--- /dev/null
+From 339865008fb564078a23840c0a7520e696133ee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:47 +0100
+Subject: ASoC: tlv320adcx140: fix word length
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]
+
+The word length is the physical width of the channel slots. So the
+hw_params would misconfigure when format width and physical width
+doesn't match. Like S24_LE which has data width of 24 bits but physical
+width of 32 bits. So if using asymmetric formats you will get a lot of
+noise.
+
+Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index a6241a0453694..c7a591ee25900 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -673,7 +673,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component);
+ u8 data = 0;
+
+- switch (params_width(params)) {
++ switch (params_physical_width(params)) {
+ case 16:
+ data = ADCX140_16_BIT_WORD;
+ break;
+@@ -688,7 +688,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ break;
+ default:
+ dev_err(component->dev, "%s: Unsupported width %d\n",
+- __func__, params_width(params));
++ __func__, params_physical_width(params));
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From f4428dfbae8cee287fcf7bc4ab5e7efdaeeac8ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index d86b4d13cae48..f144171ed6b7e 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5892,6 +5892,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
--- /dev/null
+From 4f2435c1bcffa5ebd2423f071b02d5b271767757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 15:30:18 +0800
+Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
+
+The dma_pool created by dma_pool_create() is not destroyed when
+dma_async_device_register() or of_dma_controller_register() fails,
+causing a resource leak in the probe error paths.
+
+Add dma_pool_destroy() in both error paths to properly release the
+allocated dma_pool resource.
+
+Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/omap-dma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index 268a080587149..6c6a34265b063 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1803,6 +1803,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
+ rc);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ return rc;
+ }
+@@ -1818,6 +1820,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register DMA controller\n");
+ dma_async_device_unregister(&od->ddev);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ }
+ }
+--
+2.51.0
+
--- /dev/null
+From 59e2ce65563f3cfd5329dc29a20faaf37e61b295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 19:54:45 +0530
+Subject: dmaengine: tegra-adma: Fix use-after-free
+
+From: Sheetal <sheetal@nvidia.com>
+
+[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]
+
+A use-after-free bug exists in the Tegra ADMA driver when audio streams
+are terminated, particularly during XRUN conditions. The issue occurs
+when the DMA buffer is freed by tegra_adma_terminate_all() before the
+vchan completion tasklet finishes accessing it.
+
+The race condition follows this sequence:
+
+ 1. DMA transfer completes, triggering an interrupt that schedules the
+ completion tasklet (tasklet has not executed yet)
+ 2. Audio playback stops, calling tegra_adma_terminate_all() which
+ frees the DMA buffer memory via kfree()
+ 3. The scheduled tasklet finally executes, calling vchan_complete()
+ which attempts to access the already-freed memory
+
+Since tasklets can execute at any time after being scheduled, there is
+no guarantee that the buffer will remain valid when vchan_complete()
+runs.
+
+Fix this by properly synchronizing the virtual channel completion:
+ - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
+ descriptors as terminated instead of freeing the descriptor.
+ - Add the callback tegra_adma_synchronize() that calls
+ vchan_synchronize() which kills any pending tasklets and frees any
+ terminated descriptors.
+
+Crash logs:
+[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
+[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
+
+[ 337.427562] Call trace:
+[ 337.427564] dump_backtrace+0x0/0x320
+[ 337.427571] show_stack+0x20/0x30
+[ 337.427575] dump_stack_lvl+0x68/0x84
+[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
+[ 337.427590] kasan_report+0x1f4/0x210
+[ 337.427598] __asan_load8+0xa0/0xd0
+[ 337.427603] vchan_complete+0x124/0x3b0
+[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
+[ 337.427617] tasklet_action+0x30/0x40
+[ 337.427623] __do_softirq+0x1a0/0x5c4
+[ 337.427628] irq_exit+0x110/0x140
+[ 337.427633] handle_domain_irq+0xa4/0xe0
+[ 337.427640] gic_handle_irq+0x64/0x160
+[ 337.427644] call_on_irq_stack+0x20/0x4c
+[ 337.427649] do_interrupt_handler+0x7c/0x90
+[ 337.427654] el1_interrupt+0x30/0x80
+[ 337.427659] el1h_64_irq_handler+0x18/0x30
+[ 337.427663] el1h_64_irq+0x7c/0x80
+[ 337.427667] cpuidle_enter_state+0xe4/0x540
+[ 337.427674] cpuidle_enter+0x54/0x80
+[ 337.427679] do_idle+0x2e0/0x380
+[ 337.427685] cpu_startup_entry+0x2c/0x70
+[ 337.427690] rest_init+0x114/0x130
+[ 337.427695] arch_call_rest_init+0x18/0x24
+[ 337.427702] start_kernel+0x380/0x3b4
+[ 337.427706] __primary_switched+0xc0/0xc8
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sheetal <sheetal@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index d84010c2e4bf1..bcd1deb082615 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -344,10 +344,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
+ return;
+ }
+
+- kfree(tdc->desc);
++ vchan_terminate_vdesc(&tdc->desc->vd);
+ tdc->desc = NULL;
+ }
+
++static void tegra_adma_synchronize(struct dma_chan *dc)
++{
++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc);
++
++ vchan_synchronize(&tdc->vc);
++}
++
+ static void tegra_adma_start(struct tegra_adma_chan *tdc)
+ {
+ struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc);
+@@ -893,6 +900,7 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ tdma->dma_dev.device_config = tegra_adma_slave_config;
+ tdma->dma_dev.device_tx_status = tegra_adma_tx_status;
+ tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all;
++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize;
+ tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
+--
+2.51.0
+
--- /dev/null
+From 34eaa5a53df1b47ff5a3825585c4913a8a51720e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 00:00:06 +0530
+Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when
+ "xlnx,addrwidth" property is missing
+
+From: Suraj Gupta <suraj.gupta2@amd.com>
+
+[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
+
+When device tree lacks optional "xlnx,addrwidth" property, the addr_width
+variable remained uninitialized with garbage values, causing incorrect
+DMA mask configuration and subsequent probe failure. The fix ensures a
+fallback to the default 32-bit address width when this property is missing.
