6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Nov 2025 13:44:00 +0000 (14:44 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Nov 2025 13:44:00 +0000 (14:44 +0100)
added patches:
dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
input-cros_ec_keyb-fix-an-invalid-memory-access.patch
input-goodix-add-support-for-acpi-id-gdix1003.patch
input-imx_sc_key-fix-memory-corruption-on-unload.patch
input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch
loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch
mips-malta-fix-eva-soc-it-pci-mmio.patch
mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
mptcp-fix-race-condition-in-mptcp_schedule_work.patch
nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch
nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch
scsi-sg-do-not-sleep-in-atomic-context.patch
scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch

15 files changed:
queue-6.12/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch [new file with mode: 0644]
queue-6.12/input-cros_ec_keyb-fix-an-invalid-memory-access.patch [new file with mode: 0644]
queue-6.12/input-goodix-add-support-for-acpi-id-gdix1003.patch [new file with mode: 0644]
queue-6.12/input-imx_sc_key-fix-memory-corruption-on-unload.patch [new file with mode: 0644]
queue-6.12/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch [new file with mode: 0644]
queue-6.12/loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch [new file with mode: 0644]
queue-6.12/mips-malta-fix-eva-soc-it-pci-mmio.patch [new file with mode: 0644]
queue-6.12/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch [new file with mode: 0644]
queue-6.12/mptcp-fix-race-condition-in-mptcp_schedule_work.patch [new file with mode: 0644]
queue-6.12/nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch [new file with mode: 0644]
queue-6.12/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch [new file with mode: 0644]
queue-6.12/nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch [new file with mode: 0644]
queue-6.12/scsi-sg-do-not-sleep-in-atomic-context.patch [new file with mode: 0644]
queue-6.12/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch [new file with mode: 0644]
queue-6.12/series

diff --git a/queue-6.12/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch b/queue-6.12/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
new file mode 100644 (file)
index 0000000..3b1aea6
--- /dev/null
@@ -0,0 +1,62 @@
+From 316e361b5d2cdeb8d778983794a1c6eadcb26814 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 22 Oct 2025 15:34:26 +0200
+Subject: dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 316e361b5d2cdeb8d778983794a1c6eadcb26814 upstream.
+
+The "groups" property can hold multiple entries (e.g.
+toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect
+type (pinmux-node.yaml schema already defines that as string-array) and
+adding constraints for items.  This fixes dtbs_check warnings like:
+
+  toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl):
+    pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long
+
+Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml |   26 +++++-----
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
+@@ -50,18 +50,20 @@ patternProperties:
+       groups:
+         description:
+           Name of the pin group to use for the functions.
+-        $ref: /schemas/types.yaml#/definitions/string
+-        enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
+-               i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
+-               spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
+-               spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
+-               uart0_grp, uart1_grp, uart2_grp, uart3_grp,
+-               pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
+-               pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
+-               pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
+-               pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
+-               pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
+-               pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++        items:
++          enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
++                 i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
++                 spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
++                 spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
++                 uart0_grp, uart1_grp, uart2_grp, uart3_grp,
++                 pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
++                 pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
++                 pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
++                 pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
++                 pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
++                 pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++        minItems: 1
++        maxItems: 8
+       drive-strength:
+         enum: [2, 4, 6, 8, 16, 24, 32]
diff --git a/queue-6.12/input-cros_ec_keyb-fix-an-invalid-memory-access.patch b/queue-6.12/input-cros_ec_keyb-fix-an-invalid-memory-access.patch
new file mode 100644 (file)
index 0000000..2b562d7
--- /dev/null
@@ -0,0 +1,53 @@
+From e08969c4d65ac31297fcb4d31d4808c789152f68 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+Date: Tue, 4 Nov 2025 07:03:10 +0000
+Subject: Input: cros_ec_keyb - fix an invalid memory access
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+commit e08969c4d65ac31297fcb4d31d4808c789152f68 upstream.
+
+If cros_ec_keyb_register_matrix() isn't called (due to
+`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
+NULL.  An invalid memory access is observed in cros_ec_keyb_process()
+when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
+in such case.
+
+  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
+  ...
+  x3 : 0000000000000000 x2 : 0000000000000000
+  x1 : 0000000000000000 x0 : 0000000000000000
+  Call trace:
+  input_event
+  cros_ec_keyb_work
+  blocking_notifier_call_chain
+  ec_irq_thread
+
+It's still unknown about why the kernel receives such malformed event,
+in any cases, the kernel shouldn't access `ckdev->idev` and friends if
+the driver doesn't intend to initialize them.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://patch.msgid.link/20251104070310.3212712-1-tzungbi@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/cros_ec_keyb.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/input/keyboard/cros_ec_keyb.c
++++ b/drivers/input/keyboard/cros_ec_keyb.c
+@@ -261,6 +261,12 @@ static int cros_ec_keyb_work(struct noti
+       case EC_MKBP_EVENT_KEY_MATRIX:
+               pm_wakeup_event(ckdev->dev, 0);
++              if (!ckdev->idev) {
++                      dev_warn_once(ckdev->dev,
++                                    "Unexpected key matrix event\n");
++                      return NOTIFY_OK;
++              }
++
+               if (ckdev->ec->event_size != ckdev->cols) {
+                       dev_err(ckdev->dev,
+                               "Discarded incomplete key matrix event.\n");
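Review bot: The new `!ckdev->idev` guard in the `EC_MKBP_EVENT_KEY_MATRIX` case sits after `pm_wakeup_event(ckdev->dev, 0)`, so an unexpected matrix event is still counted as a wakeup event before it is discarded; if that is not intended, the guard could move above that call. The guard also deserves a one-line comment on why the pointer can be NULL, e.g. `/* idev is only set up by cros_ec_keyb_register_matrix(), which probe skips for buttons_switches_only */`. Because the message uses `dev_warn_once()`, every later unexpected event is dropped without a log line, which matters when looking for a misbehaving EC. cros_ec_keyb_work() starts and ends outside the hunk.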
diff --git a/queue-6.12/input-goodix-add-support-for-acpi-id-gdix1003.patch b/queue-6.12/input-goodix-add-support-for-acpi-id-gdix1003.patch
new file mode 100644 (file)
index 0000000..ed88af7
--- /dev/null
@@ -0,0 +1,35 @@
+From c6d99e488117201c63efd747ce17b80687c3f5a9 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 13 Oct 2025 09:15:25 -0700
+Subject: Input: goodix - add support for ACPI ID GDIX1003
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit c6d99e488117201c63efd747ce17b80687c3f5a9 upstream.
+
+Some newer devices use an ACPI hardware ID of GDIX1003 for their Goodix
+touchscreen controller, instead of GDIX1001 / GDIX1002. Add GDIX1003
+to the goodix_acpi_match[] table.
+
+Reported-by: Weikang Guo <guoweikang.kernel@gmail.com>
+Closes: https://lore.kernel.org/linux-input/20250225024409.1467040-1-guoweikang.kernel@gmail.com/
+Tested-by: Weikang Guo <guoweikang.kernel@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20251013121022.44333-1-hansg@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/goodix.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/touchscreen/goodix.c
++++ b/drivers/input/touchscreen/goodix.c
+@@ -1519,6 +1519,7 @@ MODULE_DEVICE_TABLE(i2c, goodix_ts_id);
+ static const struct acpi_device_id goodix_acpi_match[] = {
+       { "GDIX1001", 0 },
+       { "GDIX1002", 0 },
++      { "GDIX1003", 0 },
+       { "GDX9110", 0 },
+       { }
+ };
diff --git a/queue-6.12/input-imx_sc_key-fix-memory-corruption-on-unload.patch b/queue-6.12/input-imx_sc_key-fix-memory-corruption-on-unload.patch
new file mode 100644 (file)
index 0000000..a7a864b
--- /dev/null
@@ -0,0 +1,36 @@
+From d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Sat, 1 Nov 2025 16:25:27 +0300
+Subject: Input: imx_sc_key - fix memory corruption on unload
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 upstream.
+
+This is supposed to be "priv" but we accidentally pass "&priv" which is
+an address in the stack and so it will lead to memory corruption when
+the imx_sc_key_action() function is called.  Remove the &.
+
+Fixes: 768062fd1284 ("Input: imx_sc_key - use devm_add_action_or_reset() to handle all cleanups")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/aQYKR75r2VMFJutT@stanley.mountain
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/imx_sc_key.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/imx_sc_key.c
++++ b/drivers/input/keyboard/imx_sc_key.c
+@@ -158,7 +158,7 @@ static int imx_sc_key_probe(struct platf
+               return error;
+       }
+-      error = devm_add_action_or_reset(&pdev->dev, imx_sc_key_action, &priv);
++      error = devm_add_action_or_reset(&pdev->dev, imx_sc_key_action, priv);
+       if (error)
+               return error;
diff --git a/queue-6.12/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch b/queue-6.12/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch
new file mode 100644 (file)
index 0000000..05b21a9
--- /dev/null
@@ -0,0 +1,54 @@
+From 69aeb507312306f73495598a055293fa749d454e Mon Sep 17 00:00:00 2001
+From: Seungjin Bae <eeodqql09@gmail.com>
+Date: Fri, 17 Oct 2025 15:36:31 -0700
+Subject: Input: pegasus-notetaker - fix potential out-of-bounds access
+
+From: Seungjin Bae <eeodqql09@gmail.com>
+
+commit 69aeb507312306f73495598a055293fa749d454e upstream.
+
+In the pegasus_notetaker driver, the pegasus_probe() function allocates
+the URB transfer buffer using the wMaxPacketSize value from
+the endpoint descriptor. An attacker can use a malicious USB descriptor
+to force the allocation of a very small buffer.
+
+Subsequently, if the device sends an interrupt packet with a specific
+pattern (e.g., where the first byte is 0x80 or 0x42),
+the pegasus_parse_packet() function parses the packet without checking
+the allocated buffer size. This leads to an out-of-bounds memory access.
+
+Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
+Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
+Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/tablet/pegasus_notetaker.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/tablet/pegasus_notetaker.c
++++ b/drivers/input/tablet/pegasus_notetaker.c
+@@ -63,6 +63,9 @@
+ #define BUTTON_PRESSED                        0xb5
+ #define COMMAND_VERSION                       0xa9
++/* 1 Status + 1 Color + 2 X + 2 Y = 6 bytes */
++#define NOTETAKER_PACKET_SIZE         6
++
+ /* in xy data packet */
+ #define BATTERY_NO_REPORT             0x40
+ #define BATTERY_LOW                   0x41
+@@ -303,6 +306,12 @@ static int pegasus_probe(struct usb_inte
+       }
+       pegasus->data_len = usb_maxpacket(dev, pipe);
++      if (pegasus->data_len < NOTETAKER_PACKET_SIZE) {
++              dev_err(&intf->dev, "packet size is too small (%d)\n",
++                      pegasus->data_len);
++              error = -EINVAL;
++              goto err_free_mem;
++      }
+       pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL,
+                                          &pegasus->data_dma);
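Review bot: The probe-time check against `NOTETAKER_PACKET_SIZE` bounds only the allocated buffer; nothing in the visible hunks compares the length the device actually sent with what the parser reads. pegasus_parse_packet() and the URB completion handler are outside the hunk, so this is an inference, but if neither checks `urb->actual_length` against `NOTETAKER_PACKET_SIZE`, a short interrupt transfer would be parsed using stale bytes left in the buffer by an earlier packet. A length check before parsing, which drops the packet while still resubmitting the URB, would close that gap. pegasus_probe() starts and ends outside the hunk.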
diff --git a/queue-6.12/loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch b/queue-6.12/loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch
new file mode 100644 (file)
index 0000000..421b455
--- /dev/null
@@ -0,0 +1,39 @@
+From a6b533adfc05ba15360631e019d3e18275080275 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Thu, 20 Nov 2025 14:42:05 +0800
+Subject: LoongArch: Don't panic if no valid cache info for PCI
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit a6b533adfc05ba15360631e019d3e18275080275 upstream.
+
+If there is no valid cache info detected (may happen in virtual machine)
+for pci_dfl_cache_line_size, kernel shouldn't panic. Because in the PCI
+core it will be evaluated to (L1_CACHE_BYTES >> 2).
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/pci/pci.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/loongarch/pci/pci.c
++++ b/arch/loongarch/pci/pci.c
+@@ -51,11 +51,11 @@ static int __init pcibios_init(void)
+        */
+       lsize = cpu_last_level_cache_line_size();
+-      BUG_ON(!lsize);
++      if (lsize) {
++              pci_dfl_cache_line_size = lsize >> 2;
+-      pci_dfl_cache_line_size = lsize >> 2;
+-
+-      pr_debug("PCI: pci_cache_line_size set to %d bytes\n", lsize);
++              pr_debug("PCI: pci_cache_line_size set to %d bytes\n", lsize);
++      }
+       return 0;
+ }
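Review bot: With `BUG_ON(!lsize)` gone, the `lsize == 0` path in pcibios_init() is silent, and nothing in the code says what value `pci_dfl_cache_line_size` ends up with. A comment on the `if (lsize)` would carry the reasoning from the commit message into the source, e.g. `/* No cache info (may happen in a VM): keep the PCI core default, L1_CACHE_BYTES >> 2 */`. A `pr_debug()` in an else branch would also make the fallback visible when someone is debugging PCI behaviour on such a system. The function starts outside the hunk.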
diff --git a/queue-6.12/mips-malta-fix-eva-soc-it-pci-mmio.patch b/queue-6.12/mips-malta-fix-eva-soc-it-pci-mmio.patch
new file mode 100644 (file)
index 0000000..bc04666
--- /dev/null
@@ -0,0 +1,100 @@
+From ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Mon, 20 Oct 2025 02:11:49 +0100
+Subject: MIPS: Malta: Fix !EVA SOC-it PCI MMIO
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e upstream.
+
+Fix a regression that has caused accesses to the PCI MMIO window to
+complete unclaimed in non-EVA configurations with the SOC-it family of
+system controllers, preventing PCI devices from working that use MMIO.
+
+In the non-EVA case PHYS_OFFSET is set to 0, meaning that PCI_BAR0 is
+set with an empty mask (and PCI_HEAD4 matches addresses starting from 0
+accordingly).  Consequently all addresses are matched for incoming DMA
+accesses from PCI.  This seems to confuse the system controller's logic
+and outgoing bus cycles targeting the PCI MMIO window seem not to make
+it to the intended devices.
+
+This happens as well when a wider mask is used with PCI_BAR0, such as
+0x80000000 or 0xe0000000, that makes addresses match that overlap with
+the PCI MMIO window, which starts at 0x10000000 in our configuration.
+
+Set the mask in PCI_BAR0 to 0xf0000000 for non-EVA then, covering the
+non-EVA maximum 256 MiB of RAM, which is what YAMON does and which used
+to work correctly up to the offending commit.  Set PCI_P2SCMSKL to match
+PCI_BAR0 as required by the system controller's specification, and match
+PCI_P2SCMAPL to PCI_HEAD4 for identity mapping.
+
+Verified with:
+
+Core board type/revision =      0x0d (Core74K) / 0x01
+System controller/revision =    MIPS SOC-it 101 OCP / 1.3   SDR-FW-4:1
+Processor Company ID/options =  0x01 (MIPS Technologies, Inc.) / 0x1c
+Processor ID/revision =         0x97 (MIPS 74Kf) / 0x4c
+
+for non-EVA and with:
+
+Core board type/revision =      0x0c (CoreFPGA-5) / 0x00
+System controller/revision =    MIPS ROC-it2 / 0.0   FW-1:1 (CLK_unknown) GIC
+Processor Company ID/options =  0x01 (MIPS Technologies, Inc.) / 0x00
+Processor ID/revision =         0xa0 (MIPS interAptiv UP) / 0x20
+
+for EVA/non-EVA, fixing:
+
+defxx 0000:00:12.0: assign IRQ: got 10
+defxx: v1.12 2021/03/10  Lawrence V. Stefani and others
+0000:00:12.0: Could not read adapter factory MAC address!
+
+vs:
+
+defxx 0000:00:12.0: assign IRQ: got 10
+defxx: v1.12 2021/03/10  Lawrence V. Stefani and others
+0000:00:12.0: DEFPA at MMIO addr = 0x10142000, IRQ = 10, Hardware addr = 00-00-f8-xx-xx-xx
+0000:00:12.0: registered as fddi0
+
+for non-EVA and causing no change for EVA.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: 422dd256642b ("MIPS: Malta: Allow PCI devices DMA to lower 2GB physical")
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mti-malta/malta-init.c |   20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/arch/mips/mti-malta/malta-init.c
++++ b/arch/mips/mti-malta/malta-init.c
+@@ -241,16 +241,22 @@ mips_pci_controller:
+ #endif
+               /*
+-               * Setup the Malta max (2GB) memory for PCI DMA in host bridge
+-               * in transparent addressing mode.
++               * Set up memory mapping in host bridge for PCI DMA masters,
++               * in transparent addressing mode.  For EVA use the Malta
++               * maximum of 2 GiB memory in the alias space at 0x80000000
++               * as per PHYS_OFFSET.  Otherwise use 256 MiB of memory in
++               * the regular space, avoiding mapping the PCI MMIO window
++               * for DMA as it seems to confuse the system controller's
++               * logic, causing PCI MMIO to stop working.
+                */
+-              mask = PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH;
+-              MSC_WRITE(MSC01_PCI_BAR0, mask);
+-              MSC_WRITE(MSC01_PCI_HEAD4, mask);
++              mask = PHYS_OFFSET ? PHYS_OFFSET : 0xf0000000;
++              MSC_WRITE(MSC01_PCI_BAR0,
++                        mask | PCI_BASE_ADDRESS_MEM_PREFETCH);
++              MSC_WRITE(MSC01_PCI_HEAD4,
++                        PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH);
+-              mask &= MSC01_PCI_BAR0_SIZE_MSK;
+               MSC_WRITE(MSC01_PCI_P2SCMSKL, mask);
+-              MSC_WRITE(MSC01_PCI_P2SCMAPL, mask);
++              MSC_WRITE(MSC01_PCI_P2SCMAPL, PHYS_OFFSET);
+               /* Don't handle target retries indefinitely.  */
+               if ((data & MSC01_PCI_CFG_MAXRTRY_MSK) ==
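Review bot: The literal `0xf0000000` in `mask = PHYS_OFFSET ? PHYS_OFFSET : 0xf0000000;` is explained only in the block comment above it; a named constant or a trailing comment such as `/* 256 MiB window, as set by YAMON */` would keep the value and its meaning together. Dropping `mask &= MSC01_PCI_BAR0_SIZE_MSK;` also means `MSC01_PCI_P2SCMSKL` and `MSC01_PCI_P2SCMAPL` now receive `mask` and `PHYS_OFFSET` unfiltered. That is correct only while PHYS_OFFSET has no bits outside the size field; its definition is not visible here, so the assumption is worth stating in the comment. The enclosing function starts and ends outside the hunk.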
diff --git a/queue-6.12/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch b/queue-6.12/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
new file mode 100644 (file)
index 0000000..f2e9b44
--- /dev/null
@@ -0,0 +1,106 @@
+From ec33b59542d96830e3c89845ff833cf7b25ef172 Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Thu, 13 Nov 2025 19:54:35 +0100
+Subject: mm/mempool: fix poisoning order>0 pages with HIGHMEM
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit ec33b59542d96830e3c89845ff833cf7b25ef172 upstream.
+
+The kernel test has reported:
+
+  BUG: unable to handle page fault for address: fffba000
+  #PF: supervisor write access in kernel mode
+  #PF: error_code(0x0002) - not-present page
+  *pde = 03171067 *pte = 00000000
+  Oops: Oops: 0002 [#1]
+  CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G                T   6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE  a1d066dfe789f54bc7645c7989957d2bdee593ca
+  Tainted: [T]=RANDSTRUCT
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+  EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
+  Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
+  EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
+  ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
+  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
+  CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
+  Call Trace:
+   poison_element (mm/mempool.c:83 mm/mempool.c:102)
+   mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
+   mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
+   ? mempool_alloc_pages (mm/mempool.c:640)
+   bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
+   ? mempool_alloc_pages (mm/mempool.c:640)
+   do_one_initcall (init/main.c:1283)
+
+Christoph found out this is due to the poisoning code not dealing
+properly with CONFIG_HIGHMEM because only the first page is mapped but
+then the whole potentially high-order page is accessed.
+
+We could give up on HIGHMEM here, but it's straightforward to fix this
+with a loop that's mapping, poisoning or checking and unmapping
+individual pages.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com
+Analyzed-by: Christoph Hellwig <hch@lst.de>
+Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator")
+Cc: stable@vger.kernel.org
+Tested-by: kernel test robot <oliver.sang@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempool.c |   32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -68,10 +68,20 @@ static void check_element(mempool_t *poo
+       } else if (pool->free == mempool_free_pages) {
+               /* Mempools backed by page allocator */
+               int order = (int)(long)pool->pool_data;
+-              void *addr = kmap_local_page((struct page *)element);
+-              __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+-              kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++              for (int i = 0; i < (1 << order); i++) {
++                      struct page *page = (struct page *)element;
++                      void *addr = kmap_local_page(page + i);
++
++                      __check_element(pool, addr, PAGE_SIZE);
++                      kunmap_local(addr);
++              }
++#else
++              void *addr = page_address((struct page *)element);
++
++              __check_element(pool, addr, PAGE_SIZE << order);
++#endif
+       }
+ }
+@@ -97,10 +107,20 @@ static void poison_element(mempool_t *po
+       } else if (pool->alloc == mempool_alloc_pages) {
+               /* Mempools backed by page allocator */
+               int order = (int)(long)pool->pool_data;
+-              void *addr = kmap_local_page((struct page *)element);
+-              __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+-              kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++              for (int i = 0; i < (1 << order); i++) {
++                      struct page *page = (struct page *)element;
++                      void *addr = kmap_local_page(page + i);
++
++                      __poison_element(addr, PAGE_SIZE);
++                      kunmap_local(addr);
++              }
++#else
++              void *addr = page_address((struct page *)element);
++
++              __poison_element(addr, PAGE_SIZE << order);
++#endif
+       }
+ }
+ #else /* CONFIG_SLUB_DEBUG_ON */
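Review bot: The CONFIG_HIGHMEM loop is written out twice, in check_element() and poison_element(), and the loop-invariant cast `struct page *page = (struct page *)element;` is redone on every iteration; hoisting it above the `for` in both places makes the per-page walk easier to read. A short comment above the loop would record why it exists, e.g. `/* kmap_local_page() maps a single page, so walk a high-order element page by page */`. Under HIGHMEM `__check_element()` is now called with `PAGE_SIZE` per page, so any offset or size it reports is presumably relative to that page rather than to the whole element; its body is outside the hunk, so confirm the diagnostic is still usable. Both functions start outside their hunks.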
diff --git a/queue-6.12/mptcp-fix-race-condition-in-mptcp_schedule_work.patch b/queue-6.12/mptcp-fix-race-condition-in-mptcp_schedule_work.patch
new file mode 100644 (file)
index 0000000..c2cc90c
--- /dev/null
@@ -0,0 +1,96 @@
+From 035bca3f017ee9dea3a5a756e77a6f7138cc6eea Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 13 Nov 2025 10:39:24 +0000
+Subject: mptcp: fix race condition in mptcp_schedule_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 035bca3f017ee9dea3a5a756e77a6f7138cc6eea upstream.
+
+syzbot reported use-after-free in mptcp_schedule_work() [1]
+
+Issue here is that mptcp_schedule_work() schedules a work,
+then gets a refcount on sk->sk_refcnt if the work was scheduled.
+This refcount will be released by mptcp_worker().
+
+[A] if (schedule_work(...)) {
+[B]     sock_hold(sk);
+        return true;
+    }
+
+Problem is that mptcp_worker() can run immediately and complete before [B]
+
+We need instead :
+
+    sock_hold(sk);
+    if (schedule_work(...))
+        return true;
+    sock_put(sk);
+
+[1]
+refcount_t: addition on 0; use-after-free.
+ WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
+Call Trace:
+ <TASK>
+ __refcount_add include/linux/refcount.h:-1 [inline]
+  __refcount_inc include/linux/refcount.h:366 [inline]
+  refcount_inc include/linux/refcount.h:383 [inline]
+  sock_hold include/net/sock.h:816 [inline]
+  mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943
+  mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316
+  call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
+  expire_timers kernel/time/timer.c:1798 [inline]
+  __run_timers kernel/time/timer.c:2372 [inline]
+  __run_timer_base+0x648/0x970 kernel/time/timer.c:2384
+  run_timer_base kernel/time/timer.c:2393 [inline]
+  run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
+  handle_softirqs+0x22f/0x710 kernel/softirq.c:622
+  __do_softirq kernel/softirq.c:656 [inline]
+  run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
+  smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
+  kthread+0x711/0x8a0 kernel/kthread.c:463
+  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
+  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Cc: stable@vger.kernel.org
+Fixes: 3b1d6210a957 ("mptcp: implement and use MPTCP-level retransmission")
+Reported-by: syzbot+355158e7e301548a1424@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6915b46f.050a0220.3565dc.0028.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251113103924.3737425-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |   19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -963,14 +963,19 @@ static void mptcp_reset_rtx_timer(struct
+ bool mptcp_schedule_work(struct sock *sk)
+ {
+-      if (inet_sk_state_load(sk) != TCP_CLOSE &&
+-          schedule_work(&mptcp_sk(sk)->work)) {
+-              /* each subflow already holds a reference to the sk, and the
+-               * workqueue is invoked by a subflow, so sk can't go away here.
+-               */
+-              sock_hold(sk);
++      if (inet_sk_state_load(sk) == TCP_CLOSE)
++              return false;
++
++      /* Get a reference on this socket, mptcp_worker() will release it.
++       * As mptcp_worker() might complete before us, we can not avoid
++       * a sock_hold()/sock_put() if schedule_work() returns false.
++       */
++      sock_hold(sk);
++
++      if (schedule_work(&mptcp_sk(sk)->work))
+               return true;
+-      }
++
++      sock_put(sk);
+       return false;
+ }
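Review bot: The `sock_put(sk)` on the `schedule_work()` failure path has no comment of its own, and the replaced comment's statement about who keeps `sk` alive is gone, so the reader has to work out why dropping the reference there is safe. schedule_work() returns false when the work item is already pending, in which case the reference taken by whoever queued it is the one mptcp_worker() releases. A line such as `/* work already queued: that scheduler's reference is the one mptcp_worker() drops */` above `sock_put(sk)` would say so. It would also help to state that callers must hold their own reference across the call, since otherwise this `sock_put()` could be the last one; the callers are outside the hunk.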
diff --git a/queue-6.12/nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch b/queue-6.12/nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch
new file mode 100644 (file)
index 0000000..294b77b
--- /dev/null
@@ -0,0 +1,36 @@
+From 949f1fd2225baefbea2995afa807dba5cbdb6bd3 Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Mon, 17 Nov 2025 08:42:31 +0000
+Subject: nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 949f1fd2225baefbea2995afa807dba5cbdb6bd3 upstream.
+
+nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a
+kmemleak warning.
+
+Make sure this data is deallocated.
+
+Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs")
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patch.msgid.link/20251117084231.2910561-1-namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/falcon/fw.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
++++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
+@@ -159,6 +159,8 @@ nvkm_falcon_fw_dtor(struct nvkm_falcon_f
+       nvkm_memory_unref(&fw->inst);
+       nvkm_falcon_fw_dtor_sigs(fw);
+       nvkm_firmware_dtor(&fw->fw);
++      kfree(fw->boot);
++      fw->boot = NULL;
+ }
+ static const struct nvkm_firmware_func
diff --git a/queue-6.12/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch b/queue-6.12/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
new file mode 100644 (file)
index 0000000..27a3efb
--- /dev/null
@@ -0,0 +1,90 @@
+From 0a2c5495b6d1ecb0fa18ef6631450f391a888256 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Mon, 10 Nov 2025 16:20:01 -0500
+Subject: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+commit 0a2c5495b6d1ecb0fa18ef6631450f391a888256 upstream.
+
+nvme_fc_delete_assocation() waits for pending I/O to complete before
+returning, and an error can cause ->ioerr_work to be queued after
+cancel_work_sync() had been called.  Move the call to cancel_work_sync() to
+be after nvme_fc_delete_association() to ensure ->ioerr_work is not running
+when the nvme_fc_ctrl object is freed.  Otherwise the following can occur:
+
+[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL
+[ 1135.917705] ------------[ cut here ]------------
+[ 1135.922336] kernel BUG at lib/list_debug.c:52!
+[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI
+[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)
+[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025
+[ 1135.950969] Workqueue:  0x0 (nvme-wq)
+[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b
+[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046
+[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000
+[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0
+[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08
+[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100
+[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0
+[ 1136.020677] FS:  0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000
+[ 1136.028765] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0
+[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+[ 1136.055910] PKRU: 55555554
+[ 1136.058623] Call Trace:
+[ 1136.061074]  <TASK>
+[ 1136.063179]  ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.067540]  ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.071898]  ? move_linked_works+0x4a/0xa0
+[ 1136.075998]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.081744]  ? __die_body.cold+0x8/0x12
+[ 1136.085584]  ? die+0x2e/0x50
+[ 1136.088469]  ? do_trap+0xca/0x110
+[ 1136.091789]  ? do_error_trap+0x65/0x80
+[ 1136.095543]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.101289]  ? exc_invalid_op+0x50/0x70
+[ 1136.105127]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.110874]  ? asm_exc_invalid_op+0x1a/0x20
+[ 1136.115059]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.120806]  move_linked_works+0x4a/0xa0
+[ 1136.124733]  worker_thread+0x216/0x3a0
+[ 1136.128485]  ? __pfx_worker_thread+0x10/0x10
+[ 1136.132758]  kthread+0xfa/0x240
+[ 1136.135904]  ? __pfx_kthread+0x10/0x10
+[ 1136.139657]  ret_from_fork+0x31/0x50
+[ 1136.143236]  ? __pfx_kthread+0x10/0x10
+[ 1136.146988]  ret_from_fork_asm+0x1a/0x30
+[ 1136.150915]  </TASK>
+
+Fixes: 19fce0470f05 ("nvme-fc: avoid calling _nvme_fc_abort_outstanding_ios from interrupt context")
+Cc: stable@vger.kernel.org
+Tested-by: Marco Patalano <mpatalan@redhat.com>
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -3247,7 +3247,6 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ {
+       struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl);
+-      cancel_work_sync(&ctrl->ioerr_work);
+       cancel_delayed_work_sync(&ctrl->connect_work);
+       /*
+@@ -3255,6 +3254,7 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+        * waiting for io to terminate
+        */
+       nvme_fc_delete_association(ctrl);
++      cancel_work_sync(&ctrl->ioerr_work);
+       if (ctrl->ctrl.tagset)
+               nvme_remove_io_tag_set(&ctrl->ctrl);
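Review bot: The new position of `cancel_work_sync(&ctrl->ioerr_work)` in nvme_fc_delete_ctrl() is what keeps the work item from outliving the nvme_fc_ctrl object, but nothing in the code records that the ordering matters. A later reshuffle of this teardown sequence could silently bring back the workqueue list corruption shown in the commit message. I would add a comment directly above the call, for example `/* ->ioerr_work can still be queued by failing I/O until the association is gone; cancel only after nvme_fc_delete_association() */`. The context lines already show the I/O tag-set removal below the call, so this patch depends on the tagset-move patch being applied first; the series file lists them in that order. The end of the function lies outside the hunk.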
diff --git a/queue-6.12/nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch b/queue-6.12/nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch
new file mode 100644 (file)
index 0000000..5627898
--- /dev/null
@@ -0,0 +1,78 @@
+From ea3442efabd0aa3930c5bab73c3901ef38ef6ac3 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Mon, 10 Nov 2025 16:20:00 -0500
+Subject: nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl()
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+commit ea3442efabd0aa3930c5bab73c3901ef38ef6ac3 upstream.
+
+Now target is removed from nvme_fc_ctrl_free() which is the ctrl->ref
+release handler. And even admin queue is unquiesced there, this way
+is definitely wrong because the ctr->ref is grabbed when submitting
+command.
+
+And Marco observed that nvme_fc_ctrl_free() can be called from request
+completion code path, and trigger kernel warning since request completes
+from softirq context.
+
+Fix the issue by moveing target removal into nvme_fc_delete_ctrl(),
+which is also aligned with nvme-tcp and nvme-rdma.
+
+Patch originally proposed by Ming Lei, then modified to move the tagset
+removal down to after nvme_fc_delete_association() after further testing.
+
+Cc: Marco Patalano <mpatalan@redhat.com>
+Cc: Ewan Milne <emilne@redhat.com>
+Cc: James Smart <james.smart@broadcom.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Cc: stable@vger.kernel.org
+Tested-by: Marco Patalano <mpatalan@redhat.com>
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -2349,17 +2349,11 @@ nvme_fc_ctrl_free(struct kref *ref)
+               container_of(ref, struct nvme_fc_ctrl, ref);
+       unsigned long flags;
+-      if (ctrl->ctrl.tagset)
+-              nvme_remove_io_tag_set(&ctrl->ctrl);
+-
+       /* remove from rport list */
+       spin_lock_irqsave(&ctrl->rport->lock, flags);
+       list_del(&ctrl->ctrl_list);
+       spin_unlock_irqrestore(&ctrl->rport->lock, flags);
+-      nvme_unquiesce_admin_queue(&ctrl->ctrl);
+-      nvme_remove_admin_tag_set(&ctrl->ctrl);
+-
+       kfree(ctrl->queues);
+       put_device(ctrl->dev);
+@@ -3255,11 +3249,18 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+       cancel_work_sync(&ctrl->ioerr_work);
+       cancel_delayed_work_sync(&ctrl->connect_work);
++
+       /*
+        * kill the association on the link side.  this will block
+        * waiting for io to terminate
+        */
+       nvme_fc_delete_association(ctrl);
++
++      if (ctrl->ctrl.tagset)
++              nvme_remove_io_tag_set(&ctrl->ctrl);
++
++      nvme_unquiesce_admin_queue(&ctrl->ctrl);
++      nvme_remove_admin_tag_set(&ctrl->ctrl);
+ }
+ static void
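Review bot: With `nvme_unquiesce_admin_queue()` and `nvme_remove_admin_tag_set()` moved out of nvme_fc_ctrl_free() into nvme_fc_delete_ctrl(), any path that drops the last controller reference without going through nvme_fc_delete_ctrl() no longer releases the admin tag set. Controller-creation failure paths are the likely candidates, but they are outside these hunks, so this needs checking against the rest of fc.c in the 6.12 tree. If such a path exists, it needs its own `nvme_remove_admin_tag_set(&ctrl->ctrl);` before the final put. Separately, the I/O tag set is guarded by `if (ctrl->ctrl.tagset)` while the admin tag set is removed unconditionally; a short comment saying why the admin set is always present at this point would make the asymmetry reviewable.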
diff --git a/queue-6.12/scsi-sg-do-not-sleep-in-atomic-context.patch b/queue-6.12/scsi-sg-do-not-sleep-in-atomic-context.patch
new file mode 100644 (file)
index 0000000..6cc69c3
--- /dev/null
@@ -0,0 +1,47 @@
+From 90449f2d1e1f020835cba5417234636937dd657e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 13 Nov 2025 10:16:43 -0800
+Subject: scsi: sg: Do not sleep in atomic context
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 90449f2d1e1f020835cba5417234636937dd657e upstream.
+
+sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may
+sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead
+of disabled.
+
+Reported-by: syzbot+c01f8e6e73f20459912e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google.com/
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: stable@vger.kernel.org
+Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sg.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2210,9 +2210,17 @@ sg_remove_sfp_usercontext(struct work_st
+       write_lock_irqsave(&sfp->rq_list_lock, iflags);
+       while (!list_empty(&sfp->rq_list)) {
+               srp = list_first_entry(&sfp->rq_list, Sg_request, entry);
+-              sg_finish_rem_req(srp);
+               list_del(&srp->entry);
++              write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
++
++              sg_finish_rem_req(srp);
++              /*
++               * sg_rq_end_io() uses srp->parentfp. Hence, only clear
++               * srp->parentfp after blk_mq_free_request() has been called.
++               */
+               srp->parentfp = NULL;
++
++              write_lock_irqsave(&sfp->rq_list_lock, iflags);
+       }
+       write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
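Review bot: In the loop of sg_remove_sfp_usercontext(), `sg_finish_rem_req(srp)` and the write to `srp->parentfp` now run with `rq_list_lock` dropped. Their safety rests on `list_del(&srp->entry)` having made `srp` unreachable to every other lock holder, which the added comment does not state. I would extend it with something like `/* srp is off rq_list here, so no other path can look it up while the lock is dropped */`. It is also worth confirming that no other code keeps an `Sg_request` pointer taken from the list across an unlock, since that would turn the unlocked window into a use-after-free; those callers are not visible in this hunk. The function begins and ends outside the hunk.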
diff --git a/queue-6.12/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch b/queue-6.12/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
new file mode 100644 (file)
index 0000000..5692dca
--- /dev/null
@@ -0,0 +1,55 @@
+From e6965188f84a7883e6a0d3448e86b0cf29b24dfc Mon Sep 17 00:00:00 2001
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Date: Wed, 5 Nov 2025 11:25:46 -0800
+Subject: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
+
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+
+commit e6965188f84a7883e6a0d3448e86b0cf29b24dfc upstream.
+
+If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
+attempt to dereference it in tcm_loop_tpg_address_show() we will get a
+segfault, see below for an example. So, check tl_hba->sh before
+dereferencing it.
+
+  Unable to allocate struct scsi_host
+  BUG: kernel NULL pointer dereference, address: 0000000000000194
+  #PF: supervisor read access in kernel mode
+  #PF: error_code(0x0000) - not-present page
+  PGD 0 P4D 0
+  Oops: 0000 [#1] PREEMPT SMP NOPTI
+  CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
+  Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
+  RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
+...
+  Call Trace:
+   <TASK>
+   configfs_read_iter+0x12d/0x1d0 [configfs]
+   vfs_read+0x1b5/0x300
+   ksys_read+0x6f/0xf0
+...
+
+Cc: stable@vger.kernel.org
+Fixes: 2628b352c3d4 ("tcm_loop: Show address of tpg in configfs")
+Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Allen Pais <apais@linux.microsoft.com>
+Link: https://patch.msgid.link/1762370746-6304-1-git-send-email-hamzamahfooz@linux.microsoft.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/loopback/tcm_loop.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/target/loopback/tcm_loop.c
++++ b/drivers/target/loopback/tcm_loop.c
+@@ -893,6 +893,9 @@ static ssize_t tcm_loop_tpg_address_show
+                       struct tcm_loop_tpg, tl_se_tpg);
+       struct tcm_loop_hba *tl_hba = tl_tpg->tl_hba;
++      if (!tl_hba->sh)
++              return -ENODEV;
++
+       return snprintf(page, PAGE_SIZE, "%d:0:%d\n",
+                       tl_hba->sh->host_no, tl_tpg->tl_tpgt);
+ }
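Review bot: The added `if (!tl_hba->sh) return -ENODEV;` guards only tcm_loop_tpg_address_show(), so the underlying state is left in place: per the commit message, `sh` stays NULL after a failed allocation in tcm_loop_driver_probe() while the TPG is still readable through configfs. Any other dereference of `tl_hba->sh` reachable from userspace would fault the same way. Those sites are outside this hunk and should be audited, or the probe failure handled so that the attribute is never exposed in that state. A one-line comment on the check, e.g. `/* sh is NULL if tcm_loop_driver_probe() could not allocate the SCSI host */`, would record why it is needed. The start of the function is outside the hunk.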
index 91390ca831470b198c964989f8102072bf98152e..a3c76df299314e5621fe8f2981cf7be7c4f60a93 100644 (file)
@@ -20,3 +20,17 @@ ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch
 be2net-pass-wrb_params-in-case-of-os2bmc.patch
 net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch
 revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch
+input-cros_ec_keyb-fix-an-invalid-memory-access.patch
+input-goodix-add-support-for-acpi-id-gdix1003.patch
+input-imx_sc_key-fix-memory-corruption-on-unload.patch
+input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch
+mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
+nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch
+nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch
+nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+scsi-sg-do-not-sleep-in-atomic-context.patch
+scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
+mips-malta-fix-eva-soc-it-pci-mmio.patch
+dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
+loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch
+mptcp-fix-race-condition-in-mptcp_schedule_work.patch