-max-irq-loop-handling.patch b/queue-6.17/can-sja1000-fix-max-irq-loop-handling.patch
new file mode 100644 (file)
index 0000000..e80ba9a
--- /dev/null
@@ -0,0 +1,45 @@
+From 30db4451c7f6aabcada029b15859a76962ec0cf8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20M=C3=BChlbacher?= <tmuehlbacher@posteo.net>
+Date: Sat, 15 Nov 2025 15:34:56 +0000
+Subject: can: sja1000: fix max irq loop handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Mühlbacher <tmuehlbacher@posteo.net>
+
+commit 30db4451c7f6aabcada029b15859a76962ec0cf8 upstream.
+
+Reading the interrupt register `SJA1000_IR` causes all of its bits to be
+reset. If we ever reach the condition of handling more than
+`SJA1000_MAX_IRQ` IRQs, we will have read the register and reset all its
+bits but without actually handling the interrupt inside of the loop
+body.
+
+This may, among other issues, cause us to never `netif_wake_queue()`
+again after a transmission interrupt.
+
+Fixes: 429da1cc841b ("can: Driver for the SJA1000 CAN controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Mühlbacher <tmuehlbacher@posteo.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://patch.msgid.link/20251115153437.11419-1-tmuehlbacher@posteo.net
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/sja1000/sja1000.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -548,8 +548,8 @@ irqreturn_t sja1000_interrupt(int irq, v
+       if (priv->read_reg(priv, SJA1000_IER) == IRQ_OFF)
+               goto out;
+-      while ((isrc = priv->read_reg(priv, SJA1000_IR)) &&
+-             (n < SJA1000_MAX_IRQ)) {
++      while ((n < SJA1000_MAX_IRQ) &&
++             (isrc = priv->read_reg(priv, SJA1000_IR))) {
+               status = priv->read_reg(priv, SJA1000_SR);
+               /* check for absent controller due to hw unplug */
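Review bot: The reordered loop condition in sja1000_interrupt() depends entirely on `&&` short-circuiting so that `SJA1000_IR` is not read once `n` reaches `SJA1000_MAX_IRQ`, yet nothing in the code says so, and the two operands look freely reorderable. A comment above the loop such as `/* test the budget first: reading SJA1000_IR clears it, so never read it without handling the result */` would keep a later clean-up from reintroducing the lost-interrupt bug. The same comment is needed on the `SUN4I_REG_INT_ADDR` loop in the sun4i_can_interrupt() hunk of the next patch. The loop body continues outside the hunk.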
diff --git a/queue-6.17/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch b/queue-6.17/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch
new file mode 100644 (file)
index 0000000..7727196
--- /dev/null
@@ -0,0 +1,45 @@
+From 76544beea7cfe5bcce6d60f53811657b88ec8be1 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sun, 16 Nov 2025 16:55:26 +0100
+Subject: can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 76544beea7cfe5bcce6d60f53811657b88ec8be1 upstream.
+
+Reading the interrupt register `SUN4I_REG_INT_ADDR` causes all of its bits
+to be reset. If we ever reach the condition of handling more than
+`SUN4I_CAN_MAX_IRQ` IRQs, we will have read the register and reset all its
+bits but without actually handling the interrupt inside of the loop body.
+
+This may, among other issues, cause us to never `netif_wake_queue()` again
+after a transmission interrupt.
+
+Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module")
+Cc: stable@vger.kernel.org
+Co-developed-by: Thomas Mühlbacher <tmuehlbacher@posteo.net>
+Signed-off-by: Thomas Mühlbacher <tmuehlbacher@posteo.net>
+Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://patch.msgid.link/20251116-sun4i-fix-loop-v1-1-3d76d3f81950@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/sun4i_can.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/sun4i_can.c
++++ b/drivers/net/can/sun4i_can.c
+@@ -657,8 +657,8 @@ static irqreturn_t sun4i_can_interrupt(i
+       u8 isrc, status;
+       int n = 0;
+-      while ((isrc = readl(priv->base + SUN4I_REG_INT_ADDR)) &&
+-             (n < SUN4I_CAN_MAX_IRQ)) {
++      while ((n < SUN4I_CAN_MAX_IRQ) &&
++             (isrc = readl(priv->base + SUN4I_REG_INT_ADDR))) {
+               n++;
+               status = readl(priv->base + SUN4I_REG_STA_ADDR);
diff --git a/queue-6.17/ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch b/queue-6.17/ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch
new file mode 100644 (file)
index 0000000..354e70f
--- /dev/null
@@ -0,0 +1,373 @@
+From 43962db4a6f593903340c85591056a0cef812dfd Mon Sep 17 00:00:00 2001
+From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Date: Thu, 13 Nov 2025 14:36:24 -0800
+Subject: ceph: fix crash in process_v2_sparse_read() for encrypted directories
+
+From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+
+commit 43962db4a6f593903340c85591056a0cef812dfd upstream.
+
+The crash in process_v2_sparse_read() for fscrypt-encrypted directories
+has been reported. Issue takes place for Ceph msgr2 protocol in secure
+mode. It can be reproduced by the steps:
+
+sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure
+
+(1) mkdir /mnt/cephfs/fscrypt-test-3
+(2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3
+(3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3
+(4) fscrypt lock /mnt/cephfs/fscrypt-test-3
+(5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3
+(6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar
+(7) Issue has been triggered
+
+[  408.072247] ------------[ cut here ]------------
+[  408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865
+ceph_con_v2_try_read+0x4b39/0x72f0
+[  408.072267] Modules linked in: intel_rapl_msr intel_rapl_common
+intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery
+pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass
+polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse
+serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg
+pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore
+[  408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+
+[  408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.17.0-5.fc42 04/01/2014
+[  408.072310] Workqueue: ceph-msgr ceph_con_workfn
+[  408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0
+[  408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8
+8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff <0f> 0b e9 06
+fe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85
+[  408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246
+[  408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38
+[  408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[  408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8
+[  408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8
+[  408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000
+[  408.072329] FS:  0000000000000000(0000) GS:ffff88823eadf000(0000)
+knlGS:0000000000000000
+[  408.072331] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0
+[  408.072336] PKRU: 55555554
+[  408.072337] Call Trace:
+[  408.072338]  <TASK>
+[  408.072340]  ? sched_clock_noinstr+0x9/0x10
+[  408.072344]  ? __pfx_ceph_con_v2_try_read+0x10/0x10
+[  408.072347]  ? _raw_spin_unlock+0xe/0x40
+[  408.072349]  ? finish_task_switch.isra.0+0x15d/0x830
+[  408.072353]  ? __kasan_check_write+0x14/0x30
+[  408.072357]  ? mutex_lock+0x84/0xe0
+[  408.072359]  ? __pfx_mutex_lock+0x10/0x10
+[  408.072361]  ceph_con_workfn+0x27e/0x10e0
+[  408.072364]  ? metric_delayed_work+0x311/0x2c50
+[  408.072367]  process_one_work+0x611/0xe20
+[  408.072371]  ? __kasan_check_write+0x14/0x30
+[  408.072373]  worker_thread+0x7e3/0x1580
+[  408.072375]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[  408.072378]  ? __pfx_worker_thread+0x10/0x10
+[  408.072381]  kthread+0x381/0x7a0
+[  408.072383]  ? __pfx__raw_spin_lock_irq+0x10/0x10
+[  408.072385]  ? __pfx_kthread+0x10/0x10
+[  408.072387]  ? __kasan_check_write+0x14/0x30
+[  408.072389]  ? recalc_sigpending+0x160/0x220
+[  408.072392]  ? _raw_spin_unlock_irq+0xe/0x50
+[  408.072394]  ? calculate_sigpending+0x78/0xb0
+[  408.072395]  ? __pfx_kthread+0x10/0x10
+[  408.072397]  ret_from_fork+0x2b6/0x380
+[  408.072400]  ? __pfx_kthread+0x10/0x10
+[  408.072402]  ret_from_fork_asm+0x1a/0x30
+[  408.072406]  </TASK>
+[  408.072407] ---[ end trace 0000000000000000 ]---
+[  408.072418] Oops: general protection fault, probably for non-canonical
+address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
+[  408.072984] KASAN: null-ptr-deref in range [0x0000000000000000-
+0x0000000000000007]
+[  408.073350] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Tainted: G        W
+6.17.0-rc7+ #1 PREEMPT(voluntary)
+[  408.073886] Tainted: [W]=WARN
+[  408.074042] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.17.0-5.fc42 04/01/2014
+[  408.074468] Workqueue: ceph-msgr ceph_con_workfn
+[  408.074694] RIP: 0010:ceph_msg_data_advance+0x79/0x1a80
+[  408.074976] Code: fc ff df 49 8d 77 08 48 c1 ee 03 80 3c 16 00 0f 85 07 11 00
+00 48 ba 00 00 00 00 00 fc ff df 49 8b 5f 08 48 89 de 48 c1 ee 03 <0f> b6 14 16
+84 d2 74 09 80 fa 03 0f 8e 0f 0e 00 00 8b 13 83 fa 03
+[  408.075884] RSP: 0018:ffff88811c3e7990 EFLAGS: 00010246
+[  408.076305] RAX: ffff8881243a6388 RBX: 0000000000000000 RCX: 0000000000000000
+[  408.076909] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8881243a6378
+[  408.077466] RBP: ffff88811c3e7a20 R08: 0000000000000000 R09: 00000000000000c8
+[  408.078034] R10: ffff8881243a6388 R11: 0000000000000000 R12: ffffed1024874c71
+[  408.078575] R13: dffffc0000000000 R14: ffff8881243a6030 R15: ffff8881243a6378
+[  408.079159] FS:  0000000000000000(0000) GS:ffff88823eadf000(0000)
+knlGS:0000000000000000
+[  408.079736] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  408.080039] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0
+[  408.080376] PKRU: 55555554
+[  408.080513] Call Trace:
+[  408.080630]  <TASK>
+[  408.080729]  ceph_con_v2_try_read+0x49b9/0x72f0
+[  408.081115]  ? __pfx_ceph_con_v2_try_read+0x10/0x10
+[  408.081348]  ? _raw_spin_unlock+0xe/0x40
+[  408.081538]  ? finish_task_switch.isra.0+0x15d/0x830
+[  408.081768]  ? __kasan_check_write+0x14/0x30
+[  408.081986]  ? mutex_lock+0x84/0xe0
+[  408.082160]  ? __pfx_mutex_lock+0x10/0x10
+[  408.082343]  ceph_con_workfn+0x27e/0x10e0
+[  408.082529]  ? metric_delayed_work+0x311/0x2c50
+[  408.082737]  process_one_work+0x611/0xe20
+[  408.082948]  ? __kasan_check_write+0x14/0x30
+[  408.083156]  worker_thread+0x7e3/0x1580
+[  408.083331]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[  408.083557]  ? __pfx_worker_thread+0x10/0x10
+[  408.083751]  kthread+0x381/0x7a0
+[  408.083922]  ? __pfx__raw_spin_lock_irq+0x10/0x10
+[  408.084139]  ? __pfx_kthread+0x10/0x10
+[  408.084310]  ? __kasan_check_write+0x14/0x30
+[  408.084510]  ? recalc_sigpending+0x160/0x220
+[  408.084708]  ? _raw_spin_unlock_irq+0xe/0x50
+[  408.084917]  ? calculate_sigpending+0x78/0xb0
+[  408.085138]  ? __pfx_kthread+0x10/0x10
+[  408.085335]  ret_from_fork+0x2b6/0x380
+[  408.085525]  ? __pfx_kthread+0x10/0x10
+[  408.085720]  ret_from_fork_asm+0x1a/0x30
+[  408.085922]  </TASK>
+[  408.086036] Modules linked in: intel_rapl_msr intel_rapl_common
+intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery
+pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass
+polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse
+serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg
+pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore
+[  408.087778] ---[ end trace 0000000000000000 ]---
+[  408.088007] RIP: 0010:ceph_msg_data_advance+0x79/0x1a80
+[  408.088260] Code: fc ff df 49 8d 77 08 48 c1 ee 03 80 3c 16 00 0f 85 07 11 00
+00 48 ba 00 00 00 00 00 fc ff df 49 8b 5f 08 48 89 de 48 c1 ee 03 <0f> b6 14 16
+84 d2 74 09 80 fa 03 0f 8e 0f 0e 00 00 8b 13 83 fa 03
+[  408.089118] RSP: 0018:ffff88811c3e7990 EFLAGS: 00010246
+[  408.089357] RAX: ffff8881243a6388 RBX: 0000000000000000 RCX: 0000000000000000
+[  408.089678] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8881243a6378
+[  408.090020] RBP: ffff88811c3e7a20 R08: 0000000000000000 R09: 00000000000000c8
+[  408.090360] R10: ffff8881243a6388 R11: 0000000000000000 R12: ffffed1024874c71
+[  408.090687] R13: dffffc0000000000 R14: ffff8881243a6030 R15: ffff8881243a6378
+[  408.091035] FS:  0000000000000000(0000) GS:ffff88823eadf000(0000)
+knlGS:0000000000000000
+[  408.091452] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  408.092015] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0
+[  408.092530] PKRU: 55555554
+[  417.112915]
+==================================================================
+[  417.113491] BUG: KASAN: slab-use-after-free in
+__mutex_lock.constprop.0+0x1522/0x1610
+[  417.114014] Read of size 4 at addr ffff888124870034 by task kworker/2:0/4951
+
+[  417.114587] CPU: 2 UID: 0 PID: 4951 Comm: kworker/2:0 Tainted: G      D W
+6.17.0-rc7+ #1 PREEMPT(voluntary)
+[  417.114592] Tainted: [D]=DIE, [W]=WARN
+[  417.114593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.17.0-5.fc42 04/01/2014
+[  417.114596] Workqueue: events handle_timeout
+[  417.114601] Call Trace:
+[  417.114602]  <TASK>
+[  417.114604]  dump_stack_lvl+0x5c/0x90
+[  417.114610]  print_report+0x171/0x4dc
+[  417.114613]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[  417.114617]  ? kasan_complete_mode_report_info+0x80/0x220
+[  417.114621]  kasan_report+0xbd/0x100
+[  417.114625]  ? __mutex_lock.constprop.0+0x1522/0x1610
+[  417.114628]  ? __mutex_lock.constprop.0+0x1522/0x1610
+[  417.114630]  __asan_report_load4_noabort+0x14/0x30
+[  417.114633]  __mutex_lock.constprop.0+0x1522/0x1610
+[  417.114635]  ? queue_con_delay+0x8d/0x200
+[  417.114638]  ? __pfx___mutex_lock.constprop.0+0x10/0x10
+[  417.114641]  ? __send_subscribe+0x529/0xb20
+[  417.114644]  __mutex_lock_slowpath+0x13/0x20
+[  417.114646]  mutex_lock+0xd4/0xe0
+[  417.114649]  ? __pfx_mutex_lock+0x10/0x10
+[  417.114652]  ? ceph_monc_renew_subs+0x2a/0x40
+[  417.114654]  ceph_con_keepalive+0x22/0x110
+[  417.114656]  handle_timeout+0x6b3/0x11d0
+[  417.114659]  ? _raw_spin_unlock_irq+0xe/0x50
+[  417.114662]  ? __pfx_handle_timeout+0x10/0x10
+[  417.114664]  ? queue_delayed_work_on+0x8e/0xa0
+[  417.114669]  process_one_work+0x611/0xe20
+[  417.114672]  ? __kasan_check_write+0x14/0x30
+[  417.114676]  worker_thread+0x7e3/0x1580
+[  417.114678]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[  417.114682]  ? __pfx_sched_setscheduler_nocheck+0x10/0x10
+[  417.114687]  ? __pfx_worker_thread+0x10/0x10
+[  417.114689]  kthread+0x381/0x7a0
+[  417.114692]  ? __pfx__raw_spin_lock_irq+0x10/0x10
+[  417.114694]  ? __pfx_kthread+0x10/0x10
+[  417.114697]  ? __kasan_check_write+0x14/0x30
+[  417.114699]  ? recalc_sigpending+0x160/0x220
+[  417.114703]  ? _raw_spin_unlock_irq+0xe/0x50
+[  417.114705]  ? calculate_sigpending+0x78/0xb0
+[  417.114707]  ? __pfx_kthread+0x10/0x10
+[  417.114710]  ret_from_fork+0x2b6/0x380
+[  417.114713]  ? __pfx_kthread+0x10/0x10
+[  417.114715]  ret_from_fork_asm+0x1a/0x30
+[  417.114720]  </TASK>
+
+[  417.125171] Allocated by task 2:
+[  417.125333]  kasan_save_stack+0x26/0x60
+[  417.125522]  kasan_save_track+0x14/0x40
+[  417.125742]  kasan_save_alloc_info+0x39/0x60
+[  417.125945]  __kasan_slab_alloc+0x8b/0xb0
+[  417.126133]  kmem_cache_alloc_node_noprof+0x13b/0x460
+[  417.126381]  copy_process+0x320/0x6250
+[  417.126595]  kernel_clone+0xb7/0x840
+[  417.126792]  kernel_thread+0xd6/0x120
+[  417.126995]  kthreadd+0x85c/0xbe0
+[  417.127176]  ret_from_fork+0x2b6/0x380
+[  417.127378]  ret_from_fork_asm+0x1a/0x30
+
+[  417.127692] Freed by task 0:
+[  417.127851]  kasan_save_stack+0x26/0x60
+[  417.128057]  kasan_save_track+0x14/0x40
+[  417.128267]  kasan_save_free_info+0x3b/0x60
+[  417.128491]  __kasan_slab_free+0x6c/0xa0
+[  417.128708]  kmem_cache_free+0x182/0x550
+[  417.128906]  free_task+0xeb/0x140
+[  417.129070]  __put_task_struct+0x1d2/0x4f0
+[  417.129259]  __put_task_struct_rcu_cb+0x15/0x20
+[  417.129480]  rcu_do_batch+0x3d3/0xe70
+[  417.129681]  rcu_core+0x549/0xb30
+[  417.129839]  rcu_core_si+0xe/0x20
+[  417.130005]  handle_softirqs+0x160/0x570
+[  417.130190]  __irq_exit_rcu+0x189/0x1e0
+[  417.130369]  irq_exit_rcu+0xe/0x20
+[  417.130531]  sysvec_apic_timer_interrupt+0x9f/0xd0
+[  417.130768]  asm_sysvec_apic_timer_interrupt+0x1b/0x20
+
+[  417.131082] Last potentially related work creation:
+[  417.131305]  kasan_save_stack+0x26/0x60
+[  417.131484]  kasan_record_aux_stack+0xae/0xd0
+[  417.131695]  __call_rcu_common+0xcd/0x14b0
+[  417.131909]  call_rcu+0x31/0x50
+[  417.132071]  delayed_put_task_struct+0x128/0x190
+[  417.132295]  rcu_do_batch+0x3d3/0xe70
+[  417.132478]  rcu_core+0x549/0xb30
+[  417.132658]  rcu_core_si+0xe/0x20
+[  417.132808]  handle_softirqs+0x160/0x570
+[  417.132993]  __irq_exit_rcu+0x189/0x1e0
+[  417.133181]  irq_exit_rcu+0xe/0x20
+[  417.133353]  sysvec_apic_timer_interrupt+0x9f/0xd0
+[  417.133584]  asm_sysvec_apic_timer_interrupt+0x1b/0x20
+
+[  417.133921] Second to last potentially related work creation:
+[  417.134183]  kasan_save_stack+0x26/0x60
+[  417.134362]  kasan_record_aux_stack+0xae/0xd0
+[  417.134566]  __call_rcu_common+0xcd/0x14b0
+[  417.134782]  call_rcu+0x31/0x50
+[  417.134929]  put_task_struct_rcu_user+0x58/0xb0
+[  417.135143]  finish_task_switch.isra.0+0x5d3/0x830
+[  417.135366]  __schedule+0xd30/0x5100
+[  417.135534]  schedule_idle+0x5a/0x90
+[  417.135712]  do_idle+0x25f/0x410
+[  417.135871]  cpu_startup_entry+0x53/0x70
+[  417.136053]  start_secondary+0x216/0x2c0
+[  417.136233]  common_startup_64+0x13e/0x141
+
+[  417.136894] The buggy address belongs to the object at ffff888124870000
+                which belongs to the cache task_struct of size 10504
+[  417.138122] The buggy address is located 52 bytes inside of
+                freed 10504-byte region [ffff888124870000, ffff888124872908)
+
+[  417.139465] The buggy address belongs to the physical page:
+[  417.140016] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
+pfn:0x124870
+[  417.140789] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0
+pincount:0
+[  417.141519] memcg:ffff88811aa20e01
+[  417.141874] anon flags:
+0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
+[  417.142600] page_type: f5(slab)
+[  417.142922] raw: 0017ffffc0000040 ffff88810094f040 0000000000000000
+dead000000000001
+[  417.143554] raw: 0000000000000000 0000000000030003 00000000f5000000
+ffff88811aa20e01
+[  417.143954] head: 0017ffffc0000040 ffff88810094f040 0000000000000000
+dead000000000001
+[  417.144329] head: 0000000000000000 0000000000030003 00000000f5000000
+ffff88811aa20e01
+[  417.144710] head: 0017ffffc0000003 ffffea0004921c01 00000000ffffffff
+00000000ffffffff
+[  417.145106] head: ffffffffffffffff 0000000000000000 00000000ffffffff
+0000000000000008
+[  417.145485] page dumped because: kasan: bad access detected
+
+[  417.145859] Memory state around the buggy address:
+[  417.146094]  ffff88812486ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+fc
+[  417.146439]  ffff88812486ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+fc
+[  417.146791] >ffff888124870000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+fb
+[  417.147145]                                      ^
+[  417.147387]  ffff888124870080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+fb
+[  417.147751]  ffff888124870100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+fb
+[  417.148123]
+==================================================================
+
+First of all, we have warning in get_bvec_at() because
+cursor->total_resid contains zero value. And, finally,
+we have crash in ceph_msg_data_advance() because
+cursor->data is NULL. It means that get_bvec_at()
+receives not initialized ceph_msg_data_cursor structure
+because data is NULL and total_resid contains zero.
+
+Moreover, we don't have likewise issue for the case of
+Ceph msgr1 protocol because ceph_msg_data_cursor_init()
+has been called before reading sparse data.
+
+This patch adds calling of ceph_msg_data_cursor_init()
+in the beginning of process_v2_sparse_read() with
+the goal to guarantee that logic of reading sparse data
+works correctly for the case of Ceph msgr2 protocol.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/73152
+Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/messenger_v2.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ceph/messenger_v2.c
++++ b/net/ceph/messenger_v2.c
+@@ -1087,13 +1087,16 @@ static int decrypt_control_remainder(str
+ static int process_v2_sparse_read(struct ceph_connection *con,
+                                 struct page **pages, int spos)
+ {
+-      struct ceph_msg_data_cursor *cursor = &con->v2.in_cursor;
++      struct ceph_msg_data_cursor cursor;
+       int ret;
++      ceph_msg_data_cursor_init(&cursor, con->in_msg,
++                                con->in_msg->sparse_read_total);
++
+       for (;;) {
+               char *buf = NULL;
+-              ret = con->ops->sparse_read(con, cursor, &buf);
++              ret = con->ops->sparse_read(con, &cursor, &buf);
+               if (ret <= 0)
+                       return ret;
+@@ -1111,11 +1114,11 @@ static int process_v2_sparse_read(struct
+                       } else {
+                               struct bio_vec bv;
+-                              get_bvec_at(cursor, &bv);
++                              get_bvec_at(&cursor, &bv);
+                               len = min_t(int, len, bv.bv_len);
+                               memcpy_page(bv.bv_page, bv.bv_offset,
+                                           spage, soff, len);
+-                              ceph_msg_data_advance(cursor, len);
++                              ceph_msg_data_advance(&cursor, len);
+                       }
+                       spos += len;
+                       ret -= len;
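Review bot: The new local `cursor` in process_v2_sparse_read() is re-initialised from the start of the message data on every call and discarded on return, which is only correct if one call always consumes the whole sparse payload; nothing in the function records that. A comment above the init would help, e.g. `/* secure mode: con->v2.in_cursor is not set up for sparse reads, so walk in_msg data with a private cursor */`. The init also dereferences `con->in_msg` and passes `sparse_read_total` through unchecked. ceph_msg_data_cursor_init() is not shown here, so if it asserts on a zero or oversized length, a value taken from the peer's reply would reach that assertion; it is worth confirming the total is validated before this point. The function body is split across two inner hunks and continues past the second.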
diff --git a/queue-6.17/counter-microchip-tcb-capture-allow-shared-irq-for-multi-channel-tcbs.patch b/queue-6.17/counter-microchip-tcb-capture-allow-shared-irq-for-multi-channel-tcbs.patch
new file mode 100644 (file)
index 0000000..b6acc2a
--- /dev/null
@@ -0,0 +1,49 @@
+From 109ff654934a4752f8875ded672efd1fbfe4d31d Mon Sep 17 00:00:00 2001
+From: Dharma Balasubiramani <dharma.b@microchip.com>
+Date: Mon, 6 Oct 2025 16:21:50 +0530
+Subject: counter: microchip-tcb-capture: Allow shared IRQ for multi-channel TCBs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dharma Balasubiramani <dharma.b@microchip.com>
+
+commit 109ff654934a4752f8875ded672efd1fbfe4d31d upstream.
+
+Mark the interrupt as IRQF_SHARED to permit multiple counter channels to
+share the same TCB IRQ line.
+
+Each Timer/Counter Block (TCB) instance shares a single IRQ line among its
+three internal channels. When multiple counter channels (e.g., counter@0
+and counter@1) within the same TCB are enabled, the second call to
+devm_request_irq() fails because the IRQ line is already requested by the
+first channel.
+
+Cc: stable@vger.kernel.org
+Fixes: e5d581396821 ("counter: microchip-tcb-capture: Add IRQ handling")
+Signed-off-by: Dharma Balasubiramani <dharma.b@microchip.com>
+Reviewed-by: Kamel Bouhara <kamel.bouhara@bootlin.com>
+Reviewed-by: Bence Csókás <bence98@sch.bme.hu>
+Link: https://lore.kernel.org/r/20251006-microchip-tcb-v1-1-09c19181bb4a@microchip.com
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/counter/microchip-tcb-capture.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/counter/microchip-tcb-capture.c b/drivers/counter/microchip-tcb-capture.c
+index 1a299d1f350b..19d457ae4c3b 100644
+--- a/drivers/counter/microchip-tcb-capture.c
++++ b/drivers/counter/microchip-tcb-capture.c
+@@ -451,7 +451,7 @@ static void mchp_tc_irq_remove(void *ptr)
+ static int mchp_tc_irq_enable(struct counter_device *const counter, int irq)
+ {
+       struct mchp_tc_data *const priv = counter_priv(counter);
+-      int ret = devm_request_irq(counter->parent, irq, mchp_tc_isr, 0,
++      int ret = devm_request_irq(counter->parent, irq, mchp_tc_isr, IRQF_SHARED,
+                                  dev_name(counter->parent), counter);
+       if (ret < 0)
+-- 
+2.52.0
+
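Review bot: With `IRQF_SHARED` on the `devm_request_irq()` call, `mchp_tc_isr` will also be invoked for interrupts raised by sibling channels on the same TCB line, and the handler is not part of this hunk. It needs to read its own channel's status and return `IRQ_NONE` when nothing is pending for it, otherwise events can be attributed to the wrong counter and the kernel's spurious-interrupt accounting is bypassed. The `dev_id` passed is `counter`, which is per-channel and non-NULL as sharing requires. mchp_tc_irq_enable() continues outside the hunk.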
diff --git a/queue-6.17/dm-verity-fix-unreliable-memory-allocation.patch b/queue-6.17/dm-verity-fix-unreliable-memory-allocation.patch
new file mode 100644 (file)
index 0000000..0bdc8e4
--- /dev/null
@@ -0,0 +1,36 @@
+From fe680d8c747f4e676ac835c8c7fb0f287cd98758 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 17 Nov 2025 21:42:02 +0100
+Subject: dm-verity: fix unreliable memory allocation
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit fe680d8c747f4e676ac835c8c7fb0f287cd98758 upstream.
+
+GFP_NOWAIT allocation may fail anytime. It needs to be changed to
+GFP_NOIO. There's no need to handle an error because mempool_alloc with
+GFP_NOIO can't fail.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-fec.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -320,11 +320,7 @@ static int fec_alloc_bufs(struct dm_veri
+               if (fio->bufs[n])
+                       continue;
+-              fio->bufs[n] = mempool_alloc(&v->fec->prealloc_pool, GFP_NOWAIT);
+-              if (unlikely(!fio->bufs[n])) {
+-                      DMERR("failed to allocate FEC buffer");
+-                      return -ENOMEM;
+-              }
++              fio->bufs[n] = mempool_alloc(&v->fec->prealloc_pool, GFP_NOIO);
+       }
+       /* try to allocate the maximum number of buffers */
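Review bot: Switching the `mempool_alloc()` in fec_alloc_bufs() to `GFP_NOIO` removes the failure path but lets the call block until another user returns an element to `prealloc_pool`. The surrounding loop appears to take one element per empty `fio->bufs[n]` slot. Forward progress therefore depends on the pool reserve covering a full set for one `fio`, and on this never being reached from atomic context; neither is visible in the hunk. A comment on the line would record the assumption, e.g. `/* GFP_NOIO: may sleep, cannot fail; pool reserve must cover one fio */`. The function starts and ends outside the hunk.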
diff --git a/queue-6.17/drivers-usb-dwc3-fix-pci-parent-check.patch b/queue-6.17/drivers-usb-dwc3-fix-pci-parent-check.patch
new file mode 100644 (file)
index 0000000..497c934
--- /dev/null
@@ -0,0 +1,48 @@
+From 40f8d17eed7533ed2bbb5e3cc680049b19411b2e Mon Sep 17 00:00:00 2001
+From: Jamie Iles <jamie.iles@oss.qualcomm.com>
+Date: Fri, 7 Nov 2025 10:44:37 +0000
+Subject: drivers/usb/dwc3: fix PCI parent check
+
+From: Jamie Iles <jamie.iles@oss.qualcomm.com>
+
+commit 40f8d17eed7533ed2bbb5e3cc680049b19411b2e upstream.
+
+The sysdev_is_parent check was being used to infer PCI devices that have
+the DMA mask set from the PCI capabilities, but sysdev_is_parent is also
+used for non-PCI ACPI devices in which case the DMA mask would be the
+bus default or as set by the _DMA method.
+
+Without this fix the DMA mask would default to 32-bits and so allocation
+would fail if there was no DRAM below 4GB.
+
+Fixes: 47ce45906ca9 ("usb: dwc3: leave default DMA for PCI devices")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Jamie Iles <jamie.iles@oss.qualcomm.com>
+Signed-off-by: Punit Agrawal <punit.agrawal@oss.qualcomm.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://patch.msgid.link/20251107104437.1602509-1-punit.agrawal@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -25,6 +25,7 @@
+ #include <linux/of.h>
+ #include <linux/of_graph.h>
+ #include <linux/acpi.h>
++#include <linux/pci.h>
+ #include <linux/pinctrl/consumer.h>
+ #include <linux/pinctrl/devinfo.h>
+ #include <linux/reset.h>
+@@ -2240,7 +2241,7 @@ int dwc3_core_probe(const struct dwc3_pr
+       dev_set_drvdata(dev, dwc);
+       dwc3_cache_hwparams(dwc);
+-      if (!dwc->sysdev_is_parent &&
++      if (!dev_is_pci(dwc->sysdev) &&
+           DWC3_GHWPARAMS0_AWIDTH(dwc->hwparams.hwparams0) == 64) {
+               ret = dma_set_mask_and_coherent(dwc->sysdev, DMA_BIT_MASK(64));
+               if (ret)
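Review bot: The rewritten condition in dwc3_core_probe() now keys on the bus type of `dwc->sysdev`, but nothing at the test says why PCI is the one case that must keep its existing mask. A short comment would stop it being simplified back to `sysdev_is_parent`, e.g. `/* PCI sysdevs already have their DMA mask set from PCI capabilities; everything else gets 64-bit when AWIDTH reports it */`. The function body continues outside the hunk.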
diff --git a/queue-6.17/drm-fbcon-vga_switcheroo-avoid-race-condition-in-fbcon-setup.patch b/queue-6.17/drm-fbcon-vga_switcheroo-avoid-race-condition-in-fbcon-setup.patch
new file mode 100644 (file)
index 0000000..babcb5f
--- /dev/null
@@ -0,0 +1,135 @@
+From eb76d0f5553575599561010f24c277cc5b31d003 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Wed, 5 Nov 2025 17:14:49 +0100
+Subject: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit eb76d0f5553575599561010f24c277cc5b31d003 upstream.
+
+Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB
+access in fbcon_remap_all(). Without holding the console lock the call
+races with switching outputs.
+
+VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon
+function uses struct fb_info.node, which is set by register_framebuffer().
+As the fb-helper code currently sets up VGA switcheroo before registering
+the framebuffer, the value of node is -1 and therefore not a legal value.
+For example, fbcon uses the value within set_con2fb_map() [1] as an index
+into an array.
+
+Moving vga_switcheroo_client_fb_set() after register_framebuffer() can
+result in VGA switching that does not switch fbcon correctly.
+
+Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),
+which already holds the console lock. Fbdev calls fbcon_fb_registered()
+from within register_framebuffer(). Serializes the helper with VGA
+switcheroo's call to fbcon_remap_all().
+
+Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info
+as parameter, it really only needs the contained fbcon state. Moving the
+call to fbcon initialization is therefore cleaner than before. Only amdgpu,
+i915, nouveau and radeon support vga_switcheroo. For all other drivers,
+this change does nothing.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://elixir.bootlin.com/linux/v6.17/source/drivers/video/fbdev/core/fbcon.c#L2942 # [1]
+Fixes: 6a9ee8af344e ("vga_switcheroo: initial implementation (v15)")
+Acked-by: Javier Martinez Canillas <javierm@redhat.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: nouveau@lists.freedesktop.org
+Cc: amd-gfx@lists.freedesktop.org
+Cc: linux-fbdev@vger.kernel.org
+Cc: <stable@vger.kernel.org> # v2.6.34+
+Link: https://patch.msgid.link/20251105161549.98836-1-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_fb_helper.c  |   14 --------------
+ drivers/video/fbdev/core/fbcon.c |    9 +++++++++
+ 2 files changed, 9 insertions(+), 14 deletions(-)
+
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -31,9 +31,7 @@
+ #include <linux/console.h>
+ #include <linux/export.h>
+-#include <linux/pci.h>
+ #include <linux/sysrq.h>
+-#include <linux/vga_switcheroo.h>
+ #include <drm/drm_atomic.h>
+ #include <drm/drm_drv.h>
+@@ -566,11 +564,6 @@ EXPORT_SYMBOL(drm_fb_helper_release_info
+  */
+ void drm_fb_helper_unregister_info(struct drm_fb_helper *fb_helper)
+ {
+-      struct fb_info *info = fb_helper->info;
+-      struct device *dev = info->device;
+-
+-      if (dev_is_pci(dev))
+-              vga_switcheroo_client_fb_set(to_pci_dev(dev), NULL);
+       unregister_framebuffer(fb_helper->info);
+ }
+ EXPORT_SYMBOL(drm_fb_helper_unregister_info);
+@@ -1632,7 +1625,6 @@ static int drm_fb_helper_single_fb_probe
+       struct drm_client_dev *client = &fb_helper->client;
+       struct drm_device *dev = fb_helper->dev;
+       struct drm_fb_helper_surface_size sizes;
+-      struct fb_info *info;
+       int ret;
+       if (drm_WARN_ON(dev, !dev->driver->fbdev_probe))
+@@ -1653,12 +1645,6 @@ static int drm_fb_helper_single_fb_probe
+       strcpy(fb_helper->fb->comm, "[fbcon]");
+-      info = fb_helper->info;
+-
+-      /* Set the fb info for vgaswitcheroo clients. Does nothing otherwise. */
+-      if (dev_is_pci(info->device))
+-              vga_switcheroo_client_fb_set(to_pci_dev(info->device), info);
+-
+       return 0;
+ }
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -66,6 +66,7 @@
+ #include <linux/string.h>
+ #include <linux/kd.h>
+ #include <linux/panic.h>
++#include <linux/pci.h>
+ #include <linux/printk.h>
+ #include <linux/slab.h>
+ #include <linux/fb.h>
+@@ -78,6 +79,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/crc32.h> /* For counting font checksums */
+ #include <linux/uaccess.h>
++#include <linux/vga_switcheroo.h>
+ #include <asm/irq.h>
+ #include "fbcon.h"
+@@ -2906,6 +2908,9 @@ void fbcon_fb_unregistered(struct fb_inf
+       console_lock();
++      if (info->device && dev_is_pci(info->device))
++              vga_switcheroo_client_fb_set(to_pci_dev(info->device), NULL);
++
+       fbcon_registered_fb[info->node] = NULL;
+       fbcon_num_registered_fb--;
+@@ -3039,6 +3044,10 @@ static int do_fb_registered(struct fb_in
+               }
+       }
++      /* Set the fb info for vga_switcheroo clients. Does nothing otherwise. */
++      if (info->device && dev_is_pci(info->device))
++              vga_switcheroo_client_fb_set(to_pci_dev(info->device), info);
++
+       return ret;
+ }
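Review bot: In the fbcon.c part, the `vga_switcheroo_client_fb_set(..., info)` call in do_fb_registered() sits immediately before the final `return ret;`, so it only runs on paths that fall through to the end, and it runs whatever `ret` holds. The start of the function is outside the hunk; if it has an earlier return (a deferred console takeover, for instance), the switcheroo client would never learn about the fb_info on that path, and on a failing path it would be handed one that fbcon did not finish setting up. Placing the call next to the point where the fb_info is recorded in `fbcon_registered_fb[]` would mirror the unregister side, which clears it right after `console_lock()`. Both functions rely on the caller holding the console lock, which a `/* caller holds console_lock */` comment at the new call would make explicit.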
diff --git a/queue-6.17/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch b/queue-6.17/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch
new file mode 100644 (file)
index 0000000..85b646c
--- /dev/null
@@ -0,0 +1,69 @@
+From d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 Mon Sep 17 00:00:00 2001
+From: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
+Date: Mon, 3 Nov 2025 07:21:28 +0800
+Subject: firmware: stratix10-svc: fix bug in saving controller data
+
+From: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
+
+commit d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 upstream.
+
+Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They
+both are of the same data and overrides each other. This resulted in the
+rmmod of the svc driver to fail and throw a kernel panic for kthread_stop
+and fifo free.
+
+Fixes: b5dc75c915cd ("firmware: stratix10-svc: extend svc to support new RSU features")
+Cc: stable@vger.kernel.org # 6.6+
+Signed-off-by: Ang Tien Sung <tiensung.ang@altera.com>
+Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/stratix10-svc.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/stratix10-svc.c
++++ b/drivers/firmware/stratix10-svc.c
+@@ -134,6 +134,7 @@ struct stratix10_svc_data {
+  * @complete_status: state for completion
+  * @svc_fifo_lock: protect access to service message data queue
+  * @invoke_fn: function to issue secure monitor call or hypervisor call
++ * @svc: manages the list of client svc drivers
+  *
+  * This struct is used to create communication channels for service clients, to
+  * handle secure monitor or hypervisor call.
+@@ -150,6 +151,7 @@ struct stratix10_svc_controller {
+       struct completion complete_status;
+       spinlock_t svc_fifo_lock;
+       svc_invoke_fn *invoke_fn;
++      struct stratix10_svc *svc;
+ };
+ /**
+@@ -1206,6 +1208,7 @@ static int stratix10_svc_drv_probe(struc
+               ret = -ENOMEM;
+               goto err_free_kfifo;
+       }
++      controller->svc = svc;
+       svc->stratix10_svc_rsu = platform_device_alloc(STRATIX10_RSU, 0);
+       if (!svc->stratix10_svc_rsu) {
+@@ -1237,8 +1240,6 @@ static int stratix10_svc_drv_probe(struc
+       if (ret)
+               goto err_unregister_fcs_dev;
+-      dev_set_drvdata(dev, svc);
+-
+       pr_info("Intel Service Layer Driver Initialized\n");
+       return 0;
+@@ -1256,8 +1257,8 @@ err_destroy_pool:
+ static void stratix10_svc_drv_remove(struct platform_device *pdev)
+ {
+-      struct stratix10_svc *svc = dev_get_drvdata(&pdev->dev);
+       struct stratix10_svc_controller *ctrl = platform_get_drvdata(pdev);
++      struct stratix10_svc *svc = ctrl->svc;
+       of_platform_depopulate(ctrl->dev);
diff --git a/queue-6.17/io_uring-net-ensure-vectored-buffer-node-import-is-tied-to-notification.patch b/queue-6.17/io_uring-net-ensure-vectored-buffer-node-import-is-tied-to-notification.patch
new file mode 100644 (file)
index 0000000..1d08bb1
--- /dev/null
@@ -0,0 +1,39 @@
+From f6041803a831266a2a5a5b5af66f7de0845bcbf3 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 24 Nov 2025 10:59:02 -0700
+Subject: io_uring/net: ensure vectored buffer node import is tied to notification
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit f6041803a831266a2a5a5b5af66f7de0845bcbf3 upstream.
+
+When support for vectored registered buffers was added, the import
+itself is using 'req' rather than the notification io_kiocb, sr->notif.
+For non-vectored imports, sr->notif is correctly used. This is important
+as the lifetime of the two may be different. Use the correct io_kiocb
+for the vectored buffer import.
+
+Cc: stable@vger.kernel.org
+Fixes: 23371eac7d9a ("io_uring/net: implement vectored reg bufs for zctx")
+Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-463332873@google.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1542,8 +1542,10 @@ int io_sendmsg_zc(struct io_kiocb *req,
+               unsigned uvec_segs = kmsg->msg.msg_iter.nr_segs;
+               int ret;
+-              ret = io_import_reg_vec(ITER_SOURCE, &kmsg->msg.msg_iter, req,
+-                                      &kmsg->vec, uvec_segs, issue_flags);
++              sr->notif->buf_index = req->buf_index;
++              ret = io_import_reg_vec(ITER_SOURCE, &kmsg->msg.msg_iter,
++                                      sr->notif, &kmsg->vec, uvec_segs,
++                                      issue_flags);
+               if (unlikely(ret))
+                       return ret;
+               req->flags &= ~REQ_F_IMPORT_BUFFER;
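Review bot: The added `sr->notif->buf_index = req->buf_index;` in io_sendmsg_zc() carries no comment, so it reads like an unrelated assignment rather than part of the lifetime fix. The description says the import must use sr->notif because the two io_kiocbs can have different lifetimes, and a later cleanup could easily switch the argument back to `req`. A comment above the two lines would prevent that, e.g. `/* import via sr->notif, not req: the two io_kiocbs can have different lifetimes */`. The function body starts and ends outside the hunk, so the other users of `req->buf_index` on this path cannot be checked from here.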
diff --git a/queue-6.17/iommufd-driver-fix-counter-initialization-for-counted_by-annotation.patch b/queue-6.17/iommufd-driver-fix-counter-initialization-for-counted_by-annotation.patch
new file mode 100644 (file)
index 0000000..8ee9a23
--- /dev/null
@@ -0,0 +1,45 @@
+From ac84ff453305d12bc799074a9f9af30ff97fff70 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Tue, 11 Nov 2025 18:01:24 +0900
+Subject: iommufd/driver: Fix counter initialization for counted_by annotation
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit ac84ff453305d12bc799074a9f9af30ff97fff70 upstream.
+
+One of the requirements for counted_by annotations is that the counter
+member must be initialized before the first reference to the
+flexible-array member.
+
+Move the vevent->data_len = data_len; initialization to before the
+first access to flexible array vevent->event_data.
+
+Link: https://patch.msgid.link/r/aRL7ZFFqM5bRTd2D@kspp
+Cc: stable@vger.kernel.org
+Fixes: e8e1ef9b77a7 ("iommufd/viommu: Add iommufd_viommu_report_event helper")
+Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/iommufd/driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iommufd/driver.c b/drivers/iommu/iommufd/driver.c
+index 6f1010da221c..21d4a35538f6 100644
+--- a/drivers/iommu/iommufd/driver.c
++++ b/drivers/iommu/iommufd/driver.c
+@@ -161,8 +161,8 @@ int iommufd_viommu_report_event(struct iommufd_viommu *viommu,
+               vevent = &veventq->lost_events_header;
+               goto out_set_header;
+       }
+-      memcpy(vevent->event_data, event_data, data_len);
+       vevent->data_len = data_len;
++      memcpy(vevent->event_data, event_data, data_len);
+       veventq->num_events++;
+ out_set_header:
+-- 
+2.52.0
+
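Review bot: Nothing at the reordered lines in iommufd_viommu_report_event() records that the order is now required: `vevent->data_len = data_len;` must precede the `memcpy()` into `vevent->event_data` because of the counted_by annotation the description refers to. A one-line comment above the assignment, e.g. `/* counted_by: set data_len before the first access to event_data */`, would stop a later tidy-up from swapping them back. The allocation of vevent is outside the hunk, so whether data_len is bounded against the allocated size cannot be confirmed from here.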
diff --git a/queue-6.17/mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch b/queue-6.17/mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch
new file mode 100644 (file)
index 0000000..06cb8c8
--- /dev/null
@@ -0,0 +1,71 @@
+From cff47b9e39a6abf03dde5f4f156f841b0c54bba0 Mon Sep 17 00:00:00 2001
+From: Wei Yang <richard.weiyang@gmail.com>
+Date: Wed, 19 Nov 2025 23:53:02 +0000
+Subject: mm/huge_memory: fix NULL pointer deference when splitting folio
+
+From: Wei Yang <richard.weiyang@gmail.com>
+
+commit cff47b9e39a6abf03dde5f4f156f841b0c54bba0 upstream.
+
+Commit c010d47f107f ("mm: thp: split huge page to any lower order pages")
+introduced an early check on the folio's order via mapping->flags before
+proceeding with the split work.
+
+This check introduced a bug: for shmem folios in the swap cache and
+truncated folios, the mapping pointer can be NULL.  Accessing
+mapping->flags in this state leads directly to a NULL pointer dereference.
+
+This commit fixes the issue by moving the check for mapping != NULL before
+any attempt to access mapping->flags.
+
+Link: https://lkml.kernel.org/r/20251119235302.24773-1-richard.weiyang@gmail.com
+Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages")
+Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
+Reviewed-by: Zi Yan <ziy@nvidia.com>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c |   22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -3626,6 +3626,16 @@ static int __folio_split(struct folio *f
+       if (folio != page_folio(split_at) || folio != page_folio(lock_at))
+               return -EINVAL;
++      /*
++       * Folios that just got truncated cannot get split. Signal to the
++       * caller that there was a race.
++       *
++       * TODO: this will also currently refuse shmem folios that are in the
++       * swapcache.
++       */
++      if (!is_anon && !folio->mapping)
++              return -EBUSY;
++
+       if (new_order >= folio_order(folio))
+               return -EINVAL;
+@@ -3666,18 +3676,6 @@ static int __folio_split(struct folio *f
+               gfp_t gfp;
+               mapping = folio->mapping;
+-
+-              /* Truncated ? */
+-              /*
+-               * TODO: add support for large shmem folio in swap cache.
+-               * When shmem is in swap cache, mapping is NULL and
+-               * folio_test_swapcache() is true.
+-               */
+-              if (!mapping) {
+-                      ret = -EBUSY;
+-                      goto out;
+-              }
+-
+               min_order = mapping_min_folio_order(folio->mapping);
+               if (new_order < min_order) {
+                       ret = -EINVAL;
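Review bot: With the local check removed, the later block in __folio_split() calls `mapping_min_folio_order(folio->mapping)` with no NULL test beside it. It is safe only because of the new early `if (!is_anon && !folio->mapping) return -EBUSY;` and only if the mapping cannot be cleared between the two points, which is presumably guaranteed by the folio lock but is not shown in either hunk. A comment at the second site, e.g. `/* mapping is non-NULL: rejected on entry, folio stays locked */`, would document that dependency. Passing the local `mapping` that was just assigned, instead of re-reading `folio->mapping`, would also make it clear that one value is used. The function body extends beyond both hunks.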
diff --git a/queue-6.17/mm-memfd-fix-information-leak-in-hugetlb-folios.patch b/queue-6.17/mm-memfd-fix-information-leak-in-hugetlb-folios.patch
new file mode 100644 (file)
index 0000000..fe9bafa
--- /dev/null
@@ -0,0 +1,94 @@
+From de8798965fd0d9a6c47fc2ac57767ec32de12b49 Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Wed, 12 Nov 2025 20:20:34 +0530
+Subject: mm/memfd: fix information leak in hugetlb folios
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit de8798965fd0d9a6c47fc2ac57767ec32de12b49 upstream.
+
+When allocating hugetlb folios for memfd, three initialization steps are
+missing:
+
+1. Folios are not zeroed, leading to kernel memory disclosure to userspace
+2. Folios are not marked uptodate before adding to page cache
+3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache()
+
+The memfd allocation path bypasses the normal page fault handler
+(hugetlb_no_page) which would handle all of these initialization steps.
+This is problematic especially for udmabuf use cases where folios are
+pinned and directly accessed by userspace via DMA.
+
+Fix by matching the initialization pattern used in hugetlb_no_page():
+- Zero the folio using folio_zero_user() which is optimized for huge pages
+- Mark it uptodate with folio_mark_uptodate()
+- Take hugetlb_fault_mutex before adding to page cache to prevent races
+
+The folio_zero_user() change also fixes a potential security issue where
+uninitialized kernel memory could be disclosed to userspace through read()
+or mmap() operations on the memfd.
+
+Link: https://lkml.kernel.org/r/20251112145034.2320452-1-kartikey406@gmail.com
+Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios")
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reported-by: syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/20251112031631.2315651-1-kartikey406@gmail.com/ [v1]
+Closes: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b
+Suggested-by: Oscar Salvador <osalvador@suse.de>
+Suggested-by: David Hildenbrand <david@redhat.com>
+Tested-by: syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com
+Acked-by: Oscar Salvador <osalvador@suse.de>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Acked-by: Hugh Dickins <hughd@google.com>
+Cc: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com> (v2)
+Cc: Christoph Hellwig <hch@lst.de> (v6)
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memfd.c |   27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/mm/memfd.c
++++ b/mm/memfd.c
+@@ -96,9 +96,36 @@ struct folio *memfd_alloc_folio(struct f
+                                                   NULL,
+                                                   gfp_mask);
+               if (folio) {
++                      u32 hash;
++
++                      /*
++                       * Zero the folio to prevent information leaks to userspace.
++                       * Use folio_zero_user() which is optimized for huge/gigantic
++                       * pages. Pass 0 as addr_hint since this is not a faulting path
++                       *  and we don't have a user virtual address yet.
++                       */
++                      folio_zero_user(folio, 0);
++
++                      /*
++                       * Mark the folio uptodate before adding to page cache,
++                       * as required by filemap.c and other hugetlb paths.
++                       */
++                      __folio_mark_uptodate(folio);
++
++                      /*
++                       * Serialize hugepage allocation and instantiation to prevent
++                       * races with concurrent allocations, as required by all other
++                       * callers of hugetlb_add_to_page_cache().
++                       */
++                      hash = hugetlb_fault_mutex_hash(memfd->f_mapping, idx);
++                      mutex_lock(&hugetlb_fault_mutex_table[hash]);
++
+                       err = hugetlb_add_to_page_cache(folio,
+                                                       memfd->f_mapping,
+                                                       idx);
++
++                      mutex_unlock(&hugetlb_fault_mutex_table[hash]);
++
+                       if (err) {
+                               folio_put(folio);
+                               goto err_unresv;
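Review bot: The description says the folio is marked uptodate with folio_mark_uptodate(), but the code calls `__folio_mark_uptodate(folio)`, and the comment above it does not say why the non-atomic variant is the right one. If the reason is that the folio is freshly allocated and not yet visible in the page cache, which is how the hunk reads, the comment should say so, e.g. `/* not yet in the page cache, so the non-atomic variant is sufficient */`. The zeroing also covers only the folio allocated in this branch; any other path in memfd_alloc_folio() that can hand back a hugetlb folio lies outside the hunk and is worth checking for the same disclosure.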
diff --git a/queue-6.17/mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch b/queue-6.17/mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch
new file mode 100644 (file)
index 0000000..ed21e9f
--- /dev/null
@@ -0,0 +1,95 @@
+From 747528729c9b6733839f9c95f300d5bef95ee52c Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang <jszhang@kernel.org>
+Date: Mon, 17 Nov 2025 08:01:32 +0800
+Subject: mmc: sdhci-of-dwcmshc: Promote the th1520 reset handling to ip level
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+commit 747528729c9b6733839f9c95f300d5bef95ee52c upstream.
+
+Commit 27e8fe0da3b7 ("mmc: sdhci-of-dwcmshc: Prevent stale command
+interrupt handling") clears pending interrupts when resetting
+host->pending_reset to ensure no pending stale interrupts after
+sdhci_threaded_irq restores interrupts. But this fix is only added for
+th1520 platforms, in fact per my test, this issue exists on all
+dwcmshc users, such as cv1800b, sg2002, and synaptics platforms.
+
+So promote the above reset handling from th1520 to ip level. And keep
+reset handling on rk, sg2042 and bf3 as is, until it's confirmed that
+the same issue exists on these platforms too.
+
+Fixes: 017199c2849c ("mmc: sdhci-of-dwcmshc: Add support for Sophgo CV1800B and SG2002")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-dwcmshc.c |   29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
+@@ -289,6 +289,19 @@ static void dwcmshc_adma_write_desc(stru
+       sdhci_adma_write_desc(host, desc, addr, len, cmd);
+ }
++static void dwcmshc_reset(struct sdhci_host *host, u8 mask)
++{
++      sdhci_reset(host, mask);
++
++      /* The dwcmshc does not comply with the SDHCI specification
++       * regarding the "Software Reset for CMD line should clear 'Command
++       * Complete' in the Normal Interrupt Status Register." Clear the bit
++       * here to compensate for this quirk.
++       */
++      if (mask & SDHCI_RESET_CMD)
++              sdhci_writel(host, SDHCI_INT_RESPONSE, SDHCI_INT_STATUS);
++}
++
+ static unsigned int dwcmshc_get_max_clock(struct sdhci_host *host)
+ {
+       struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+@@ -832,15 +845,7 @@ static void th1520_sdhci_reset(struct sd
+       struct dwcmshc_priv *priv = sdhci_pltfm_priv(pltfm_host);
+       u16 ctrl_2;
+-      sdhci_reset(host, mask);
+-
+-      /* The T-Head 1520 SoC does not comply with the SDHCI specification
+-       * regarding the "Software Reset for CMD line should clear 'Command
+-       * Complete' in the Normal Interrupt Status Register." Clear the bit
+-       * here to compensate for this quirk.
+-       */
+-      if (mask & SDHCI_RESET_CMD)
+-              sdhci_writel(host, SDHCI_INT_RESPONSE, SDHCI_INT_STATUS);
++      dwcmshc_reset(host, mask);
+       if (priv->flags & FLAG_IO_FIXED_1V8) {
+               ctrl_2 = sdhci_readw(host, SDHCI_HOST_CONTROL2);
+@@ -886,7 +891,7 @@ static void cv18xx_sdhci_reset(struct sd
+       struct dwcmshc_priv *priv = sdhci_pltfm_priv(pltfm_host);
+       u32 val, emmc_caps = MMC_CAP2_NO_SD | MMC_CAP2_NO_SDIO;
+-      sdhci_reset(host, mask);
++      dwcmshc_reset(host, mask);
+       if ((host->mmc->caps2 & emmc_caps) == emmc_caps) {
+               val = sdhci_readl(host, priv->vendor_specific_area1 + CV18XX_SDHCI_MSHC_CTRL);
+@@ -958,7 +963,7 @@ static void cv18xx_sdhci_post_tuning(str
+       val |= SDHCI_INT_DATA_AVAIL;
+       sdhci_writel(host, val, SDHCI_INT_STATUS);
+-      sdhci_reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA);
++      dwcmshc_reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA);
+ }
+ static int cv18xx_sdhci_execute_tuning(struct sdhci_host *host, u32 opcode)
+@@ -1100,7 +1105,7 @@ static const struct sdhci_ops sdhci_dwcm
+       .set_bus_width          = sdhci_set_bus_width,
+       .set_uhs_signaling      = dwcmshc_set_uhs_signaling,
+       .get_max_clock          = dwcmshc_get_max_clock,
+-      .reset                  = sdhci_reset,
++      .reset                  = dwcmshc_reset,
+       .adma_write_desc        = dwcmshc_adma_write_desc,
+       .irq                    = dwcmshc_cqe_irq_handler,
+ };
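Review bot: The comment in the new `dwcmshc_reset()` presents the quirk as IP-wide ("The dwcmshc does not comply ..."), yet the description says the rk, sg2042 and bf3 reset paths deliberately keep their old handling until the issue is confirmed there. The helper's comment should record that exception so a reader does not assume every dwcmshc variant goes through it, for instance by appending `Not yet applied to rk, sg2042 and bf3, pending confirmation.` The block comment also starts its text on the `/*` line, which differs from the usual kernel multi-line layout.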
diff --git a/queue-6.17/mptcp-clear-scheduled-subflows-on-retransmit.patch b/queue-6.17/mptcp-clear-scheduled-subflows-on-retransmit.patch
new file mode 100644 (file)
index 0000000..0d51e0e
--- /dev/null
@@ -0,0 +1,68 @@
+From 27fd02860164bfa78cec2640dfad630d832e302c Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 25 Nov 2025 17:59:11 +0100
+Subject: mptcp: clear scheduled subflows on retransmit
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 27fd02860164bfa78cec2640dfad630d832e302c upstream.
+
+When __mptcp_retrans() kicks-in, it schedules one or more subflows for
+retransmission, but such subflows could be actually left alone if there
+is no more data to retransmit and/or in case of concurrent fallback.
+
+Scheduled subflows could be processed much later in time, i.e. when new
+data will be transmitted, leading to bad subflow selection.
+
+Explicitly clear all scheduled subflows before leaving the
+retransmission function.
+
+Fixes: ee2708aedad0 ("mptcp: use get_retrans wrapper")
+Cc: stable@vger.kernel.org
+Reported-by: Filip Pokryvka <fpokryvk@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251125-net-mptcp-clear-sched-rtx-v1-1-1cea4ad2165f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2637,7 +2637,7 @@ static void __mptcp_retrans(struct sock
+               }
+               if (!mptcp_send_head(sk))
+-                      return;
++                      goto clear_scheduled;
+               goto reset_timer;
+       }
+@@ -2668,7 +2668,7 @@ static void __mptcp_retrans(struct sock
+                       if (__mptcp_check_fallback(msk)) {
+                               spin_unlock_bh(&msk->fallback_lock);
+                               release_sock(ssk);
+-                              return;
++                              goto clear_scheduled;
+                       }
+                       while (info.sent < info.limit) {
+@@ -2700,6 +2700,15 @@ reset_timer:
+       if (!mptcp_rtx_timer_pending(sk))
+               mptcp_reset_rtx_timer(sk);
++
++clear_scheduled:
++      /* If no rtx data was available or in case of fallback, there
++       * could be left-over scheduled subflows; clear them all
++       * or later xmit could use bad ones
++       */
++      mptcp_for_each_subflow(msk, subflow)
++              if (READ_ONCE(subflow->scheduled))
++                      mptcp_subflow_set_scheduled(subflow, false);
+ }
+ /* schedule the timeout timer for the relevant event: either close timeout
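Review bot: The loop added under `clear_scheduled:` in __mptcp_retrans() has a multi-line body without braces: `mptcp_for_each_subflow(msk, subflow)` followed directly by an `if` and its statement. Kernel style normally braces a loop whose body is more than one simple statement, so wrapping it as `mptcp_for_each_subflow(msk, subflow) {` ... `}` is less fragile if a second statement is ever added. The normal path also falls through `reset_timer:` into this label, so the clearing runs on every exit that reaches it and not only on the two new `goto clear_scheduled;` sites. The comment mentions only the no-data and fallback cases and could state that as well.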
diff --git a/queue-6.17/mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch b/queue-6.17/mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch
new file mode 100644 (file)
index 0000000..99a2f4e
--- /dev/null
@@ -0,0 +1,90 @@
+From f07f4ea53e22429c84b20832fa098b5ecc0d4e35 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@google.com>
+Date: Tue, 25 Nov 2025 19:53:29 +0000
+Subject: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+commit f07f4ea53e22429c84b20832fa098b5ecc0d4e35 upstream.
+
+syzbot reported divide-by-zero in __tcp_select_window() by
+MPTCP socket. [0]
+
+We had a similar issue for the bare TCP and fixed in commit
+499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead
+of 0").
+
+Let's apply the same fix to mptcp_do_fastclose().
+
+[0]:
+Oops: divide error: 0000 [#1] SMP KASAN PTI
+CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336
+Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00
+RSP: 0018:ffffc90003017640 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028
+R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS:  000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ tcp_select_window net/ipv4/tcp_output.c:281 [inline]
+ __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568
+ tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline]
+ tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836
+ mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793
+ mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253
+ mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776
+ mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0xe5/0x270 net/socket.c:742
+ __sys_sendto+0x3bd/0x520 net/socket.c:2244
+ __do_sys_sendto net/socket.c:2251 [inline]
+ __se_sys_sendto net/socket.c:2247 [inline]
+ __x64_sys_sendto+0xde/0x100 net/socket.c:2247
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f66e998f749
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006
+ </TASK>
+
+Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose")
+Reported-by: syzbot+3a92d359bc2ec6255a33@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69260882.a70a0220.d98e3.00b4.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251125195331.309558-1-kuniyu@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2770,6 +2770,12 @@ static void mptcp_do_fastclose(struct so
+                       goto unlock;
+               subflow->send_fastclose = 1;
++
++              /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
++               * issue in __tcp_select_window(), see tcp_disconnect().
++               */
++              inet_csk(ssk)->icsk_ack.rcv_mss = TCP_MIN_MSS;
++
+               tcp_send_active_reset(ssk, ssk->sk_allocation,
+                                     SK_RST_REASON_TCP_ABORT_ON_CLOSE);
+ unlock:
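Review bot: The new `inet_csk(ssk)->icsk_ack.rcv_mss = TCP_MIN_MSS;` in mptcp_do_fastclose() is unconditional, so it also overwrites a non-zero rcv_mss on subflows that already had one. That looks harmless because the subflow is reset by the call right after it, but the comment covers only the divide-by-zero case. Adding a phrase such as `the previous value no longer matters, the subflow is being aborted` would make the intent explicit; alternatively the store could be guarded with `if (!inet_csk(ssk)->icsk_ack.rcv_mss)`. The loop this sits in begins outside the hunk.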
diff --git a/queue-6.17/nvmem-layouts-fix-nvmem_layout_bus_uevent.patch b/queue-6.17/nvmem-layouts-fix-nvmem_layout_bus_uevent.patch
new file mode 100644 (file)
index 0000000..eca70c0
--- /dev/null
@@ -0,0 +1,35 @@
+From 03bc4831ef064e114328dea906101cff7c6fb8b3 Mon Sep 17 00:00:00 2001
+From: Wentao Guan <guanwentao@uniontech.com>
+Date: Fri, 14 Nov 2025 11:05:39 +0000
+Subject: nvmem: layouts: fix nvmem_layout_bus_uevent
+
+From: Wentao Guan <guanwentao@uniontech.com>
+
+commit 03bc4831ef064e114328dea906101cff7c6fb8b3 upstream.
+
+correctly check the ENODEV return value.
+
+Fixes: 810b790033cc ("nvmem: layouts: fix automatic module loading")
+CC: stable@vger.kernel.org
+Co-developed-by: WangYuli <wangyl5933@chinaunicom.cn>
+Signed-off-by: WangYuli <wangyl5933@chinaunicom.cn>
+Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20251114110539.143154-1-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/layouts.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvmem/layouts.c
++++ b/drivers/nvmem/layouts.c
+@@ -51,7 +51,7 @@ static int nvmem_layout_bus_uevent(const
+       int ret;
+       ret = of_device_uevent_modalias(dev, env);
+-      if (ret != ENODEV)
++      if (ret != -ENODEV)
+               return ret;
+       return 0;
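Review bot: The corrected test `if (ret != -ENODEV) return ret;` in nvmem_layout_bus_uevent() still leaves the reader to work out why -ENODEV is swallowed and turned into 0. A comment such as `/* -ENODEV: no OF modalias for this device; not an error for the uevent */` would explain it, assuming that is what of_device_uevent_modalias() means by that code, which the hunk does not show. It is also worth recording that the old comparison against positive `ENODEV` presumably never matched a negative errno, so -ENODEV was passed back to the caller as a failure.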
diff --git a/queue-6.17/pmdomain-tegra-add-genpd_flag_no_stay_on-flag.patch b/queue-6.17/pmdomain-tegra-add-genpd_flag_no_stay_on-flag.patch
new file mode 100644 (file)
index 0000000..42cbc6e
--- /dev/null
@@ -0,0 +1,34 @@
+From c98c99d5dbdf9fb0063650594edfd7d49b5f4e29 Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Fri, 21 Nov 2025 14:10:03 +0000
+Subject: pmdomain: tegra: Add GENPD_FLAG_NO_STAY_ON flag
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit c98c99d5dbdf9fb0063650594edfd7d49b5f4e29 upstream.
+
+Commit 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on until
+late_initcall_sync") kept power-domains on longer during boot which is
+causing some GPU related tests to fail on Tegra234. While this is being
+investigated, add the flag GENPD_FLAG_NO_STAY_ON for Tegra devices to
+restore the previous behaviour to fix this.
+
+Fixes: 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on until late_initcall_sync")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/tegra/powergate-bpmp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pmdomain/tegra/powergate-bpmp.c
++++ b/drivers/pmdomain/tegra/powergate-bpmp.c
+@@ -184,6 +184,7 @@ tegra_powergate_add(struct tegra_bpmp *b
+       powergate->genpd.name = kstrdup(info->name, GFP_KERNEL);
+       powergate->genpd.power_on = tegra_powergate_power_on;
+       powergate->genpd.power_off = tegra_powergate_power_off;
++      powergate->genpd.flags = GENPD_FLAG_NO_STAY_ON;
+       err = pm_genpd_init(&powergate->genpd, NULL, off);
+       if (err < 0) {
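Review bot: `powergate->genpd.flags = GENPD_FLAG_NO_STAY_ON;` is described as a stop-gap while GPU test failures on Tegra234 are investigated, but nothing in the code marks it as temporary. A comment on the line would make it findable when the investigation concludes, e.g. `/* workaround: restore pre-13a4b7fb6260 power-off behaviour, revisit once the Tegra234 GPU failures are understood */`. The plain `=` also discards any flag set on `genpd` earlier in tegra_powergate_add(). The start of the function is outside the hunk, so if flags can be set there, `|=` is the safer form.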
diff --git a/queue-6.17/r8169-fix-rtl8127-hang-on-suspend-shutdown.patch b/queue-6.17/r8169-fix-rtl8127-hang-on-suspend-shutdown.patch
new file mode 100644 (file)
index 0000000..41c38e8
--- /dev/null
@@ -0,0 +1,60 @@
+From ae1737e7339b513f8c2fc21b500a0fc215d155c3 Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sat, 22 Nov 2025 15:23:02 +0100
+Subject: r8169: fix RTL8127 hang on suspend/shutdown
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit ae1737e7339b513f8c2fc21b500a0fc215d155c3 upstream.
+
+There have been reports that RTL8127 hangs on suspend and shutdown,
+partially disappearing from lspci until power-cycling.
+According to Realtek disabling PLL's when switching to D3 should be
+avoided on that chip version. Fix this by aligning disabling PLL's
+with the vendor drivers, what in addition results in PLL's not being
+disabled when switching to D3hot on other chip versions.
+
+Fixes: f24f7b2f3af9 ("r8169: add support for RTL8127A")
+Tested-by: Fabio Baltieri <fabio.baltieri@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://patch.msgid.link/d7faae7e-66bc-404a-a432-3a496600575f@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index d18734fe12e4..853aabedb128 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -1514,11 +1514,20 @@ static enum rtl_dash_type rtl_get_dash_type(struct rtl8169_private *tp)
+ static void rtl_set_d3_pll_down(struct rtl8169_private *tp, bool enable)
+ {
+-      if (tp->mac_version >= RTL_GIGA_MAC_VER_25 &&
+-          tp->mac_version != RTL_GIGA_MAC_VER_28 &&
+-          tp->mac_version != RTL_GIGA_MAC_VER_31 &&
+-          tp->mac_version != RTL_GIGA_MAC_VER_38)
+-              r8169_mod_reg8_cond(tp, PMCH, D3_NO_PLL_DOWN, !enable);
++      switch (tp->mac_version) {
++      case RTL_GIGA_MAC_VER_02 ... RTL_GIGA_MAC_VER_24:
++      case RTL_GIGA_MAC_VER_28:
++      case RTL_GIGA_MAC_VER_31:
++      case RTL_GIGA_MAC_VER_38:
++              break;
++      case RTL_GIGA_MAC_VER_80:
++              r8169_mod_reg8_cond(tp, PMCH, D3_NO_PLL_DOWN, true);
++              break;
++      default:
++              r8169_mod_reg8_cond(tp, PMCH, D3HOT_NO_PLL_DOWN, true);
++              r8169_mod_reg8_cond(tp, PMCH, D3COLD_NO_PLL_DOWN, !enable);
++              break;
++      }
+ }
+ static void rtl_reset_packet_filter(struct rtl8169_private *tp)
+-- 
+2.52.0
+
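Review bot: In the rewritten `rtl_set_d3_pll_down()` the `enable` argument is ignored for `RTL_GIGA_MAC_VER_80` and for the D3hot bit in the `default` case; only `D3COLD_NO_PLL_DOWN` still follows `!enable`. That matches the description, but the function has no comment, and a caller passing `enable = true` would reasonably expect the PLLs to be allowed down in D3 on every chip. A short header comment would cover it by saying which bits are forced and why, namely that Realtek advises against PLL-down in D3 on RTL8127 (presumably the VER_80 case) and that D3hot now follows the vendor drivers.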
diff --git a/queue-6.17/regulator-rtq2208-correct-buck-group2-phase-mapping-logic.patch b/queue-6.17/regulator-rtq2208-correct-buck-group2-phase-mapping-logic.patch
new file mode 100644 (file)
index 0000000..596d133
--- /dev/null
@@ -0,0 +1,46 @@
+From 45cc214152bc1f6b1cc135532cd7cdbe08716aaf Mon Sep 17 00:00:00 2001
+From: ChiYuan Huang <cy_huang@richtek.com>
+Date: Thu, 27 Nov 2025 10:25:50 +0800
+Subject: regulator: rtq2208: Correct buck group2 phase mapping logic
+
+From: ChiYuan Huang <cy_huang@richtek.com>
+
+commit 45cc214152bc1f6b1cc135532cd7cdbe08716aaf upstream.
+
+Correct buck group2 H and F mapping logic.
+
+Cc: stable@vger.kernel.org
+Reported-by: Yoon Dong Min <dm.youn@telechips.com>
+Fixes: 1742e7e978ba ("regulator: rtq2208: Fix incorrect buck converter phase mapping")
+Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
+Link: https://patch.msgid.link/8527ae02a72b754d89b7580a5fe7474d6f80f5c3.1764209258.git.cy_huang@richtek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/rtq2208-regulator.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/regulator/rtq2208-regulator.c b/drivers/regulator/rtq2208-regulator.c
+index 9cde7181b0f0..4a174e27c579 100644
+--- a/drivers/regulator/rtq2208-regulator.c
++++ b/drivers/regulator/rtq2208-regulator.c
+@@ -543,14 +543,14 @@ static int rtq2208_regulator_check(struct device *dev, int *num, int *regulator_
+       switch (FIELD_GET(RTQ2208_MASK_BUCKPH_GROUP2, buck_phase)) {
+       case 2:
+-              rtq2208_used_table[RTQ2208_BUCK_F] = true;
++              rtq2208_used_table[RTQ2208_BUCK_H] = true;
+               fallthrough;
+       case 1:
+               rtq2208_used_table[RTQ2208_BUCK_E] = true;
+               fallthrough;
+       case 0:
+       case 3:
+-              rtq2208_used_table[RTQ2208_BUCK_H] = true;
++              rtq2208_used_table[RTQ2208_BUCK_F] = true;
+               fallthrough;
+       default:
+               rtq2208_used_table[RTQ2208_BUCK_G] = true;
+-- 
+2.52.0
+
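Review bot: The fallthrough ladder in rtq2208_regulator_check() has now been corrected twice, since this commit fixes an earlier fix, and nothing beside it says which bucks each `RTQ2208_MASK_BUCKPH_GROUP2` value marks as used. As written after the change, 2 marks H, E, F and G, 1 marks E, F and G, 0 and 3 mark F and G, and any other value marks only G. A comment listing that mapping next to the `switch` would let a reviewer compare it with the datasheet without tracing the fallthroughs. The switch and the function continue past the end of the hunk.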
diff --git a/queue-6.17/regulator-rtq2208-correct-ldo2-logic-judgment-bits.patch b/queue-6.17/regulator-rtq2208-correct-ldo2-logic-judgment-bits.patch
new file mode 100644 (file)
index 0000000..aaacac0
--- /dev/null
@@ -0,0 +1,38 @@
+From 8684229e19c4185d53d6fb7004d733907c865a91 Mon Sep 17 00:00:00 2001
+From: ChiYuan Huang <cy_huang@richtek.com>
+Date: Thu, 27 Nov 2025 10:25:51 +0800
+Subject: regulator: rtq2208: Correct LDO2 logic judgment bits
+
+From: ChiYuan Huang <cy_huang@richtek.com>
+
+commit 8684229e19c4185d53d6fb7004d733907c865a91 upstream.
+
+The LDO2 judgement bit position should be 7, not 6.
+
+Cc: stable@vger.kernel.org
+Reported-by: Yoon Dong Min <dm.youn@telechips.com>
+Fixes: b65439d90150 ("regulator: rtq2208: Fix the LDO DVS capability")
+Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
+Link: https://patch.msgid.link/faadb009f84b88bfcabe39fc5009c7357b00bbe2.1764209258.git.cy_huang@richtek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/rtq2208-regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/rtq2208-regulator.c b/drivers/regulator/rtq2208-regulator.c
+index 4a174e27c579..f669a562f036 100644
+--- a/drivers/regulator/rtq2208-regulator.c
++++ b/drivers/regulator/rtq2208-regulator.c
+@@ -53,7 +53,7 @@
+ #define RTQ2208_MASK_BUCKPH_GROUP1            GENMASK(6, 4)
+ #define RTQ2208_MASK_BUCKPH_GROUP2            GENMASK(2, 0)
+ #define RTQ2208_MASK_LDO2_OPT0                        BIT(7)
+-#define RTQ2208_MASK_LDO2_OPT1                        BIT(6)
++#define RTQ2208_MASK_LDO2_OPT1                        BIT(7)
+ #define RTQ2208_MASK_LDO1_FIXED                       BIT(6)
+ /* Size */
+-- 
+2.52.0
+
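Review bot: After this change `RTQ2208_MASK_LDO2_OPT0` and `RTQ2208_MASK_LDO2_OPT1` are both `BIT(7)` while `RTQ2208_MASK_LDO1_FIXED` stays `BIT(6)`, and nothing in the define block of drivers/regulator/rtq2208-regulator.c says which register each mask is applied to. Presumably OPT0 and OPT1 are read from different registers. If so, a short comment above the group, e.g. `/* LDO2_OPT0 and LDO2_OPT1 share bit 7 but are tested against different option registers */`, would keep a later reader from treating the identical values as a copy-paste slip and changing one back. The code that consumes the masks is outside this hunk, so the register assignment should be confirmed there before wording the comment.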
diff --git a/queue-6.17/serial-8250-fix-8250_rsa-symbol-loop.patch b/queue-6.17/serial-8250-fix-8250_rsa-symbol-loop.patch
new file mode 100644 (file)
index 0000000..b00bb88
--- /dev/null
@@ -0,0 +1,193 @@
+From 2bf95a9bcb50002ca9d47403d60aedaeb2e19abe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Mon, 10 Nov 2025 12:50:43 +0200
+Subject: serial: 8250: Fix 8250_rsa symbol loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit 2bf95a9bcb50002ca9d47403d60aedaeb2e19abe upstream.
+
+Depmod fails for a kernel made with:
+  make allnoconfig
+  echo -e "CONFIG_MODULES=y\nCONFIG_SERIAL_8250=m\nCONFIG_SERIAL_8250_EXTENDED=y\nCONFIG_SERIAL_8250_RSA=y" >> .config
+  make olddefconfig
+
+...due to a dependency loop:
+
+  depmod: ERROR: Cycle detected: 8250 -> 8250_base -> 8250
+  depmod: ERROR: Found 2 modules in dependency cycles!
+
+This is caused by the move of 8250 RSA code from 8250_port.c (in
+8250_base.ko) into 8250_rsa.c (in 8250.ko) by the commit 5a128fb475fb
+("serial: 8250: move RSA functions to 8250_rsa.c"). The commit
+b20d6576cdb3 ("serial: 8250: export RSA functions") tried to fix a
+missing symbol issue with EXPORTs but those then cause this dependency
+cycle.
+
+Break dependency loop by moving 8250_rsa.o from 8250.ko to 8250_base.ko
+and by passing univ8250_port_base_ops to univ8250_rsa_support() that
+can make a local copy of it.
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Reported-by: Alex Davis <alex47794@gmail.com>
+Fixes: 5a128fb475fb ("serial: 8250: move RSA functions to 8250_rsa.c")
+Fixes: b20d6576cdb3 ("serial: 8250: export RSA functions")
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/all/87frc3sd8d.fsf@posteo.net/
+Link: https://lore.kernel.org/all/CADiockCvM6v+d+UoFZpJSMoLAdpy99_h-hJdzUsdfaWGn3W7-g@mail.gmail.com/
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://patch.msgid.link/20251110105043.4062-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250.h          |    4 ++--
+ drivers/tty/serial/8250/8250_platform.c |    2 +-
+ drivers/tty/serial/8250/8250_rsa.c      |   26 +++++++++++++++++---------
+ drivers/tty/serial/8250/Makefile        |    2 +-
+ 4 files changed, 21 insertions(+), 13 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250.h
++++ b/drivers/tty/serial/8250/8250.h
+@@ -317,13 +317,13 @@ static inline void serial8250_pnp_exit(v
+ #endif
+ #ifdef CONFIG_SERIAL_8250_RSA
+-void univ8250_rsa_support(struct uart_ops *ops);
++void univ8250_rsa_support(struct uart_ops *ops, const struct uart_ops *core_ops);
+ void rsa_enable(struct uart_8250_port *up);
+ void rsa_disable(struct uart_8250_port *up);
+ void rsa_autoconfig(struct uart_8250_port *up);
+ void rsa_reset(struct uart_8250_port *up);
+ #else
+-static inline void univ8250_rsa_support(struct uart_ops *ops) { }
++static inline void univ8250_rsa_support(struct uart_ops *ops, const struct uart_ops *core_ops) { }
+ static inline void rsa_enable(struct uart_8250_port *up) {}
+ static inline void rsa_disable(struct uart_8250_port *up) {}
+ static inline void rsa_autoconfig(struct uart_8250_port *up) {}
+--- a/drivers/tty/serial/8250/8250_platform.c
++++ b/drivers/tty/serial/8250/8250_platform.c
+@@ -74,7 +74,7 @@ static void __init __serial8250_isa_init
+       /* chain base port ops to support Remote Supervisor Adapter */
+       univ8250_port_ops = *univ8250_port_base_ops;
+-      univ8250_rsa_support(&univ8250_port_ops);
++      univ8250_rsa_support(&univ8250_port_ops, univ8250_port_base_ops);
+       if (share_irqs)
+               irqflag = IRQF_SHARED;
+--- a/drivers/tty/serial/8250/8250_rsa.c
++++ b/drivers/tty/serial/8250/8250_rsa.c
+@@ -14,6 +14,8 @@
+ static unsigned long probe_rsa[PORT_RSA_MAX];
+ static unsigned int probe_rsa_count;
++static const struct uart_ops *core_port_base_ops;
++
+ static int rsa8250_request_resource(struct uart_8250_port *up)
+ {
+       struct uart_port *port = &up->port;
+@@ -67,7 +69,7 @@ static void univ8250_config_port(struct
+               }
+       }
+-      univ8250_port_base_ops->config_port(port, flags);
++      core_port_base_ops->config_port(port, flags);
+       if (port->type != PORT_RSA && up->probe & UART_PROBE_RSA)
+               rsa8250_release_resource(up);
+@@ -78,11 +80,11 @@ static int univ8250_request_port(struct
+       struct uart_8250_port *up = up_to_u8250p(port);
+       int ret;
+-      ret = univ8250_port_base_ops->request_port(port);
++      ret = core_port_base_ops->request_port(port);
+       if (ret == 0 && port->type == PORT_RSA) {
+               ret = rsa8250_request_resource(up);
+               if (ret < 0)
+-                      univ8250_port_base_ops->release_port(port);
++                      core_port_base_ops->release_port(port);
+       }
+       return ret;
+@@ -94,15 +96,25 @@ static void univ8250_release_port(struct
+       if (port->type == PORT_RSA)
+               rsa8250_release_resource(up);
+-      univ8250_port_base_ops->release_port(port);
++      core_port_base_ops->release_port(port);
+ }
+-void univ8250_rsa_support(struct uart_ops *ops)
++/*
++ * It is not allowed to directly reference any symbols from 8250.ko here as
++ * that would result in a dependency loop between the 8250.ko and
++ * 8250_base.ko modules. This function is called from 8250.ko and is used to
++ * break the symbolic dependency cycle. Anything that is needed from 8250.ko
++ * has to be passed as pointers to this function which then can adjust those
++ * variables on 8250.ko side or store them locally as needed.
++ */
++void univ8250_rsa_support(struct uart_ops *ops, const struct uart_ops *core_ops)
+ {
++      core_port_base_ops = core_ops;
+       ops->config_port  = univ8250_config_port;
+       ops->request_port = univ8250_request_port;
+       ops->release_port = univ8250_release_port;
+ }
++EXPORT_SYMBOL_FOR_MODULES(univ8250_rsa_support, "8250");
+ module_param_hw_array(probe_rsa, ulong, ioport, &probe_rsa_count, 0444);
+ MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA");
+@@ -147,7 +159,6 @@ void rsa_enable(struct uart_8250_port *u
+       if (up->port.uartclk == SERIAL_RSA_BAUD_BASE * 16)
+               serial_out(up, UART_RSA_FRR, 0);
+ }
+-EXPORT_SYMBOL_FOR_MODULES(rsa_enable, "8250_base");
+ /*
+  * Attempts to turn off the RSA FIFO and resets the RSA board back to 115kbps compat mode. It is
+@@ -179,7 +190,6 @@ void rsa_disable(struct uart_8250_port *
+               up->port.uartclk = SERIAL_RSA_BAUD_BASE_LO * 16;
+       uart_port_unlock_irq(&up->port);
+ }
+-EXPORT_SYMBOL_FOR_MODULES(rsa_disable, "8250_base");
+ void rsa_autoconfig(struct uart_8250_port *up)
+ {
+@@ -192,7 +202,6 @@ void rsa_autoconfig(struct uart_8250_por
+       if (__rsa_enable(up))
+               up->port.type = PORT_RSA;
+ }
+-EXPORT_SYMBOL_FOR_MODULES(rsa_autoconfig, "8250_base");
+ void rsa_reset(struct uart_8250_port *up)
+ {
+@@ -201,7 +210,6 @@ void rsa_reset(struct uart_8250_port *up
+       serial_out(up, UART_RSA_FRR, 0);
+ }
+-EXPORT_SYMBOL_FOR_MODULES(rsa_reset, "8250_base");
+ #ifdef CONFIG_SERIAL_8250_DEPRECATED_OPTIONS
+ #ifndef MODULE
+--- a/drivers/tty/serial/8250/Makefile
++++ b/drivers/tty/serial/8250/Makefile
+@@ -7,7 +7,6 @@ obj-$(CONFIG_SERIAL_8250)              += 8250.o
+ 8250-y                                        := 8250_core.o
+ 8250-y                                        += 8250_platform.o
+ 8250-$(CONFIG_SERIAL_8250_PNP)                += 8250_pnp.o
+-8250-$(CONFIG_SERIAL_8250_RSA)                += 8250_rsa.o
+ obj-$(CONFIG_SERIAL_8250)             += 8250_base.o
+ 8250_base-y                           := 8250_port.o
+@@ -15,6 +14,7 @@ obj-$(CONFIG_SERIAL_8250)            += 8250_base.
+ 8250_base-$(CONFIG_SERIAL_8250_DWLIB) += 8250_dwlib.o
+ 8250_base-$(CONFIG_SERIAL_8250_FINTEK)        += 8250_fintek.o
+ 8250_base-$(CONFIG_SERIAL_8250_PCILIB)        += 8250_pcilib.o
++8250_base-$(CONFIG_SERIAL_8250_RSA)   += 8250_rsa.o
+ obj-$(CONFIG_SERIAL_8250_CONSOLE)     += 8250_early.o
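Review bot: In the 8250_rsa.c part, the new file-scope `core_port_base_ops` pointer is dereferenced without a check in univ8250_config_port(), univ8250_request_port() and univ8250_release_port(). The only thing that keeps it non-NULL is that univ8250_rsa_support() assigns it before installing those three callbacks into `ops`. That ordering is correct as written, but it is an invariant the declaration does not state, and the block comment above univ8250_rsa_support() covers only the module dependency loop. A comment at the declaration would pin it down: `/* Set by univ8250_rsa_support() before the RSA callbacks are installed; the callbacks rely on it being non-NULL. */`. The three callbacks begin outside the visible hunks, so any other use of the pointer should be checked against the full file.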
diff --git a/queue-6.17/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch b/queue-6.17/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch
new file mode 100644 (file)
index 0000000..54cd1db
--- /dev/null
@@ -0,0 +1,46 @@
+From eb4917f557d43c7a1c805dd73ffcdfddb2aba39a Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 17:20:50 +0800
+Subject: serial: amba-pl011: prefer dma_mapping_error() over explicit address checking
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit eb4917f557d43c7a1c805dd73ffcdfddb2aba39a upstream.
+
+Check for returned DMA addresses using specialized dma_mapping_error()
+helper which is generally recommended for this purpose by
+Documentation/core-api/dma-api.rst:
+
+  "In some circumstances dma_map_single(), ...
+will fail to create a mapping. A driver can check for these errors
+by testing the returned DMA address with dma_mapping_error()."
+
+Found via static analysis and this is similar to commit fa0308134d26
+("ALSA: memalloc: prefer dma_mapping_error() over explicit address checking")
+
+Fixes: 58ac1b379979 ("ARM: PL011: Fix DMA support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Link: https://patch.msgid.link/20251027092053.87937-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/amba-pl011.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
+index 22939841b1de..7f17d288c807 100644
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -628,7 +628,7 @@ static int pl011_dma_tx_refill(struct uart_amba_port *uap)
+       dmatx->len = count;
+       dmatx->dma = dma_map_single(dma_dev->dev, dmatx->buf, count,
+                                   DMA_TO_DEVICE);
+-      if (dmatx->dma == DMA_MAPPING_ERROR) {
++      if (dma_mapping_error(dma_dev->dev, dmatx->dma)) {
+               uap->dmatx.queued = false;
+               dev_dbg(uap->port.dev, "unable to map TX DMA\n");
+               return -EBUSY;
+-- 
+2.52.0
+
index 8bf29252e9d370025dd7ae5b8073bd31b1324160..4de3c51de452adf56d3b74d611838eb434fd07a3 100644 (file)
@@ -72,3 +72,37 @@ mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflow.patch
 virtio-net-avoid-unnecessary-checksum-calculation-on-guest-rx.patch
 vhost-rewind-next_avail_head-while-discarding-descriptors.patch
 tracing-fix-warn_on-in-tracing_buffers_mmap_close-for-split-vmas.patch
+alsa-hda-cirrus-fix-cs420x-macpro-6-1-inverted-jack-detection.patch
+alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch
+arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch
+arm64-dts-imx8dxl-correct-pcie-ep-interrupt-number.patch
+arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch
+arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch
+atm-fore200e-fix-possible-data-race-in-fore200e_open.patch
+bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch
+can-rcar_canfd-fix-can-fd-mode-as-default.patch
+can-sja1000-fix-max-irq-loop-handling.patch
+can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch
+ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch
+counter-microchip-tcb-capture-allow-shared-irq-for-multi-channel-tcbs.patch
+dm-verity-fix-unreliable-memory-allocation.patch
+drivers-usb-dwc3-fix-pci-parent-check.patch
+drm-fbcon-vga_switcheroo-avoid-race-condition-in-fbcon-setup.patch
+smb-client-fix-memory-leak-in-cifs_construct_tcon.patch
+thunderbolt-add-support-for-intel-wildcat-lake.patch
+slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch
+nvmem-layouts-fix-nvmem_layout_bus_uevent.patch
+pmdomain-tegra-add-genpd_flag_no_stay_on-flag.patch
+r8169-fix-rtl8127-hang-on-suspend-shutdown.patch
+regulator-rtq2208-correct-buck-group2-phase-mapping-logic.patch
+regulator-rtq2208-correct-ldo2-logic-judgment-bits.patch
+io_uring-net-ensure-vectored-buffer-node-import-is-tied-to-notification.patch
+firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch
+iommufd-driver-fix-counter-initialization-for-counted_by-annotation.patch
+mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch
+mm-memfd-fix-information-leak-in-hugetlb-folios.patch
+mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch
+mptcp-clear-scheduled-subflows-on-retransmit.patch
+mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch
+serial-8250-fix-8250_rsa-symbol-loop.patch
+serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch
diff --git a/queue-6.17/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch b/queue-6.17/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch
new file mode 100644 (file)
index 0000000..e9e597a
--- /dev/null
@@ -0,0 +1,38 @@
+From 96cf8500934e0ce2a6c486f1dbc3b1fff12f7a5e Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 14:06:01 +0800
+Subject: slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 96cf8500934e0ce2a6c486f1dbc3b1fff12f7a5e upstream.
+
+The function qcom_slim_ngd_notify_slaves() calls of_slim_get_device() which
+internally uses device_find_child() to obtain a device reference.
+According to the device_find_child() documentation,
+the caller must drop the reference with put_device() after use.
+
+Found via static analysis and this is similar to commit 4e65bda8273c
+("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()")
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251027060601.33228-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1241,6 +1241,7 @@ static void qcom_slim_ngd_notify_slaves(
+               if (slim_get_logical_addr(sbdev))
+                       dev_err(ctrl->dev, "Failed to get logical address\n");
++              put_device(&sbdev->dev);
+       }
+ }
diff --git a/queue-6.17/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch b/queue-6.17/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch
new file mode 100644 (file)
index 0000000..15a56c5
--- /dev/null
@@ -0,0 +1,65 @@
+From 3184b6a5a24ec9ee74087b2a550476f386df7dc2 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.org>
+Date: Mon, 24 Nov 2025 17:00:36 -0300
+Subject: smb: client: fix memory leak in cifs_construct_tcon()
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+commit 3184b6a5a24ec9ee74087b2a550476f386df7dc2 upstream.
+
+When having a multiuser mount with domain= specified and using
+cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname,
+so it needs to be freed before leaving cifs_construct_tcon().
+
+This fixes the following memory leak reported by kmemleak:
+
+  mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...
+  su - testuser
+  cifscreds add -d ZELDA -u testuser
+  ...
+  ls /mnt/1
+  ...
+  umount /mnt
+  echo scan > /sys/kernel/debug/kmemleak
+  cat /sys/kernel/debug/kmemleak
+  unreferenced object 0xffff8881203c3f08 (size 8):
+    comm "ls", pid 5060, jiffies 4307222943
+    hex dump (first 8 bytes):
+      5a 45 4c 44 41 00 cc cc                          ZELDA...
+    backtrace (crc d109a8cf):
+      __kmalloc_node_track_caller_noprof+0x572/0x710
+      kstrdup+0x3a/0x70
+      cifs_sb_tlink+0x1209/0x1770 [cifs]
+      cifs_get_fattr+0xe1/0xf50 [cifs]
+      cifs_get_inode_info+0xb5/0x240 [cifs]
+      cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]
+      cifs_getattr+0x28e/0x450 [cifs]
+      vfs_getattr_nosec+0x126/0x180
+      vfs_statx+0xf6/0x220
+      do_statx+0xab/0x110
+      __x64_sys_statx+0xd5/0x130
+      do_syscall_64+0xbb/0x380
+      entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: f2aee329a68f ("cifs: set domainName when a domain-key is used in multiuser")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Cc: Jay Shin <jaeshin@redhat.com>
+Cc: stable@vger.kernel.org
+Cc: linux-cifs@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -4455,6 +4455,7 @@ cifs_construct_tcon(struct cifs_sb_info
+ out:
+       kfree(ctx->username);
++      kfree(ctx->domainname);
+       kfree_sensitive(ctx->password);
+       kfree(origin_fullpath);
+       kfree(ctx);
diff --git a/queue-6.17/thunderbolt-add-support-for-intel-wildcat-lake.patch b/queue-6.17/thunderbolt-add-support-for-intel-wildcat-lake.patch
new file mode 100644 (file)
index 0000000..06b18e9
--- /dev/null
@@ -0,0 +1,43 @@
+From 3575254546a27210a4b661ea37fbbfb836c0815d Mon Sep 17 00:00:00 2001
+From: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com>
+Date: Thu, 14 Nov 2024 10:55:44 +0100
+Subject: thunderbolt: Add support for Intel Wildcat Lake
+
+From: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com>
+
+commit 3575254546a27210a4b661ea37fbbfb836c0815d upstream.
+
+Intel Wildcat Lake derives its Thunderbolt/USB4 controller from Lunar
+Lake platform. Add Wildcat Lake PCI ID to the driver list of supported
+devices.
+
+Signed-off-by: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/nhi.c |    2 ++
+ drivers/thunderbolt/nhi.h |    1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -1528,6 +1528,8 @@ static struct pci_device_id nhi_ids[] =
+         .driver_data = (kernel_ulong_t)&icl_nhi_ops },
+       { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_PTL_P_NHI1),
+         .driver_data = (kernel_ulong_t)&icl_nhi_ops },
++      { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_WCL_NHI0),
++        .driver_data = (kernel_ulong_t)&icl_nhi_ops },
+       { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_80G_NHI) },
+       { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_40G_NHI) },
+--- a/drivers/thunderbolt/nhi.h
++++ b/drivers/thunderbolt/nhi.h
+@@ -75,6 +75,7 @@ extern const struct tb_nhi_ops icl_nhi_o
+ #define PCI_DEVICE_ID_INTEL_TITAN_RIDGE_DD_BRIDGE     0x15ef
+ #define PCI_DEVICE_ID_INTEL_ADL_NHI0                  0x463e
+ #define PCI_DEVICE_ID_INTEL_ADL_NHI1                  0x466d
++#define PCI_DEVICE_ID_INTEL_WCL_NHI0                  0x4d33
+ #define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_80G_NHI 0x5781
+ #define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_40G_NHI 0x5784
+ #define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HUB_80G_BRIDGE 0x5786