+
+Signed-off-by: Suraj Gupta <suraj.gupta2@amd.com>
+Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Folker Schwesinger <dev@folker-schwesinger.de>
+Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 3ecf0109af2ba..12e9ba5b114db 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -128,6 +128,7 @@
+ #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
+ #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
+ #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
+
+ #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
+ (XILINX_DMA_DMASR_FRM_CNT_IRQ | \
+@@ -2996,7 +2997,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct device_node *node = pdev->dev.of_node;
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+- u32 num_frames, addr_width, len_width;
++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -3065,7 +3066,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
+ if (err < 0)
+- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
++ dev_warn(xdev->dev,
++ "missing xlnx,addrwidth property, using default value %d\n",
++ XILINX_DMA_DFAULT_ADDRWIDTH);
+
+ if (addr_width > 32)
+ xdev->ext_addr = true;
+--
+2.51.0
+
--- /dev/null
+From 2cfbfa927d0e599fb06d55f312356505d9b755be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jan 2026 16:31:09 +0000
+Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]
+
+Blamed commit did not take care of VLAN encapsulations
+as spotted by syzbot [1].
+
+Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
+
+[1]
+ BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
+ __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
+ ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
+ gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
+ ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
+ ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
+ ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
+ dst_input include/net/dst.h:474 [inline]
+ ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
+ __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
+ __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
+ netif_receive_skb_internal net/core/dev.c:6338 [inline]
+ netif_receive_skb+0x57/0x630 net/core/dev.c:6397
+ tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
+ tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4960 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
+ kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
+ __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
+ alloc_skb include/linux/skbuff.h:1383 [inline]
+ alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
+ sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
+ tun_alloc_skb drivers/net/tun.c:1461 [inline]
+ tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+
+Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index 6efad8d6653b6..855622a6a304f 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -876,7 +876,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
+
+ skb_reset_network_header(skb);
+
+- if (!pskb_inet_may_pull(skb)) {
++ if (skb_vlan_inet_prepare(skb, true)) {
+ DEV_STATS_INC(tunnel->dev, rx_length_errors);
+ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto drop;
+--
+2.51.0
+
--- /dev/null
+From 48a83fa65fbd8b1b0968bba1421d8c14bfc244c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 19:02:14 +0000
+Subject: ipv4: ip_gre: make ipgre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
+
+Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+
+Over the years, syzbot found many ways to crash the kernel
+in ipgre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ipgre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
+ kernel BUG at net/core/skbuff.c:213 !
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: mld mld_ifc_work
+ RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
+Call Trace:
+ <TASK>
+ skb_under_panic net/core/skbuff.c:223 [inline]
+ skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+ ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
+ dev_hard_header include/linux/netdevice.h:3436 [inline]
+ neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
+Closes: https://www.spinics.net/lists/netdev/msg1147302.html
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index ae0189828aa92..c56848f36298d 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -852,10 +852,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ const void *daddr, const void *saddr, unsigned int len)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct iphdr *iph;
+ struct gre_base_hdr *greh;
++ struct iphdr *iph;
++ int needed;
++
++ needed = t->hlen + sizeof(*iph);
++ if (skb_headroom(skb) < needed &&
++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++ 0, GFP_ATOMIC))
++ return -needed;
+
+- iph = skb_push(skb, t->hlen + sizeof(*iph));
++ iph = skb_push(skb, needed);
+ greh = (struct gre_base_hdr *)(iph+1);
+ greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
+ greh->protocol = htons(type);
+--
+2.51.0
+
--- /dev/null
+From a2dea7978eb4c3fccdf13c2fd4e6c08dc3596f61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Apr 2021 11:22:03 +0200
+Subject: macvlan: Add nodst option to macvlan type source
+
+From: Jethro Beekman <kernel@jbeekman.nl>
+
+[ Upstream commit 427f0c8c194b22edcafef1b0a42995ddc5c2227d ]
+
+The default behavior for source MACVLAN is to duplicate packets to
+appropriate type source devices, and then do the normal destination MACVLAN
+flow. This patch adds an option to skip destination MACVLAN processing if
+any matching source MACVLAN device has the option set.
+
+This allows setting up a "catch all" device for source MACVLAN: create one
+or more devices with type source nodst, and one device with e.g. type vepa,
+and incoming traffic will be received on exactly one device.
+
+v2: netdev wants non-standard line length
+
+Signed-off-by: Jethro Beekman <kernel@jbeekman.nl>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 7470a7a63dc1 ("macvlan: fix possible UAF in macvlan_forward_source()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 19 ++++++++++++++-----
+ include/uapi/linux/if_link.h | 1 +
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 9c77e6ab2b307..9a6d31cdc4ce6 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -421,18 +421,24 @@ static void macvlan_forward_source_one(struct sk_buff *skb,
+ macvlan_count_rx(vlan, len, ret == NET_RX_SUCCESS, false);
+ }
+
+-static void macvlan_forward_source(struct sk_buff *skb,
++static bool macvlan_forward_source(struct sk_buff *skb,
+ struct macvlan_port *port,
+ const unsigned char *addr)
+ {
+ struct macvlan_source_entry *entry;
+ u32 idx = macvlan_eth_hash(addr);
+ struct hlist_head *h = &port->vlan_source_hash[idx];
++ bool consume = false;
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+- if (ether_addr_equal_64bits(entry->addr, addr))
++ if (ether_addr_equal_64bits(entry->addr, addr)) {
++ if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ consume = true;
+ macvlan_forward_source_one(skb, entry->vlan);
++ }
+ }
++
++ return consume;
+ }
+
+ /* called under rcu_read_lock() from netif_receive_skb */
+@@ -461,7 +467,8 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
+ return RX_HANDLER_CONSUMED;
+ *pskb = skb;
+ eth = eth_hdr(skb);
+- macvlan_forward_source(skb, port, eth->h_source);
++ if (macvlan_forward_source(skb, port, eth->h_source))
++ return RX_HANDLER_CONSUMED;
+ src = macvlan_hash_lookup(port, eth->h_source);
+ if (src && src->mode != MACVLAN_MODE_VEPA &&
+ src->mode != MACVLAN_MODE_BRIDGE) {
+@@ -480,7 +487,8 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
+ return RX_HANDLER_PASS;
+ }
+
+- macvlan_forward_source(skb, port, eth->h_source);
++ if (macvlan_forward_source(skb, port, eth->h_source))
++ return RX_HANDLER_CONSUMED;
+ if (macvlan_passthru(port))
+ vlan = list_first_or_null_rcu(&port->vlans,
+ struct macvlan_dev, list);
+@@ -1283,7 +1291,8 @@ static int macvlan_validate(struct nlattr *tb[], struct nlattr *data[],
+ return 0;
+
+ if (data[IFLA_MACVLAN_FLAGS] &&
+- nla_get_u16(data[IFLA_MACVLAN_FLAGS]) & ~MACVLAN_FLAG_NOPROMISC)
++ nla_get_u16(data[IFLA_MACVLAN_FLAGS]) & ~(MACVLAN_FLAG_NOPROMISC |
++ MACVLAN_FLAG_NODST))
+ return -EINVAL;
+
+ if (data[IFLA_MACVLAN_MODE]) {
+diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
+index 9334f2128bb2e..33c3b684f6de4 100644
+--- a/include/uapi/linux/if_link.h
++++ b/include/uapi/linux/if_link.h
+@@ -609,6 +609,7 @@ enum macvlan_macaddr_mode {
+ };
+
+ #define MACVLAN_FLAG_NOPROMISC 1
++#define MACVLAN_FLAG_NODST 2 /* skip dst macvlan if matching src macvlan */
+
+ /* VRF section */
+ enum {
+--
+2.51.0
+
--- /dev/null
+From 366cd0dc8fef205a09a508a91c9b121aea0ad5e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:36:51 +0000
+Subject: macvlan: fix possible UAF in macvlan_forward_source()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]
+
+Add RCU protection on (struct macvlan_source_entry)->vlan.
