6.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jan 2026 13:32:03 +0000 (14:32 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jan 2026 13:32:03 +0000 (14:32 +0100)
added patches:
alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch
alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch
alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch
arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch
arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch
arm64-fpsimd-signal-fix-restoration-of-sve-context.patch
arm64-set-__nocfi-on-swsusp_arch_resume.patch
can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch
can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch
can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch
can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch
drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch
drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch
drm-xe-adjust-page-count-tracepoints-in-shrinker.patch
drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch
gpio-cdev-correct-return-code-on-memory-allocation-failure.patch
gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch
gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch
iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch
iio-accel-iis328dq-fix-gain-values.patch
iio-adc-ad9467-fix-ad9434-vref-mask.patch
iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch
iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch
iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch
iio-chemical-scd4x-fix-reported-channel-endianness.patch
iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch
iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch
intel_th-fix-device-leak-on-output-open.patch
iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch
irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch
ksmbd-smbd-fix-dma_unmap_sg-nents.patch
leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch
mei-trace-treat-reg-parameter-as-string.patch
migrate-correct-lock-ordering-for-hugetlb-file-folios.patch
mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch
mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch
net-fec-account-for-vlan-header-in-frame-length-calculations.patch
net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch
net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch
netrom-fix-double-free-in-nr_route_frame.patch
octeontx2-fix-otx2_dma_map_page-error-return-code.patch
of-fix-reference-count-leak-in-of_alias_scan.patch
of-platform-use-default-match-table-for-firmware.patch
panic-only-warn-about-deprecated-panic_print-on-write-access.patch
perf-x86-intel-do-not-enable-bts-for-guests.patch
platform-x86-hp-bioscfg-fix-automatic-module-loading.patch
pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch
pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch
rust-io-always-inline-functions-using-build_assert-with-arguments.patch
rust-irq-always-inline-functions-using-build_assert-with-arguments.patch
rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch
s390-ap-fix-wrong-apqn-fill-calculation.patch
s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch
slimbus-core-fix-device-reference-leak-on-report-present.patch
slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch
tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch
uacce-ensure-safe-queue-release-with-state-management.patch
uacce-fix-cdev-handling-in-the-cleanup-path.patch
uacce-fix-isolate-sysfs-check-condition.patch
uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch
wifi-ath10k-fix-dma_free_coherent-pointer.patch
wifi-ath12k-fix-dma_free_coherent-pointer.patch
wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch
wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch

68 files changed:
queue-6.18/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch [new file with mode: 0644]
queue-6.18/alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch [new file with mode: 0644]
queue-6.18/alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch [new file with mode: 0644]
queue-6.18/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch [new file with mode: 0644]
queue-6.18/arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch [new file with mode: 0644]
queue-6.18/arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch [new file with mode: 0644]
queue-6.18/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch [new file with mode: 0644]
queue-6.18/arm64-set-__nocfi-on-swsusp_arch_resume.patch [new file with mode: 0644]
queue-6.18/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch [new file with mode: 0644]
queue-6.18/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch [new file with mode: 0644]
queue-6.18/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch [new file with mode: 0644]
queue-6.18/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch [new file with mode: 0644]
queue-6.18/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch [new file with mode: 0644]
queue-6.18/drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch [new file with mode: 0644]
queue-6.18/drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch [new file with mode: 0644]
queue-6.18/drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch [new file with mode: 0644]
queue-6.18/drm-xe-adjust-page-count-tracepoints-in-shrinker.patch [new file with mode: 0644]
queue-6.18/drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch [new file with mode: 0644]
queue-6.18/gpio-cdev-correct-return-code-on-memory-allocation-failure.patch [new file with mode: 0644]
queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch [new file with mode: 0644]
queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch [new file with mode: 0644]
queue-6.18/iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch [new file with mode: 0644]
queue-6.18/iio-accel-iis328dq-fix-gain-values.patch [new file with mode: 0644]
queue-6.18/iio-adc-ad9467-fix-ad9434-vref-mask.patch [new file with mode: 0644]
queue-6.18/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch [new file with mode: 0644]
queue-6.18/iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch [new file with mode: 0644]
queue-6.18/iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch [new file with mode: 0644]
queue-6.18/iio-chemical-scd4x-fix-reported-channel-endianness.patch [new file with mode: 0644]
queue-6.18/iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch [new file with mode: 0644]
queue-6.18/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch [new file with mode: 0644]
queue-6.18/intel_th-fix-device-leak-on-output-open.patch [new file with mode: 0644]
queue-6.18/iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch [new file with mode: 0644]
queue-6.18/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch [new file with mode: 0644]
queue-6.18/ksmbd-smbd-fix-dma_unmap_sg-nents.patch [new file with mode: 0644]
queue-6.18/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch [new file with mode: 0644]
queue-6.18/mei-trace-treat-reg-parameter-as-string.patch [new file with mode: 0644]
queue-6.18/migrate-correct-lock-ordering-for-hugetlb-file-folios.patch [new file with mode: 0644]
queue-6.18/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch [new file with mode: 0644]
queue-6.18/mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch [new file with mode: 0644]
queue-6.18/net-fec-account-for-vlan-header-in-frame-length-calculations.patch [new file with mode: 0644]
queue-6.18/net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch [new file with mode: 0644]
queue-6.18/net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch [new file with mode: 0644]
queue-6.18/netrom-fix-double-free-in-nr_route_frame.patch [new file with mode: 0644]
queue-6.18/octeontx2-fix-otx2_dma_map_page-error-return-code.patch [new file with mode: 0644]
queue-6.18/of-fix-reference-count-leak-in-of_alias_scan.patch [new file with mode: 0644]
queue-6.18/of-platform-use-default-match-table-for-firmware.patch [new file with mode: 0644]
queue-6.18/panic-only-warn-about-deprecated-panic_print-on-write-access.patch [new file with mode: 0644]
queue-6.18/perf-x86-intel-do-not-enable-bts-for-guests.patch [new file with mode: 0644]
queue-6.18/platform-x86-hp-bioscfg-fix-automatic-module-loading.patch [new file with mode: 0644]
queue-6.18/pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch [new file with mode: 0644]
queue-6.18/pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch [new file with mode: 0644]
queue-6.18/rust-io-always-inline-functions-using-build_assert-with-arguments.patch [new file with mode: 0644]
queue-6.18/rust-irq-always-inline-functions-using-build_assert-with-arguments.patch [new file with mode: 0644]
queue-6.18/rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch [new file with mode: 0644]
queue-6.18/s390-ap-fix-wrong-apqn-fill-calculation.patch [new file with mode: 0644]
queue-6.18/s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch [new file with mode: 0644]
queue-6.18/series
queue-6.18/slimbus-core-fix-device-reference-leak-on-report-present.patch [new file with mode: 0644]
queue-6.18/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch [new file with mode: 0644]
queue-6.18/tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch [new file with mode: 0644]
queue-6.18/uacce-ensure-safe-queue-release-with-state-management.patch [new file with mode: 0644]
queue-6.18/uacce-fix-cdev-handling-in-the-cleanup-path.patch [new file with mode: 0644]
queue-6.18/uacce-fix-isolate-sysfs-check-condition.patch [new file with mode: 0644]
queue-6.18/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch [new file with mode: 0644]
queue-6.18/wifi-ath10k-fix-dma_free_coherent-pointer.patch [new file with mode: 0644]
queue-6.18/wifi-ath12k-fix-dma_free_coherent-pointer.patch [new file with mode: 0644]
queue-6.18/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch [new file with mode: 0644]
queue-6.18/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch [new file with mode: 0644]

diff --git a/queue-6.18/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch b/queue-6.18/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
new file mode 100644 (file)
index 0000000..19d2c2b
--- /dev/null
@@ -0,0 +1,54 @@
+From 61006c540cbdedea83b05577dc7fb7fa18fe1276 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 19 Jan 2026 14:32:07 +0100
+Subject: ALSA: ctxfi: Fix potential OOB access in audio mixer handling
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 61006c540cbdedea83b05577dc7fb7fa18fe1276 upstream.
+
+In the audio mixer handling code of ctxfi driver, the conf field is
+used as a kind of loop index, and it's referred in the index callbacks
+(amixer_index() and sum_index()).
+
+As spotted recently by fuzzers, the current code causes OOB access at
+those functions.
+| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48
+| index 8 is out of range for type 'unsigned char [8]'
+
+After the analysis, the cause was found to be the lack of the proper
+(re-)initialization of conj field.
+
+This patch addresses those OOB accesses by adding the proper
+initializations of the loop indices.
+
+Reported-by: Salvatore Bonaccorso <carnil@debian.org>
+Tested-by: Karsten Hohmeier <linux@hohmatik.de>
+Closes: https://bugs.debian.org/1121535
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/all/aSk8KJI35H7gFru6@eldamar.lan/
+Link: https://patch.msgid.link/20260119133212.189129-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/ctxfi/ctamixer.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/ctxfi/ctamixer.c
++++ b/sound/pci/ctxfi/ctamixer.c
+@@ -205,6 +205,7 @@ static int amixer_rsc_init(struct amixer
+       /* Set amixer specific operations */
+       amixer->rsc.ops = &amixer_basic_rsc_ops;
++      amixer->rsc.conj = 0;
+       amixer->ops = &amixer_ops;
+       amixer->input = NULL;
+       amixer->sum = NULL;
+@@ -367,6 +368,7 @@ static int sum_rsc_init(struct sum *sum,
+               return err;
+       sum->rsc.ops = &sum_basic_rsc_ops;
++      sum->rsc.conj = 0;
+       return 0;
+ }
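Review bot: The two added `rsc.conj = 0;` assignments in amixer_rsc_init() and sum_rsc_init() have no comment explaining why an init path must reset this field, although the commit text says conj serves as a loop index read by amixer_index() and sum_index(). A one-line comment above each, such as `/* conj is the loop index read by the index callbacks; always start from 0 */`, would keep that invariant visible to the next person touching the init code. The index callbacks themselves are outside these hunks; since the quoted UBSAN report shows the index reaching 8 on an 8-entry array, it is worth confirming whether they should also reject an out-of-range conj rather than relying only on initialisation. Both function bodies start outside the hunks shown.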
diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch
new file mode 100644 (file)
index 0000000..9e1b1c7
--- /dev/null
@@ -0,0 +1,32 @@
+From c45385ed624eecc5305ff165e1ac5dfa7548bcd5 Mon Sep 17 00:00:00 2001
+From: Zhang Heng <zhangheng@kylinos.cn>
+Date: Thu, 22 Jan 2026 16:52:40 +0800
+Subject: ALSA: hda/realtek: Add quirk for Samsung 730QED to fix headphone
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+commit c45385ed624eecc5305ff165e1ac5dfa7548bcd5 upstream.
+
+After applying this quirk for the ALC256 audio codec, the headphone
+audio path functions normally; otherwise, headphones produce no sound.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220574
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260122085240.3163975-1-zhangheng@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6906,6 +6906,7 @@ static const struct hda_quirk alc269_fix
+       SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc832, "Samsung Galaxy Book Flex Alpha (NP730QCJ)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
++      SND_PCI_QUIRK(0x144d, 0xc876, "Samsung 730QED (NP730QED-KA2US)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
+       SND_PCI_QUIRK(0x144d, 0xca03, "Samsung Galaxy Book2 Pro 360 (NP930QED)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xca06, "Samsung Galaxy Book3 360 (NP730QFG)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
+       SND_PCI_QUIRK(0x144d, 0xc868, "Samsung Galaxy Book2 Pro (NP930XED)", ALC298_FIXUP_SAMSUNG_AMP),
diff --git a/queue-6.18/alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch b/queue-6.18/alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch
new file mode 100644 (file)
index 0000000..c4b4b6d
--- /dev/null
@@ -0,0 +1,51 @@
+From 6f5c69f72e50d51be3a8c028ae7eda42c82902cb Mon Sep 17 00:00:00 2001
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Date: Fri, 16 Jan 2026 17:27:06 -0800
+Subject: ALSA: scarlett2: Fix buffer overflow in config retrieval
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+commit 6f5c69f72e50d51be3a8c028ae7eda42c82902cb upstream.
+
+The scarlett2_usb_get_config() function has a logic error in the
+endianness conversion code that can cause buffer overflows when
+count > 1.
+
+The code checks `if (size == 2)` where `size` is the total buffer size in
+bytes, then loops `count` times treating each element as u16 (2 bytes).
+This causes the loop to access `count * 2` bytes when the buffer only
+has `size` bytes allocated.
+
+Fix by checking the element size (config_item->size) instead of the
+total buffer size. This ensures the endianness conversion matches the
+actual element type.
+
+Fixes: ac34df733d2d ("ALSA: usb-audio: scarlett2: Update get_config to do endian conversion")
+Cc: stable@vger.kernel.org
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Link: https://patch.msgid.link/20260117012706.1715574-1-samasth.norway.ananda@oracle.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_scarlett2.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/mixer_scarlett2.c
++++ b/sound/usb/mixer_scarlett2.c
+@@ -2533,13 +2533,13 @@ static int scarlett2_usb_get_config(
+               err = scarlett2_usb_get(mixer, config_item->offset, buf, size);
+               if (err < 0)
+                       return err;
+-              if (size == 2) {
++              if (config_item->size == 16) {
+                       u16 *buf_16 = buf;
+                       for (i = 0; i < count; i++, buf_16++)
+                               *buf_16 = le16_to_cpu(*(__le16 *)buf_16);
+-              } else if (size == 4) {
+-                      u32 *buf_32 = buf;
++              } else if (config_item->size == 32) {
++                      u32 *buf_32 = (u32 *)buf;
+                       for (i = 0; i < count; i++, buf_32++)
+                               *buf_32 = le32_to_cpu(*(__le32 *)buf_32);
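Review bot: The new tests `config_item->size == 16` and `config_item->size == 32` use bare numbers in a different unit from the byte count `size` passed to scarlett2_usb_get() a few lines above, which is the confusion that caused the bug. Judging from the commit text these are element widths in bits, so a comment such as `/* config_item->size is the element width in bits, not the buffer size in bytes */` before the `if` would guard against the mix-up returning. The 32-bit branch now reads `u32 *buf_32 = (u32 *)buf;` while the 16-bit branch keeps `u16 *buf_16 = buf;`; the cast appears unnecessary given that the 16-bit assignment works without one, and the two branches should be written the same way. Both loops still rely on `count` elements fitting in `buf`, and the computation of `size` is outside the hunk, so that relationship cannot be checked here.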
diff --git a/queue-6.18/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch b/queue-6.18/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch
new file mode 100644 (file)
index 0000000..feed654
--- /dev/null
@@ -0,0 +1,65 @@
+From 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 Mon Sep 17 00:00:00 2001
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+Date: Tue, 20 Jan 2026 13:28:55 +0300
+Subject: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
+
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+
+commit 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 upstream.
+
+When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees
+mixer->id_elems but the controls already added to the card still
+reference the freed memory. Later when snd_card_register() runs,
+the OSS mixer layer calls their callbacks and hits a use-after-free read.
+
+Call trace:
+  get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411
+  get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241
+  mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381
+  snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887
+  ...
+  snd_card_register+0x4ed/0x6d0 sound/core/init.c:923
+  usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025
+
+Fix by calling snd_ctl_remove() for all mixer controls before freeing
+id_elems. We save the next pointer first because snd_ctl_remove()
+frees the current element.
+
+Fixes: 6639b6c2367f ("[ALSA] usb-audio - add mixer control notifications")
+Cc: stable@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
+Link: https://patch.msgid.link/20260120102855.7300-1-berkcgoksel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2945,10 +2945,23 @@ static int parse_audio_unit(struct mixer
+ static void snd_usb_mixer_free(struct usb_mixer_interface *mixer)
+ {
++      struct usb_mixer_elem_list *list, *next;
++      int id;
++
+       /* kill pending URBs */
+       snd_usb_mixer_disconnect(mixer);
+-      kfree(mixer->id_elems);
++      /* Unregister controls first, snd_ctl_remove() frees the element */
++      if (mixer->id_elems) {
++              for (id = 0; id < MAX_ID_ELEMS; id++) {
++                      for (list = mixer->id_elems[id]; list; list = next) {
++                              next = list->next_id_elem;
++                              if (list->kctl)
++                                      snd_ctl_remove(mixer->chip->card, list->kctl);
++                      }
++              }
++              kfree(mixer->id_elems);
++      }
+       if (mixer->urb) {
+               kfree(mixer->urb->transfer_buffer);
+               usb_free_urb(mixer->urb);
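Review bot: The new loop in snd_usb_mixer_free() discards the return value of `snd_ctl_remove(mixer->chip->card, list->kctl)` and silently skips entries whose `kctl` is NULL, and neither choice is explained. If removal can fail, the control would keep pointing at memory released by the following `kfree(mixer->id_elems)`, so a short comment on why failure cannot happen here, or a warning on a non-zero return, would help. The existing comment `/* Unregister controls first, snd_ctl_remove() frees the element */` would sit better next to `next = list->next_id_elem;`, since that is the line it justifies. The loop also assumes every entry chained from `id_elems` is still live when this function runs. Its callers are outside the hunk, so please confirm that holds on the ordinary teardown path as well as on the snd_usb_create_mixer() failure path named in the commit text.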
diff --git a/queue-6.18/arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch b/queue-6.18/arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch
new file mode 100644 (file)
index 0000000..c0ddba0
--- /dev/null
@@ -0,0 +1,93 @@
+From 128a7494a9f15aad60cc6b7e3546bf481ac54a13 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 20 Jan 2026 14:51:05 +0000
+Subject: arm64/fpsimd: ptrace: Fix SVE writes on !SME systems
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 128a7494a9f15aad60cc6b7e3546bf481ac54a13 upstream.
+
+When SVE is supported but SME is not supported, a ptrace write to the
+NT_ARM_SVE regset can place the tracee into an invalid state where
+(non-streaming) SVE register data is stored in FP_STATE_SVE format but
+TIF_SVE is clear. This can result in a later warning from
+fpsimd_restore_current_state(), e.g.
+
+  WARNING: CPU: 0 PID: 7214 at arch/arm64/kernel/fpsimd.c:383 fpsimd_restore_current_state+0x50c/0x748
+
+When this happens, fpsimd_restore_current_state() will set TIF_SVE,
+placing the task into the correct state. This occurs before any other
+check of TIF_SVE can possibly occur, as other checks of TIF_SVE only
+happen while the FPSIMD/SVE/SME state is live. Thus, aside from the
+warning, there is no functional issue.
+
+This bug was introduced during rework to error handling in commit:
+
+  9f8bf718f2923 ("arm64/fpsimd: ptrace: Gracefully handle errors")
+
+... where the setting of TIF_SVE was moved into a block which is only
+executed when system_supports_sme() is true.
+
+Fix this by removing the system_supports_sme() check. This ensures that
+TIF_SVE is set for (SVE-formatted) writes to NT_ARM_SVE, at the cost of
+unconditionally manipulating the tracee's saved svcr value. The
+manipulation of svcr is benign and inexpensive, and we already do
+similar elsewhere (e.g. during signal handling), so I don't think it's
+worth guarding this with system_supports_sme() checks.
+
+Aside from the above, there is no functional change. The 'type' argument
+to sve_set_common() is only set to ARM64_VEC_SME (in ssve_set())) when
+system_supports_sme(), so the ARM64_VEC_SME case in the switch statement
+is still unreachable when !system_supports_sme(). When
+CONFIG_ARM64_SME=n, the only caller of sve_set_common() is sve_set(),
+and the compiler can constant-fold for the case where type is
+ARM64_VEC_SVE, removing the logic for other cases.
+
+Reported-by: syzbot+d4ab35af21e99d07ce67@syzkaller.appspotmail.com
+Fixes: 9f8bf718f292 ("arm64/fpsimd: ptrace: Gracefully handle errors")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: <stable@vger.kernel.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/ptrace.c |   26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -942,20 +942,18 @@ static int sve_set_common(struct task_st
+       vq = sve_vq_from_vl(task_get_vl(target, type));
+       /* Enter/exit streaming mode */
+-      if (system_supports_sme()) {
+-              switch (type) {
+-              case ARM64_VEC_SVE:
+-                      target->thread.svcr &= ~SVCR_SM_MASK;
+-                      set_tsk_thread_flag(target, TIF_SVE);
+-                      break;
+-              case ARM64_VEC_SME:
+-                      target->thread.svcr |= SVCR_SM_MASK;
+-                      set_tsk_thread_flag(target, TIF_SME);
+-                      break;
+-              default:
+-                      WARN_ON_ONCE(1);
+-                      return -EINVAL;
+-              }
++      switch (type) {
++      case ARM64_VEC_SVE:
++              target->thread.svcr &= ~SVCR_SM_MASK;
++              set_tsk_thread_flag(target, TIF_SVE);
++              break;
++      case ARM64_VEC_SME:
++              target->thread.svcr |= SVCR_SM_MASK;
++              set_tsk_thread_flag(target, TIF_SME);
++              break;
++      default:
++              WARN_ON_ONCE(1);
++              return -EINVAL;
+       }
+       /* Always zero V regs, FPSR, and FPCR */
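Review bot: The retained comment `/* Enter/exit streaming mode */` above the now-unconditional `switch (type)` in sve_set_common() no longer describes everything the block does, because on systems without SME it is also what sets TIF_SVE. The commit text spells out that the ARM64_VEC_SME case stays unreachable when !system_supports_sme() and that touching `svcr` there is benign, but none of that is recorded in the code. I would extend the comment to something like `/* Enter/exit streaming mode and set the matching TIF flag; ARM64_VEC_SME is only passed when SME is supported */` so nobody reintroduces the guard later. The rest of sve_set_common() is outside the hunk.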
diff --git a/queue-6.18/arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch b/queue-6.18/arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch
new file mode 100644 (file)
index 0000000..2759ced
--- /dev/null
@@ -0,0 +1,98 @@
+From ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 20 Jan 2026 14:51:06 +0000
+Subject: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 upstream.
+
+The code to restore a ZA context doesn't attempt to allocate the task's
+sve_state before setting TIF_SME. Consequently, restoring a ZA context
+can place a task into an invalid state where TIF_SME is set but the
+task's sve_state is NULL.
+
+In legitimate but uncommon cases where the ZA signal context was NOT
+created by the kernel in the context of the same task (e.g. if the task
+is saved/restored with something like CRIU), we have no guarantee that
+sve_state had been allocated previously. In these cases, userspace can
+enter streaming mode without trapping while sve_state is NULL, causing a
+later NULL pointer dereference when the kernel attempts to store the
+register state:
+
+| # ./sigreturn-za
+| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+| Mem abort info:
+|   ESR = 0x0000000096000046
+|   EC = 0x25: DABT (current EL), IL = 32 bits
+|   SET = 0, FnV = 0
+|   EA = 0, S1PTW = 0
+|   FSC = 0x06: level 2 translation fault
+| Data abort info:
+|   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
+|   CM = 0, WnR = 1, TnD = 0, TagAccess = 0
+|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00
+| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000
+| Internal error: Oops: 0000000096000046 [#1]  SMP
+| Modules linked in:
+| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT
+| Hardware name: linux,dummy-virt (DT)
+| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+| pc : sve_save_state+0x4/0xf0
+| lr : fpsimd_save_user_state+0xb0/0x1c0
+| sp : ffff80008070bcc0
+| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658
+| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000
+| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40
+| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000
+| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c
+| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020
+| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0
+| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48
+| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000
+| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440
+| Call trace:
+|  sve_save_state+0x4/0xf0 (P)
+|  fpsimd_thread_switch+0x48/0x198
+|  __switch_to+0x20/0x1c0
+|  __schedule+0x36c/0xce0
+|  schedule+0x34/0x11c
+|  exit_to_user_mode_loop+0x124/0x188
+|  el0_interrupt+0xc8/0xd8
+|  __el0_irq_handler_common+0x18/0x24
+|  el0t_64_irq_handler+0x10/0x1c
+|  el0t_64_irq+0x198/0x19c
+| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)
+| ---[ end trace 0000000000000000 ]---
+
+Fix this by having restore_za_context() ensure that the task's sve_state
+is allocated, matching what we do when taking an SME trap. Any live
+SVE/SSVE state (which is restored earlier from a separate signal
+context) must be preserved, and hence this is not zeroed.
+
+Fixes: 39782210eb7e ("arm64/sme: Implement ZA signal handling")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: <stable@vger.kernel.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/signal.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/kernel/signal.c
++++ b/arch/arm64/kernel/signal.c
+@@ -576,6 +576,10 @@ static int restore_za_context(struct use
+       if (user->za_size < ZA_SIG_CONTEXT_SIZE(vq))
+               return -EINVAL;
++      sve_alloc(current, false);
++      if (!current->thread.sve_state)
++              return -ENOMEM;
++
+       sme_alloc(current, true);
+       if (!current->thread.sme_state) {
+               current->thread.svcr &= ~SVCR_ZA_MASK;
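Review bot: The added `sve_alloc(current, false);` in restore_za_context() passes `false` where the sme_alloc() call just below passes `true`, and nothing in the code says why the two differ. The commit text explains that live SVE/SSVE state restored earlier from a separate signal context must be preserved, so a comment such as `/* Do not zero: SVE/SSVE state restored earlier must be preserved */` above the call would make that deliberate. The new `return -ENOMEM;` also leaves early without the cleanup that the sme_alloc() failure branch begins with `current->thread.svcr &= ~SVCR_ZA_MASK;`. That is probably right because ZA has not been enabled at that point, but the rest of the branch and of the function is outside the hunk, so it is worth a sentence in the comment or a check by the author.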
diff --git a/queue-6.18/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch b/queue-6.18/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch
new file mode 100644 (file)
index 0000000..eb73064
--- /dev/null
@@ -0,0 +1,131 @@
+From d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 20 Jan 2026 14:51:07 +0000
+Subject: arm64/fpsimd: signal: Fix restoration of SVE context
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 upstream.
+
+When SME is supported, Restoring SVE signal context can go wrong in a
+few ways, including placing the task into an invalid state where the
+kernel may read from out-of-bounds memory (and may potentially take a
+fatal fault) and/or may kill the task with a SIGKILL.
+
+(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into
+    an invalid state where SVCR.SM is set (and sve_state is non-NULL)
+    but TIF_SME is clear, consequently resuting in out-of-bounds memory
+    reads and/or killing the task with SIGKILL.
+
+    This can only occur in unusual (but legitimate) cases where the SVE
+    signal context has either been modified by userspace or was saved in
+    the context of another task (e.g. as with CRIU), as otherwise the
+    presence of an SVE signal context with SVE_SIG_FLAG_SM implies that
+    TIF_SME is already set.
+
+    While in this state, task_fpsimd_load() will NOT configure SMCR_ELx
+    (leaving some arbitrary value configured in hardware) before
+    restoring SVCR and attempting to restore the streaming mode SVE
+    registers from memory via sve_load_state(). As the value of
+    SMCR_ELx.LEN may be larger than the task's streaming SVE vector
+    length, this may read memory outside of the task's allocated
+    sve_state, reading unrelated data and/or triggering a fault.
+
+    While this can result in secrets being loaded into streaming SVE
+    registers, these values are never exposed. As TIF_SME is clear,
+    fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0
+    accesses to streaming mode SVE registers, so these cannot be
+    accessed directly at EL0. As fpsimd_save_user_state() verifies the
+    live vector length before saving (S)SVE state to memory, no secret
+    values can be saved back to memory (and hence cannot be observed via
+    ptrace, signals, etc).
+
+    When the live vector length doesn't match the expected vector length
+    for the task, fpsimd_save_user_state() will send a fatal SIGKILL
+    signal to the task. Hence the task may be killed after executing
+    userspace for some period of time.
+
+(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the
+    task's SVCR.SM. If SVCR.SM was set prior to restoring the context,
+    then the task will be left in streaming mode unexpectedly, and some
+    register state will be combined inconsistently, though the task will
+    be left in legitimate state from the kernel's PoV.
+
+    This can only occur in unusual (but legitimate) cases where ptrace
+    has been used to set SVCR.SM after entry to the sigreturn syscall,
+    as syscall entry clears SVCR.SM.
+
+    In these cases, the the provided SVE register data will be loaded
+    into the task's sve_state using the non-streaming SVE vector length
+    and the FPSIMD registers will be merged into this using the
+    streaming SVE vector length.
+
+Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires
+ensuring that the task's sme_state has been allocated, but as this could
+contain live ZA state, it should not be zeroed. Fix (2) by clearing
+SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear.
+
+For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME,
+and fp_type earlier, immediately after the allocation of
+sve_state/sme_state, before the restore of the actual register state.
+This makes it easier to ensure that these are always modified
+consistently, even if a fault is taken while reading the register data
+from the signal context. I do not expect any software to depend on the
+exact state restored when a fault is taken while reading the context.
+
+Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: <stable@vger.kernel.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/signal.c |   22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/kernel/signal.c
++++ b/arch/arm64/kernel/signal.c
+@@ -449,12 +449,28 @@ static int restore_sve_fpsimd_context(st
+       if (user->sve_size < SVE_SIG_CONTEXT_SIZE(vq))
+               return -EINVAL;
++      if (sm) {
++              sme_alloc(current, false);
++              if (!current->thread.sme_state)
++                      return -ENOMEM;
++      }
++
+       sve_alloc(current, true);
+       if (!current->thread.sve_state) {
+               clear_thread_flag(TIF_SVE);
+               return -ENOMEM;
+       }
++      if (sm) {
++              current->thread.svcr |= SVCR_SM_MASK;
++              set_thread_flag(TIF_SME);
++      } else {
++              current->thread.svcr &= ~SVCR_SM_MASK;
++              set_thread_flag(TIF_SVE);
++      }
++
++      current->thread.fp_type = FP_STATE_SVE;
++
+       err = __copy_from_user(current->thread.sve_state,
+                              (char __user const *)user->sve +
+                                       SVE_SIG_REGS_OFFSET,
+@@ -462,12 +478,6 @@ static int restore_sve_fpsimd_context(st
+       if (err)
+               return -EFAULT;
+-      if (flags & SVE_SIG_FLAG_SM)
+-              current->thread.svcr |= SVCR_SM_MASK;
+-      else
+-              set_thread_flag(TIF_SVE);
+-      current->thread.fp_type = FP_STATE_SVE;
+-
+       err = read_fpsimd_context(&fpsimd, user);
+       if (err)
+               return err;
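Review bot: The early `sme_alloc(current, false)` in the new `if (sm)` block passes a different flush argument from the `sve_alloc(current, true)` just below it, and nothing in the code says why. A short comment above the call, e.g. `/* Do not zero sme_state: it may hold live ZA state. */`, would keep a later cleanup from making the two calls match. `sm` is not declared in either hunk and restore_sve_fpsimd_context() starts outside them, so the 6.18 base should be checked for the declaration this backport relies on.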
diff --git a/queue-6.18/arm64-set-__nocfi-on-swsusp_arch_resume.patch b/queue-6.18/arm64-set-__nocfi-on-swsusp_arch_resume.patch
new file mode 100644 (file)
index 0000000..717ec92
--- /dev/null
@@ -0,0 +1,94 @@
+From e2f8216ca2d8e61a23cb6ec355616339667e0ba6 Mon Sep 17 00:00:00 2001
+From: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
+Date: Thu, 22 Jan 2026 19:49:25 +0800
+Subject: arm64: Set __nocfi on swsusp_arch_resume()
+
+From: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
+
+commit e2f8216ca2d8e61a23cb6ec355616339667e0ba6 upstream.
+
+A DABT is reported[1] on an android based system when resume from hiberate.
+This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()
+and does not have a CFI hash, but swsusp_arch_resume() will attempt to
+verify the CFI hash when calling a copy of swsusp_arch_suspend_exit().
+
+Given that there's an existing requirement that the entrypoint to
+swsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text
+section, we cannot fix this by marking swsusp_arch_suspend_exit() with
+SYM_FUNC_*(). The simplest fix for now is to disable the CFI check in
+swsusp_arch_resume().
+
+Mark swsusp_arch_resume() as __nocfi to disable the CFI check.
+
+[1]
+[   22.991934][    T1] Unable to handle kernel paging request at virtual address 0000000109170ffc
+[   22.991934][    T1] Mem abort info:
+[   22.991934][    T1]   ESR = 0x0000000096000007
+[   22.991934][    T1]   EC = 0x25: DABT (current EL), IL = 32 bits
+[   22.991934][    T1]   SET = 0, FnV = 0
+[   22.991934][    T1]   EA = 0, S1PTW = 0
+[   22.991934][    T1]   FSC = 0x07: level 3 translation fault
+[   22.991934][    T1] Data abort info:
+[   22.991934][    T1]   ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
+[   22.991934][    T1]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[   22.991934][    T1]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[   22.991934][    T1] [0000000109170ffc] user address but active_mm is swapper
+[   22.991934][    T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
+[   22.991934][    T1] Dumping ftrace buffer:
+[   22.991934][    T1]    (ftrace buffer empty)
+[   22.991934][    T1] Modules linked in:
+[   22.991934][    T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419
+[   22.991934][    T1] Hardware name: Unisoc UMS9360-base Board (DT)
+[   22.991934][    T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[   22.991934][    T1] pc : swsusp_arch_resume+0x2ac/0x344
+[   22.991934][    T1] lr : swsusp_arch_resume+0x294/0x344
+[   22.991934][    T1] sp : ffffffc08006b960
+[   22.991934][    T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000
+[   22.991934][    T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820
+[   22.991934][    T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000
+[   22.991934][    T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058
+[   22.991934][    T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004
+[   22.991934][    T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000
+[   22.991934][    T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000
+[   22.991934][    T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b
+[   22.991934][    T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530
+[   22.991934][    T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000
+[   22.991934][    T1] Call trace:
+[   22.991934][    T1]  swsusp_arch_resume+0x2ac/0x344
+[   22.991934][    T1]  hibernation_restore+0x158/0x18c
+[   22.991934][    T1]  load_image_and_restore+0xb0/0xec
+[   22.991934][    T1]  software_resume+0xf4/0x19c
+[   22.991934][    T1]  software_resume_initcall+0x34/0x78
+[   22.991934][    T1]  do_one_initcall+0xe8/0x370
+[   22.991934][    T1]  do_initcall_level+0xc8/0x19c
+[   22.991934][    T1]  do_initcalls+0x70/0xc0
+[   22.991934][    T1]  do_basic_setup+0x1c/0x28
+[   22.991934][    T1]  kernel_init_freeable+0xe0/0x148
+[   22.991934][    T1]  kernel_init+0x20/0x1a8
+[   22.991934][    T1]  ret_from_fork+0x10/0x20
+[   22.991934][    T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)
+
+Co-developed-by: Jeson Gao <jeson.gao@unisoc.com>
+Signed-off-by: Jeson Gao <jeson.gao@unisoc.com>
+Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
+Acked-by: Will Deacon <will@kernel.org>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Cc: <stable@vger.kernel.org>
+[catalin.marinas@arm.com: commit log updated by Mark Rutland]
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/hibernate.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/hibernate.c
++++ b/arch/arm64/kernel/hibernate.c
+@@ -402,7 +402,7 @@ int swsusp_arch_suspend(void)
+  * Memory allocated by get_safe_page() will be dealt with by the hibernate code,
+  * we don't need to free it here.
+  */
+-int swsusp_arch_resume(void)
++int __nocfi swsusp_arch_resume(void)
+ {
+       int rc;
+       void *zero_page;
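Review bot: `__nocfi` on `swsusp_arch_resume()` turns off the CFI check for every indirect call in the function, not only the call to the relocated copy of swsusp_arch_suspend_exit(), and the comment block above the signature does not mention it. I would add a line to that block such as `* __nocfi: the relocated swsusp_arch_suspend_exit() copy has no CFI type hash.` so that anyone adding another indirect call here knows it will go unchecked. The function body continues past the end of the hunk, so whether it already contains other indirect calls cannot be seen from here.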
diff --git a/queue-6.18/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
new file mode 100644 (file)
index 0000000..054f54d
--- /dev/null
@@ -0,0 +1,56 @@
+From 0ce73a0eb5a27070957b67fd74059b6da89cc516 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 10 Jan 2026 12:52:27 +0100
+Subject: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 0ce73a0eb5a27070957b67fd74059b6da89cc516 upstream.
+
+Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
+gs_usb_receive_bulk_callback(): fix URB memory leak").
+
+In ems_usb_open(), the URBs for USB-in transfers are allocated, added to
+the dev->rx_submitted anchor and submitted. In the complete callback
+ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
+ems_usb_close() the URBs are freed by calling
+usb_kill_anchored_urbs(&dev->rx_submitted).
+
+However, this does not take into account that the USB framework unanchors
+the URB before the complete function is called. This means that once an
+in-URB has been completed, it is no longer anchored and is ultimately not
+released in ems_usb_close().
+
+Fix the memory leak by anchoring the URB in the
+ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-1-4b8cb2915571@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/ems_usb.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -486,11 +486,17 @@ resubmit_urb:
+                         urb->transfer_buffer, RX_BUFFER_SIZE,
+                         ems_usb_read_bulk_callback, dev);
++      usb_anchor_urb(urb, &dev->rx_submitted);
++
+       retval = usb_submit_urb(urb, GFP_ATOMIC);
++      if (!retval)
++              return;
++
++      usb_unanchor_urb(urb);
+       if (retval == -ENODEV)
+               netif_device_detach(netdev);
+-      else if (retval)
++      else
+               netdev_err(netdev,
+                          "failed resubmitting read bulk urb: %d\n", retval);
+ }
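Review bot: The new `usb_anchor_urb(urb, &dev->rx_submitted)` before the resubmit looks redundant to a reader who knows the URB was already anchored at open time, and the code carries no comment saying why it is needed. Something like `/* The USB core unanchors a URB before its completion handler runs; re-anchor so close can kill and free it. */` above the call would record that. The same comment is missing at the identical change in esd_usb.c, kvaser_usb_core.c, mcba_usb.c and usb_8dev.c further down this commit. The callback starts outside the hunk in every one of these files.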
diff --git a/queue-6.18/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch
new file mode 100644 (file)
index 0000000..beafaf5
--- /dev/null
@@ -0,0 +1,59 @@
+From 5a4391bdc6c8357242f62f22069c865b792406b3 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 10 Jan 2026 12:52:27 +0100
+Subject: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 5a4391bdc6c8357242f62f22069c865b792406b3 upstream.
+
+Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
+gs_usb_receive_bulk_callback(): fix URB memory leak").
+
+In esd_usb_open(), the URBs for USB-in transfers are allocated, added to
+the dev->rx_submitted anchor and submitted. In the complete callback
+esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
+esd_usb_close() the URBs are freed by calling
+usb_kill_anchored_urbs(&dev->rx_submitted).
+
+However, this does not take into account that the USB framework unanchors
+the URB before the complete function is called. This means that once an
+in-URB has been completed, it is no longer anchored and is ultimately not
+released in esd_usb_close().
+
+Fix the memory leak by anchoring the URB in the
+esd_usb_read_bulk_callback() to the dev->rx_submitted anchor.
+
+Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-2-4b8cb2915571@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/esd_usb.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/esd_usb.c
++++ b/drivers/net/can/usb/esd_usb.c
+@@ -541,13 +541,20 @@ resubmit_urb:
+                         urb->transfer_buffer, ESD_USB_RX_BUFFER_SIZE,
+                         esd_usb_read_bulk_callback, dev);
++      usb_anchor_urb(urb, &dev->rx_submitted);
++
+       err = usb_submit_urb(urb, GFP_ATOMIC);
++      if (!err)
++              return;
++
++      usb_unanchor_urb(urb);
++
+       if (err == -ENODEV) {
+               for (i = 0; i < dev->net_count; i++) {
+                       if (dev->nets[i])
+                               netif_device_detach(dev->nets[i]->netdev);
+               }
+-      } else if (err) {
++      } else {
+               dev_err(dev->udev->dev.parent,
+                       "failed resubmitting read bulk urb: %pe\n", ERR_PTR(err));
+       }
diff --git a/queue-6.18/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch
new file mode 100644 (file)
index 0000000..b626401
--- /dev/null
@@ -0,0 +1,62 @@
+From 248e8e1a125fa875158df521b30f2cc7e27eeeaa Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 10 Jan 2026 12:52:27 +0100
+Subject: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 248e8e1a125fa875158df521b30f2cc7e27eeeaa upstream.
+
+Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
+gs_usb_receive_bulk_callback(): fix URB memory leak").
+
+In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the
+URBs for USB-in transfers are allocated, added to the dev->rx_submitted
+anchor and submitted. In the complete callback
+kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
+kvaser_usb_remove_interfaces() the URBs are freed by calling
+usb_kill_anchored_urbs(&dev->rx_submitted).
+
+However, this does not take into account that the USB framework unanchors
+the URB before the complete function is called. This means that once an
+in-URB has been completed, it is no longer anchored and is ultimately not
+released in usb_kill_anchored_urbs().
+
+Fix the memory leak by anchoring the URB in the
+kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-3-4b8cb2915571@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -361,7 +361,14 @@ resubmit_urb:
+                         urb->transfer_buffer, KVASER_USB_RX_BUFFER_SIZE,
+                         kvaser_usb_read_bulk_callback, dev);
++      usb_anchor_urb(urb, &dev->rx_submitted);
++
+       err = usb_submit_urb(urb, GFP_ATOMIC);
++      if (!err)
++              return;
++
++      usb_unanchor_urb(urb);
++
+       if (err == -ENODEV) {
+               for (i = 0; i < dev->nchannels; i++) {
+                       struct kvaser_usb_net_priv *priv;
+@@ -372,7 +379,7 @@ resubmit_urb:
+                       netif_device_detach(priv->netdev);
+               }
+-      } else if (err) {
++      } else {
+               dev_err(&dev->intf->dev,
+                       "Failed resubmitting read bulk urb: %d\n", err);
+       }
diff --git a/queue-6.18/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch
new file mode 100644 (file)
index 0000000..5d23c7b
--- /dev/null
@@ -0,0 +1,56 @@
+From 710a7529fb13c5a470258ff5508ed3c498d54729 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 10 Jan 2026 12:52:27 +0100
+Subject: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 710a7529fb13c5a470258ff5508ed3c498d54729 upstream.
+
+Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
+gs_usb_receive_bulk_callback(): fix URB memory leak").
+
+In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are
+allocated, added to the priv->rx_submitted anchor and submitted. In the
+complete callback mcba_usb_read_bulk_callback(), the URBs are processed and
+resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by
+calling usb_kill_anchored_urbs(&priv->rx_submitted).
+
+However, this does not take into account that the USB framework unanchors
+the URB before the complete function is called. This means that once an
+in-URB has been completed, it is no longer anchored and is ultimately not
+released in usb_kill_anchored_urbs().
+
+Fix the memory leak by anchoring the URB in the
+mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.
+
+Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-4-4b8cb2915571@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/mcba_usb.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -608,11 +608,17 @@ resubmit_urb:
+                         urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE,
+                         mcba_usb_read_bulk_callback, priv);
++      usb_anchor_urb(urb, &priv->rx_submitted);
++
+       retval = usb_submit_urb(urb, GFP_ATOMIC);
++      if (!retval)
++              return;
++
++      usb_unanchor_urb(urb);
+       if (retval == -ENODEV)
+               netif_device_detach(netdev);
+-      else if (retval)
++      else
+               netdev_err(netdev, "failed resubmitting read bulk urb: %d\n",
+                          retval);
+ }
diff --git a/queue-6.18/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
new file mode 100644 (file)
index 0000000..06969b5
--- /dev/null
@@ -0,0 +1,56 @@
+From f7a980b3b8f80fe367f679da376cf76e800f9480 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 10 Jan 2026 12:52:27 +0100
+Subject: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit f7a980b3b8f80fe367f679da376cf76e800f9480 upstream.
+
+Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
+gs_usb_receive_bulk_callback(): fix URB memory leak").
+
+In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are
+allocated, added to the priv->rx_submitted anchor and submitted. In the
+complete callback usb_8dev_read_bulk_callback(), the URBs are processed and
+resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by
+calling usb_kill_anchored_urbs(&priv->rx_submitted).
+
+However, this does not take into account that the USB framework unanchors
+the URB before the complete function is called. This means that once an
+in-URB has been completed, it is no longer anchored and is ultimately not
+released in usb_kill_anchored_urbs().
+
+Fix the memory leak by anchoring the URB in the
+usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.
+
+Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-5-4b8cb2915571@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/usb_8dev.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -541,11 +541,17 @@ resubmit_urb:
+                         urb->transfer_buffer, RX_BUFFER_SIZE,
+                         usb_8dev_read_bulk_callback, priv);
++      usb_anchor_urb(urb, &priv->rx_submitted);
++
+       retval = usb_submit_urb(urb, GFP_ATOMIC);
++      if (!retval)
++              return;
++
++      usb_unanchor_urb(urb);
+       if (retval == -ENODEV)
+               netif_device_detach(netdev);
+-      else if (retval)
++      else
+               netdev_err(netdev,
+                       "failed resubmitting read bulk urb: %d\n", retval);
+ }
diff --git a/queue-6.18/drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch b/queue-6.18/drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch
new file mode 100644 (file)
index 0000000..c8e3067
--- /dev/null
@@ -0,0 +1,56 @@
+From 10343253328e0dbdb465bff709a2619a08fe01ad Mon Sep 17 00:00:00 2001
+From: Likun Gao <Likun.Gao@amd.com>
+Date: Mon, 15 Dec 2025 11:33:58 +0800
+Subject: drm/amdgpu: remove frame cntl for gfx v12
+
+From: Likun Gao <Likun.Gao@amd.com>
+
+commit 10343253328e0dbdb465bff709a2619a08fe01ad upstream.
+
+Remove emit_frame_cntl function for gfx v12, which is not support.
+
+Signed-off-by: Likun Gao <Likun.Gao@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 5aaa5058dec5bfdcb24c42fe17ad91565a3037ca)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c |   12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c
+@@ -278,7 +278,6 @@ static void gfx_v12_0_select_se_sh(struc
+                                  u32 sh_num, u32 instance, int xcc_id);
+ static u32 gfx_v12_0_get_wgp_active_bitmap_per_sh(struct amdgpu_device *adev);
+-static void gfx_v12_0_ring_emit_frame_cntl(struct amdgpu_ring *ring, bool start, bool secure);
+ static void gfx_v12_0_ring_emit_wreg(struct amdgpu_ring *ring, uint32_t reg,
+                                    uint32_t val);
+ static int gfx_v12_0_wait_for_rlc_autoload_complete(struct amdgpu_device *adev);
+@@ -4633,16 +4632,6 @@ static int gfx_v12_0_ring_preempt_ib(str
+       return r;
+ }
+-static void gfx_v12_0_ring_emit_frame_cntl(struct amdgpu_ring *ring,
+-                                         bool start,
+-                                         bool secure)
+-{
+-      uint32_t v = secure ? FRAME_TMZ : 0;
+-
+-      amdgpu_ring_write(ring, PACKET3(PACKET3_FRAME_CONTROL, 0));
+-      amdgpu_ring_write(ring, v | FRAME_CMD(start ? 0 : 1));
+-}
+-
+ static void gfx_v12_0_ring_emit_rreg(struct amdgpu_ring *ring, uint32_t reg,
+                                    uint32_t reg_val_offs)
+ {
+@@ -5519,7 +5508,6 @@ static const struct amdgpu_ring_funcs gf
+       .emit_cntxcntl = gfx_v12_0_ring_emit_cntxcntl,
+       .init_cond_exec = gfx_v12_0_ring_emit_init_cond_exec,
+       .preempt_ib = gfx_v12_0_ring_preempt_ib,
+-      .emit_frame_cntl = gfx_v12_0_ring_emit_frame_cntl,
+       .emit_wreg = gfx_v12_0_ring_emit_wreg,
+       .emit_reg_wait = gfx_v12_0_ring_emit_reg_wait,
+       .emit_reg_write_reg_wait = gfx_v12_0_ring_emit_reg_write_reg_wait,
diff --git a/queue-6.18/drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch b/queue-6.18/drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch
new file mode 100644 (file)
index 0000000..0ca610e
--- /dev/null
@@ -0,0 +1,92 @@
+From 1a0f69e3c28477b97d3609569b7e8feb4b6162e8 Mon Sep 17 00:00:00 2001
+From: Osama Abdelkader <osama.abdelkader@gmail.com>
+Date: Fri, 2 Jan 2026 16:55:52 +0100
+Subject: drm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind
+
+From: Osama Abdelkader <osama.abdelkader@gmail.com>
+
+commit 1a0f69e3c28477b97d3609569b7e8feb4b6162e8 upstream.
+
+Fix several issues in dw_dp_bind() error handling:
+
+1. Missing return after drm_bridge_attach() failure - the function
+   continued execution instead of returning an error.
+
+2. Resource leak: drm_dp_aux_register() is not a devm function, so
+   drm_dp_aux_unregister() must be called on all error paths after
+   aux registration succeeds. This affects errors from:
+   - drm_bridge_attach()
+   - phy_init()
+   - devm_add_action_or_reset()
+   - platform_get_irq()
+   - devm_request_threaded_irq()
+
+3. Bug fix: platform_get_irq() returns the IRQ number or a negative
+   error code, but the error path was returning ERR_PTR(ret) instead
+   of ERR_PTR(dp->irq).
+
+Use a goto label for cleanup to ensure consistent error handling.
+
+Fixes: 86eecc3a9c2e ("drm/bridge: synopsys: Add DW DPTX Controller support library")
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
+Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Link: https://patch.msgid.link/20260102155553.13243-1-osama.abdelkader@gmail.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/synopsys/dw-dp.c |   20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/synopsys/dw-dp.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-dp.c
+@@ -2060,33 +2060,41 @@ struct dw_dp *dw_dp_bind(struct device *
+       }
+       ret = drm_bridge_attach(encoder, bridge, NULL, DRM_BRIDGE_ATTACH_NO_CONNECTOR);
+-      if (ret)
++      if (ret) {
+               dev_err_probe(dev, ret, "Failed to attach bridge\n");
++              goto unregister_aux;
++      }
+       dw_dp_init_hw(dp);
+       ret = phy_init(dp->phy);
+       if (ret) {
+               dev_err_probe(dev, ret, "phy init failed\n");
+-              return ERR_PTR(ret);
++              goto unregister_aux;
+       }
+       ret = devm_add_action_or_reset(dev, dw_dp_phy_exit, dp);
+       if (ret)
+-              return ERR_PTR(ret);
++              goto unregister_aux;
+       dp->irq = platform_get_irq(pdev, 0);
+-      if (dp->irq < 0)
+-              return ERR_PTR(ret);
++      if (dp->irq < 0) {
++              ret = dp->irq;
++              goto unregister_aux;
++      }
+       ret = devm_request_threaded_irq(dev, dp->irq, NULL, dw_dp_irq,
+                                       IRQF_ONESHOT, dev_name(dev), dp);
+       if (ret) {
+               dev_err_probe(dev, ret, "failed to request irq\n");
+-              return ERR_PTR(ret);
++              goto unregister_aux;
+       }
+       return dp;
++
++unregister_aux:
++      drm_dp_aux_unregister(&dp->aux);
++      return ERR_PTR(ret);
+ }
+ EXPORT_SYMBOL_GPL(dw_dp_bind);
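Review bot: The `unregister_aux:` label has no comment telling the reader that every failure after drm_dp_aux_register() has to leave through it, which is the rule the old `return ERR_PTR(ret)` lines broke. A one-line comment above the label, e.g. `/* drm_dp_aux_register() is not devm-managed; all later failures exit here. */`, would make that explicit. dw_dp_bind() starts outside the hunk, so the aux registration itself and any error returns between it and drm_bridge_attach() are not visible here.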
diff --git a/queue-6.18/drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch b/queue-6.18/drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch
new file mode 100644 (file)
index 0000000..1cdd82e
--- /dev/null
@@ -0,0 +1,35 @@
+From 604826acb3f53c6648a7ee99a3914ead680ab7fb Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Wed, 21 Jan 2026 14:13:10 -0500
+Subject: drm/nouveau/disp: Set drm_mode_config_funcs.atomic_(check|commit)
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 604826acb3f53c6648a7ee99a3914ead680ab7fb upstream.
+
+Apparently we never actually filled these in, despite the fact that we do
+in fact technically support atomic modesetting.
+
+Since not having these filled in causes us to potentially forget to disable
+fbdev and friends during suspend/resume, let's fix it.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Dave Airlie <airlied@redhat.com>
+Link: https://patch.msgid.link/20260121191320.210342-1-lyude@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_display.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_display.c
++++ b/drivers/gpu/drm/nouveau/nouveau_display.c
+@@ -351,6 +351,8 @@ nouveau_user_framebuffer_create(struct d
+ static const struct drm_mode_config_funcs nouveau_mode_config_funcs = {
+       .fb_create = nouveau_user_framebuffer_create,
++      .atomic_commit = drm_atomic_helper_commit,
++      .atomic_check = drm_atomic_helper_check,
+ };
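Review bot: `nouveau_mode_config_funcs` is a single static table, so the two added hooks apply to every device that is given this table, and `drm_drv_uses_atomic_modeset()` treats a non-NULL `atomic_commit` as meaning the driver is atomic. If the table is also installed for hardware whose display code is not atomic (not visible in this hunk), the DRM core would start taking atomic paths on it. It is worth confirming where the table is assigned and, if needed, giving that hardware a separate funcs table without the hooks. A comment such as `/* atomic hooks: only valid where the display path is atomic */` would at least record the constraint.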
diff --git a/queue-6.18/drm-xe-adjust-page-count-tracepoints-in-shrinker.patch b/queue-6.18/drm-xe-adjust-page-count-tracepoints-in-shrinker.patch
new file mode 100644 (file)
index 0000000..637a6df
--- /dev/null
@@ -0,0 +1,66 @@
+From ca9e5115e870b9a531deb02752055a8a587904e3 Mon Sep 17 00:00:00 2001
+From: Matthew Brost <matthew.brost@intel.com>
+Date: Wed, 7 Jan 2026 12:57:32 -0800
+Subject: drm/xe: Adjust page count tracepoints in shrinker
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Brost <matthew.brost@intel.com>
+
+commit ca9e5115e870b9a531deb02752055a8a587904e3 upstream.
+
+Page accounting can change via the shrinker without calling
+xe_ttm_tt_unpopulate(), which normally updates page count tracepoints
+through update_global_total_pages. Add a call to
+update_global_total_pages when the shrinker successfully shrinks a BO.
+
+v2:
+ - Don't adjust global accounting when pinning (Stuart)
+
+Cc: stable@vger.kernel.org
+Fixes: ce3d39fae3d3 ("drm/xe/bo: add GPU memory trace points")
+Signed-off-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Stuart Summers <stuart.summers@intel.com>
+Link: https://patch.msgid.link/20260107205732.2267541-1-matthew.brost@intel.com
+(cherry picked from commit cc54eabdfbf0c5b6638edc50002cfafac1f1e18b)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_bo.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_bo.c
++++ b/drivers/gpu/drm/xe/xe_bo.c
+@@ -1008,6 +1008,7 @@ static long xe_bo_shrink_purge(struct tt
+                              unsigned long *scanned)
+ {
+       struct xe_device *xe = ttm_to_xe_device(bo->bdev);
++      struct ttm_tt *tt = bo->ttm;
+       long lret;
+       /* Fake move to system, without copying data. */
+@@ -1032,8 +1033,10 @@ static long xe_bo_shrink_purge(struct tt
+                             .writeback = false,
+                             .allow_move = false});
+-      if (lret > 0)
++      if (lret > 0) {
+               xe_ttm_tt_account_subtract(xe, bo->ttm);
++              update_global_total_pages(bo->bdev, -(long)tt->num_pages);
++      }
+       return lret;
+ }
+@@ -1119,8 +1122,10 @@ long xe_bo_shrink(struct ttm_operation_c
+       if (needs_rpm)
+               xe_pm_runtime_put(xe);
+-      if (lret > 0)
++      if (lret > 0) {
+               xe_ttm_tt_account_subtract(xe, tt);
++              update_global_total_pages(bo->bdev, -(long)tt->num_pages);
++      }
+ out_unref:
+       xe_bo_put(xe_bo);
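Review bot: In `xe_bo_shrink_purge()` the two adjacent accounting calls read the tt through different pointers: `xe_ttm_tt_account_subtract(xe, bo->ttm)` re-reads `bo->ttm` after the shrink, while the new `update_global_total_pages(bo->bdev, -(long)tt->num_pages)` uses the `tt` cached at function entry. If the fake move or the shrink can replace or clear `bo->ttm` (not visible here), one of the two is looking at the wrong object; if it cannot, use the local for both, `xe_ttm_tt_account_subtract(xe, tt);`, as `xe_bo_shrink()` already does. A one-line comment on why the full `tt->num_pages` is subtracted whenever `lret > 0`, rather than the `lret` pages reported, would also help. Both function bodies continue outside the hunks.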
diff --git a/queue-6.18/drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch b/queue-6.18/drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch
new file mode 100644 (file)
index 0000000..cf4b1f6
--- /dev/null
@@ -0,0 +1,44 @@
+From 6f287b1c8d0e255e94e54116ebbe126515f5c911 Mon Sep 17 00:00:00 2001
+From: Marco Crivellari <marco.crivellari@suse.com>
+Date: Thu, 8 Jan 2026 19:01:48 +0100
+Subject: drm/xe: fix WQ_MEM_RECLAIM passed as max_active to alloc_workqueue()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marco Crivellari <marco.crivellari@suse.com>
+
+commit 6f287b1c8d0e255e94e54116ebbe126515f5c911 upstream.
+
+Workqueue xe-ggtt-wq has been allocated using WQ_MEM_RECLAIM, but
+the flag has been passed as 3rd parameter (max_active) instead
+of 2nd (flags) creating the workqueue as per-cpu with max_active = 8
+(the WQ_MEM_RECLAIM value).
+
+So change this by set WQ_MEM_RECLAIM as the 2nd parameter with a
+default max_active.
+
+Fixes: 60df57e496e4 ("drm/xe: Mark GGTT work queue with WQ_MEM_RECLAIM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marco Crivellari <marco.crivellari@suse.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Signed-off-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patch.msgid.link/20260108180148.423062-1-marco.crivellari@suse.com
+(cherry picked from commit aa39abc08e77d66ebb0c8c9ec4cc8d38ded34dc9)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_ggtt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/xe/xe_ggtt.c
++++ b/drivers/gpu/drm/xe/xe_ggtt.c
+@@ -291,7 +291,7 @@ int xe_ggtt_init_early(struct xe_ggtt *g
+       else
+               ggtt->pt_ops = &xelp_pt_ops;
+-      ggtt->wq = alloc_workqueue("xe-ggtt-wq", 0, WQ_MEM_RECLAIM);
++      ggtt->wq = alloc_workqueue("xe-ggtt-wq", WQ_MEM_RECLAIM, 0);
+       if (!ggtt->wq)
+               return -ENOMEM;
diff --git a/queue-6.18/gpio-cdev-correct-return-code-on-memory-allocation-failure.patch b/queue-6.18/gpio-cdev-correct-return-code-on-memory-allocation-failure.patch
new file mode 100644 (file)
index 0000000..c1bc01f
--- /dev/null
@@ -0,0 +1,33 @@
+From faff6846474e99295a139997f93ef6db222b5cee Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+Date: Fri, 16 Jan 2026 08:10:18 +0000
+Subject: gpio: cdev: Correct return code on memory allocation failure
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+commit faff6846474e99295a139997f93ef6db222b5cee upstream.
+
+-ENOMEM is a more appropriate return code for memory allocation
+failures.  Correct it.
+
+Cc: stable@vger.kernel.org
+Fixes: 20bddcb40b2b ("gpiolib: cdev: replace locking wrappers for gpio_device with guards")
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20260116081036.352286-6-tzungbi@kernel.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-cdev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -2720,7 +2720,7 @@ static int gpio_chrdev_open(struct inode
+       cdev = kzalloc(sizeof(*cdev), GFP_KERNEL);
+       if (!cdev)
+-              return -ENODEV;
++              return -ENOMEM;
+       cdev->watched_lines = bitmap_zalloc(gdev->ngpio, GFP_KERNEL);
+       if (!cdev->watched_lines)
diff --git a/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch b/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch
new file mode 100644 (file)
index 0000000..5c2700b
--- /dev/null
@@ -0,0 +1,46 @@
+From 8a8c942cad4cd12f739a8bb60cac77fd173c4e07 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+Date: Tue, 20 Jan 2026 09:26:50 +0000
+Subject: gpio: cdev: Fix resource leaks on errors in gpiolib_cdev_register()
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+commit 8a8c942cad4cd12f739a8bb60cac77fd173c4e07 upstream.
+
+On error handling paths, gpiolib_cdev_register() doesn't free the
+allocated resources which results leaks.  Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 7b9b77a8bba9 ("gpiolib: add a per-gpio_device line state notification workqueue")
+Fixes: d83cee3d2bb1 ("gpio: protect the pointer to gpio_chip in gpio_device with SRCU")
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20260120092650.2305319-1-tzungbi@kernel.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-cdev.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -2821,13 +2821,18 @@ int gpiolib_cdev_register(struct gpio_de
+               return -ENOMEM;
+       ret = cdev_device_add(&gdev->chrdev, &gdev->dev);
+-      if (ret)
++      if (ret) {
++              destroy_workqueue(gdev->line_state_wq);
+               return ret;
++      }
+       guard(srcu)(&gdev->srcu);
+       gc = srcu_dereference(gdev->chip, &gdev->srcu);
+-      if (!gc)
++      if (!gc) {
++              cdev_device_del(&gdev->chrdev, &gdev->dev);
++              destroy_workqueue(gdev->line_state_wq);
+               return -ENODEV;
++      }
+       gpiochip_dbg(gc, "added GPIO chardev (%d:%d)\n", MAJOR(devt), gdev->id);
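Review bot: Both new error returns in `gpiolib_cdev_register()` call `destroy_workqueue(gdev->line_state_wq)` but leave the stale pointer in `gdev`. The caller's own unwind is outside the hunk; if it or a later unregister path touches `line_state_wq` again, that is a use-after-free or a double destroy. Clearing it right after the destroy makes the state unambiguous: `gdev->line_state_wq = NULL;`. Separately, the `!gc` branch only runs after `cdev_device_add()` has already made the node visible, so userspace can open it in the window before `cdev_device_del()`. A short comment on why the chip check cannot happen before the add would document that this is intentional.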
diff --git a/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch b/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch
new file mode 100644 (file)
index 0000000..2b65950
--- /dev/null
@@ -0,0 +1,32 @@
+From 70b3c280533167749a8f740acaa8ef720f78f984 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+Date: Tue, 20 Jan 2026 03:08:56 +0000
+Subject: gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify()
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+commit 70b3c280533167749a8f740acaa8ef720f78f984 upstream.
+
+On error handling paths, lineinfo_changed_notify() doesn't free the
+allocated resources which results leaks.  Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: d4cd0902c156 ("gpio: cdev: make sure the cdev fd is still active before emitting events")
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20260120030857.2144847-1-tzungbi@kernel.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-cdev.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -2573,6 +2573,7 @@ static int lineinfo_changed_notify(struc
+       ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
+       if (!ctx) {
+               pr_err("Failed to allocate memory for line info notification\n");
++              fput(fp);
+               return NOTIFY_DONE;
+       }
diff --git a/queue-6.18/iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch b/queue-6.18/iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch
new file mode 100644 (file)
index 0000000..6aa09de
--- /dev/null
@@ -0,0 +1,43 @@
+From 4ff39d6de4bf359ec6d5cd2be34b36d077dd0a07 Mon Sep 17 00:00:00 2001
+From: Francesco Lavra <flavra@baylibre.com>
+Date: Fri, 28 Nov 2025 18:21:38 +0100
+Subject: iio: accel: adxl380: fix handling of unavailable "INT1" interrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Francesco Lavra <flavra@baylibre.com>
+
+commit 4ff39d6de4bf359ec6d5cd2be34b36d077dd0a07 upstream.
+
+fwnode_irq_get_byname() returns a negative value on failure; if a negative
+value is returned, use it as `err` argument for dev_err_probe().
+While at it, add a missing trailing newline to the dev_err_probe() error
+message.
+
+Fixes: df36de13677a ("iio: accel: add ADXL380 driver")
+Signed-off-by: Francesco Lavra <flavra@baylibre.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/adxl380.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/accel/adxl380.c
++++ b/drivers/iio/accel/adxl380.c
+@@ -1728,9 +1728,9 @@ static int adxl380_config_irq(struct iio
+               st->int_map[1] = ADXL380_INT0_MAP1_REG;
+       } else {
+               st->irq = fwnode_irq_get_byname(dev_fwnode(st->dev), "INT1");
+-              if (st->irq > 0)
+-                      return dev_err_probe(st->dev, -ENODEV,
+-                                           "no interrupt name specified");
++              if (st->irq < 0)
++                      return dev_err_probe(st->dev, st->irq,
++                                           "no interrupt name specified\n");
+               st->int_map[0] = ADXL380_INT1_MAP0_REG;
+               st->int_map[1] = ADXL380_INT1_MAP1_REG;
+       }
diff --git a/queue-6.18/iio-accel-iis328dq-fix-gain-values.patch b/queue-6.18/iio-accel-iis328dq-fix-gain-values.patch
new file mode 100644 (file)
index 0000000..d182711
--- /dev/null
@@ -0,0 +1,118 @@
+From b8f15d1df2e73322e2112de21a4a7f3553c7fb60 Mon Sep 17 00:00:00 2001
+From: Markus Koeniger <markus.koeniger@liebherr.com>
+Date: Wed, 7 Jan 2026 16:32:18 +0100
+Subject: iio: accel: iis328dq: fix gain values
+
+From: Markus Koeniger <markus.koeniger@liebherr.com>
+
+commit b8f15d1df2e73322e2112de21a4a7f3553c7fb60 upstream.
+
+The sensors IIS328DQ and H3LIS331DL share one configuration but
+H3LIS331DL has different gain parameters, configs therefore
+need to be split up.
+The gain parameters for the IIS328DQ are 0.98, 1.95 and 3.91,
+depending on the selected measurement range.
+
+See sensor manuals, chapter 2.1 "mechanical characteristics",
+parameter "Sensitivity".
+
+Datasheet: https://www.st.com/resource/en/datasheet/iis328dq.pdf
+Datasheet: https://www.st.com/resource/en/datasheet/h3lis331dl.pdf
+Fixes: 46e33707fe95 ("iio: accel: add support for IIS328DQ variant")
+Reviewed-by: Dimitri Fedrau <dimitri.fedrau@liebherr.com>
+Signed-off-by: Markus Koeniger <markus.koeniger@liebherr.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/st_accel_core.c |   72 +++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 71 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/accel/st_accel_core.c
++++ b/drivers/iio/accel/st_accel_core.c
+@@ -517,7 +517,6 @@ static const struct st_sensor_settings s
+               .wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS,
+               .sensors_supported = {
+                       [0] = H3LIS331DL_ACCEL_DEV_NAME,
+-                      [1] = IIS328DQ_ACCEL_DEV_NAME,
+               },
+               .ch = (struct iio_chan_spec *)st_accel_12bit_channels,
+               .odr = {
+@@ -561,6 +560,77 @@ static const struct st_sensor_settings s
+                               },
+                       },
+               },
++              .bdu = {
++                      .addr = 0x23,
++                      .mask = 0x80,
++              },
++              .drdy_irq = {
++                      .int1 = {
++                              .addr = 0x22,
++                              .mask = 0x02,
++                      },
++                      .int2 = {
++                              .addr = 0x22,
++                              .mask = 0x10,
++                      },
++                      .addr_ihl = 0x22,
++                      .mask_ihl = 0x80,
++              },
++              .sim = {
++                      .addr = 0x23,
++                      .value = BIT(0),
++              },
++              .multi_read_bit = true,
++              .bootime = 2,
++      },
++      {
++              .wai = 0x32,
++              .wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS,
++              .sensors_supported = {
++                      [0] = IIS328DQ_ACCEL_DEV_NAME,
++              },
++              .ch = (struct iio_chan_spec *)st_accel_12bit_channels,
++              .odr = {
++                      .addr = 0x20,
++                      .mask = 0x18,
++                      .odr_avl = {
++                              { .hz = 50, .value = 0x00, },
++                              { .hz = 100, .value = 0x01, },
++                              { .hz = 400, .value = 0x02, },
++                              { .hz = 1000, .value = 0x03, },
++                      },
++              },
++              .pw = {
++                      .addr = 0x20,
++                      .mask = 0x20,
++                      .value_on = ST_SENSORS_DEFAULT_POWER_ON_VALUE,
++                      .value_off = ST_SENSORS_DEFAULT_POWER_OFF_VALUE,
++              },
++              .enable_axis = {
++                      .addr = ST_SENSORS_DEFAULT_AXIS_ADDR,
++                      .mask = ST_SENSORS_DEFAULT_AXIS_MASK,
++              },
++              .fs = {
++                      .addr = 0x23,
++                      .mask = 0x30,
++                      .fs_avl = {
++                              [0] = {
++                                      .num = ST_ACCEL_FS_AVL_100G,
++                                      .value = 0x00,
++                                      .gain = IIO_G_TO_M_S_2(980),
++                              },
++                              [1] = {
++                                      .num = ST_ACCEL_FS_AVL_200G,
++                                      .value = 0x01,
++                                      .gain = IIO_G_TO_M_S_2(1950),
++                              },
++                              [2] = {
++                                      .num = ST_ACCEL_FS_AVL_400G,
++                                      .value = 0x03,
++                                      .gain = IIO_G_TO_M_S_2(3910),
++                              },
++                      },
++              },
+               .bdu = {
+                       .addr = 0x23,
+                       .mask = 0x80,
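Review bot: The new IIS328DQ entry keeps `.num = ST_ACCEL_FS_AVL_100G`, `_200G` and `_400G` in `.fs_avl`, which look carried over from the H3LIS331DL entry it was split from. With the 12-bit channels used here, the new gains of 0.98, 1.95 and 3.91 mg/digit correspond to roughly ±2, ±4 and ±8 g full scale, so the range labels and the gains disagree. If `.num` is compared against a requested full scale anywhere (platform data or defaults, not visible in this hunk), the 100G/200G/400G values will not mean what they say for this part. I would either switch to the 2G/4G/8G constants, assuming the file defines them, or add a comment such as `/* .num reuses the H3LIS331DL ids; actual ranges are 2/4/8 g */`. The enclosing settings array starts and ends outside the hunk.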
diff --git a/queue-6.18/iio-adc-ad9467-fix-ad9434-vref-mask.patch b/queue-6.18/iio-adc-ad9467-fix-ad9434-vref-mask.patch
new file mode 100644 (file)
index 0000000..a449b71
--- /dev/null
@@ -0,0 +1,40 @@
+From 92452b1760ff2d1d411414965d4d06f75e1bda9a Mon Sep 17 00:00:00 2001
+From: Tomas Melin <tomas.melin@vaisala.com>
+Date: Wed, 3 Dec 2025 09:28:11 +0000
+Subject: iio: adc: ad9467: fix ad9434 vref mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomas Melin <tomas.melin@vaisala.com>
+
+commit 92452b1760ff2d1d411414965d4d06f75e1bda9a upstream.
+
+The mask setting is 5 bits wide for the ad9434
+(ref. data sheet register 0x18 FLEX_VREF). Apparently the settings
+from ad9265 were copied by mistake when support for the device was added
+to the driver.
+
+Fixes: 4606d0f4b05f ("iio: adc: ad9467: add support for AD9434 high-speed ADC")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Tomas Melin <tomas.melin@vaisala.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad9467.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ad9467.c
++++ b/drivers/iio/adc/ad9467.c
+@@ -95,7 +95,7 @@
+ #define CHIPID_AD9434                 0x6A
+ #define AD9434_DEF_OUTPUT_MODE                0x00
+-#define AD9434_REG_VREF_MASK          0xC0
++#define AD9434_REG_VREF_MASK          GENMASK(4, 0)
+ /*
+  * Analog Devices AD9467 16-Bit, 200/250 MSPS ADC
diff --git a/queue-6.18/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch b/queue-6.18/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch
new file mode 100644 (file)
index 0000000..4524f9c
--- /dev/null
@@ -0,0 +1,48 @@
+From dbdb442218cd9d613adeab31a88ac973f22c4873 Mon Sep 17 00:00:00 2001
+From: Pei Xiao <xiaopei01@kylinos.cn>
+Date: Wed, 29 Oct 2025 10:40:16 +0800
+Subject: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
+
+From: Pei Xiao <xiaopei01@kylinos.cn>
+
+commit dbdb442218cd9d613adeab31a88ac973f22c4873 upstream.
+
+at91_adc_interrupt can call at91_adc_touch_data_handler function
+to start the work by schedule_work(&st->touch_st.workq).
+
+If we remove the module which will call at91_adc_remove to
+make cleanup, it will free indio_dev through iio_device_unregister but
+quite a bit later. While the work mentioned above will be used. The
+sequence of operations that may lead to a UAF bug is as follows:
+
+CPU0                                      CPU1
+
+                                     | at91_adc_workq_handler
+at91_adc_remove                      |
+iio_device_unregister(indio_dev)     |
+//free indio_dev a bit later         |
+                                     | iio_push_to_buffers(indio_dev)
+                                     | //use indio_dev
+
+Fix it by ensuring that the work is canceled before proceeding with
+the cleanup in at91_adc_remove.
+
+Fixes: 23ec2774f1cc ("iio: adc: at91-sama5d2_adc: add support for position and pressure channels")
+Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -2481,6 +2481,7 @@ static void at91_adc_remove(struct platf
+       struct at91_adc_state *st = iio_priv(indio_dev);
+       iio_device_unregister(indio_dev);
++      cancel_work_sync(&st->touch_st.workq);
+       at91_adc_dma_disable(st);
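Review bot: `cancel_work_sync(&st->touch_st.workq)` only closes the race if nothing can queue the work again afterwards. The commit message says it is queued from `at91_adc_interrupt()` through `at91_adc_touch_data_handler()`, and the hunk does not show the IRQ or the touchscreen hardware being quiesced before this line. If the interrupt is still live here (for example because it is released later by devm), a late interrupt can call `schedule_work()` after the cancel and reopen the same use-after-free window. The touch interrupt source should be disabled before the cancel, or a comment should state where it is already guaranteed to be off. The rest of `at91_adc_remove()` is outside the hunk.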
diff --git a/queue-6.18/iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch b/queue-6.18/iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch
new file mode 100644 (file)
index 0000000..9c8fbcb
--- /dev/null
@@ -0,0 +1,65 @@
+From ea6b4feba85e996e840e0b661bc42793df6eb701 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 19 Dec 2025 12:05:45 +0100
+Subject: iio: adc: exynos_adc: fix OF populate on driver rebind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ea6b4feba85e996e840e0b661bc42793df6eb701 upstream.
+
+Since commit c6e126de43e7 ("of: Keep track of populated platform
+devices") child devices will not be created by of_platform_populate()
+if the devices had previously been deregistered individually so that the
+OF_POPULATED flag is still set in the corresponding OF nodes.
+
+Switch to using of_platform_depopulate() instead of open coding so that
+the child devices are created if the driver is rebound.
+
+Fixes: c6e126de43e7 ("of: Keep track of populated platform devices")
+Cc: stable@vger.kernel.org     # 3.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/exynos_adc.c |   15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+--- a/drivers/iio/adc/exynos_adc.c
++++ b/drivers/iio/adc/exynos_adc.c
+@@ -540,15 +540,6 @@ static const struct iio_chan_spec exynos
+       ADC_CHANNEL(9, "adc9"),
+ };
+-static int exynos_adc_remove_devices(struct device *dev, void *c)
+-{
+-      struct platform_device *pdev = to_platform_device(dev);
+-
+-      platform_device_unregister(pdev);
+-
+-      return 0;
+-}
+-
+ static int exynos_adc_probe(struct platform_device *pdev)
+ {
+       struct exynos_adc *info = NULL;
+@@ -660,8 +651,7 @@ static int exynos_adc_probe(struct platf
+       return 0;
+ err_of_populate:
+-      device_for_each_child(&indio_dev->dev, NULL,
+-                              exynos_adc_remove_devices);
++      of_platform_depopulate(&indio_dev->dev);
+       iio_device_unregister(indio_dev);
+ err_irq:
+       free_irq(info->irq, info);
+@@ -681,8 +671,7 @@ static void exynos_adc_remove(struct pla
+       struct iio_dev *indio_dev = platform_get_drvdata(pdev);
+       struct exynos_adc *info = iio_priv(indio_dev);
+-      device_for_each_child(&indio_dev->dev, NULL,
+-                              exynos_adc_remove_devices);
++      of_platform_depopulate(&indio_dev->dev);
+       iio_device_unregister(indio_dev);
+       free_irq(info->irq, info);
+       if (info->data->exit_hw)
diff --git a/queue-6.18/iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch b/queue-6.18/iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch
new file mode 100644 (file)
index 0000000..57a53db
--- /dev/null
@@ -0,0 +1,38 @@
+From da934ef0fdff5ba21e82ec3ab3f95fe73137b0c9 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Tue, 2 Dec 2025 19:13:06 +0100
+Subject: iio: adc: pac1934: Fix clamped value in pac1934_reg_snapshot
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit da934ef0fdff5ba21e82ec3ab3f95fe73137b0c9 upstream.
+
+The local variable 'curr_energy' was never clamped to
+PAC_193X_MIN_POWER_ACC or PAC_193X_MAX_POWER_ACC because the return
+value of clamp() was not used. Fix this by assigning the clamped value
+back to 'curr_energy'.
+
+Cc: stable@vger.kernel.org
+Fixes: 0fb528c8255b ("iio: adc: adding support for PAC193x")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/pac1934.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/adc/pac1934.c
++++ b/drivers/iio/adc/pac1934.c
+@@ -665,9 +665,9 @@ static int pac1934_reg_snapshot(struct p
+                       /* add the power_acc field */
+                       curr_energy += inc;
+-                      clamp(curr_energy, PAC_193X_MIN_POWER_ACC, PAC_193X_MAX_POWER_ACC);
+-
+-                      reg_data->energy_sec_acc[cnt] = curr_energy;
++                      reg_data->energy_sec_acc[cnt] = clamp(curr_energy,
++                                                            PAC_193X_MIN_POWER_ACC,
++                                                            PAC_193X_MAX_POWER_ACC);
+               }
+               offset_reg_data_p += PAC1934_VPOWER_ACC_REG_LEN;
diff --git a/queue-6.18/iio-chemical-scd4x-fix-reported-channel-endianness.patch b/queue-6.18/iio-chemical-scd4x-fix-reported-channel-endianness.patch
new file mode 100644 (file)
index 0000000..a45c3ea
--- /dev/null
@@ -0,0 +1,57 @@
+From 81d5a5366d3c20203fb9d7345e1aa46d668445a2 Mon Sep 17 00:00:00 2001
+From: Fiona Klute <fiona.klute@gmx.de>
+Date: Sat, 13 Dec 2025 17:32:26 +0100
+Subject: iio: chemical: scd4x: fix reported channel endianness
+
+From: Fiona Klute <fiona.klute@gmx.de>
+
+commit 81d5a5366d3c20203fb9d7345e1aa46d668445a2 upstream.
+
+The driver converts values read from the sensor from BE to CPU
+endianness in scd4x_read_meas(). The result is then pushed into the
+buffer in scd4x_trigger_handler(), so on LE architectures parsing the
+buffer using the reported BE type gave wrong results.
+
+scd4x_read_raw() which provides sysfs *_raw values is not affected, it
+used the values returned by scd4x_read_meas() without further
+conversion.
+
+Fixes: 49d22b695cbb6 ("drivers: iio: chemical: Add support for Sensirion SCD4x CO2 sensor")
+Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/chemical/scd4x.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/chemical/scd4x.c
++++ b/drivers/iio/chemical/scd4x.c
+@@ -584,7 +584,7 @@ static const struct iio_chan_spec scd4x_
+                       .sign = 'u',
+                       .realbits = 16,
+                       .storagebits = 16,
+-                      .endianness = IIO_BE,
++                      .endianness = IIO_CPU,
+               },
+       },
+       {
+@@ -599,7 +599,7 @@ static const struct iio_chan_spec scd4x_
+                       .sign = 'u',
+                       .realbits = 16,
+                       .storagebits = 16,
+-                      .endianness = IIO_BE,
++                      .endianness = IIO_CPU,
+               },
+       },
+       {
+@@ -612,7 +612,7 @@ static const struct iio_chan_spec scd4x_
+                       .sign = 'u',
+                       .realbits = 16,
+                       .storagebits = 16,
+-                      .endianness = IIO_BE,
++                      .endianness = IIO_CPU,
+               },
+       },
+ };
diff --git a/queue-6.18/iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch b/queue-6.18/iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch
new file mode 100644 (file)
index 0000000..9e34b72
--- /dev/null
@@ -0,0 +1,65 @@
+From 978d28136c53df38f8f0b747191930e2f95e9084 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Wed, 7 Jan 2026 22:35:50 +0800
+Subject: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 978d28136c53df38f8f0b747191930e2f95e9084 upstream.
+
+When simple_write_to_buffer() succeeds, it returns the number of bytes
+actually copied to the buffer. The code incorrectly uses 'count'
+as the index for null termination instead of the actual bytes copied.
+If count exceeds the buffer size, this leads to out-of-bounds write.
+Add a check for the count and use the return value as the index.
+
+The bug was validated using a demo module that mirrors the original
+code and was tested under QEMU.
+
+Pattern of the bug:
+- A fixed 64-byte stack buffer is filled using count.
+- If count > 64, the code still does buf[count] = '\0', causing an
+- out-of-bounds write on the stack.
+
+Steps for reproduce:
+- Opens the device node.
+- Writes 128 bytes of A to it.
+- This overflows the 64-byte stack buffer and KASAN reports the OOB.
+
+Found via static analysis. This is similar to the
+commit da9374819eb3 ("iio: backend: fix out-of-bound write")
+
+Fixes: b1c5d68ea66e ("iio: dac: ad3552r-hs: add support for internal ramp")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/ad3552r-hs.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ad3552r-hs.c
++++ b/drivers/iio/dac/ad3552r-hs.c
+@@ -549,12 +549,15 @@ static ssize_t ad3552r_hs_write_data_sou
+       guard(mutex)(&st->lock);
++      if (count >= sizeof(buf))
++              return -ENOSPC;
++
+       ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
+                                    count);
+       if (ret < 0)
+               return ret;
+-      buf[count] = '\0';
++      buf[ret] = '\0';
+       ret = match_string(dbgfs_attr_source, ARRAY_SIZE(dbgfs_attr_source),
+                          buf);
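Review bot: `buf[ret] = '\0'` terminates at the byte count, not at the end of the written region. `simple_write_to_buffer()` copies to `buf + *ppos`, so a write at a non-zero file offset leaves the leading bytes of `buf` untouched and puts the terminator in the wrong place before `match_string()` reads it. The declaration of `buf` is outside the hunk, so whether it is zero-initialised cannot be confirmed here. Since this handler parses a single token, rejecting offset writes before the copy is the simplest fix: `if (*ppos) return -EINVAL;`. The new `count >= sizeof(buf)` check needs no device state and could sit above `guard(mutex)(&st->lock)`.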
diff --git a/queue-6.18/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch b/queue-6.18/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch
new file mode 100644 (file)
index 0000000..85a06e9
--- /dev/null
@@ -0,0 +1,45 @@
+From 441ac29923c9172bc5e4b2c4f52ae756192f5715 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?K=C3=BCbrich=2C=20Andreas?=
+ <andreas.kuebrich@spektra-dresden.de>
+Date: Mon, 17 Nov 2025 12:35:13 +0000
+Subject: iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kübrich, Andreas <andreas.kuebrich@spektra-dresden.de>
+
+commit 441ac29923c9172bc5e4b2c4f52ae756192f5715 upstream.
+
+The chip info for this variant (I2C, four channels, 14 bit, internal
+reference) seems to have been left out due to oversight, so
+ad5686_chip_info_tbl[ID_AD5695R] is all zeroes. Initialisation of an
+AD5695R still succeeds, but the resulting IIO device has no channels and no
+/dev/iio:device* node.
+
+Add the missing chip info to the table.
+
+Fixes: 4177381b4401 ("iio:dac:ad5686: Add AD5671R/75R/94/94R/95R/96/96R support")
+Signed-off-by: Andreas Kübrich <andreas.kuebrich@spektra-dresden.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/ad5686.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/iio/dac/ad5686.c
++++ b/drivers/iio/dac/ad5686.c
+@@ -434,6 +434,12 @@ static const struct ad5686_chip_info ad5
+               .num_channels = 4,
+               .regmap_type = AD5686_REGMAP,
+       },
++      [ID_AD5695R] = {
++              .channels = ad5685r_channels,
++              .int_vref_mv = 2500,
++              .num_channels = 4,
++              .regmap_type = AD5686_REGMAP,
++      },
+       [ID_AD5696] = {
+               .channels = ad5686_channels,
+               .num_channels = 4,
diff --git a/queue-6.18/intel_th-fix-device-leak-on-output-open.patch b/queue-6.18/intel_th-fix-device-leak-on-output-open.patch
new file mode 100644 (file)
index 0000000..877c4e9
--- /dev/null
@@ -0,0 +1,69 @@
+From 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 8 Dec 2025 16:35:23 +0100
+Subject: intel_th: fix device leak on output open()
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 upstream.
+
+Make sure to drop the reference taken when looking up the th device
+during output device open() on errors and on close().
+
+Note that a recent commit fixed the leak in a couple of open() error
+paths but not all of them, and the reference is still leaking on
+successful open().
+
+Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
+Fixes: 6d5925b667e4 ("intel_th: Fix error handling in intel_th_output_open")
+Cc: stable@vger.kernel.org     # 4.4: 6d5925b667e4
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20251208153524.68637-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/core.c |   19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -810,9 +810,12 @@ static int intel_th_output_open(struct i
+       int err;
+       dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
+-      if (!dev || !dev->driver) {
++      if (!dev)
++              return -ENODEV;
++
++      if (!dev->driver) {
+               err = -ENODEV;
+-              goto out_no_device;
++              goto out_put_device;
+       }
+       thdrv = to_intel_th_driver(dev->driver);
+@@ -836,12 +839,22 @@ static int intel_th_output_open(struct i
+ out_put_device:
+       put_device(dev);
+-out_no_device:
++
+       return err;
+ }
++static int intel_th_output_release(struct inode *inode, struct file *file)
++{
++      struct intel_th_device *thdev = file->private_data;
++
++      put_device(&thdev->dev);
++
++      return 0;
++}
++
+ static const struct file_operations intel_th_output_fops = {
+       .open   = intel_th_output_open,
++      .release = intel_th_output_release,
+       .llseek = noop_llseek,
+ };
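Review bot: The new `intel_th_output_release()` only balances the reference if close() actually reaches it and `file->private_data` still holds the `intel_th_device`, and neither is established by the lines in this hunk. The part of `intel_th_output_open()` between the two inner hunks is not shown. If it hands the file over to the output driver's own file operations, or that driver's open() stores its own pointer in `private_data`, the `put_device()` here would be skipped or applied to the wrong object. Worth confirming against the full function and recording the assumption above the handler, e.g. `/* private_data is the intel_th_device set in intel_th_output_open(); drops the reference taken by bus_find_device_by_devt() */`.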
diff --git a/queue-6.18/iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch b/queue-6.18/iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch
new file mode 100644 (file)
index 0000000..ade63bb
--- /dev/null
@@ -0,0 +1,52 @@
+From 374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kulkarni <ckulkarnilinux@gmail.com>
+Date: Fri, 19 Dec 2025 15:28:58 -0800
+Subject: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path
+
+From: Chaitanya Kulkarni <ckulkarnilinux@gmail.com>
+
+commit 374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8 upstream.
+
+__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative
+error code) when encountering an unmapped PTE. Since size_t is unsigned,
+-ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE
+on 64-bit systems).
+
+This corrupted value propagates through the call chain:
+  __arm_lpae_unmap() returns -ENOENT as size_t
+  -> arm_lpae_unmap_pages() returns it
+  -> __iommu_unmap() adds it to iova address
+  -> iommu_pgsize() triggers BUG_ON due to corrupted iova
+
+This can cause IOVA address overflow in __iommu_unmap() loop and
+trigger BUG_ON in iommu_pgsize() from invalid address alignment.
+
+Fix by returning 0 instead of -ENOENT. The WARN_ON already signals
+the error condition, and returning 0 (meaning "nothing unmapped")
+is the correct semantic for size_t return type. This matches the
+behavior of other io-pgtable implementations (io-pgtable-arm-v7s,
+io-pgtable-dart) which return 0 on error conditions.
+
+Fixes: 3318f7b5cefb ("iommu/io-pgtable-arm: Add quirk to quiet WARN_ON()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chaitanya Kulkarni <ckulkarnilinux@gmail.com>
+Acked-by: Will Deacon <will@kernel.org>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/io-pgtable-arm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/io-pgtable-arm.c
++++ b/drivers/iommu/io-pgtable-arm.c
+@@ -639,7 +639,7 @@ static size_t __arm_lpae_unmap(struct ar
+       pte = READ_ONCE(*ptep);
+       if (!pte) {
+               WARN_ON(!(data->iop.cfg.quirks & IO_PGTABLE_QUIRK_NO_WARN));
+-              return -ENOENT;
++              return 0;
+       }
+       /* If the size matches this level, we're in the right place */
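Review bot: The new `return 0;` carries no comment explaining why an error code must not be returned here, and the function's `size_t` return type is only visible in the hunk header. A one-line comment would keep a later cleanup from reintroducing a negative errno: `/* size_t return: 0 means nothing was unmapped, never return -errno */`. When `IO_PGTABLE_QUIRK_NO_WARN` is set the `WARN_ON()` does not fire, so this path now fails silently; callers have to treat a zero return as "stop", which cannot be checked from this hunk. `__arm_lpae_unmap()` starts and ends outside the hunk.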
diff --git a/queue-6.18/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch b/queue-6.18/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch
new file mode 100644 (file)
index 0000000..be9fb42
--- /dev/null
@@ -0,0 +1,74 @@
+From 8d76a7d89c12d08382b66e2f21f20d0627d14859 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 19 Jan 2026 21:15:12 +0100
+Subject: irqchip/gic-v3-its: Avoid truncating memory addresses
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 8d76a7d89c12d08382b66e2f21f20d0627d14859 upstream.
+
+On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem
+allocations to be backed by addresses physical memory above the 32-bit
+address limit, as found while experimenting with larger VMSPLIT
+configurations.
+
+This caused the qemu virt model to crash in the GICv3 driver, which
+allocates the 'itt' object using GFP_KERNEL. Since all memory below
+the 4GB physical address limit is in ZONE_DMA in this configuration,
+kmalloc() defaults to higher addresses for ZONE_NORMAL, and the
+ITS driver stores the physical address in a 32-bit 'unsigned long'
+variable.
+
+Change the itt_addr variable to the correct phys_addr_t type instead,
+along with all other variables in this driver that hold a physical
+address.
+
+The gicv5 driver correctly uses u64 variables, while all other irqchip
+drivers don't call virt_to_phys or similar interfaces. It's expected that
+other device drivers have similar issues, but fixing this one is
+sufficient for booting a virtio based guest.
+
+Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260119201603.2713066-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -709,7 +709,7 @@ static struct its_collection *its_build_
+                                                struct its_cmd_block *cmd,
+                                                struct its_cmd_desc *desc)
+ {
+-      unsigned long itt_addr;
++      phys_addr_t itt_addr;
+       u8 size = ilog2(desc->its_mapd_cmd.dev->nr_ites);
+       itt_addr = virt_to_phys(desc->its_mapd_cmd.dev->itt);
+@@ -879,7 +879,7 @@ static struct its_vpe *its_build_vmapp_c
+                                          struct its_cmd_desc *desc)
+ {
+       struct its_vpe *vpe = valid_vpe(its, desc->its_vmapp_cmd.vpe);
+-      unsigned long vpt_addr, vconf_addr;
++      phys_addr_t vpt_addr, vconf_addr;
+       u64 target;
+       bool alloc;
+@@ -2477,10 +2477,10 @@ retry_baser:
+       baser->psz = psz;
+       tmp = indirect ? GITS_LVL1_ENTRY_SIZE : esz;
+-      pr_info("ITS@%pa: allocated %d %s @%lx (%s, esz %d, psz %dK, shr %d)\n",
++      pr_info("ITS@%pa: allocated %d %s @%llx (%s, esz %d, psz %dK, shr %d)\n",
+               &its->phys_base, (int)(PAGE_ORDER_TO_SIZE(order) / (int)tmp),
+               its_base_type_string[type],
+-              (unsigned long)virt_to_phys(base),
++              (u64)virt_to_phys(base),
+               indirect ? "indirect" : "flat", (int)esz,
+               psz / SZ_1K, (int)shr >> GITS_BASER_SHAREABILITY_SHIFT);
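Review bot: The `pr_info()` in the last inner hunk prints one physical address with `%pa` (`&its->phys_base`) and the other through a `(u64)` cast and `%llx`, which is the kind of hand-written width handling this patch is otherwise removing. Keeping the value in a `phys_addr_t` local and printing it with `%pa` too would drop the cast and stay correct for any width of `phys_addr_t`: `phys_addr_t base_pa = virt_to_phys(base);` and pass `&base_pa`. `%pa` prints a `0x` prefix, so the log line would change slightly. The function containing this call starts outside the hunk.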
diff --git a/queue-6.18/ksmbd-smbd-fix-dma_unmap_sg-nents.patch b/queue-6.18/ksmbd-smbd-fix-dma_unmap_sg-nents.patch
new file mode 100644 (file)
index 0000000..d360e9c
--- /dev/null
@@ -0,0 +1,67 @@
+From 98e3e2b561bc88f4dd218d1c05890672874692f6 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Fri, 9 Jan 2026 11:38:39 +0100
+Subject: ksmbd: smbd: fix dma_unmap_sg() nents
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 98e3e2b561bc88f4dd218d1c05890672874692f6 upstream.
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_rdma.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -1251,14 +1251,12 @@ static int get_sg_list(void *buf, int si
+ static int get_mapped_sg_list(struct ib_device *device, void *buf, int size,
+                             struct scatterlist *sg_list, int nentries,
+-                            enum dma_data_direction dir)
++                            enum dma_data_direction dir, int *npages)
+ {
+-      int npages;
+-
+-      npages = get_sg_list(buf, size, sg_list, nentries);
+-      if (npages < 0)
++      *npages = get_sg_list(buf, size, sg_list, nentries);
++      if (*npages < 0)
+               return -EINVAL;
+-      return ib_dma_map_sg(device, sg_list, npages, dir);
++      return ib_dma_map_sg(device, sg_list, *npages, dir);
+ }
+ static int post_sendmsg(struct smbdirect_socket *sc,
+@@ -1329,12 +1327,13 @@ static int smb_direct_post_send_data(str
+       for (i = 0; i < niov; i++) {
+               struct ib_sge *sge;
+               int sg_cnt;
++              int npages;
+               sg_init_table(sg, SMBDIRECT_SEND_IO_MAX_SGE - 1);
+               sg_cnt = get_mapped_sg_list(sc->ib.dev,
+                                           iov[i].iov_base, iov[i].iov_len,
+                                           sg, SMBDIRECT_SEND_IO_MAX_SGE - 1,
+-                                          DMA_TO_DEVICE);
++                                          DMA_TO_DEVICE, &npages);
+               if (sg_cnt <= 0) {
+                       pr_err("failed to map buffer\n");
+                       ret = -ENOMEM;
+@@ -1342,7 +1341,7 @@ static int smb_direct_post_send_data(str
+               } else if (sg_cnt + msg->num_sge > SMBDIRECT_SEND_IO_MAX_SGE) {
+                       pr_err("buffer not fitted into sges\n");
+                       ret = -E2BIG;
+-                      ib_dma_unmap_sg(sc->ib.dev, sg, sg_cnt,
++                      ib_dma_unmap_sg(sc->ib.dev, sg, npages,
+                                       DMA_TO_DEVICE);
+                       goto err;
+               }
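Review bot: `get_mapped_sg_list()` now produces two counts with different meanings and has no comment saying which is which: the return value is what `ib_dma_map_sg()` reports, while `*npages` is the entry count that has to be passed back to `ib_dma_unmap_sg()`. Confusing the two is exactly the bug being fixed, so a short comment above the function would help, e.g. `/* Returns the mapped count (<= 0 on failure); *npages receives the nents to give to ib_dma_unmap_sg() */`. On the `-EINVAL` path `*npages` is left holding a negative value, so callers must not use it unless the return is positive. `smb_direct_post_send_data()` continues outside the hunk, so any other unmap sites for `sg` could not be checked here.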
diff --git a/queue-6.18/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch b/queue-6.18/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch
new file mode 100644 (file)
index 0000000..a27381f
--- /dev/null
@@ -0,0 +1,80 @@
+From d1883cefd31752f0504b94c3bcfa1f6d511d6e87 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Date: Thu, 11 Dec 2025 17:37:27 +0100
+Subject: leds: led-class: Only Add LED to leds_list when it is fully ready
+
+From: Hans de Goede <johannes.goede@oss.qualcomm.com>
+
+commit d1883cefd31752f0504b94c3bcfa1f6d511d6e87 upstream.
+
+Before this change the LED was added to leds_list before led_init_core()
+gets called adding it the list before led_classdev.set_brightness_work gets
+initialized.
+
+This leaves a window where led_trigger_register() of a LED's default
+trigger will call led_trigger_set() which calls led_set_brightness()
+which in turn will end up queueing the *uninitialized*
+led_classdev.set_brightness_work.
+
+This race gets hit by the lenovo-thinkpad-t14s EC driver which registers
+2 LEDs with a default trigger provided by snd_ctl_led.ko in quick
+succession. The first led_classdev_register() causes an async modprobe of
+snd_ctl_led to run and that async modprobe manages to exactly hit
+the window where the second LED is on the leds_list without led_init_core()
+being called for it, resulting in:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390
+ Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025
+ ...
+ Call trace:
+  __flush_work+0x344/0x390 (P)
+  flush_work+0x2c/0x50
+  led_trigger_set+0x1c8/0x340
+  led_trigger_register+0x17c/0x1c0
+  led_trigger_register_simple+0x84/0xe8
+  snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]
+  do_one_initcall+0x5c/0x318
+  do_init_module+0x9c/0x2b8
+  load_module+0x7e0/0x998
+
+Close the race window by moving the adding of the LED to leds_list to
+after the led_init_core() call.
+
+Cc: stable@vger.kernel.org
+Fixes: d23a22a74fde ("leds: delay led_set_brightness if stopping soft-blink")
+Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Reviewed-by: Sebastian Reichel <sre@kernel.org>
+Link: https://patch.msgid.link/20251211163727.366441-1-johannes.goede@oss.qualcomm.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/led-class.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/leds/led-class.c
++++ b/drivers/leds/led-class.c
+@@ -560,11 +560,6 @@ int led_classdev_register_ext(struct dev
+ #ifdef CONFIG_LEDS_BRIGHTNESS_HW_CHANGED
+       led_cdev->brightness_hw_changed = -1;
+ #endif
+-      /* add to the list of leds */
+-      down_write(&leds_list_lock);
+-      list_add_tail(&led_cdev->node, &leds_list);
+-      up_write(&leds_list_lock);
+-
+       if (!led_cdev->max_brightness)
+               led_cdev->max_brightness = LED_FULL;
+@@ -574,6 +569,11 @@ int led_classdev_register_ext(struct dev
+       led_init_core(led_cdev);
++      /* add to the list of leds */
++      down_write(&leds_list_lock);
++      list_add_tail(&led_cdev->node, &leds_list);
++      up_write(&leds_list_lock);
++
+ #ifdef CONFIG_LEDS_TRIGGERS
+       led_trigger_set_default(led_cdev);
+ #endif
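Review bot: The moved block keeps its old comment, `/* add to the list of leds */`, which says nothing about the ordering that this patch depends on. Since the fix is purely about where the `list_add_tail()` sits relative to `led_init_core()`, the comment should state the constraint so a later reshuffle does not reopen the window: `/* Add to leds_list only after led_init_core(): a trigger registering concurrently walks the list and may queue set_brightness_work */`. `led_classdev_register_ext()` starts and ends outside the hunk, so its error paths after the list insertion could not be checked here.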
diff --git a/queue-6.18/mei-trace-treat-reg-parameter-as-string.patch b/queue-6.18/mei-trace-treat-reg-parameter-as-string.patch
new file mode 100644 (file)
index 0000000..3bdcb67
--- /dev/null
@@ -0,0 +1,98 @@
+From 06d5a7afe1d0b47102936d8fba568572c2b4b941 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Sun, 11 Jan 2026 16:51:25 +0200
+Subject: mei: trace: treat reg parameter as string
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 06d5a7afe1d0b47102936d8fba568572c2b4b941 upstream.
+
+The commit
+afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format")
+forbids to emit event with a plain char* without a wrapper.
+
+The reg parameter always passed as static string and wrapper
+is not strictly required, contrary to dev parameter.
+Use the string wrapper anyway to check sanity of the reg parameters,
+store it value independently and prevent internal kernel data leaks.
+
+Since some code refactoring has taken place, explicit backporting may
+be needed for kernels older than 6.10.
+
+Cc: stable@vger.kernel.org  # v6.11+
+Fixes: a0a927d06d79 ("mei: me: add io register tracing")
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://patch.msgid.link/20260111145125.1754912-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/mei-trace.h |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/misc/mei/mei-trace.h
++++ b/drivers/misc/mei/mei-trace.h
+@@ -21,18 +21,18 @@ TRACE_EVENT(mei_reg_read,
+       TP_ARGS(dev, reg, offs, val),
+       TP_STRUCT__entry(
+               __string(dev, dev_name(dev))
+-              __field(const char *, reg)
++              __string(reg, reg)
+               __field(u32, offs)
+               __field(u32, val)
+       ),
+       TP_fast_assign(
+               __assign_str(dev);
+-              __entry->reg  = reg;
++              __assign_str(reg);
+               __entry->offs = offs;
+               __entry->val = val;
+       ),
+       TP_printk("[%s] read %s:[%#x] = %#x",
+-                __get_str(dev), __entry->reg, __entry->offs, __entry->val)
++                __get_str(dev), __get_str(reg), __entry->offs, __entry->val)
+ );
+ TRACE_EVENT(mei_reg_write,
+@@ -40,18 +40,18 @@ TRACE_EVENT(mei_reg_write,
+       TP_ARGS(dev, reg, offs, val),
+       TP_STRUCT__entry(
+               __string(dev, dev_name(dev))
+-              __field(const char *, reg)
++              __string(reg, reg)
+               __field(u32, offs)
+               __field(u32, val)
+       ),
+       TP_fast_assign(
+               __assign_str(dev);
+-              __entry->reg = reg;
++              __assign_str(reg);
+               __entry->offs = offs;
+               __entry->val = val;
+       ),
+       TP_printk("[%s] write %s[%#x] = %#x",
+-                __get_str(dev), __entry->reg,  __entry->offs, __entry->val)
++                __get_str(dev), __get_str(reg),  __entry->offs, __entry->val)
+ );
+ TRACE_EVENT(mei_pci_cfg_read,
+@@ -59,18 +59,18 @@ TRACE_EVENT(mei_pci_cfg_read,
+       TP_ARGS(dev, reg, offs, val),
+       TP_STRUCT__entry(
+               __string(dev, dev_name(dev))
+-              __field(const char *, reg)
++              __string(reg, reg)
+               __field(u32, offs)
+               __field(u32, val)
+       ),
+       TP_fast_assign(
+               __assign_str(dev);
+-              __entry->reg  = reg;
++              __assign_str(reg);
+               __entry->offs = offs;
+               __entry->val = val;
+       ),
+       TP_printk("[%s] pci cfg read %s:[%#x] = %#x",
+-                __get_str(dev), __entry->reg, __entry->offs, __entry->val)
++                __get_str(dev), __get_str(reg), __entry->offs, __entry->val)
+ );
+ #endif /* _MEI_TRACE_H_ */
diff --git a/queue-6.18/migrate-correct-lock-ordering-for-hugetlb-file-folios.patch b/queue-6.18/migrate-correct-lock-ordering-for-hugetlb-file-folios.patch
new file mode 100644 (file)
index 0000000..3743797
--- /dev/null
@@ -0,0 +1,105 @@
+From b7880cb166ab62c2409046b2347261abf701530e Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Fri, 9 Jan 2026 04:13:42 +0000
+Subject: migrate: correct lock ordering for hugetlb file folios
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit b7880cb166ab62c2409046b2347261abf701530e upstream.
+
+Syzbot has found a deadlock (analyzed by Lance Yang):
+
+1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
+2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
+folio_lock.
+
+migrate_pages()
+  -> migrate_hugetlbs()
+    -> unmap_and_move_huge_page()     <- Takes folio_lock!
+      -> remove_migration_ptes()
+        -> __rmap_walk_file()
+          -> i_mmap_lock_read()       <- Waits for i_mmap_rwsem(read lock)!
+
+hugetlbfs_fallocate()
+  -> hugetlbfs_punch_hole()           <- Takes i_mmap_rwsem(write lock)!
+    -> hugetlbfs_zero_partial_page()
+     -> filemap_lock_hugetlb_folio()
+      -> filemap_lock_folio()
+        -> __filemap_get_folio        <- Waits for folio_lock!
+
+The migration path is the one taking locks in the wrong order according to
+the documentation at the top of mm/rmap.c.  So expand the scope of the
+existing i_mmap_lock to cover the calls to remove_migration_ptes() too.
+
+This is (mostly) how it used to be after commit c0d0381ade79.  That was
+removed by 336bf30eb765 for both file & anon hugetlb pages when it should
+only have been removed for anon hugetlb pages.
+
+Link: https://lkml.kernel.org/r/20260109041345.3863089-2-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Fixes: 336bf30eb765 ("hugetlbfs: fix anon huge page migration race")
+Reported-by: syzbot+2d9c96466c978346b55f@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/68e9715a.050a0220.1186a4.000d.GAE@google.com
+Debugged-by: Lance Yang <lance.yang@linux.dev>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Acked-by: Zi Yan <ziy@nvidia.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: Byungchul Park <byungchul@sk.com>
+Cc: Gregory Price <gourry@gourry.net>
+Cc: Jann Horn <jannh@google.com>
+Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: Rakie Kim <rakie.kim@sk.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Ying Huang <ying.huang@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/migrate.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -1450,6 +1450,7 @@ static int unmap_and_move_huge_page(new_
+       int page_was_mapped = 0;
+       struct anon_vma *anon_vma = NULL;
+       struct address_space *mapping = NULL;
++      enum ttu_flags ttu = 0;
+       if (folio_ref_count(src) == 1) {
+               /* page was freed from under us. So we are done. */
+@@ -1490,8 +1491,6 @@ static int unmap_and_move_huge_page(new_
+               goto put_anon;
+       if (folio_mapped(src)) {
+-              enum ttu_flags ttu = 0;
+-
+               if (!folio_test_anon(src)) {
+                       /*
+                        * In shared mappings, try_to_unmap could potentially
+@@ -1508,16 +1507,17 @@ static int unmap_and_move_huge_page(new_
+               try_to_migrate(src, ttu);
+               page_was_mapped = 1;
+-
+-              if (ttu & TTU_RMAP_LOCKED)
+-                      i_mmap_unlock_write(mapping);
+       }
+       if (!folio_mapped(src))
+               rc = move_to_new_folio(dst, src, mode);
+       if (page_was_mapped)
+-              remove_migration_ptes(src, !rc ? dst : src, 0);
++              remove_migration_ptes(src, !rc ? dst : src,
++                              ttu ? RMP_LOCKED : 0);
++
++      if (ttu & TTU_RMAP_LOCKED)
++              i_mmap_unlock_write(mapping);
+ unlock_put_anon:
+       folio_unlock(dst);
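Review bot: The two new uses of `ttu` test it differently: `remove_migration_ptes()` gets `ttu ? RMP_LOCKED : 0`, while the unlock just below checks `ttu & TTU_RMAP_LOCKED`. They agree today only if `TTU_RMAP_LOCKED` is the sole flag ever stored in `ttu`; if another flag is added later, `RMP_LOCKED` would be passed without `i_mmap_rwsem` being held. Testing the same bit in both places removes that coupling: `(ttu & TTU_RMAP_LOCKED) ? RMP_LOCKED : 0`. `unmap_and_move_huge_page()` starts and ends outside the hunk.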
diff --git a/queue-6.18/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch b/queue-6.18/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch
new file mode 100644 (file)
index 0000000..7734801
--- /dev/null
@@ -0,0 +1,84 @@
+From 122610220134b32c742cc056eaf64f7017ac8cd9 Mon Sep 17 00:00:00 2001
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+Date: Mon, 29 Dec 2025 12:45:26 -0800
+Subject: mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function
+
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+
+commit 122610220134b32c742cc056eaf64f7017ac8cd9 upstream.
+
+rtsx_pci_sdmmc does not have an sdmmc_card_busy function, so any voltage
+switches cause a kernel warning, "mmc0: cannot verify signal voltage
+switch."
+
+Copy the sdmmc_card_busy function from rtsx_pci_usb to rtsx_pci_sdmmc to
+fix this.
+
+Fixes: ff984e57d36e ("mmc: Add realtek pcie sdmmc host driver")
+Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Tested-by: Ricky WU <ricky_wu@realtek.com>
+Reviewed-by: Ricky WU <ricky_wu@realtek.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/rtsx_pci_sdmmc.c |   41 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/drivers/mmc/host/rtsx_pci_sdmmc.c
++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c
+@@ -1306,6 +1306,46 @@ out:
+       return err;
+ }
++static int sdmmc_card_busy(struct mmc_host *mmc)
++{
++      struct realtek_pci_sdmmc *host = mmc_priv(mmc);
++      struct rtsx_pcr *pcr = host->pcr;
++      int err;
++      u8 stat;
++      u8 mask = SD_DAT3_STATUS | SD_DAT2_STATUS | SD_DAT1_STATUS
++      | SD_DAT0_STATUS;
++
++      mutex_lock(&pcr->pcr_mutex);
++
++      rtsx_pci_start_run(pcr);
++
++      err = rtsx_pci_write_register(pcr, SD_BUS_STAT,
++                                    SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP,
++                             SD_CLK_TOGGLE_EN);
++      if (err)
++              goto out;
++
++      mdelay(1);
++
++      err = rtsx_pci_read_register(pcr, SD_BUS_STAT, &stat);
++      if (err)
++              goto out;
++
++      err = rtsx_pci_write_register(pcr, SD_BUS_STAT,
++                                    SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, 0);
++out:
++      mutex_unlock(&pcr->pcr_mutex);
++
++      if (err)
++              return err;
++
++      /* check if any pin between dat[0:3] is low */
++      if ((stat & mask) != mask)
++              return 1;
++      else
++              return 0;
++}
++
+ static int sdmmc_execute_tuning(struct mmc_host *mmc, u32 opcode)
+ {
+       struct realtek_pci_sdmmc *host = mmc_priv(mmc);
+@@ -1418,6 +1458,7 @@ static const struct mmc_host_ops realtek
+       .get_ro = sdmmc_get_ro,
+       .get_cd = sdmmc_get_cd,
+       .start_signal_voltage_switch = sdmmc_switch_voltage,
++      .card_busy = sdmmc_card_busy,
+       .execute_tuning = sdmmc_execute_tuning,
+       .init_sd_express = sdmmc_init_sd_express,
+ };
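Review bot: In the new `sdmmc_card_busy()`, a failing `rtsx_pci_read_register()` jumps to `out` and skips the second `rtsx_pci_write_register()`, so `SD_CLK_TOGGLE_EN` stays set after the first write enabled it. The restoring write should run whenever the enabling write succeeded, with the first error preserved for the return value. Separately, `mdelay(1)` busy-waits while `pcr_mutex` is held; a sleeping delay would likely do in this context. The function is entirely within the hunk.

```c
	int err, err2;
	/* … unchanged: locals, mutex_lock, rtsx_pci_start_run, enabling write, mdelay … */

	err = rtsx_pci_read_register(pcr, SD_BUS_STAT, &stat);

	/* Stop the clock toggle even if the read failed; keep the first error. */
	err2 = rtsx_pci_write_register(pcr, SD_BUS_STAT,
				       SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, 0);
	if (!err)
		err = err2;
out:
	/* … unchanged: mutex_unlock, error return, DAT[0:3] level check … */
```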
diff --git a/queue-6.18/mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch b/queue-6.18/mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch
new file mode 100644 (file)
index 0000000..b440444
--- /dev/null
@@ -0,0 +1,56 @@
+From 3009738a855cf938bbfc9078bec725031ae623a4 Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Mon, 22 Dec 2025 15:11:25 +0800
+Subject: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit 3009738a855cf938bbfc9078bec725031ae623a4 upstream.
+
+When operating in HS200 or HS400 timing modes, reducing the clock frequency
+below 52MHz will lead to link broken as the Rockchip DWC MSHC controller
+requires maintaining a minimum clock of 52MHz in these modes.
+
+Add a check to prevent illegal clock reduction through debugfs:
+
+root@debian:/# echo 50000000 > /sys/kernel/debug/mmc0/clock
+root@debian:/# [   30.090146] mmc0: running CQE recovery
+mmc0: cqhci: Failed to halt
+mmc0: cqhci: spurious TCN for tag 0
+WARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24
+Modules linked in:
+CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT
+Hardware name: Rockchip RK3588 EVB1 V10 Board (DT)
+Workqueue: kblockd blk_mq_run_work_fn
+pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : cqhci_irq+0x254/0x818
+lr : cqhci_irq+0x254/0x818
+...
+
+Fixes: c6f361cba51c ("mmc: sdhci-of-dwcmshc: add support for rk3588")
+Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
+Cc: Yifeng Zhao <yifeng.zhao@rock-chips.com>
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-dwcmshc.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
+@@ -608,6 +608,13 @@ static void dwcmshc_rk3568_set_clock(str
+       sdhci_writel(host, extra, reg);
+       if (clock <= 52000000) {
++              if (host->mmc->ios.timing == MMC_TIMING_MMC_HS200 ||
++                  host->mmc->ios.timing == MMC_TIMING_MMC_HS400) {
++                      dev_err(mmc_dev(host->mmc),
++                              "Can't reduce the clock below 52MHz in HS200/HS400 mode");
++                      return;
++              }
++
+               /*
+                * Disable DLL and reset both of sample and drive clock.
+                * The bypass bit and start bit need to be set if DLL is not locked.
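Review bot: The early `return` in the new HS200/HS400 check sits after `sdhci_writel(host, extra, reg)` on the context line above, so the request is refused only after the controller has already been written to. Anything programmed earlier in `dwcmshc_rk3568_set_clock()` (its start is outside the hunk) is left in place as well. Doing the timing check before the first register write would make the rejection free of side effects. The `dev_err()` string also lacks a trailing newline, `"Can't reduce the clock below 52MHz in HS200/HS400 mode\n"`. Because the enclosing test is `clock <= 52000000`, a request for exactly 52MHz is refused although the message says "below".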
diff --git a/queue-6.18/net-fec-account-for-vlan-header-in-frame-length-calculations.patch b/queue-6.18/net-fec-account-for-vlan-header-in-frame-length-calculations.patch
new file mode 100644 (file)
index 0000000..94f4edf
--- /dev/null
@@ -0,0 +1,77 @@
+From ca1bb3fedf26a08ed31974131bc0064d4fe33649 Mon Sep 17 00:00:00 2001
+From: Clemens Gruber <mail@clemensgruber.at>
+Date: Wed, 21 Jan 2026 09:37:51 +0100
+Subject: net: fec: account for VLAN header in frame length calculations
+
+From: Clemens Gruber <mail@clemensgruber.at>
+
+commit ca1bb3fedf26a08ed31974131bc0064d4fe33649 upstream.
+
+The MAX_FL (maximum frame length) and related calculations used ETH_HLEN,
+which does not account for the 4-byte VLAN tag in tagged frames. This
+caused the hardware to reject valid VLAN frames as oversized, resulting
+in RX errors and dropped packets.
+
+Use VLAN_ETH_HLEN instead of ETH_HLEN in the MAX_FL register setup,
+cut-through mode threshold, buffer allocation, and max_mtu calculation.
+
+Cc: stable@kernel.org # v6.18+
+Fixes: 62b5bb7be7bc ("net: fec: update MAX_FL based on the current MTU")
+Fixes: d466c16026e9 ("net: fec: enable the Jumbo frame support for i.MX8QM")
+Fixes: 59e9bf037d75 ("net: fec: add change_mtu to support dynamic buffer allocation")
+Fixes: ec2a1681ed4f ("net: fec: use a member variable for maximum buffer size")
+Signed-off-by: Clemens Gruber <mail@clemensgruber.at>
+Reviewed-by: Wei Fang <wei.fang@nxp.com>
+Link: https://patch.msgid.link/20260121083751.66997-1-mail@clemensgruber.at
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1151,7 +1151,7 @@ fec_restart(struct net_device *ndev)
+       u32 rcntl = FEC_RCR_MII;
+       if (OPT_ARCH_HAS_MAX_FL)
+-              rcntl |= (fep->netdev->mtu + ETH_HLEN + ETH_FCS_LEN) << 16;
++              rcntl |= (fep->netdev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN) << 16;
+       if (fep->bufdesc_ex)
+               fec_ptp_save_state(fep);
+@@ -1286,12 +1286,13 @@ fec_restart(struct net_device *ndev)
+               /* When Jumbo Frame is enabled, the FIFO may not be large enough
+                * to hold an entire frame. In such cases, if the MTU exceeds
+-               * (PKT_MAXBUF_SIZE - ETH_HLEN - ETH_FCS_LEN), configure the interface
+-               * to operate in cut-through mode, triggered by the FIFO threshold.
++               * (PKT_MAXBUF_SIZE - VLAN_ETH_HLEN - ETH_FCS_LEN), configure
++               * the interface to operate in cut-through mode, triggered by
++               * the FIFO threshold.
+                * Otherwise, enable the ENET store-and-forward mode.
+                */
+               if ((fep->quirks & FEC_QUIRK_JUMBO_FRAME) &&
+-                  (ndev->mtu > (PKT_MAXBUF_SIZE - ETH_HLEN - ETH_FCS_LEN)))
++                  (ndev->mtu > (PKT_MAXBUF_SIZE - VLAN_ETH_HLEN - ETH_FCS_LEN)))
+                       writel(0xF, fep->hwp + FEC_X_WMRK);
+               else
+                       writel(FEC_TXWMRK_STRFWD, fep->hwp + FEC_X_WMRK);
+@@ -4052,7 +4053,7 @@ static int fec_change_mtu(struct net_dev
+       if (netif_running(ndev))
+               return -EBUSY;
+-      order = get_order(new_mtu + ETH_HLEN + ETH_FCS_LEN
++      order = get_order(new_mtu + VLAN_ETH_HLEN + ETH_FCS_LEN
+                         + FEC_DRV_RESERVE_SPACE);
+       fep->rx_frame_size = (PAGE_SIZE << order) - FEC_DRV_RESERVE_SPACE;
+       fep->pagepool_order = order;
+@@ -4609,7 +4610,7 @@ fec_probe(struct platform_device *pdev)
+       else
+               fep->max_buf_size = PKT_MAXBUF_SIZE;
+-      ndev->max_mtu = fep->max_buf_size - ETH_HLEN - ETH_FCS_LEN;
++      ndev->max_mtu = fep->max_buf_size - VLAN_ETH_HLEN - ETH_FCS_LEN;
+       ret = register_netdev(ndev);
+       if (ret)
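Review bot: The per-frame overhead `VLAN_ETH_HLEN + ETH_FCS_LEN` is now spelled out separately at four sites: the MAX_FL setup and the cut-through test in `fec_restart()`, `get_order()` in `fec_change_mtu()`, and `max_mtu` in `fec_probe()`. These sites have to agree for the hardware limit, the buffer size and the advertised MTU to stay consistent. A single named constant would stop them drifting apart again, e.g. `#define FEC_FRAME_OVERHEAD (VLAN_ETH_HLEN + ETH_FCS_LEN)` (name is only a suggestion). `ndev->max_mtu` also shrinks by the VLAN header length, so an MTU equal to the old maximum is no longer accepted, which deserves a line in the comment at that assignment. All four functions extend beyond their hunks.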
diff --git a/queue-6.18/net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch b/queue-6.18/net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch
new file mode 100644 (file)
index 0000000..541ebae
--- /dev/null
@@ -0,0 +1,33 @@
+From a92a6c50e35b75a8021265507f3c2a9084df0b94 Mon Sep 17 00:00:00 2001
+From: Hamza Mahfooz <someguy@effective-light.com>
+Date: Tue, 13 Jan 2026 18:29:57 -0500
+Subject: net: sfp: add potron quirk to the H-COM SPP425H-GAB4 SFP+ Stick
+
+From: Hamza Mahfooz <someguy@effective-light.com>
+
+commit a92a6c50e35b75a8021265507f3c2a9084df0b94 upstream.
+
+This is another one of those XGSPON ONU sticks that's using the
+X-ONU-SFPP internally, thus it also requires the potron quirk to avoid tx
+faults. So, add an entry for it in sfp_quirks[].
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hamza Mahfooz <someguy@effective-light.com>
+Link: https://patch.msgid.link/20260113232957.609642-1-someguy@effective-light.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/sfp.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -519,6 +519,8 @@ static const struct sfp_quirk sfp_quirks
+       SFP_QUIRK_F("HALNy", "HL-GSFP", sfp_fixup_halny_gsfp),
++      SFP_QUIRK_F("H-COM", "SPP425H-GAB4", sfp_fixup_potron),
++
+       // HG MXPD-483II-F 2.5G supports 2500Base-X, but incorrectly reports
+       // 2600MBd in their EERPOM
+       SFP_QUIRK_S("HG GENUINE", "MXPD-483II", sfp_quirk_2500basex),
diff --git a/queue-6.18/net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch b/queue-6.18/net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch
new file mode 100644 (file)
index 0000000..94bc378
--- /dev/null
@@ -0,0 +1,49 @@
+From 3d778e65b4f44c6af4901d83020bb8a0a010f39e Mon Sep 17 00:00:00 2001
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+Date: Mon, 19 Jan 2026 14:59:35 +0800
+Subject: net: txgbe: remove the redundant data return in SW-FW mailbox
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+commit 3d778e65b4f44c6af4901d83020bb8a0a010f39e upstream.
+
+For these two firmware mailbox commands, in txgbe_test_hostif() and
+txgbe_set_phy_link_hostif(), there is no need to read data from the
+buffer.
+
+Under the current setting, OEM firmware will cause the driver to fail to
+probe. Because OEM firmware returns more link information, with a larger
+OEM structure txgbe_hic_ephy_getlink. However, the current driver does
+not support the OEM function. So just fix it in the way that does not
+involve reading the returned data.
+
+Fixes: d84a3ff9aae8 ("net: txgbe: Restrict the use of mismatched FW versions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Link: https://patch.msgid.link/2914AB0BC6158DDA+20260119065935.6015-1-jiawenwu@trustnetic.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
+@@ -65,7 +65,7 @@ int txgbe_test_hostif(struct wx *wx)
+       buffer.hdr.cmd_or_resp.cmd_resv = FW_CEM_CMD_RESERVED;
+       return wx_host_interface_command(wx, (u32 *)&buffer, sizeof(buffer),
+-                                      WX_HI_COMMAND_TIMEOUT, true);
++                                       WX_HI_COMMAND_TIMEOUT, false);
+ }
+ static int txgbe_identify_sfp_hostif(struct wx *wx, struct txgbe_hic_i2c_read *buffer)
+@@ -103,7 +103,7 @@ static int txgbe_set_phy_link_hostif(str
+       buffer.duplex = duplex;
+       return wx_host_interface_command(wx, (u32 *)&buffer, sizeof(buffer),
+-                                       WX_HI_COMMAND_TIMEOUT, true);
++                                       WX_HI_COMMAND_TIMEOUT, false);
+ }
+ static void txgbe_get_link_capabilities(struct wx *wx)
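Review bot: The bare `false` now passed as the last argument of wx_host_interface_command() in txgbe_test_hostif() and txgbe_set_phy_link_hostif() gives no hint why the reply is deliberately not read. The reason is only in the commit message, so a later cleanup could flip it back to `true` and bring back the probe failure with OEM firmware. A one-line comment above each call would record it, for example `/* reply payload is not read: OEM firmware returns a larger structure than this driver handles */`. Both functions start outside their hunks, so whether the command status is still checked when no data is returned cannot be confirmed from here.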
diff --git a/queue-6.18/netrom-fix-double-free-in-nr_route_frame.patch b/queue-6.18/netrom-fix-double-free-in-nr_route_frame.patch
new file mode 100644 (file)
index 0000000..2a98fcb
--- /dev/null
@@ -0,0 +1,69 @@
+From ba1096c315283ee3292765f6aea4cca15816c4f7 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 19 Jan 2026 15:33:59 +0900
+Subject: netrom: fix double-free in nr_route_frame()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit ba1096c315283ee3292765f6aea4cca15816c4f7 upstream.
+
+In nr_route_frame(), old_skb is immediately freed without checking if
+nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
+the caller function will free old_skb again, causing a double-free bug.
+
+Therefore, to prevent this, we need to modify it to check whether
+nr_neigh->ax25 is NULL before freeing old_skb.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0029.GAE@google.com/
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Link: https://patch.msgid.link/20260119063359.10604-1-aha310510@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/nr_route.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -752,7 +752,7 @@ int nr_route_frame(struct sk_buff *skb,
+       unsigned char *dptr;
+       ax25_cb *ax25s;
+       int ret;
+-      struct sk_buff *skbn;
++      struct sk_buff *nskb, *oskb;
+       /*
+        * Reject malformed packets early. Check that it contains at least 2
+@@ -811,14 +811,16 @@ int nr_route_frame(struct sk_buff *skb,
+       /* We are going to change the netrom headers so we should get our
+          own skb, we also did not know until now how much header space
+          we had to reserve... - RXQ */
+-      if ((skbn=skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC)) == NULL) {
++      nskb = skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC);
++
++      if (!nskb) {
+               nr_node_unlock(nr_node);
+               nr_node_put(nr_node);
+               dev_put(dev);
+               return 0;
+       }
+-      kfree_skb(skb);
+-      skb=skbn;
++      oskb = skb;
++      skb = nskb;
+       skb->data[14]--;
+       dptr  = skb_push(skb, 1);
+@@ -837,6 +839,9 @@ int nr_route_frame(struct sk_buff *skb,
+       nr_node_unlock(nr_node);
+       nr_node_put(nr_node);
++      if (ret)
++              kfree_skb(oskb);
++
+       return ret;
+ }
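Review bot: On the path where `ret` is 0 the last inner hunk leaves `oskb` for the caller to free, but nothing visible shows who releases the copy `nskb` that was handed to the transmit path. If that call does not consume the buffer when it fails to return a connection, the copy would leak on every such failure. The send call and the assignment of `ret` lie between the second and third inner hunks and are not shown, so this needs checking against the full body of nr_route_frame(). A short comment at the new `if (ret)` would also record the ownership rule the fix relies on, e.g. `/* on failure the caller still owns and frees the original skb */`.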
diff --git a/queue-6.18/octeontx2-fix-otx2_dma_map_page-error-return-code.patch b/queue-6.18/octeontx2-fix-otx2_dma_map_page-error-return-code.patch
new file mode 100644 (file)
index 0000000..c33ebdc
--- /dev/null
@@ -0,0 +1,46 @@
+From d998b0e5afffa90d0f03770bad31083767079858 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Wed, 14 Jan 2026 13:31:06 +0100
+Subject: octeontx2: Fix otx2_dma_map_page() error return code
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit d998b0e5afffa90d0f03770bad31083767079858 upstream.
+
+0 is a valid DMA address [1] so using it as the error value can lead to
+errors.  The error value of dma_map_XXX() functions is DMA_MAPPING_ERROR
+which is ~0.  The callers of otx2_dma_map_page() use dma_mapping_error()
+to test the return value of otx2_dma_map_page(). This means that they
+would not detect an error in otx2_dma_map_page().
+
+Make otx2_dma_map_page() return the raw value of dma_map_page_attrs().
+
+[1] https://lore.kernel.org/all/f977f68b-cec5-4ab7-b4bd-2cf6aca46267@intel.com
+
+Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260114123107.42387-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
+@@ -934,13 +934,8 @@ static inline dma_addr_t otx2_dma_map_pa
+                                          size_t offset, size_t size,
+                                          enum dma_data_direction dir)
+ {
+-      dma_addr_t iova;
+-
+-      iova = dma_map_page_attrs(pfvf->dev, page,
++      return dma_map_page_attrs(pfvf->dev, page,
+                                 offset, size, dir, DMA_ATTR_SKIP_CPU_SYNC);
+-      if (unlikely(dma_mapping_error(pfvf->dev, iova)))
+-              return (dma_addr_t)NULL;
+-      return iova;
+ }
+ static inline void otx2_dma_unmap_page(struct otx2_nic *pfvf,
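Review bot: Nothing at otx2_dma_map_page() tells a caller that the result must be tested with dma_mapping_error() and not compared against 0 or NULL, which is the confusion this change removes. A comment above the helper would make the contract explicit, e.g. `/* Returns the raw dma_map_page_attrs() result; 0 is a valid address, so check with dma_mapping_error(). */`. The commit message states that existing callers already use dma_mapping_error(), but they are outside this hunk, so any remaining `!iova`-style check is worth a quick search before merging. The function's signature starts outside the hunk.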
diff --git a/queue-6.18/of-fix-reference-count-leak-in-of_alias_scan.patch b/queue-6.18/of-fix-reference-count-leak-in-of_alias_scan.patch
new file mode 100644 (file)
index 0000000..a373cbb
--- /dev/null
@@ -0,0 +1,49 @@
+From 81122fba08fa3ccafab6ed272a5c6f2203923a7e Mon Sep 17 00:00:00 2001
+From: Weigang He <geoffreyhe2@gmail.com>
+Date: Sat, 17 Jan 2026 09:12:38 +0000
+Subject: of: fix reference count leak in of_alias_scan()
+
+From: Weigang He <geoffreyhe2@gmail.com>
+
+commit 81122fba08fa3ccafab6ed272a5c6f2203923a7e upstream.
+
+of_find_node_by_path() returns a device_node with its refcount
+incremented. When kstrtoint() fails or dt_alloc() fails, the function
+continues to the next iteration without calling of_node_put(), causing
+a reference count leak.
+
+Add of_node_put(np) before continue on both error paths to properly
+release the device_node reference.
+
+Fixes: 611cad720148 ("dt: add of_alias_scan and of_alias_get_id")
+Cc: stable@vger.kernel.org
+Signed-off-by: Weigang He <geoffreyhe2@gmail.com>
+Link: https://patch.msgid.link/20260117091238.481243-1-geoffreyhe2@gmail.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1895,13 +1895,17 @@ void of_alias_scan(void * (*dt_alloc)(u6
+                       end--;
+               len = end - start;
+-              if (kstrtoint(end, 10, &id) < 0)
++              if (kstrtoint(end, 10, &id) < 0) {
++                      of_node_put(np);
+                       continue;
++              }
+               /* Allocate an alias_prop with enough space for the stem */
+               ap = dt_alloc(sizeof(*ap) + len + 1, __alignof__(*ap));
+-              if (!ap)
++              if (!ap) {
++                      of_node_put(np);
+                       continue;
++              }
+               memset(ap, 0, sizeof(*ap) + len + 1);
+               ap->alias = start;
+               of_alias_add(ap, np, id, start, len);
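Review bot: Both new error paths drop the reference on `np`, while the success path ending in `of_alias_add(ap, np, id, start, len)` keeps it, and nothing in the loop says that this is intentional. Presumably of_alias_add() stores `np` in the alias_prop for later lookups, but its body is not in the hunk. A comment before the call, such as `/* the np reference is kept by the alias entry */`, would stop a later cleanup from adding a third of_node_put() and turning the leak fix into a use-after-free. The loop header and the lookup that takes the reference are outside the hunk.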
diff --git a/queue-6.18/of-platform-use-default-match-table-for-firmware.patch b/queue-6.18/of-platform-use-default-match-table-for-firmware.patch
new file mode 100644 (file)
index 0000000..8f139e0
--- /dev/null
@@ -0,0 +1,40 @@
+From 48e6a9c4a20870e09f85ff1a3628275d6bce31c0 Mon Sep 17 00:00:00 2001
+From: "Rob Herring (Arm)" <robh@kernel.org>
+Date: Tue, 13 Jan 2026 19:51:58 -0600
+Subject: of: platform: Use default match table for /firmware
+
+From: Rob Herring (Arm) <robh@kernel.org>
+
+commit 48e6a9c4a20870e09f85ff1a3628275d6bce31c0 upstream.
+
+Calling of_platform_populate() without a match table will only populate
+the immediate child nodes under /firmware. This is usually fine, but in
+the case of something like a "simple-mfd" node such as
+"raspberrypi,bcm2835-firmware", those child nodes will not be populated.
+And subsequent calls won't work either because the /firmware node is
+marked as processed already.
+
+Switch the call to of_platform_default_populate() to solve this problem.
+It should be a nop for existing cases.
+
+Fixes: 3aa0582fdb82 ("of: platform: populate /firmware/ node from of_platform_default_populate_init()")
+Cc: stable@vger.kernel.org
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Link: https://patch.msgid.link/20260114015158.692170-2-robh@kernel.org
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/platform.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/platform.c
++++ b/drivers/of/platform.c
+@@ -569,7 +569,7 @@ static int __init of_platform_default_po
+               node = of_find_node_by_path("/firmware");
+               if (node) {
+-                      of_platform_populate(node, NULL, NULL, NULL);
++                      of_platform_default_populate(node, NULL, NULL);
+                       of_node_put(node);
+               }
diff --git a/queue-6.18/panic-only-warn-about-deprecated-panic_print-on-write-access.patch b/queue-6.18/panic-only-warn-about-deprecated-panic_print-on-write-access.patch
new file mode 100644 (file)
index 0000000..8b733fd
--- /dev/null
@@ -0,0 +1,61 @@
+From 90f3c123247e9564f2ecf861946ec41ceaf5e198 Mon Sep 17 00:00:00 2001
+From: Gal Pressman <gal@nvidia.com>
+Date: Tue, 6 Jan 2026 18:33:21 +0200
+Subject: panic: only warn about deprecated panic_print on write access
+
+From: Gal Pressman <gal@nvidia.com>
+
+commit 90f3c123247e9564f2ecf861946ec41ceaf5e198 upstream.
+
+The panic_print_deprecated() warning is being triggered on both read and
+write operations to the panic_print parameter.
+
+This causes spurious warnings when users run 'sysctl -a' to list all
+sysctl values, since that command reads /proc/sys/kernel/panic_print and
+triggers the deprecation notice.
+
+Modify the handlers to only emit the deprecation warning when the
+parameter is actually being set:
+
+ - sysctl_panic_print_handler(): check 'write' flag before warning.
+ - panic_print_get(): remove the deprecation call entirely.
+
+This way, users are only warned when they actively try to use the
+deprecated parameter, not when passively querying system state.
+
+Link: https://lkml.kernel.org/r/20260106163321.83586-1-gal@nvidia.com
+Fixes: ee13240cd78b ("panic: add note that panic_print sysctl interface is deprecated")
+Fixes: 2683df6539cb ("panic: add note that 'panic_print' parameter is deprecated")
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Nimrod Oren <noren@nvidia.com>
+Cc: Feng Tang <feng.tang@linux.alibaba.com>
+Cc: Joel Granados <joel.granados@kernel.org>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/panic.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/panic.c
++++ b/kernel/panic.c
+@@ -131,7 +131,8 @@ static int proc_taint(const struct ctl_t
+ static int sysctl_panic_print_handler(const struct ctl_table *table, int write,
+                          void *buffer, size_t *lenp, loff_t *ppos)
+ {
+-      panic_print_deprecated();
++      if (write)
++              panic_print_deprecated();
+       return proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
+ }
+@@ -1010,7 +1011,6 @@ static int panic_print_set(const char *v
+ static int panic_print_get(char *val, const struct kernel_param *kp)
+ {
+-      panic_print_deprecated();
+       return  param_get_ulong(val, kp);
+ }
diff --git a/queue-6.18/perf-x86-intel-do-not-enable-bts-for-guests.patch b/queue-6.18/perf-x86-intel-do-not-enable-bts-for-guests.patch
new file mode 100644 (file)
index 0000000..34bdccb
--- /dev/null
@@ -0,0 +1,59 @@
+From 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 Mon Sep 17 00:00:00 2001
+From: Fernand Sieber <sieberf@amazon.com>
+Date: Thu, 11 Dec 2025 20:36:04 +0200
+Subject: perf/x86/intel: Do not enable BTS for guests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fernand Sieber <sieberf@amazon.com>
+
+commit 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 upstream.
+
+By default when users program perf to sample branch instructions
+(PERF_COUNT_HW_BRANCH_INSTRUCTIONS) with a sample period of 1, perf
+interprets this as a special case and enables BTS (Branch Trace Store)
+as an optimization to avoid taking an interrupt on every branch.
+
+Since BTS doesn't virtualize, this optimization doesn't make sense when
+the request originates from a guest. Add an additional check that
+prevents this optimization for virtualized events (exclude_host).
+
+Reported-by: Jan H. Schönherr <jschoenh@amazon.de>
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Fernand Sieber <sieberf@amazon.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251211183604.868641-1-sieberf@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/perf_event.h |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -1558,13 +1558,22 @@ static inline bool intel_pmu_has_bts_per
+       struct hw_perf_event *hwc = &event->hw;
+       unsigned int hw_event, bts_event;
+-      if (event->attr.freq)
++      /*
++       * Only use BTS for fixed rate period==1 events.
++       */
++      if (event->attr.freq || period != 1)
++              return false;
++
++      /*
++       * BTS doesn't virtualize.
++       */
++      if (event->attr.exclude_host)
+               return false;
+       hw_event = hwc->config & INTEL_ARCH_EVENT_MASK;
+       bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
+-      return hw_event == bts_event && period == 1;
++      return hw_event == bts_event;
+ }
+ static inline bool intel_pmu_has_bts(struct perf_event *event)
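Review bot: The new comment `BTS doesn't virtualize.` does not say why `event->attr.exclude_host` is the condition being tested, so the link between the flag and guest-originated events is left to the commit message. Something like `/* BTS doesn't virtualize, so never select it for guest-only (exclude_host) events. */` would keep the reason next to the check. Moving `period != 1` into the first early return is behaviour-preserving as far as the hunk shows. The start of intel_pmu_has_bts_period() is outside the hunk.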
diff --git a/queue-6.18/platform-x86-hp-bioscfg-fix-automatic-module-loading.patch b/queue-6.18/platform-x86-hp-bioscfg-fix-automatic-module-loading.patch
new file mode 100644 (file)
index 0000000..1ef9163
--- /dev/null
@@ -0,0 +1,51 @@
+From 467d4afc6caa64b84a6db1634f8091e931f4a7cb Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 15 Jan 2026 14:31:12 -0600
+Subject: platform/x86: hp-bioscfg: Fix automatic module loading
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 467d4afc6caa64b84a6db1634f8091e931f4a7cb upstream.
+
+hp-bioscfg has a MODULE_DEVICE_TABLE with a GUID in it that looks
+plausible, but the module doesn't automatically load on applicable
+systems.
+
+This is because the GUID has some lower case characters and so it
+doesn't match the modalias during boot. Update the GUIDs to be all
+uppercase.
+
+Cc: stable@vger.kernel.org
+Fixes: 5f94f181ca25 ("platform/x86: hp-bioscfg: bioscfg-h")
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20260115203725.828434-4-mario.limonciello@amd.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/hp/hp-bioscfg/bioscfg.h |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h
++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h
+@@ -57,14 +57,14 @@ enum mechanism_values {
+ #define PASSWD_MECHANISM_TYPES "password"
+-#define HP_WMI_BIOS_GUID              "5FB7F034-2C63-45e9-BE91-3D44E2C707E4"
++#define HP_WMI_BIOS_GUID              "5FB7F034-2C63-45E9-BE91-3D44E2C707E4"
+-#define HP_WMI_BIOS_STRING_GUID               "988D08E3-68F4-4c35-AF3E-6A1B8106F83C"
++#define HP_WMI_BIOS_STRING_GUID               "988D08E3-68F4-4C35-AF3E-6A1B8106F83C"
+ #define HP_WMI_BIOS_INTEGER_GUID      "8232DE3D-663D-4327-A8F4-E293ADB9BF05"
+ #define HP_WMI_BIOS_ENUMERATION_GUID  "2D114B49-2DFB-4130-B8FE-4A3C09E75133"
+ #define HP_WMI_BIOS_ORDERED_LIST_GUID "14EA9746-CE1F-4098-A0E0-7045CB4DA745"
+ #define HP_WMI_BIOS_PASSWORD_GUID     "322F2028-0F84-4901-988E-015176049E2D"
+-#define HP_WMI_SET_BIOS_SETTING_GUID  "1F4C91EB-DC5C-460b-951D-C7CB9B4B8D5E"
++#define HP_WMI_SET_BIOS_SETTING_GUID  "1F4C91EB-DC5C-460B-951D-C7CB9B4B8D5E"
+ enum hp_wmi_spm_commandtype {
+       HPWMI_SECUREPLATFORM_GET_STATE  = 0x10,
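Review bot: The GUID defines carry no hint that letter case matters, so a GUID added later with lower-case hex digits would silently bring back the same failure to autoload. A comment above the block, e.g. `/* WMI GUIDs must be upper case to match the modalias used for module autoloading */`, records the constraint where the next editor will see it. The other GUIDs shown as context in this hunk are already upper case.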
diff --git a/queue-6.18/pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch b/queue-6.18/pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch
new file mode 100644 (file)
index 0000000..9e9fc20
--- /dev/null
@@ -0,0 +1,59 @@
+From 3de49966499634454fd59e0e6fecd50baab7febd Mon Sep 17 00:00:00 2001
+From: Ming Qian <ming.qian@oss.nxp.com>
+Date: Fri, 5 Dec 2025 09:54:25 +0800
+Subject: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu
+
+From: Ming Qian <ming.qian@oss.nxp.com>
+
+commit 3de49966499634454fd59e0e6fecd50baab7febd upstream.
+
+For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset
+and clock enable bits, but is ungated and reset together with the VPUs.
+So we can't reset G1 or G2 separately, it may led to the system hang.
+Remove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data.
+Let imx8mq_vpu_power_notifier() do really vpu reset.
+
+Fixes: 608d7c325e85 ("soc: imx: imx8m-blk-ctrl: add i.MX8MQ VPU blk-ctrl")
+Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
+Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/imx/imx8m-blk-ctrl.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/pmdomain/imx/imx8m-blk-ctrl.c
++++ b/drivers/pmdomain/imx/imx8m-blk-ctrl.c
+@@ -846,22 +846,25 @@ static int imx8mq_vpu_power_notifier(str
+       return NOTIFY_OK;
+ }
++/*
++ * For i.MX8MQ, the ADB in the VPUMIX domain has no separate reset and clock
++ * enable bits, but is ungated and reset together with the VPUs.
++ * Resetting G1 or G2 separately may led to system hang.
++ * Remove the rst_mask and clk_mask from the domain data of G1 and G2,
++ * Let imx8mq_vpu_power_notifier() do really vpu reset.
++ */
+ static const struct imx8m_blk_ctrl_domain_data imx8mq_vpu_blk_ctl_domain_data[] = {
+       [IMX8MQ_VPUBLK_PD_G1] = {
+               .name = "vpublk-g1",
+               .clk_names = (const char *[]){ "g1", },
+               .num_clks = 1,
+               .gpc_name = "g1",
+-              .rst_mask = BIT(1),
+-              .clk_mask = BIT(1),
+       },
+       [IMX8MQ_VPUBLK_PD_G2] = {
+               .name = "vpublk-g2",
+               .clk_names = (const char *[]){ "g2", },
+               .num_clks = 1,
+               .gpc_name = "g2",
+-              .rst_mask = BIT(0),
+-              .clk_mask = BIT(0),
+       },
+ };
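Review bot: The block comment added above imx8mq_vpu_blk_ctl_domain_data is written as a changelog entry ("Remove the rst_mask and clk_mask ...") and has two wording slips ("may led to", "do really vpu reset"). Once the patch is applied there is nothing left to remove, so the comment should describe why the table looks the way it does. Suggested closing lines: `* Resetting G1 or G2 separately may lead to a system hang, so neither entry` / `* sets rst_mask or clk_mask; imx8mq_vpu_power_notifier() performs the VPU reset.`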
diff --git a/queue-6.18/pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch b/queue-6.18/pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch
new file mode 100644 (file)
index 0000000..b02edf9
--- /dev/null
@@ -0,0 +1,50 @@
+From 861d21c43c98478eef70e68e31d4ff86400c6ef7 Mon Sep 17 00:00:00 2001
+From: Frank Zhang <rmxpzlb@gmail.com>
+Date: Tue, 16 Dec 2025 13:52:47 +0800
+Subject: pmdomain:rockchip: Fix init genpd as GENPD_STATE_ON before regulator ready
+
+From: Frank Zhang <rmxpzlb@gmail.com>
+
+commit 861d21c43c98478eef70e68e31d4ff86400c6ef7 upstream.
+
+RK3588_PD_NPU initialize as GENPD_STATE_ON before regulator ready.
+rknn_iommu initlized success and suspend RK3588_PD_NPU. When rocket
+driver register, it will resume rknn_iommu.
+
+If regulator is still not ready at this point, rknn_iommu resume fail,
+pm runtime status will be error: -EPROBE_DEFER.
+
+This patch set pmdomain to off if it need regulator during probe,
+consumer device can power on pmdomain after regulator ready.
+
+Signed-off-by: Frank Zhang <rmxpzlb@gmail.com>
+Tested-by: Chaoyi Chen <chaoyi.chen@rock-chips.com>
+Tested-by: Quentin Schulz <quentin.schulz@cherry.de>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Fixes: db6df2e3fc16 ("pmdomain: rockchip: add regulator support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/rockchip/pm-domains.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/pmdomain/rockchip/pm-domains.c
++++ b/drivers/pmdomain/rockchip/pm-domains.c
+@@ -861,6 +861,16 @@ static int rockchip_pm_add_one_domain(st
+               pd->genpd.name = pd->info->name;
+       else
+               pd->genpd.name = kbasename(node->full_name);
++
++      /*
++       * power domain's needing a regulator should default to off, since
++       * the regulator state is unknown at probe time. Also the regulator
++       * state cannot be checked, since that usually requires IP needing
++       * (a different) power domain.
++       */
++      if (pd->info->need_regulator)
++              rockchip_pd_power(pd, false);
++
+       pd->genpd.power_off = rockchip_pd_power_off;
+       pd->genpd.power_on = rockchip_pd_power_on;
+       pd->genpd.attach_dev = rockchip_pd_attach_dev;
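Review bot: The result of `rockchip_pd_power(pd, false)` is discarded, so if the power-off does not take effect the domain may be registered in a state that does not match the hardware. If the helper returns a status (its definition is outside the hunk), test it, as in `if (rockchip_pd_power(pd, false))`, and either take the function's existing error path or log the failure. The new comment also opens with "power domain's needing", which should read "Power domains needing". rockchip_pm_add_one_domain() starts and ends outside the hunk, so the initial state later passed to the genpd core cannot be checked here.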
diff --git a/queue-6.18/rust-io-always-inline-functions-using-build_assert-with-arguments.patch b/queue-6.18/rust-io-always-inline-functions-using-build_assert-with-arguments.patch
new file mode 100644 (file)
index 0000000..14fa56c
--- /dev/null
@@ -0,0 +1,70 @@
+From 33d19f621641de1b6ec6fe1bb2ac68a7d2c61f6a Mon Sep 17 00:00:00 2001
+From: Alexandre Courbot <acourbot@nvidia.com>
+Date: Mon, 8 Dec 2025 11:47:00 +0900
+Subject: rust: io: always inline functions using build_assert with arguments
+
+From: Alexandre Courbot <acourbot@nvidia.com>
+
+commit 33d19f621641de1b6ec6fe1bb2ac68a7d2c61f6a upstream.
+
+`build_assert` relies on the compiler to optimize out its error path.
+Functions using it with its arguments must thus always be inlined,
+otherwise the error path of `build_assert` might not be optimized out,
+triggering a build error.
+
+Cc: stable@vger.kernel.org
+Fixes: ce30d94e6855 ("rust: add `io::{Io, IoRaw}` base types")
+Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
+Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
+Tested-by: Timur Tabi <ttabi@nvidia.com>
+Link: https://patch.msgid.link/20251208-io-build-assert-v3-2-98aded02c1ea@nvidia.com
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/io.rs          |    9 ++++++---
+ rust/kernel/io/resource.rs |    2 ++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/rust/kernel/io.rs
++++ b/rust/kernel/io.rs
+@@ -140,7 +140,8 @@ macro_rules! define_read {
+         /// Bound checks are performed on compile time, hence if the offset is not known at compile
+         /// time, the build will fail.
+         $(#[$attr])*
+-        #[inline]
++        // Always inline to optimize out error path of `io_addr_assert`.
++        #[inline(always)]
+         pub fn $name(&self, offset: usize) -> $type_name {
+             let addr = self.io_addr_assert::<$type_name>(offset);
+@@ -169,7 +170,8 @@ macro_rules! define_write {
+         /// Bound checks are performed on compile time, hence if the offset is not known at compile
+         /// time, the build will fail.
+         $(#[$attr])*
+-        #[inline]
++        // Always inline to optimize out error path of `io_addr_assert`.
++        #[inline(always)]
+         pub fn $name(&self, value: $type_name, offset: usize) {
+             let addr = self.io_addr_assert::<$type_name>(offset);
+@@ -237,7 +239,8 @@ impl<const SIZE: usize> Io<SIZE> {
+         self.addr().checked_add(offset).ok_or(EINVAL)
+     }
+-    #[inline]
++    // Always inline to optimize out error path of `build_assert`.
++    #[inline(always)]
+     fn io_addr_assert<U>(&self, offset: usize) -> usize {
+         build_assert!(Self::offset_valid::<U>(offset, SIZE));
+--- a/rust/kernel/io/resource.rs
++++ b/rust/kernel/io/resource.rs
+@@ -222,6 +222,8 @@ impl Flags {
+     /// Resource represents a memory region that must be ioremaped using `ioremap_np`.
+     pub const IORESOURCE_MEM_NONPOSTED: Flags = Flags::new(bindings::IORESOURCE_MEM_NONPOSTED);
++    // Always inline to optimize out error path of `build_assert`.
++    #[inline(always)]
+     const fn new(value: u32) -> Self {
+         crate::build_assert!(value as u64 <= c_ulong::MAX as u64);
+         Flags(value as c_ulong)
diff --git a/queue-6.18/rust-irq-always-inline-functions-using-build_assert-with-arguments.patch b/queue-6.18/rust-irq-always-inline-functions-using-build_assert-with-arguments.patch
new file mode 100644 (file)
index 0000000..0dab168
--- /dev/null
@@ -0,0 +1,41 @@
+From 5d9c4c272ba06055d19e05c2a02e16e58acc8943 Mon Sep 17 00:00:00 2001
+From: Alexandre Courbot <acourbot@nvidia.com>
+Date: Mon, 8 Dec 2025 11:47:04 +0900
+Subject: rust: irq: always inline functions using build_assert with arguments
+
+From: Alexandre Courbot <acourbot@nvidia.com>
+
+commit 5d9c4c272ba06055d19e05c2a02e16e58acc8943 upstream.
+
+`build_assert` relies on the compiler to optimize out its error path.
+Functions using it with its arguments must thus always be inlined,
+otherwise the error path of `build_assert` might not be optimized out,
+triggering a build error.
+
+Cc: stable@vger.kernel.org
+Fixes: 746680ec6696 ("rust: irq: add flags module")
+Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
+Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
+Link: https://patch.msgid.link/20251208-io-build-assert-v3-6-98aded02c1ea@nvidia.com
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/irq/flags.rs | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rust/kernel/irq/flags.rs b/rust/kernel/irq/flags.rs
+index adfde96ec47c..d26e25af06ee 100644
+--- a/rust/kernel/irq/flags.rs
++++ b/rust/kernel/irq/flags.rs
+@@ -96,6 +96,8 @@ pub(crate) fn into_inner(self) -> c_ulong {
+         self.0
+     }
++    // Always inline to optimize out error path of `build_assert`.
++    #[inline(always)]
+     const fn new(value: u32) -> Self {
+         build_assert!(value as u64 <= c_ulong::MAX as u64);
+         Self(value as c_ulong)
+-- 
+2.52.0
+
diff --git a/queue-6.18/rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch b/queue-6.18/rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch
new file mode 100644 (file)
index 0000000..0c27f76
--- /dev/null
@@ -0,0 +1,228 @@
+From 5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 20 Jan 2026 10:13:05 +0000
+Subject: rxrpc: Fix data-race warning and potential load/store tearing
+
+From: David Howells <dhowells@redhat.com>
+
+commit 5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b upstream.
+
+Fix the following:
+
+        BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet
+
+which is reporting an issue with the reads and writes to ->last_tx_at in:
+
+        conn->peer->last_tx_at = ktime_get_seconds();
+
+and:
+
+        keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
+
+The lockless accesses to these to values aren't actually a problem as the
+read only needs an approximate time of last transmission for the purposes
+of deciding whether or not the transmission of a keepalive packet is
+warranted yet.
+
+Also, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bit
+arch.
+
+Fix both of these by switching to an unsigned int for ->last_tx_at and only
+storing the LSW of the time64_t.  It can then be reconstructed at need
+provided no more than 68 years has elapsed since the last transmission.
+
+Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
+Reported-by: syzbot+6182afad5045e6703b3d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/695e7cfb.050a0220.1c677c.036b.GAE@google.com/
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/1107124.1768903985@warthog.procyon.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/ar-internal.h |    9 ++++++++-
+ net/rxrpc/conn_event.c  |    2 +-
+ net/rxrpc/output.c      |   14 +++++++-------
+ net/rxrpc/peer_event.c  |   17 ++++++++++++++++-
+ net/rxrpc/proc.c        |    4 ++--
+ net/rxrpc/rxgk.c        |    2 +-
+ net/rxrpc/rxkad.c       |    2 +-
+ 7 files changed, 36 insertions(+), 14 deletions(-)
+
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -387,7 +387,7 @@ struct rxrpc_peer {
+       struct rb_root          service_conns;  /* Service connections */
+       struct list_head        keepalive_link; /* Link in net->peer_keepalive[] */
+       unsigned long           app_data;       /* Application data (e.g. afs_server) */
+-      time64_t                last_tx_at;     /* Last time packet sent here */
++      unsigned int            last_tx_at;     /* Last time packet sent here (time64_t LSW) */
+       seqlock_t               service_conn_lock;
+       spinlock_t              lock;           /* access lock */
+       int                     debug_id;       /* debug ID for printks */
+@@ -1379,6 +1379,13 @@ void rxrpc_peer_keepalive_worker(struct
+ void rxrpc_input_probe_for_pmtud(struct rxrpc_connection *conn, rxrpc_serial_t acked_serial,
+                                bool sendmsg_fail);
++/* Update the last transmission time on a peer for keepalive purposes. */
++static inline void rxrpc_peer_mark_tx(struct rxrpc_peer *peer)
++{
++      /* To avoid tearing on 32-bit systems, we only keep the LSW. */
++      WRITE_ONCE(peer->last_tx_at, ktime_get_seconds());
++}
++
+ /*
+  * peer_object.c
+  */
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -194,7 +194,7 @@ void rxrpc_conn_retransmit_call(struct r
+       }
+       ret = kernel_sendmsg(conn->local->socket, &msg, iov, ioc, len);
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+       if (ret < 0)
+               trace_rxrpc_tx_fail(chan->call_debug_id, serial, ret,
+                                   rxrpc_tx_point_call_final_resend);
+--- a/net/rxrpc/output.c
++++ b/net/rxrpc/output.c
+@@ -275,7 +275,7 @@ static void rxrpc_send_ack_packet(struct
+       rxrpc_local_dont_fragment(conn->local, why == rxrpc_propose_ack_ping_for_mtu_probe);
+       ret = do_udp_sendmsg(conn->local->socket, &msg, len);
+-      call->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(call->peer);
+       if (ret < 0) {
+               trace_rxrpc_tx_fail(call->debug_id, serial, ret,
+                                   rxrpc_tx_point_call_ack);
+@@ -411,7 +411,7 @@ int rxrpc_send_abort_packet(struct rxrpc
+       iov_iter_kvec(&msg.msg_iter, WRITE, iov, 1, sizeof(pkt));
+       ret = do_udp_sendmsg(conn->local->socket, &msg, sizeof(pkt));
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+       if (ret < 0)
+               trace_rxrpc_tx_fail(call->debug_id, serial, ret,
+                                   rxrpc_tx_point_call_abort);
+@@ -698,7 +698,7 @@ void rxrpc_send_data_packet(struct rxrpc
+                       ret = 0;
+                       trace_rxrpc_tx_data(call, txb->seq, txb->serial, txb->flags,
+                                           rxrpc_txdata_inject_loss);
+-                      conn->peer->last_tx_at = ktime_get_seconds();
++                      rxrpc_peer_mark_tx(conn->peer);
+                       goto done;
+               }
+       }
+@@ -711,7 +711,7 @@ void rxrpc_send_data_packet(struct rxrpc
+        */
+       rxrpc_inc_stat(call->rxnet, stat_tx_data_send);
+       ret = do_udp_sendmsg(conn->local->socket, &msg, len);
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+       if (ret == -EMSGSIZE) {
+               rxrpc_inc_stat(call->rxnet, stat_tx_data_send_msgsize);
+@@ -797,7 +797,7 @@ void rxrpc_send_conn_abort(struct rxrpc_
+       trace_rxrpc_tx_packet(conn->debug_id, &whdr, rxrpc_tx_point_conn_abort);
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+ }
+ /*
+@@ -917,7 +917,7 @@ void rxrpc_send_keepalive(struct rxrpc_p
+               trace_rxrpc_tx_packet(peer->debug_id, &whdr,
+                                     rxrpc_tx_point_version_keepalive);
+-      peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(peer);
+       _leave("");
+ }
+@@ -973,7 +973,7 @@ void rxrpc_send_response(struct rxrpc_co
+       if (ret < 0)
+               goto fail;
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+       return;
+ fail:
+--- a/net/rxrpc/peer_event.c
++++ b/net/rxrpc/peer_event.c
+@@ -238,6 +238,21 @@ static void rxrpc_distribute_error(struc
+ }
+ /*
++ * Reconstruct the last transmission time.  The difference calculated should be
++ * valid provided no more than ~68 years elapsed since the last transmission.
++ */
++static time64_t rxrpc_peer_get_tx_mark(const struct rxrpc_peer *peer, time64_t base)
++{
++      s32 last_tx_at = READ_ONCE(peer->last_tx_at);
++      s32 base_lsw = base;
++      s32 diff = last_tx_at - base_lsw;
++
++      diff = clamp(diff, -RXRPC_KEEPALIVE_TIME, RXRPC_KEEPALIVE_TIME);
++
++      return diff + base;
++}
++
++/*
+  * Perform keep-alive pings.
+  */
+ static void rxrpc_peer_keepalive_dispatch(struct rxrpc_net *rxnet,
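Review bot: The comment on `rxrpc_peer_get_tx_mark()` does not mention that the delta is clamped to plus or minus `RXRPC_KEEPALIVE_TIME`. The function therefore never returns the real last-transmission time once a peer has been idle longer than that, and a reader could take it for a general timestamp accessor. The `s32` subtraction also appears to rely on wrapping signed arithmetic to stay correct across the 32-bit rollover, which deserves a word. I would extend the comment with something like `The delta is taken modulo 2^32 and clamped to +/-RXRPC_KEEPALIVE_TIME, so the result is only meaningful for keepalive scheduling.` The helper is complete within this hunk.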
+@@ -265,7 +280,7 @@ static void rxrpc_peer_keepalive_dispatc
+               spin_unlock_bh(&rxnet->peer_hash_lock);
+               if (use) {
+-                      keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
++                      keepalive_at = rxrpc_peer_get_tx_mark(peer, base) + RXRPC_KEEPALIVE_TIME;
+                       slot = keepalive_at - base;
+                       _debug("%02x peer %u t=%d {%pISp}",
+                              cursor, peer->debug_id, slot, &peer->srx.transport);
+--- a/net/rxrpc/proc.c
++++ b/net/rxrpc/proc.c
+@@ -296,13 +296,13 @@ static int rxrpc_peer_seq_show(struct se
+       now = ktime_get_seconds();
+       seq_printf(seq,
+-                 "UDP   %-47.47s %-47.47s %3u %4u %5u %6llus %8d %8d\n",
++                 "UDP   %-47.47s %-47.47s %3u %4u %5u %6ds %8d %8d\n",
+                  lbuff,
+                  rbuff,
+                  refcount_read(&peer->ref),
+                  peer->cong_ssthresh,
+                  peer->max_data,
+-                 now - peer->last_tx_at,
++                 (s32)now - (s32)READ_ONCE(peer->last_tx_at),
+                  READ_ONCE(peer->recent_srtt_us),
+                  READ_ONCE(peer->recent_rto_us));
+--- a/net/rxrpc/rxgk.c
++++ b/net/rxrpc/rxgk.c
+@@ -678,7 +678,7 @@ static int rxgk_issue_challenge(struct r
+       ret = do_udp_sendmsg(conn->local->socket, &msg, len);
+       if (ret > 0)
+-              conn->peer->last_tx_at = ktime_get_seconds();
++              rxrpc_peer_mark_tx(conn->peer);
+       __free_page(page);
+       if (ret < 0) {
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -694,7 +694,7 @@ static int rxkad_issue_challenge(struct
+               return -EAGAIN;
+       }
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+       trace_rxrpc_tx_packet(conn->debug_id, &whdr,
+                             rxrpc_tx_point_rxkad_challenge);
+       _leave(" = 0");
diff --git a/queue-6.18/s390-ap-fix-wrong-apqn-fill-calculation.patch b/queue-6.18/s390-ap-fix-wrong-apqn-fill-calculation.patch
new file mode 100644 (file)
index 0000000..32b6d43
--- /dev/null
@@ -0,0 +1,52 @@
+From 3317785a8803db629efc759d811d0f589d3a0b2d Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Mon, 19 Jan 2026 10:37:28 +0100
+Subject: s390/ap: Fix wrong APQN fill calculation
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+commit 3317785a8803db629efc759d811d0f589d3a0b2d upstream.
+
+The upper limit of the firmware queue fill state for each APQN
+is reported by the hwinfo.qd field. This field shows the
+numbers 0-7 for 1-8 queue spaces available. But the exploiting
+code assumed the real boundary is stored there and thus stoppes
+queuing in messages one tick too early.
+
+Correct the limit calculation and thus offer a boost
+of 12.5% performance for high traffic on one APQN.
+
+Fixes: d4c53ae8e4948 ("s390/ap: store TAPQ hwinfo in struct ap_card")
+Cc: stable@vger.kernel.org
+Reported-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/ap_card.c  |    2 +-
+ drivers/s390/crypto/ap_queue.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/crypto/ap_card.c
++++ b/drivers/s390/crypto/ap_card.c
+@@ -44,7 +44,7 @@ static ssize_t depth_show(struct device
+ {
+       struct ap_card *ac = to_ap_card(dev);
+-      return sysfs_emit(buf, "%d\n", ac->hwinfo.qd);
++      return sysfs_emit(buf, "%d\n", ac->hwinfo.qd + 1);
+ }
+ static DEVICE_ATTR_RO(depth);
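Review bot: The `+ 1` that turns the zero-based `hwinfo.qd` into a queue depth is open-coded here in `depth_show()` and again in the `ap_sm_write()` hunk in ap_queue.c, and neither site has a comment saying the field is zero-based. Any other reader of `hwinfo.qd` outside this diff would keep the old off-by-one, and the next one added is likely to repeat it. A short comment at both sites, e.g. `/* hwinfo.qd is zero-based: 0-7 means 1-8 entries */`, or a small accessor shared by both, would keep the limit consistent. The signature of `depth_show()` is above the hunk.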
+--- a/drivers/s390/crypto/ap_queue.c
++++ b/drivers/s390/crypto/ap_queue.c
+@@ -269,7 +269,7 @@ static enum ap_sm_wait ap_sm_write(struc
+               list_move_tail(&ap_msg->list, &aq->pendingq);
+               aq->requestq_count--;
+               aq->pendingq_count++;
+-              if (aq->queue_count < aq->card->hwinfo.qd) {
++              if (aq->queue_count < aq->card->hwinfo.qd + 1) {
+                       aq->sm_state = AP_SM_STATE_WORKING;
+                       return AP_SM_WAIT_AGAIN;
+               }
diff --git a/queue-6.18/s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch b/queue-6.18/s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch
new file mode 100644 (file)
index 0000000..aae05d8
--- /dev/null
@@ -0,0 +1,60 @@
+From ddc6cbef3ef10359b5640b4ee810a520edc73586 Mon Sep 17 00:00:00 2001
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+Date: Wed, 21 Jan 2026 14:59:50 +0100
+Subject: s390/boot/vmlinux.lds.S: Ensure bzImage ends with SecureBoot trailer
+
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+
+commit ddc6cbef3ef10359b5640b4ee810a520edc73586 upstream.
+
+Since commit 3e86e4d74c04 ("kbuild: keep .modinfo section in
+vmlinux.unstripped") the .modinfo section which has SHF_ALLOC ends up
+in bzImage after the SecureBoot trailer. This breaks SecureBoot because
+the bootloader can no longer find the SecureBoot trailer with kernel's
+signature at the expected location in bzImage. To fix the bug,
+move discarded sections before the ELF_DETAILS macro and discard
+the .modinfo section which is not needed by the decompressor.
+
+Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped")
+Cc: stable@vger.kernel.org
+Suggested-by: Vasily Gorbik <gor@linux.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Tested-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/boot/vmlinux.lds.S |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/arch/s390/boot/vmlinux.lds.S
++++ b/arch/s390/boot/vmlinux.lds.S
+@@ -137,6 +137,15 @@ SECTIONS
+       }
+       _end = .;
++      /* Sections to be discarded */
++      /DISCARD/ : {
++              COMMON_DISCARDS
++              *(.eh_frame)
++              *(*__ksymtab*)
++              *(___kcrctab*)
++              *(.modinfo)
++      }
++
+       DWARF_DEBUG
+       ELF_DETAILS
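Review bot: The `/* Sections to be discarded */` comment does not say why the `/DISCARD/` block has to sit ahead of `DWARF_DEBUG` and `ELF_DETAILS`. The ordering that the SecureBoot trailer depends on therefore reads as an arbitrary layout choice that a later cleanup could undo. I would spell it out above the block, e.g. `/* Must precede ELF_DETAILS: nothing allocatable, such as .modinfo, may land after the SecureBoot trailer. */`. The hunk also shows no build-time check that the trailer is the last thing in the image; if the script has a symbol for it, an `ASSERT` like the one already used for `.rela.dyn` would catch a regression at link time rather than at boot. The `SECTIONS` block starts and ends outside this hunk.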
+@@ -161,12 +170,4 @@ SECTIONS
+               *(.rela.*) *(.rela_*)
+       }
+       ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!")
+-
+-      /* Sections to be discarded */
+-      /DISCARD/ : {
+-              COMMON_DISCARDS
+-              *(.eh_frame)
+-              *(*__ksymtab*)
+-              *(___kcrctab*)
+-      }
+ }
index 5c9640c27f46fb59aabe8c8cbddd9a9f8e31135f..4ece3858db76add29a1c5a976776c50192c29198 100644 (file)
@@ -149,3 +149,70 @@ dpll-prevent-duplicate-registrations.patch
 octeontx2-af-add-proper-checks-for-fwdata.patch
 x86-make-page-fault-handling-disable-interrupts-prop.patch
 keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch
+leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch
+panic-only-warn-about-deprecated-panic_print-on-write-access.patch
+of-fix-reference-count-leak-in-of_alias_scan.patch
+of-platform-use-default-match-table-for-firmware.patch
+migrate-correct-lock-ordering-for-hugetlb-file-folios.patch
+iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch
+iio-accel-iis328dq-fix-gain-values.patch
+iio-adc-ad9467-fix-ad9434-vref-mask.patch
+iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch
+iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch
+iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch
+iio-chemical-scd4x-fix-reported-channel-endianness.patch
+iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch
+iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch
+alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
+alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch
+alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch
+alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch
+mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch
+mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch
+iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch
+drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch
+wifi-ath10k-fix-dma_free_coherent-pointer.patch
+wifi-ath12k-fix-dma_free_coherent-pointer.patch
+wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch
+wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch
+arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch
+arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch
+arm64-fpsimd-signal-fix-restoration-of-sve-context.patch
+arm64-set-__nocfi-on-swsusp_arch_resume.patch
+ksmbd-smbd-fix-dma_unmap_sg-nents.patch
+octeontx2-fix-otx2_dma_map_page-error-return-code.patch
+slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch
+slimbus-core-fix-device-reference-leak-on-report-present.patch
+tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch
+intel_th-fix-device-leak-on-output-open.patch
+mei-trace-treat-reg-parameter-as-string.patch
+s390-ap-fix-wrong-apqn-fill-calculation.patch
+s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch
+uacce-fix-cdev-handling-in-the-cleanup-path.patch
+uacce-fix-isolate-sysfs-check-condition.patch
+uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch
+uacce-ensure-safe-queue-release-with-state-management.patch
+netrom-fix-double-free-in-nr_route_frame.patch
+platform-x86-hp-bioscfg-fix-automatic-module-loading.patch
+pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch
+pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch
+rust-io-always-inline-functions-using-build_assert-with-arguments.patch
+rust-irq-always-inline-functions-using-build_assert-with-arguments.patch
+rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch
+perf-x86-intel-do-not-enable-bts-for-guests.patch
+irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch
+net-fec-account-for-vlan-header-in-frame-length-calculations.patch
+net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch
+net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch
+can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
+can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch
+can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch
+can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch
+can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
+drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch
+drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch
+drm-xe-adjust-page-count-tracepoints-in-shrinker.patch
+drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch
+gpio-cdev-correct-return-code-on-memory-allocation-failure.patch
+gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch
+gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch
diff --git a/queue-6.18/slimbus-core-fix-device-reference-leak-on-report-present.patch b/queue-6.18/slimbus-core-fix-device-reference-leak-on-report-present.patch
new file mode 100644 (file)
index 0000000..6bf09a0
--- /dev/null
@@ -0,0 +1,46 @@
+From 9391380eb91ea5ac792aae9273535c8da5b9aa01 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 26 Nov 2025 15:53:26 +0100
+Subject: slimbus: core: fix device reference leak on report present
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9391380eb91ea5ac792aae9273535c8da5b9aa01 upstream.
+
+Slimbus devices can be allocated dynamically upon reception of
+report-present messages.
+
+Make sure to drop the reference taken when looking up already registered
+devices.
+
+Note that this requires taking an extra reference in case the device has
+not yet been registered and has to be allocated.
+
+Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support")
+Cc: stable@vger.kernel.org     # 4.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20251126145329.5022-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/slimbus/core.c
++++ b/drivers/slimbus/core.c
+@@ -379,6 +379,8 @@ struct slim_device *slim_get_device(stru
+               sbdev = slim_alloc_device(ctrl, e_addr, NULL);
+               if (!sbdev)
+                       return ERR_PTR(-ENOMEM);
++
++              get_device(&sbdev->dev);
+       }
+       return sbdev;
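Review bot: `slim_get_device()` now hands back a counted reference on both the lookup path and the allocation path, but nothing in the hunk tells callers that they own it and must call `put_device()`. `slim_device_report_present()` is updated in the next hunk; any other caller outside this diff would leak a reference on every call. A sentence in the function's header comment, e.g. `The caller must drop the returned reference with put_device(&sbdev->dev).`, would make the contract explicit. A why-comment on the added line, such as `/* match the reference the lookup path returns */`, would help too. The function starts above the hunk.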
+@@ -505,6 +507,7 @@ int slim_device_report_present(struct sl
+               ret = slim_device_alloc_laddr(sbdev, true);
+       }
++      put_device(&sbdev->dev);
+ out_put_rpm:
+       pm_runtime_mark_last_busy(ctrl->dev);
+       pm_runtime_put_autosuspend(ctrl->dev);
diff --git a/queue-6.18/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch b/queue-6.18/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch
new file mode 100644 (file)
index 0000000..22820a4
--- /dev/null
@@ -0,0 +1,55 @@
+From 0eb4ff6596114aabba1070a66afa2c2f5593739f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 26 Nov 2025 15:53:25 +0100
+Subject: slimbus: core: fix runtime PM imbalance on report present
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0eb4ff6596114aabba1070a66afa2c2f5593739f upstream.
+
+Make sure to balance the runtime PM usage count in case slimbus device
+or address allocation fails on report present, which would otherwise
+prevent the controller from suspending.
+
+Fixes: 4b14e62ad3c9 ("slimbus: Add support for 'clock-pause' feature")
+Cc: stable@vger.kernel.org     # 4.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20251126145329.5022-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/core.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/slimbus/core.c
++++ b/drivers/slimbus/core.c
+@@ -489,21 +489,23 @@ int slim_device_report_present(struct sl
+       if (ctrl->sched.clk_state != SLIM_CLK_ACTIVE) {
+               dev_err(ctrl->dev, "slim ctrl not active,state:%d, ret:%d\n",
+                                   ctrl->sched.clk_state, ret);
+-              goto slimbus_not_active;
++              goto out_put_rpm;
+       }
+       sbdev = slim_get_device(ctrl, e_addr);
+-      if (IS_ERR(sbdev))
+-              return -ENODEV;
++      if (IS_ERR(sbdev)) {
++              ret = -ENODEV;
++              goto out_put_rpm;
++      }
+       if (sbdev->is_laddr_valid) {
+               *laddr = sbdev->laddr;
+-              return 0;
++              ret = 0;
++      } else {
++              ret = slim_device_alloc_laddr(sbdev, true);
+       }
+-      ret = slim_device_alloc_laddr(sbdev, true);
+-
+-slimbus_not_active:
++out_put_rpm:
+       pm_runtime_mark_last_busy(ctrl->dev);
+       pm_runtime_put_autosuspend(ctrl->dev);
+       return ret;
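Review bot: The clock-not-active branch jumps to `out_put_rpm` without setting `ret`, while the `IS_ERR(sbdev)` branch below it assigns `-ENODEV` explicitly. `ret` is assigned above the hunk, so this is inferred, but if it can be zero or positive at that point the function reports success without writing `*laddr`, and the caller carries on with an unset logical address. Setting an explicit error before the jump, for example `if (ret >= 0) ret = -ENODEV;` (the right code is the maintainers' call), would make both failure branches behave the same way. The function starts above the hunk.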
diff --git a/queue-6.18/tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch b/queue-6.18/tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch
new file mode 100644 (file)
index 0000000..2dd171d
--- /dev/null
@@ -0,0 +1,160 @@
+From 90f9f5d64cae4e72defd96a2a22760173cb3c9ec Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 22 Jan 2026 19:48:24 -0500
+Subject: tracing: Fix crash on synthetic stacktrace field usage
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 90f9f5d64cae4e72defd96a2a22760173cb3c9ec upstream.
+
+When creating a synthetic event based on an existing synthetic event that
+had a stacktrace field and the new synthetic event used that field a
+kernel crash occurred:
+
+ ~# cd /sys/kernel/tracing
+ ~# echo 's:stack unsigned long stack[];' > dynamic_events
+ ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger
+ ~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger
+
+The above creates a synthetic event that takes a stacktrace when a task
+schedules out in a non-running state and passes that stacktrace to the
+sched_switch event when that task schedules back in. It triggers the
+"stack" synthetic event that has a stacktrace as its field (called "stack").
+
+ ~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events
+ ~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger
+ ~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger
+
+The above makes another synthetic event called "syscall_stack" that
+attaches the first synthetic event (stack) to the sys_exit trace event and
+records the stacktrace from the stack event with the id of the system call
+that is exiting.
+
+When enabling this event (or using it in a historgram):
+
+ ~# echo 1 > events/synthetic/syscall_stack/enable
+
+Produces a kernel crash!
+
+ BUG: unable to handle page fault for address: 0000000000400010
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP PTI
+ CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy)  Debian 6.16.3-1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+ RIP: 0010:trace_event_raw_event_synth+0x90/0x380
+ Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f
+ RSP: 0018:ffffd2670388f958 EFLAGS: 00010202
+ RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0
+ RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50
+ R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010
+ R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90
+ FS:  00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0
+ Call Trace:
+  <TASK>
+  ? __tracing_map_insert+0x208/0x3a0
+  action_trace+0x67/0x70
+  event_hist_trigger+0x633/0x6d0
+  event_triggers_call+0x82/0x130
+  trace_event_buffer_commit+0x19d/0x250
+  trace_event_raw_event_sys_exit+0x62/0xb0
+  syscall_exit_work+0x9d/0x140
+  do_syscall_64+0x20a/0x2f0
+  ? trace_event_raw_event_sched_switch+0x12b/0x170
+  ? save_fpregs_to_fpstate+0x3e/0x90
+  ? _raw_spin_unlock+0xe/0x30
+  ? finish_task_switch.isra.0+0x97/0x2c0
+  ? __rseq_handle_notify_resume+0xad/0x4c0
+  ? __schedule+0x4b8/0xd00
+  ? restore_fpregs_from_fpstate+0x3c/0x90
+  ? switch_fpu_return+0x5b/0xe0
+  ? do_syscall_64+0x1ef/0x2f0
+  ? do_fault+0x2e9/0x540
+  ? __handle_mm_fault+0x7d1/0xf70
+  ? count_memcg_events+0x167/0x1d0
+  ? handle_mm_fault+0x1d7/0x2e0
+  ? do_user_addr_fault+0x2c3/0x7f0
+  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The reason is that the stacktrace field is not labeled as such, and is
+treated as a normal field and not as a dynamic event that it is.
+
+In trace_event_raw_event_synth() the event is field is still treated as a
+dynamic array, but the retrieval of the data is considered a normal field,
+and the reference is just the meta data:
+
+// Meta data is retrieved instead of a dynamic array
+  str_val = (char *)(long)var_ref_vals[val_idx];
+
+// Then when it tries to process it:
+  len = *((unsigned long *)str_val) + 1;
+
+It triggers a kernel page fault.
+
+To fix this, first when defining the fields of the first synthetic event,
+set the filter type to FILTER_STACKTRACE. This is used later by the second
+synthetic event to know that this field is a stacktrace. When creating
+the field of the new synthetic event, have it use this FILTER_STACKTRACE
+to know to create a stacktrace field to copy the stacktrace into.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Link: https://patch.msgid.link/20260122194824.6905a38e@gandalf.local.home
+Fixes: 00cf3d672a9d ("tracing: Allow synthetic events to pass around stacktraces")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_hist.c  |    9 +++++++++
+ kernel/trace/trace_events_synth.c |    8 +++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -2057,6 +2057,15 @@ static struct hist_field *create_hist_fi
+                       hist_field->fn_num = HIST_FIELD_FN_RELDYNSTRING;
+               else
+                       hist_field->fn_num = HIST_FIELD_FN_PSTRING;
++      } else if (field->filter_type == FILTER_STACKTRACE) {
++              flags |= HIST_FIELD_FL_STACKTRACE;
++
++              hist_field->size = MAX_FILTER_STR_VAL;
++              hist_field->type = kstrdup_const(field->type, GFP_KERNEL);
++              if (!hist_field->type)
++                      goto free;
++
++              hist_field->fn_num = HIST_FIELD_FN_STACK;
+       } else {
+               hist_field->size = field->size;
+               hist_field->is_signed = field->is_signed;
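Review bot: The new `FILTER_STACKTRACE` branch relies on `synth_event_define_fields()` in trace_events_synth.c having tagged the field, and neither side says so; the link between the two files is only visible in the commit message. Without it, a later change that goes back to `FILTER_OTHER` for synthetic fields would reintroduce the fault where field metadata is dereferenced as a stack array. A comment on the branch, e.g. `/* Stacktrace field of a synthetic event; tagged in synth_event_define_fields() */`, and a matching one where `filter_type` is chosen, would record the dependency. In the synth.c hunk the `is_stack` local is used once and could be folded into the ternary. `create_hist_field()` starts and ends outside this hunk.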
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -130,7 +130,9 @@ static int synth_event_define_fields(str
+       struct synth_event *event = call->data;
+       unsigned int i, size, n_u64;
+       char *name, *type;
++      int filter_type;
+       bool is_signed;
++      bool is_stack;
+       int ret = 0;
+       for (i = 0, n_u64 = 0; i < event->n_fields; i++) {
+@@ -138,8 +140,12 @@ static int synth_event_define_fields(str
+               is_signed = event->fields[i]->is_signed;
+               type = event->fields[i]->type;
+               name = event->fields[i]->name;
++              is_stack = event->fields[i]->is_stack;
++
++              filter_type = is_stack ? FILTER_STACKTRACE : FILTER_OTHER;
++
+               ret = trace_define_field(call, type, name, offset, size,
+-                                       is_signed, FILTER_OTHER);
++                                       is_signed, filter_type);
+               if (ret)
+                       break;
diff --git a/queue-6.18/uacce-ensure-safe-queue-release-with-state-management.patch b/queue-6.18/uacce-ensure-safe-queue-release-with-state-management.patch
new file mode 100644 (file)
index 0000000..88778cf
--- /dev/null
@@ -0,0 +1,89 @@
+From 26c08dabe5475d99a13f353d8dd70e518de45663 Mon Sep 17 00:00:00 2001
+From: Chenghai Huang <huangchenghai2@huawei.com>
+Date: Tue, 2 Dec 2025 14:12:56 +0800
+Subject: uacce: ensure safe queue release with state management
+
+From: Chenghai Huang <huangchenghai2@huawei.com>
+
+commit 26c08dabe5475d99a13f353d8dd70e518de45663 upstream.
+
+Directly calling `put_queue` carries risks since it cannot
+guarantee that resources of `uacce_queue` have been fully released
+beforehand. So adding a `stop_queue` operation for the
+UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to
+the final resource release ensures safety.
+
+Queue states are defined as follows:
+- UACCE_Q_ZOMBIE: Initial state
+- UACCE_Q_INIT: After opening `uacce`
+- UACCE_Q_STARTED: After `start` is issued via `ioctl`
+
+When executing `poweroff -f` in virt while accelerator are still
+working, `uacce_fops_release` and `uacce_remove` may execute
+concurrently. This can cause `uacce_put_queue` within
+`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add
+state checks to prevent accessing freed pointers.
+
+Fixes: 015d239ac014 ("uacce: add uacce driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Signed-off-by: Yang Shen <shenyang39@huawei.com>
+Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
+Link: https://patch.msgid.link/20251202061256.4158641-5-huangchenghai2@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/uacce/uacce.c |   28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/misc/uacce/uacce.c
++++ b/drivers/misc/uacce/uacce.c
+@@ -40,20 +40,34 @@ static int uacce_start_queue(struct uacc
+       return 0;
+ }
+-static int uacce_put_queue(struct uacce_queue *q)
++static int uacce_stop_queue(struct uacce_queue *q)
+ {
+       struct uacce_device *uacce = q->uacce;
+-      if ((q->state == UACCE_Q_STARTED) && uacce->ops->stop_queue)
++      if (q->state != UACCE_Q_STARTED)
++              return 0;
++
++      if (uacce->ops->stop_queue)
+               uacce->ops->stop_queue(q);
+-      if ((q->state == UACCE_Q_INIT || q->state == UACCE_Q_STARTED) &&
+-           uacce->ops->put_queue)
++      q->state = UACCE_Q_INIT;
++
++      return 0;
++}
++
++static void uacce_put_queue(struct uacce_queue *q)
++{
++      struct uacce_device *uacce = q->uacce;
++
++      uacce_stop_queue(q);
++
++      if (q->state != UACCE_Q_INIT)
++              return;
++
++      if (uacce->ops->put_queue)
+               uacce->ops->put_queue(q);
+       q->state = UACCE_Q_ZOMBIE;
+-
+-      return 0;
+ }
+ static long uacce_fops_unl_ioctl(struct file *filep,
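Review bot: `uacce_stop_queue()` and `uacce_put_queue()` test `q->state` and then dereference `uacce->ops` with no lock taken or asserted in the hunk. The state checks therefore only close the race with `uacce_remove()` described in the commit message if every caller already serialises against it. That requirement should be written down on both helpers, e.g. `/* Caller must hold the lock that serialises against uacce_remove(). */`, or enforced with `lockdep_assert_held()` on that lock. `uacce_stop_queue()` also always returns 0, so its `int` return exists only to feed `ret` in the `UACCE_CMD_PUT_Q` case in the next hunk. That case no longer puts the queue, and a comment there saying the final put happens on release would help.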
+@@ -80,7 +94,7 @@ static long uacce_fops_unl_ioctl(struct
+               ret = uacce_start_queue(q);
+               break;
+       case UACCE_CMD_PUT_Q:
+-              ret = uacce_put_queue(q);
++              ret = uacce_stop_queue(q);
+               break;
+       default:
+               if (uacce->ops->ioctl)
diff --git a/queue-6.18/uacce-fix-cdev-handling-in-the-cleanup-path.patch b/queue-6.18/uacce-fix-cdev-handling-in-the-cleanup-path.patch
new file mode 100644 (file)
index 0000000..8052232
--- /dev/null
@@ -0,0 +1,50 @@
+From a3bece3678f6c88db1f44c602b2a63e84b4040ac Mon Sep 17 00:00:00 2001
+From: Wenkai Lin <linwenkai6@hisilicon.com>
+Date: Tue, 2 Dec 2025 14:12:53 +0800
+Subject: uacce: fix cdev handling in the cleanup path
+
+From: Wenkai Lin <linwenkai6@hisilicon.com>
+
+commit a3bece3678f6c88db1f44c602b2a63e84b4040ac upstream.
+
+When cdev_device_add fails, it internally releases the cdev memory,
+and if cdev_device_del is then executed, it will cause a hang error.
+To fix it, we check the return value of cdev_device_add() and clear
+uacce->cdev to avoid calling cdev_device_del in the uacce_remove.
+
+Fixes: 015d239ac014 ("uacce: add uacce driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
+Link: https://patch.msgid.link/20251202061256.4158641-2-huangchenghai2@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/uacce/uacce.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/uacce/uacce.c
++++ b/drivers/misc/uacce/uacce.c
+@@ -519,6 +519,8 @@ EXPORT_SYMBOL_GPL(uacce_alloc);
+  */
+ int uacce_register(struct uacce_device *uacce)
+ {
++      int ret;
++
+       if (!uacce)
+               return -ENODEV;
+@@ -529,7 +531,11 @@ int uacce_register(struct uacce_device *
+       uacce->cdev->ops = &uacce_fops;
+       uacce->cdev->owner = THIS_MODULE;
+-      return cdev_device_add(uacce->cdev, &uacce->dev);
++      ret = cdev_device_add(uacce->cdev, &uacce->dev);
++      if (ret)
++              uacce->cdev = NULL;
++
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(uacce_register);
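Review bot: Clearing `uacce->cdev` after a failed `cdev_device_add()` in `uacce_register()` carries no comment explaining why the pointer is dropped, and it treats every failure as if the cdev had already been released. That matches the commit message for a failure in the device-add step, but if the earlier cdev-add step can fail without releasing the object, the cdev set up earlier in this function would be leaked once the pointer is NULL. That needs confirming against `cdev_device_add()` itself, which is not shown here. At minimum I would add above the assignment `/* cdev_device_add() dropped the cdev on failure; NULL it so uacce_remove() skips cdev_device_del() */`. The middle of `uacce_register()` lies between the two hunks and is not visible.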
diff --git a/queue-6.18/uacce-fix-isolate-sysfs-check-condition.patch b/queue-6.18/uacce-fix-isolate-sysfs-check-condition.patch
new file mode 100644 (file)
index 0000000..164be43
--- /dev/null
@@ -0,0 +1,54 @@
+From 98eec349259b1fd876f350b1c600403bcef8f85d Mon Sep 17 00:00:00 2001
+From: Chenghai Huang <huangchenghai2@huawei.com>
+Date: Tue, 2 Dec 2025 14:12:54 +0800
+Subject: uacce: fix isolate sysfs check condition
+
+From: Chenghai Huang <huangchenghai2@huawei.com>
+
+commit 98eec349259b1fd876f350b1c600403bcef8f85d upstream.
+
+uacce supports the device isolation feature. If the driver
+implements the isolate_err_threshold_read and
+isolate_err_threshold_write callback functions, uacce will create
+sysfs files now. Users can read and configure the isolation policy
+through sysfs. Currently, sysfs files are created as long as either
+isolate_err_threshold_read or isolate_err_threshold_write callback
+functions are present.
+
+However, accessing a non-existent callback function may cause the
+system to crash. Therefore, intercept the creation of sysfs if
+neither read nor write exists; create sysfs if either is supported,
+but intercept unsupported operations at the call site.
+
+Fixes: e3e289fbc0b5 ("uacce: supports device isolation feature")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
+Link: https://patch.msgid.link/20251202061256.4158641-3-huangchenghai2@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/uacce/uacce.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/misc/uacce/uacce.c
++++ b/drivers/misc/uacce/uacce.c
+@@ -382,6 +382,9 @@ static ssize_t isolate_strategy_show(str
+       struct uacce_device *uacce = to_uacce_device(dev);
+       u32 val;
++      if (!uacce->ops->isolate_err_threshold_read)
++              return -ENOENT;
++
+       val = uacce->ops->isolate_err_threshold_read(uacce);
+       return sysfs_emit(buf, "%u\n", val);
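Review bot: The new guard in `isolate_strategy_show()`, and the matching one in `isolate_strategy_store()` in the next hunk, fails with `-ENOENT` only when the file is accessed. A driver that implements just one of the two callbacks therefore presumably still presents an attribute that looks usable in both directions. The commit message also speaks of suppressing creation when neither callback exists, but no such change appears in these hunks, so that check is assumed to live elsewhere in the file. I would document the contract at both guards, for example `/* attribute exists if either callback is set; reject the missing direction here */`. Both function bodies start outside their hunks.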
+@@ -394,6 +397,9 @@ static ssize_t isolate_strategy_store(st
+       unsigned long val;
+       int ret;
++      if (!uacce->ops->isolate_err_threshold_write)
++              return -ENOENT;
++
+       if (kstrtoul(buf, 0, &val) < 0)
+               return -EINVAL;
diff --git a/queue-6.18/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch b/queue-6.18/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch
new file mode 100644 (file)
index 0000000..d989171
--- /dev/null
@@ -0,0 +1,52 @@
+From 02695347be532b628f22488300d40c4eba48b9b7 Mon Sep 17 00:00:00 2001
+From: Yang Shen <shenyang39@huawei.com>
+Date: Tue, 2 Dec 2025 14:12:55 +0800
+Subject: uacce: implement mremap in uacce_vm_ops to return -EPERM
+
+From: Yang Shen <shenyang39@huawei.com>
+
+commit 02695347be532b628f22488300d40c4eba48b9b7 upstream.
+
+The current uacce_vm_ops does not support the mremap operation of
+vm_operations_struct. Implement .mremap to return -EPERM to remind
+users.
+
+The reason we need to explicitly disable mremap is that when the
+driver does not implement .mremap, it uses the default mremap
+method. This could lead to a risk scenario:
+
+An application might first mmap address p1, then mremap to p2,
+followed by munmap(p1), and finally munmap(p2). Since the default
+mremap copies the original vma's vm_private_data (i.e., q) to the
+new vma, both munmap operations would trigger vma_close, causing
+q->qfr to be freed twice(qfr will be set to null here, so repeated
+release is ok).
+
+Fixes: 015d239ac014 ("uacce: add uacce driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yang Shen <shenyang39@huawei.com>
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
+Link: https://patch.msgid.link/20251202061256.4158641-4-huangchenghai2@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/uacce/uacce.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/misc/uacce/uacce.c
++++ b/drivers/misc/uacce/uacce.c
+@@ -214,8 +214,14 @@ static void uacce_vma_close(struct vm_ar
+       }
+ }
++static int uacce_vma_mremap(struct vm_area_struct *area)
++{
++      return -EPERM;
++}
++
+ static const struct vm_operations_struct uacce_vm_ops = {
+       .close = uacce_vma_close,
++      .mremap = uacce_vma_mremap,
+ };
+ static int uacce_fops_mmap(struct file *filep, struct vm_area_struct *vma)
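Review bot: `uacce_vma_mremap()` has no comment saying why it refuses unconditionally. The reason, that a moved mapping would carry the same `vm_private_data` and `uacce_vma_close()` would then run twice for one queue, is recorded only in the commit message. I would add above the function `/* A moved mapping would share vm_private_data and run ->close twice for the same queue; refuse. */`. `uacce_vm_ops` still defines only `.close` and `.mremap`, so it is worth checking whether other operations that duplicate a vma need the same treatment. That cannot be judged from this hunk.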
diff --git a/queue-6.18/wifi-ath10k-fix-dma_free_coherent-pointer.patch b/queue-6.18/wifi-ath10k-fix-dma_free_coherent-pointer.patch
new file mode 100644 (file)
index 0000000..d04d2af
--- /dev/null
@@ -0,0 +1,70 @@
+From 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Mon, 5 Jan 2026 22:04:38 +0100
+Subject: wifi: ath10k: fix dma_free_coherent() pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f upstream.
+
+dma_alloc_coherent() allocates a DMA mapped buffer and stores the
+addresses in XXX_unaligned fields.  Those should be reused when freeing
+the buffer rather than the aligned addresses.
+
+Fixes: 2a1e1ad3fd37 ("ath10k: Add support for 64 bit ce descriptor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260105210439.20131-2-fourier.thomas@gmail.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/ce.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/ce.c
++++ b/drivers/net/wireless/ath/ath10k/ce.c
+@@ -1727,8 +1727,8 @@ static void _ath10k_ce_free_pipe(struct
+                                 (ce_state->src_ring->nentries *
+                                  sizeof(struct ce_desc) +
+                                  CE_DESC_RING_ALIGN),
+-                                ce_state->src_ring->base_addr_owner_space,
+-                                ce_state->src_ring->base_addr_ce_space);
++                                ce_state->src_ring->base_addr_owner_space_unaligned,
++                                ce_state->src_ring->base_addr_ce_space_unaligned);
+               kfree(ce_state->src_ring);
+       }
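Review bot: Nothing at the `dma_free_coherent()` call in `_ath10k_ce_free_pipe()` tells the reader that each ring keeps two address pairs and only the `_unaligned` pair may be handed back, which is the mix-up this commit corrects. The same applies to the dest_ring hunk, both `_ath10k_ce_free_pipe_64()` hunks, and the three hunks of the ath12k patch that follows. A one-line comment at each call would help, e.g. `/* free with the addresses dma_alloc_coherent() returned, not the aligned ones */`. The size expression ending in `+ CE_DESC_RING_ALIGN` must also match the allocation, which is not visible here, so a small static helper that frees one ring would keep the copies from drifting apart. The enclosing `if` blocks start outside the hunks.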
+@@ -1737,8 +1737,8 @@ static void _ath10k_ce_free_pipe(struct
+                                 (ce_state->dest_ring->nentries *
+                                  sizeof(struct ce_desc) +
+                                  CE_DESC_RING_ALIGN),
+-                                ce_state->dest_ring->base_addr_owner_space,
+-                                ce_state->dest_ring->base_addr_ce_space);
++                                ce_state->dest_ring->base_addr_owner_space_unaligned,
++                                ce_state->dest_ring->base_addr_ce_space_unaligned);
+               kfree(ce_state->dest_ring);
+       }
+@@ -1758,8 +1758,8 @@ static void _ath10k_ce_free_pipe_64(stru
+                                 (ce_state->src_ring->nentries *
+                                  sizeof(struct ce_desc_64) +
+                                  CE_DESC_RING_ALIGN),
+-                                ce_state->src_ring->base_addr_owner_space,
+-                                ce_state->src_ring->base_addr_ce_space);
++                                ce_state->src_ring->base_addr_owner_space_unaligned,
++                                ce_state->src_ring->base_addr_ce_space_unaligned);
+               kfree(ce_state->src_ring);
+       }
+@@ -1768,8 +1768,8 @@ static void _ath10k_ce_free_pipe_64(stru
+                                 (ce_state->dest_ring->nentries *
+                                  sizeof(struct ce_desc_64) +
+                                  CE_DESC_RING_ALIGN),
+-                                ce_state->dest_ring->base_addr_owner_space,
+-                                ce_state->dest_ring->base_addr_ce_space);
++                                ce_state->dest_ring->base_addr_owner_space_unaligned,
++                                ce_state->dest_ring->base_addr_ce_space_unaligned);
+               kfree(ce_state->dest_ring);
+       }
diff --git a/queue-6.18/wifi-ath12k-fix-dma_free_coherent-pointer.patch b/queue-6.18/wifi-ath12k-fix-dma_free_coherent-pointer.patch
new file mode 100644 (file)
index 0000000..d77834c
--- /dev/null
@@ -0,0 +1,59 @@
+From bb97131fbf9b708dd9616ac2bdc793ad102b5c48 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Tue, 6 Jan 2026 09:49:04 +0100
+Subject: wifi: ath12k: fix dma_free_coherent() pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit bb97131fbf9b708dd9616ac2bdc793ad102b5c48 upstream.
+
+dma_alloc_coherent() allocates a DMA mapped buffer and stores the
+addresses in XXX_unaligned fields.  Those should be reused when freeing
+the buffer rather than the aligned addresses.
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260106084905.18622-2-fourier.thomas@gmail.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath12k/ce.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath12k/ce.c
++++ b/drivers/net/wireless/ath/ath12k/ce.c
+@@ -984,8 +984,8 @@ void ath12k_ce_free_pipes(struct ath12k_
+                       dma_free_coherent(ab->dev,
+                                         pipe->src_ring->nentries * desc_sz +
+                                         CE_DESC_RING_ALIGN,
+-                                        pipe->src_ring->base_addr_owner_space,
+-                                        pipe->src_ring->base_addr_ce_space);
++                                        pipe->src_ring->base_addr_owner_space_unaligned,
++                                        pipe->src_ring->base_addr_ce_space_unaligned);
+                       kfree(pipe->src_ring);
+                       pipe->src_ring = NULL;
+               }
+@@ -995,8 +995,8 @@ void ath12k_ce_free_pipes(struct ath12k_
+                       dma_free_coherent(ab->dev,
+                                         pipe->dest_ring->nentries * desc_sz +
+                                         CE_DESC_RING_ALIGN,
+-                                        pipe->dest_ring->base_addr_owner_space,
+-                                        pipe->dest_ring->base_addr_ce_space);
++                                        pipe->dest_ring->base_addr_owner_space_unaligned,
++                                        pipe->dest_ring->base_addr_ce_space_unaligned);
+                       kfree(pipe->dest_ring);
+                       pipe->dest_ring = NULL;
+               }
+@@ -1007,8 +1007,8 @@ void ath12k_ce_free_pipes(struct ath12k_
+                       dma_free_coherent(ab->dev,
+                                         pipe->status_ring->nentries * desc_sz +
+                                         CE_DESC_RING_ALIGN,
+-                                        pipe->status_ring->base_addr_owner_space,
+-                                        pipe->status_ring->base_addr_ce_space);
++                                        pipe->status_ring->base_addr_owner_space_unaligned,
++                                        pipe->status_ring->base_addr_ce_space_unaligned);
+                       kfree(pipe->status_ring);
+                       pipe->status_ring = NULL;
+               }
diff --git a/queue-6.18/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch b/queue-6.18/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch
new file mode 100644 (file)
index 0000000..53384ae
--- /dev/null
@@ -0,0 +1,46 @@
+From 2120f3a3738a65730c81bf10447b1ff776078915 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Thu, 8 Jan 2026 23:00:24 +0300
+Subject: wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 2120f3a3738a65730c81bf10447b1ff776078915 upstream.
+
+The "i" iterator variable is used to count two different things but
+unfortunately we can't store two different numbers in the same variable.
+Use "i" for the outside loop and "j" for the inside loop.
+
+Cc: stable@vger.kernel.org
+Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com>
+Link: https://patch.msgid.link/aWAM2MGUWRP0zWUd@stanley.mountain
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+@@ -825,7 +825,7 @@ void mwifiex_update_rxreor_flags(struct
+ static void mwifiex_update_ampdu_rxwinsize(struct mwifiex_adapter *adapter,
+                                          bool coex_flag)
+ {
+-      u8 i;
++      u8 i, j;
+       u32 rx_win_size;
+       struct mwifiex_private *priv;
+@@ -863,8 +863,8 @@ static void mwifiex_update_ampdu_rxwinsi
+               if (rx_win_size != priv->add_ba_param.rx_win_size) {
+                       if (!priv->media_connected)
+                               continue;
+-                      for (i = 0; i < MAX_NUM_TID; i++)
+-                              mwifiex_11n_delba(priv, i);
++                      for (j = 0; j < MAX_NUM_TID; j++)
++                              mwifiex_11n_delba(priv, j);
+               }
+       }
+ }
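Review bot: Declaring `j` beside `i` at function scope in `mwifiex_update_ampdu_rxwinsize()` keeps both counters visible through the whole body, which is the arrangement that let the inner loop reuse the outer iterator in the first place. Naming the inner counter for what it indexes and scoping it to the loop makes the mistake harder to repeat: `for (int tid = 0; tid < MAX_NUM_TID; tid++)` followed by `mwifiex_11n_delba(priv, tid);`, provided the tree's C dialect permits loop-scope declarations. The outer loop lies between the two hunks and is not visible.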
diff --git a/queue-6.18/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch b/queue-6.18/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch
new file mode 100644 (file)
index 0000000..adc0648
--- /dev/null
@@ -0,0 +1,57 @@
+From 4f431d88ea8093afc7ba55edf4652978c5a68f33 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@nabladev.com>
+Date: Sat, 10 Jan 2026 00:56:29 +0100
+Subject: wifi: rsi: Fix memory corruption due to not set vif driver data size
+
+From: Marek Vasut <marex@nabladev.com>
+
+commit 4f431d88ea8093afc7ba55edf4652978c5a68f33 upstream.
+
+The struct ieee80211_vif contains trailing space for vif driver data,
+when struct ieee80211_vif is allocated, the total memory size that is
+allocated is sizeof(struct ieee80211_vif) + size of vif driver data.
+The size of vif driver data is set by each WiFi driver as needed.
+
+The RSI911x driver does not set vif driver data size, no trailing space
+for vif driver data is therefore allocated past struct ieee80211_vif .
+The RSI911x driver does however use the vif driver data to store its
+vif driver data structure "struct vif_priv". An access to vif->drv_priv
+leads to access out of struct ieee80211_vif bounds and corruption of
+some memory.
+
+In case of the failure observed locally, rsi_mac80211_add_interface()
+would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv;
+vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member
+struct list_head new_flows . The flow = list_first_entry(head, struct
+fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus
+address, which when accessed causes a crash.
+
+The trigger is very simple, boot the machine with init=/bin/sh , mount
+devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1",
+"ip link set wlan0 down" and the crash occurs.
+
+Fix this by setting the correct size of vif driver data, which is the
+size of "struct vif_priv", so that memory is allocated and the driver
+can store its driver data in it, instead of corrupting memory around
+it.
+
+Cc: stable@vger.kernel.org
+Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
+Signed-off-by: Marek Vasut <marex@nabladev.com>
+Link: https://patch.msgid.link/20260109235817.150330-1-marex@nabladev.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_mac80211.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+@@ -2035,6 +2035,7 @@ int rsi_mac80211_attach(struct rsi_commo
+       hw->queues = MAX_HW_QUEUES;
+       hw->extra_tx_headroom = RSI_NEEDED_HEADROOM;
++      hw->vif_data_size = sizeof(struct vif_priv);
+       hw->max_rates = 1;
+       hw->max_rate_tries = MAX_RETRIES;