+
+Whenever macvlan_hash_del_source() is called, we must clear
+entry->vlan pointer before RCU grace period starts.
+
+This allows macvlan_forward_source() to skip over
+entries queued for freeing.
+
+Note that macvlan_dev are already RCU protected, as they
+are embedded in a standard netdev (netdev_priv(ndev)).
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
+https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index a0d5d0c41b611..ed02451051aee 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -55,7 +55,7 @@ struct macvlan_port {
+
+ struct macvlan_source_entry {
+ struct hlist_node hlist;
+- struct macvlan_dev *vlan;
++ struct macvlan_dev __rcu *vlan;
+ unsigned char addr[6+2] __aligned(sizeof(u16));
+ struct rcu_head rcu;
+ };
+@@ -141,7 +141,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+- entry->vlan == vlan)
++ rcu_access_pointer(entry->vlan) == vlan)
+ return entry;
+ }
+ return NULL;
+@@ -163,7 +163,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan,
+ return -ENOMEM;
+
+ ether_addr_copy(entry->addr, addr);
+- entry->vlan = vlan;
++ RCU_INIT_POINTER(entry->vlan, vlan);
+ h = &port->vlan_source_hash[macvlan_eth_hash(addr)];
+ hlist_add_head_rcu(&entry->hlist, h);
+ vlan->macaddr_count++;
+@@ -182,6 +182,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan)
+
+ static void macvlan_hash_del_source(struct macvlan_source_entry *entry)
+ {
++ RCU_INIT_POINTER(entry->vlan, NULL);
+ hlist_del_rcu(&entry->hlist);
+ kfree_rcu(entry, rcu);
+ }
+@@ -380,7 +381,7 @@ static void macvlan_flush_sources(struct macvlan_port *port,
+ int i;
+
+ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
+- if (entry->vlan == vlan)
++ if (rcu_access_pointer(entry->vlan) == vlan)
+ macvlan_hash_del_source(entry);
+
+ vlan->macaddr_count = 0;
+@@ -423,9 +424,14 @@ static bool macvlan_forward_source(struct sk_buff *skb,
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+ if (ether_addr_equal_64bits(entry->addr, addr)) {
+- if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan);
++
++ if (!vlan)
++ continue;
++
++ if (vlan->flags & MACVLAN_FLAG_NODST)
+ consume = true;
+- macvlan_forward_source_one(skb, entry->vlan);
++ macvlan_forward_source_one(skb, vlan);
+ }
+ }
+
+@@ -1615,7 +1621,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct macvlan_source_entry *entry;
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+- if (entry->vlan != vlan)
++ if (rcu_access_pointer(entry->vlan) != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+ return 1;
+--
+2.51.0
+
--- /dev/null
+From fe4852fde658ae44fd28e6374f8fb290473eaedb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Apr 2021 18:14:10 +0200
+Subject: macvlan: Use 'hash' iterators to simplify code
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit bb23ffa1015cb57e0c9ec3c6135275b38d66a780 ]
+
+Use 'hash_for_each_rcu' and 'hash_for_each_safe' instead of hand writing
+them. This saves some lines of code, reduce indentation and improve
+readability.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 7470a7a63dc1 ("macvlan: fix possible UAF in macvlan_forward_source()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 45 +++++++++++++++++--------------------------
+ 1 file changed, 18 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 9a6d31cdc4ce6..a0d5d0c41b611 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -270,25 +270,22 @@ static void macvlan_broadcast(struct sk_buff *skb,
+ if (skb->protocol == htons(ETH_P_PAUSE))
+ return;
+
+- for (i = 0; i < MACVLAN_HASH_SIZE; i++) {
+- hlist_for_each_entry_rcu(vlan, &port->vlan_hash[i], hlist) {
+- if (vlan->dev == src || !(vlan->mode & mode))
+- continue;
++ hash_for_each_rcu(port->vlan_hash, i, vlan, hlist) {
++ if (vlan->dev == src || !(vlan->mode & mode))
++ continue;
+
+- hash = mc_hash(vlan, eth->h_dest);
+- if (!test_bit(hash, vlan->mc_filter))
+- continue;
++ hash = mc_hash(vlan, eth->h_dest);
++ if (!test_bit(hash, vlan->mc_filter))
++ continue;
+
+- err = NET_RX_DROP;
+- nskb = skb_clone(skb, GFP_ATOMIC);
+- if (likely(nskb))
+- err = macvlan_broadcast_one(
+- nskb, vlan, eth,
++ err = NET_RX_DROP;
++ nskb = skb_clone(skb, GFP_ATOMIC);
++ if (likely(nskb))
++ err = macvlan_broadcast_one(nskb, vlan, eth,
+ mode == MACVLAN_MODE_BRIDGE) ?:
+- netif_rx_ni(nskb);
+- macvlan_count_rx(vlan, skb->len + ETH_HLEN,
+- err == NET_RX_SUCCESS, true);
+- }
++ netif_rx_ni(nskb);
++ macvlan_count_rx(vlan, skb->len + ETH_HLEN,
++ err == NET_RX_SUCCESS, true);
+ }
+ }
+
+@@ -378,20 +375,14 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
+ static void macvlan_flush_sources(struct macvlan_port *port,
+ struct macvlan_dev *vlan)
+ {
++ struct macvlan_source_entry *entry;
++ struct hlist_node *next;
+ int i;
+
+- for (i = 0; i < MACVLAN_HASH_SIZE; i++) {
+- struct hlist_node *h, *n;
+-
+- hlist_for_each_safe(h, n, &port->vlan_source_hash[i]) {
+- struct macvlan_source_entry *entry;
++ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
++ if (entry->vlan == vlan)
++ macvlan_hash_del_source(entry);
+
+- entry = hlist_entry(h, struct macvlan_source_entry,
+- hlist);
+- if (entry->vlan == vlan)
+- macvlan_hash_del_source(entry);
+- }
+- }
+ vlan->macaddr_count = 0;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From b0c7398035937160337126eac40e3ed1cd10124a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 34a6c4ec9a157..9751de2d95e78 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -532,8 +532,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 18e5de17d1bc4f733e5f2d30b5a14d41993db3e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Dec 2025 13:57:48 -0500
+Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shivam Kumar <kumar.shivam43666@gmail.com>
+
+[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]
+
+Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+added ttag bounds checking and data_offset
+validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
+whether the command's data structures (cmd->req.sg and cmd->iov) have
+been properly initialized before processing H2C_DATA PDUs.
+
+The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
+without NULL checks. This can be triggered by sending H2C_DATA PDU
+immediately after the ICREQ/ICRESP handshake, before
+sending a CONNECT command or NVMe write command.
+
+Attack vectors that trigger NULL pointer dereferences:
+1. H2C_DATA PDU sent before CONNECT → both pointers NULL
+2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
+3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
+
+The fix validates both cmd->req.sg and cmd->iov before calling
+nvmet_tcp_build_pdu_iovec(). Both checks are required because:
+- Uninitialized commands: both NULL
+- READ commands: cmd->req.sg allocated, cmd->iov NULL
+- WRITE commands: both allocated
+
+Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index d7b368102ad9a..94ed4b5b725c7 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -959,6 +959,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+ goto err_proto;
+ }
++ /*
++ * Ensure command data structures are initialized. We must check both
++ * cmd->req.sg and cmd->iov because they can have different NULL states:
++ * - Uninitialized commands: both NULL
++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL
++ * - WRITE commands: both allocated
++ */
++ if (unlikely(!cmd->req.sg || !cmd->iov)) {
++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",
++ queue->idx, data->ttag);
++ goto err_proto;
++ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_map_pdu_iovec(cmd);
+ queue->cmd = cmd;
+--
+2.51.0
+
--- /dev/null
+From 93a8a40e191b9d60cab5c06d0d8f91f090cf0179 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Dec 2023 16:17:50 +0100
+Subject: nvmet-tcp: remove boilerplate code
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 75011bd0f9c55db523242f9f9a0b0b826165f14b ]
+
+Simplify the nvmet_tcp_handle_h2c_data_pdu() function by removing
+boilerplate code.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Stable-dep-of: 32b63acd78f5 ("nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 6019eee1f9bdf..d7b368102ad9a 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -933,8 +933,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ if (unlikely(data->ttag >= queue->nr_cmds)) {
+ pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n",
+ queue->idx, data->ttag, queue->nr_cmds);
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+ cmd = &queue->cmds[data->ttag];
+ } else {
+@@ -945,9 +944,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("ttag %u unexpected data offset %u (expected %u)\n",
+ data->ttag, le32_to_cpu(data->data_offset),
+ cmd->rbytes_done);
+- /* FIXME: use path and transport errors */
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+
+ exp_data_len = le32_to_cpu(data->hdr.plen) -
+@@ -960,9 +957,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ cmd->pdu_len == 0 ||
+ cmd->pdu_len > NVMET_TCP_MAXH2CDATA)) {
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+- /* FIXME: use proper transport errors */
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_map_pdu_iovec(cmd);
+@@ -970,6 +965,11 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ queue->rcv_state = NVMET_TCP_RECV_DATA;
+
+ return 0;
++
++err_proto:
++ /* FIXME: use proper transport errors */
++ nvmet_tcp_fatal_error(queue);
++ return -EPROTO;
+ }
+
+ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
+--
+2.51.0
+
--- /dev/null
+From 11a36ee2552c1c640b695806c072ce0d6f1d108b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index 45b366855e80d..e04a42fe6b654 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
--- /dev/null
+From 858a1e7382a0320dafe3465d0094217202b6eb54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 03fc567e9f188..9b1b6e9d819ca 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -391,7 +391,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
--- /dev/null
+From 891660490936ec259941e16141cf1cacef2ab1ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 07:41:03 +0000
+Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
+
+In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
+the function jumps to the out_scratch label without freeing the already
+allocated dsaddrs list, leading to a memory leak.
+
+Fix this by jumping to the out_err_drain_dsaddrs label, which properly
+frees the dsaddrs list before cleaning up other resources.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index 11777d33a85e8..35cac4d3f2e8a 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
+ sizeof(struct nfs4_ff_ds_version),
+ gfp_flags);
+ if (!ds_versions)
+- goto out_scratch;
++ goto out_err_drain_dsaddrs;
+
+ for (i = 0; i < version_count; i++) {
+ /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
+--
+2.51.0
+
--- /dev/null
+pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
+nvmet-tcp-remove-boilerplate-code.patch
+nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole.patch
+ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
+macvlan-add-nodst-option-to-macvlan-type-source.patch
+macvlan-use-hash-iterators-to-simplify-code.patch
+macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
+ipv4-ip_gre-make-ipgre_header-robust.patch
+vsock-test-add-a-final-full-barrier-after-run-all-te.patch
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
+asoc-tlv320adcx140-fix-word-length.patch
+textsearch-describe-list-member-in-ts_ops-search.patch
+dmaengine-tegra-adma-fix-use-after-free.patch
+dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
+phy-stm32-usphyc-fix-off-by-one-in-probe.patch
+phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
+dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
--- /dev/null
+From 289980f1c1dd8106d6c49aa41989028062a4734c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Cc: Thomas Graf <tgraf@suug.ch>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 13770cfe33ad8..1389959b68422 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
--- /dev/null
+From bf1553f03d56ec03337ccdb0fe85ff19bbe7433a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index 93cbd6f603f97..356acac85d862 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -338,6 +338,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
--- /dev/null
+From 08789012addbee5a1af96d5f0a6476faeb913319 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:47 +0100
+Subject: ASoC: tlv320adcx140: fix word length
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]
+
+The word length is the physical width of the channel slots. So the
+hw_params would misconfigure when format width and physical width
+doesn't match. Like S24_LE which has data width of 24 bits but physical
+width of 32 bits. So if using asymmetric formats you will get a lot of
+noise.
+
+Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index 06d2502b13478..f7fbe3795f98a 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -673,7 +673,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component);
+ u8 data = 0;
+
+- switch (params_width(params)) {
++ switch (params_physical_width(params)) {
+ case 16:
+ data = ADCX140_16_BIT_WORD;
+ break;
+@@ -688,7 +688,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ break;
+ default:
+ dev_err(component->dev, "%s: Unsupported width %d\n",
+- __func__, params_width(params));
++ __func__, params_physical_width(params));
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 3f97e9a5e114017142ccae1a86b3481779f4cc92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index a46076788bd7e..32992b2fdd384 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5892,6 +5892,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
--- /dev/null
+From d4d1cc8455cd8901178c7bc2f09b796c6d2a5dfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 02:17:32 +0100
+Subject: can: etas_es58x: allow partial RX URB allocation to succeed
+
+From: Szymon Wilczek <swilczek.lx@gmail.com>
+
+[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]
+
+When es58x_alloc_rx_urbs() fails to allocate the requested number of
+URBs but succeeds in allocating some, it returns an error code.
+This causes es58x_open() to return early, skipping the cleanup label
+'free_urbs', which leads to the anchored URBs being leaked.
+
+As pointed out by maintainer Vincent Mailhol, the driver is designed
+to handle partial URB allocation gracefully. Therefore, partial
+allocation should not be treated as a fatal error.
+
+Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
+allocated, restoring the intended behavior and preventing the leak
+in es58x_open().
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
+Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
+Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
+Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index a8273ad5dd9e0..bb73680f8dcee 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -1743,7 +1743,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
+ dev_dbg(dev, "%s: Allocated %d rx URBs each of size %zu\n",
+ __func__, i, rx_buf_len);
+
+- return ret;
++ return 0;
+ }
+
+ /**
+--
+2.51.0
+
--- /dev/null
+From 251305d75b2e83def8a1e4216ae88f744051e23e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 15:30:18 +0800
+Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
+
+The dma_pool created by dma_pool_create() is not destroyed when
+dma_async_device_register() or of_dma_controller_register() fails,
+causing a resource leak in the probe error paths.
+
+Add dma_pool_destroy() in both error paths to properly release the
+allocated dma_pool resource.
+
+Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/omap-dma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index 7cb577e6587b1..be47a9b8ac96e 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1804,6 +1804,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
+ rc);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ return rc;
+ }
+@@ -1819,6 +1821,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register DMA controller\n");
+ dma_async_device_unregister(&od->ddev);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ }
+ }
+--
+2.51.0
+
--- /dev/null
+From bae45712cc8774302d46761c20bb6e6b14594c8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 19:54:45 +0530
+Subject: dmaengine: tegra-adma: Fix use-after-free
+
+From: Sheetal <sheetal@nvidia.com>
+
+[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]
+
+A use-after-free bug exists in the Tegra ADMA driver when audio streams
+are terminated, particularly during XRUN conditions. The issue occurs
+when the DMA buffer is freed by tegra_adma_terminate_all() before the
+vchan completion tasklet finishes accessing it.
+
+The race condition follows this sequence:
+
+ 1. DMA transfer completes, triggering an interrupt that schedules the
+ completion tasklet (tasklet has not executed yet)
+ 2. Audio playback stops, calling tegra_adma_terminate_all() which
+ frees the DMA buffer memory via kfree()
+ 3. The scheduled tasklet finally executes, calling vchan_complete()
+ which attempts to access the already-freed memory
+
+Since tasklets can execute at any time after being scheduled, there is
+no guarantee that the buffer will remain valid when vchan_complete()
+runs.
+
+Fix this by properly synchronizing the virtual channel completion:
+ - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
+ descriptors as terminated instead of freeing the descriptor.
+ - Add the callback tegra_adma_synchronize() that calls
+ vchan_synchronize() which kills any pending tasklets and frees any
+ terminated descriptors.
+
+Crash logs:
+[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
+[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
+
+[ 337.427562] Call trace:
+[ 337.427564] dump_backtrace+0x0/0x320
+[ 337.427571] show_stack+0x20/0x30
+[ 337.427575] dump_stack_lvl+0x68/0x84
+[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
+[ 337.427590] kasan_report+0x1f4/0x210
+[ 337.427598] __asan_load8+0xa0/0xd0
+[ 337.427603] vchan_complete+0x124/0x3b0
+[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
+[ 337.427617] tasklet_action+0x30/0x40
+[ 337.427623] __do_softirq+0x1a0/0x5c4
+[ 337.427628] irq_exit+0x110/0x140
+[ 337.427633] handle_domain_irq+0xa4/0xe0
+[ 337.427640] gic_handle_irq+0x64/0x160
+[ 337.427644] call_on_irq_stack+0x20/0x4c
+[ 337.427649] do_interrupt_handler+0x7c/0x90
+[ 337.427654] el1_interrupt+0x30/0x80
+[ 337.427659] el1h_64_irq_handler+0x18/0x30
+[ 337.427663] el1h_64_irq+0x7c/0x80
+[ 337.427667] cpuidle_enter_state+0xe4/0x540
+[ 337.427674] cpuidle_enter+0x54/0x80
+[ 337.427679] do_idle+0x2e0/0x380
+[ 337.427685] cpu_startup_entry+0x2c/0x70
+[ 337.427690] rest_init+0x114/0x130
+[ 337.427695] arch_call_rest_init+0x18/0x24
+[ 337.427702] start_kernel+0x380/0x3b4
+[ 337.427706] __primary_switched+0xc0/0xc8
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sheetal <sheetal@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index f4f722eacee2b..94ac5240ab200 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -344,10 +344,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
+ return;
+ }
+
+- kfree(tdc->desc);
++ vchan_terminate_vdesc(&tdc->desc->vd);
+ tdc->desc = NULL;
+ }
+
++static void tegra_adma_synchronize(struct dma_chan *dc)
++{
++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc);
++
++ vchan_synchronize(&tdc->vc);
++}
++
+ static void tegra_adma_start(struct tegra_adma_chan *tdc)
+ {
+ struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc);
+@@ -889,6 +896,7 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ tdma->dma_dev.device_config = tegra_adma_slave_config;
+ tdma->dma_dev.device_tx_status = tegra_adma_tx_status;
+ tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all;
++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize;
+ tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
+--
+2.51.0
+
--- /dev/null
+From dfebe2112bcefb0435d14c42ee55e40593d1ad6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 00:00:06 +0530
+Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when
+ "xlnx,addrwidth" property is missing
+
+From: Suraj Gupta <suraj.gupta2@amd.com>
+
+[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
+
+When device tree lacks optional "xlnx,addrwidth" property, the addr_width
+variable remained uninitialized with garbage values, causing incorrect
+DMA mask configuration and subsequent probe failure. The fix ensures a
+fallback to the default 32-bit address width when this property is missing.
+
+Signed-off-by: Suraj Gupta <suraj.gupta2@amd.com>
+Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Folker Schwesinger <dev@folker-schwesinger.de>
+Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 48ac51447baee..ba5850ca39ddd 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -128,6 +128,7 @@
+ #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
+ #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
+ #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
+
+ #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
+ (XILINX_DMA_DMASR_FRM_CNT_IRQ | \
+@@ -3013,7 +3014,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct device_node *node = pdev->dev.of_node;
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+- u32 num_frames, addr_width, len_width;
++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -3082,7 +3083,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
+ if (err < 0)
+- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
++ dev_warn(xdev->dev,
++ "missing xlnx,addrwidth property, using default value %d\n",
++ XILINX_DMA_DFAULT_ADDRWIDTH);
+
+ if (addr_width > 32)
+ xdev->ext_addr = true;
+--
+2.51.0
+
--- /dev/null
+From ab34518da73823058db234d780807e3ea7629088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jan 2026 16:31:09 +0000
+Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]
+
+Blamed commit did not take care of VLAN encapsulations
+as spotted by syzbot [1].
+
+Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
+
+[1]
+ BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
+ __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
+ ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
+ gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
+ ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
+ ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
+ ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
+ dst_input include/net/dst.h:474 [inline]
+ ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
+ __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
+ __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
+ netif_receive_skb_internal net/core/dev.c:6338 [inline]
+ netif_receive_skb+0x57/0x630 net/core/dev.c:6397
+ tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
+ tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4960 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
+ kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
+ __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
+ alloc_skb include/linux/skbuff.h:1383 [inline]
+ alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
+ sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
+ tun_alloc_skb drivers/net/tun.c:1461 [inline]
+ tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+
+Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index ccdea44438940..553851e3aca14 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -846,7 +846,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
+
+ skb_reset_network_header(skb);
+
+- if (!pskb_inet_may_pull(skb)) {
++ if (skb_vlan_inet_prepare(skb, true)) {
+ DEV_STATS_INC(tunnel->dev, rx_length_errors);
+ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto drop;
+--
+2.51.0
+
--- /dev/null
+From 5b7bae5cd1d2f0f806828ed45113d10cebeea99f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 19:02:14 +0000
+Subject: ipv4: ip_gre: make ipgre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
+
+Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+
+Over the years, syzbot found many ways to crash the kernel
+in ipgre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ipgre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
+ kernel BUG at net/core/skbuff.c:213 !
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: mld mld_ifc_work
+ RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
+Call Trace:
+ <TASK>
+ skb_under_panic net/core/skbuff.c:223 [inline]
+ skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+ ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
+ dev_hard_header include/linux/netdevice.h:3436 [inline]
+ neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
+Closes: https://www.spinics.net/lists/netdev/msg1147302.html
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index eeb48b0bb94cd..2f9f5c583dba1 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -857,10 +857,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ const void *daddr, const void *saddr, unsigned int len)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct iphdr *iph;
+ struct gre_base_hdr *greh;
++ struct iphdr *iph;
++ int needed;
++
++ needed = t->hlen + sizeof(*iph);
++ if (skb_headroom(skb) < needed &&
++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++ 0, GFP_ATOMIC))
++ return -needed;
+
+- iph = skb_push(skb, t->hlen + sizeof(*iph));
++ iph = skb_push(skb, needed);
+ greh = (struct gre_base_hdr *)(iph+1);
+ greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
+ greh->protocol = htons(type);
+--
+2.51.0
+
--- /dev/null
+From a8a66261df235ed5f17718fecbac14e7b840a721 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:36:51 +0000
+Subject: macvlan: fix possible UAF in macvlan_forward_source()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]
+
+Add RCU protection on (struct macvlan_source_entry)->vlan.
+
+Whenever macvlan_hash_del_source() is called, we must clear
+entry->vlan pointer before RCU grace period starts.
+
+This allows macvlan_forward_source() to skip over
+entries queued for freeing.
+
+Note that macvlan_dev are already RCU protected, as they
+are embedded in a standard netdev (netdev_priv(ndev)).
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
+https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 6f0b6c924d724..0f863e72714ca 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -56,7 +56,7 @@ struct macvlan_port {
+
+ struct macvlan_source_entry {
+ struct hlist_node hlist;
+- struct macvlan_dev *vlan;
++ struct macvlan_dev __rcu *vlan;
+ unsigned char addr[6+2] __aligned(sizeof(u16));
+ struct rcu_head rcu;
+ };
+@@ -143,7 +143,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+- entry->vlan == vlan)
++ rcu_access_pointer(entry->vlan) == vlan)
+ return entry;
+ }
+ return NULL;
+@@ -165,7 +165,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan,
+ return -ENOMEM;
+
+ ether_addr_copy(entry->addr, addr);
+- entry->vlan = vlan;
++ RCU_INIT_POINTER(entry->vlan, vlan);
+ h = &port->vlan_source_hash[macvlan_eth_hash(addr)];
+ hlist_add_head_rcu(&entry->hlist, h);
+ vlan->macaddr_count++;
+@@ -184,6 +184,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan)
+
+ static void macvlan_hash_del_source(struct macvlan_source_entry *entry)
+ {
++ RCU_INIT_POINTER(entry->vlan, NULL);
+ hlist_del_rcu(&entry->hlist);
+ kfree_rcu(entry, rcu);
+ }
+@@ -382,7 +383,7 @@ static void macvlan_flush_sources(struct macvlan_port *port,
+ int i;
+
+ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
+- if (entry->vlan == vlan)
++ if (rcu_access_pointer(entry->vlan) == vlan)
+ macvlan_hash_del_source(entry);
+
+ vlan->macaddr_count = 0;
+@@ -425,9 +426,14 @@ static bool macvlan_forward_source(struct sk_buff *skb,
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+ if (ether_addr_equal_64bits(entry->addr, addr)) {
+- if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan);
++
++ if (!vlan)
++ continue;
++
++ if (vlan->flags & MACVLAN_FLAG_NODST)
+ consume = true;
+- macvlan_forward_source_one(skb, entry->vlan);
++ macvlan_forward_source_one(skb, vlan);
+ }
+ }
+
+@@ -1636,7 +1642,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct macvlan_source_entry *entry;
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+- if (entry->vlan != vlan)
++ if (rcu_access_pointer(entry->vlan) != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+ return 1;
+--
+2.51.0
+
--- /dev/null
+From 45b4556837929938faf4dec3733d74679771c917 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:07 +0700
+Subject: mm, kfence: describe @slab parameter in __kfence_obj_info()
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
+
+Fix it by describing @slab parameter.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
+Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Marco Elver <elver@google.com>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Acked-by: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kfence.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index 3c75209a545e1..a8d9e6ff73629 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -208,6 +208,7 @@ struct kmem_obj_info;
+ * __kfence_obj_info() - fill kmem_obj_info struct
+ * @kpp: kmem_obj_info to be filled
+ * @object: the object
++ * @slab: the slab
+ *
+ * Return:
+ * * false - not a KFENCE object
+--
+2.51.0
+
--- /dev/null
+From d0414521b15109e68c1e73ae862989d54b6b43f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:57 -0800
+Subject: net/mlx5e: Restore destroying state bit after profile cleanup
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ]
+
+Profile rollback can fail in mlx5e_netdev_change_profile() and we will
+end up with invalid mlx5e_priv memset to 0, we must maintain the
+'destroying' bit in order to gracefully shutdown even if the
+profile/priv are not valid.
+
+This patch maintains the previous state of the 'destroying' state of
+mlx5e_priv after priv cleanup, to allow the remove flow to cleanup
+common resources from mlx5_core to avoid FW fatal errors as seen below:
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+ Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ...
+
+$ devlink dev reload pci/0000:00:03.0
+
+mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
+mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected
+mlx5_core 0000:00:03.0: firmware version: 28.41.1000
+mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link)
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here
+mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver
+mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start
+mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms.
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 321441e6ad328..ba36e500c1ff1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4856,6 +4856,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv,
+
+ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ {
++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ int i;
+
+ /* bail if change profile failed and also rollback failed */
+@@ -4870,6 +4871,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ kvfree(priv->htb.qos_sq_stats);
+
+ memset(priv, 0, sizeof(*priv));
++ if (destroying) /* restore destroying bit, to allow unload */
++ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ }
+
+ struct net_device *
+--
+2.51.0
+
--- /dev/null
+From 7b9c99f72cdac6a3aadaa1b72b9aabecf30076c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index aa049dd33a74e..d201bcb5edc42 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -532,8 +532,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 2adca4a92f15dff068468efc208f285ed4ffe992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 09:32:44 +0000
+Subject: net: update netdev_lock_{type,name}
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ]
+
+Add missing entries in netdev_lock_type[] and netdev_lock_name[] :
+
+CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON,
+IEEE802154_MONITOR.
+
+Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting
+next time a protocol is added without updating these arrays.
+
+Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 2f7bd1fe58515..977146a70b8c1 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -426,15 +426,21 @@ static const unsigned short netdev_lock_type[] = {
+ ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP,
+ ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD,
+ ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25,
++ ARPHRD_CAN, ARPHRD_MCTP,
+ ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP,
+- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
++ ARPHRD_RAWHDLC, ARPHRD_RAWIP,
++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
+ ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI,
+ ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE,
+ ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET,
+ ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL,
+ ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM,
+- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
+- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE};
++ ARPHRD_IEEE80211_RADIOTAP,
++ ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR,
++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN,
++ ARPHRD_VSOCKMON,
++ ARPHRD_VOID, ARPHRD_NONE};
+
+ static const char *const netdev_lock_name[] = {
+ "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25",
+@@ -443,15 +449,21 @@ static const char *const netdev_lock_name[] = {
+ "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP",
+ "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD",
+ "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25",
++ "_xmit_CAN", "_xmit_MCTP",
+ "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP",
+- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
++ "_xmit_RAWHDLC", "_xmit_RAWIP",
++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
+ "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI",
+ "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE",
+ "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET",
+ "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL",
+ "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM",
+- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE",
+- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"};
++ "_xmit_IEEE80211_RADIOTAP",
++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR",
++ "_xmit_PHONET", "_xmit_PHONET_PIPE",
++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN",
++ "_xmit_VSOCKMON",
++ "_xmit_VOID", "_xmit_NONE"};
+
+ static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)];
+ static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)];
+@@ -464,6 +476,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type)
+ if (netdev_lock_type[i] == dev_type)
+ return i;
+ /* the last key is used by default */
++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type);
+ return ARRAY_SIZE(netdev_lock_type) - 1;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From da97e6437b592d682925a696988a9efe3206dd19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Dec 2025 13:57:48 -0500
+Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shivam Kumar <kumar.shivam43666@gmail.com>
+
+[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]
+
+Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+added ttag bounds checking and data_offset
+validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
+whether the command's data structures (cmd->req.sg and cmd->iov) have
+been properly initialized before processing H2C_DATA PDUs.
+
+The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
+without NULL checks. This can be triggered by sending H2C_DATA PDU
+immediately after the ICREQ/ICRESP handshake, before
+sending a CONNECT command or NVMe write command.
+
+Attack vectors that trigger NULL pointer dereferences:
+1. H2C_DATA PDU sent before CONNECT → both pointers NULL
+2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
+3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
+
+The fix validates both cmd->req.sg and cmd->iov before calling
+nvmet_tcp_build_pdu_iovec(). Both checks are required because:
+- Uninitialized commands: both NULL
+- READ commands: cmd->req.sg allocated, cmd->iov NULL
+- WRITE commands: both allocated
+
+Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 9610f0981b9ec..051798ef7431c 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -971,6 +971,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+ goto err_proto;
+ }
++ /*
++ * Ensure command data structures are initialized. We must check both
++ * cmd->req.sg and cmd->iov because they can have different NULL states:
++ * - Uninitialized commands: both NULL
++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL
++ * - WRITE commands: both allocated
++ */
++ if (unlikely(!cmd->req.sg || !cmd->iov)) {
++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",
++ queue->idx, data->ttag);
++ goto err_proto;
++ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_map_pdu_iovec(cmd);
+ queue->cmd = cmd;
+--
+2.51.0
+
--- /dev/null
+From ecc7396e22403037b6a737ea1d80a7a7be141bad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Dec 2023 16:17:50 +0100
+Subject: nvmet-tcp: remove boilerplate code
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 75011bd0f9c55db523242f9f9a0b0b826165f14b ]
+
+Simplify the nvmet_tcp_handle_h2c_data_pdu() function by removing
+boilerplate code.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Stable-dep-of: 32b63acd78f5 ("nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 18127bbc64230..9610f0981b9ec 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -945,8 +945,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ if (unlikely(data->ttag >= queue->nr_cmds)) {
+ pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n",
+ queue->idx, data->ttag, queue->nr_cmds);
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+ cmd = &queue->cmds[data->ttag];
+ } else {
+@@ -957,9 +956,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("ttag %u unexpected data offset %u (expected %u)\n",
+ data->ttag, le32_to_cpu(data->data_offset),
+ cmd->rbytes_done);
+- /* FIXME: use path and transport errors */
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+
+ exp_data_len = le32_to_cpu(data->hdr.plen) -
+@@ -972,9 +969,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ cmd->pdu_len == 0 ||
+ cmd->pdu_len > NVMET_TCP_MAXH2CDATA)) {
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+- /* FIXME: use proper transport errors */
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_map_pdu_iovec(cmd);
+@@ -982,6 +977,11 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ queue->rcv_state = NVMET_TCP_RECV_DATA;
+
+ return 0;
++
++err_proto:
++ /* FIXME: use proper transport errors */
++ nvmet_tcp_fatal_error(queue);
++ return -EPROTO;
+ }
+
+ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
+--
+2.51.0
+
--- /dev/null
+From 6f815ee9591054270de3c0db55ab9240f49d113b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index a6c5985051b14..c19953ecfee66 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
--- /dev/null
+From b660a7f77597afb1e329c927d91515fdfdf88c48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 27f7e2292cf0b..1e3f73cee9efd 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -530,7 +530,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
--- /dev/null
+From e08aa6dd846643ef751a311c872c7c969a6e0da8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 07:41:03 +0000
+Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
+
+In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
+the function jumps to the out_scratch label without freeing the already
+allocated dsaddrs list, leading to a memory leak.
+
+Fix this by jumping to the out_err_drain_dsaddrs label, which properly
+frees the dsaddrs list before cleaning up other resources.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index 11777d33a85e8..35cac4d3f2e8a 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
+ sizeof(struct nfs4_ff_ds_version),
+ gfp_flags);
+ if (!ds_versions)
+- goto out_scratch;
++ goto out_err_drain_dsaddrs;
+
+ for (i = 0; i < version_count; i++) {
+ /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
+--
+2.51.0
+
--- /dev/null
+From 61ae8e9de7d512b595f7641d173f73e9bf25143c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 19:37:15 +0200
+Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
+
+The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
+0xfff0, only allowing CPUs 0-3.
+
+Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
+0-15.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Reviewed-by: Nimrod Oren <noren@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/toeplitz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 8ce96028341d5..09771d61ea344 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -471,8 +471,8 @@ static void parse_rps_bitmap(const char *arg)
+
+ bitmap = strtoul(arg, NULL, 0);
+
+- if (bitmap & ~(RPS_MAX_CPUS - 1))
+- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
+ bitmap, RPS_MAX_CPUS - 1);
+
+ for (i = 0; i < RPS_MAX_CPUS; i++)
+--
+2.51.0
+
--- /dev/null
+pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
+can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
+nvmet-tcp-remove-boilerplate-code.patch
+nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole.patch
+ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
+net-update-netdev_lock_-type-name.patch
+macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
+ipv4-ip_gre-make-ipgre_header-robust.patch
+vsock-test-add-a-final-full-barrier-after-run-all-te.patch
+net-mlx5e-restore-destroying-state-bit-after-profile.patch
+selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
+asoc-tlv320adcx140-fix-word-length.patch
+textsearch-describe-list-member-in-ts_ops-search.patch
+mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
+dmaengine-tegra-adma-fix-use-after-free.patch
+dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
+phy-stm32-usphyc-fix-off-by-one-in-probe.patch
+phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
+dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
--- /dev/null
+From 9520b77166c15ec40f59843609bb87d9a454dbea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Cc: Thomas Graf <tgraf@suug.ch>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 6673e4d4ac2e1..4933777404d61 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
--- /dev/null
+From 8c4d7134163165cbbff6d8c9c89226d009816da7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index 2acbb7703c6a0..259d33ae6293b 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -360,6 +360,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
--- /dev/null
+From 4ef201b297a3570064b76561198c63148c3e3847 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:45 +0100
+Subject: ASoC: tlv320adcx140: fix null pointer
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ]
+
+The "snd_soc_component" in "adcx140_priv" was only used once but never
+set. It was only used for reaching "dev" which is already present in
+"adcx140_priv".
+
+Fixes: 4e82971f7b55 ("ASoC: tlv320adcx140: Add a new kcontrol")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index 530f321d08e9c..4405934120e51 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -24,7 +24,6 @@
+ #include "tlv320adcx140.h"
+
+ struct adcx140_priv {
+- struct snd_soc_component *component;
+ struct regulator *supply_areg;
+ struct gpio_desc *gpio_reset;
+ struct regmap *regmap;
+@@ -702,7 +701,6 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ {
+ int pwr_ctrl = 0;
+ int ret = 0;
+- struct snd_soc_component *component = adcx140->component;
+
+ if (power_state)
+ pwr_ctrl = ADCX140_PWR_CFG_ADC_PDZ | ADCX140_PWR_CFG_PLL_PDZ;
+@@ -714,7 +712,7 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ ret = regmap_write(adcx140->regmap, ADCX140_PHASE_CALIB,
+ adcx140->phase_calib_on ? 0x00 : 0x40);
+ if (ret)
+- dev_err(component->dev, "%s: register write error %d\n",
++ dev_err(adcx140->dev, "%s: register write error %d\n",
+ __func__, ret);
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 35ca40e3aeef39be98c16f8fc6b0f966cc2ee622 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:47 +0100
+Subject: ASoC: tlv320adcx140: fix word length
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]
+
+The word length is the physical width of the channel slots. So the
+hw_params would misconfigure when format width and physical width
+doesn't match. Like S24_LE which has data width of 24 bits but physical
+width of 32 bits. So if using asymmetric formats you will get a lot of
+noise.
+
+Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index 4405934120e51..67eef894d0c2d 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -728,7 +728,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component);
+ u8 data = 0;
+
+- switch (params_width(params)) {
++ switch (params_physical_width(params)) {
+ case 16:
+ data = ADCX140_16_BIT_WORD;
+ break;
+@@ -743,7 +743,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ break;
+ default:
+ dev_err(component->dev, "%s: Unsupported width %d\n",
+- __func__, params_width(params));
++ __func__, params_physical_width(params));
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 1ee7b494ed4876593056b4acb7cc31d9e774eb60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 11:43:45 +0900
+Subject: btrfs: factor out check_removing_space_info() from
+ btrfs_free_block_groups()
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+[ Upstream commit 1cfdbe0d53b27b4b4a4f4cf2a4e430bc65ba2ba5 ]
+
+Factor out check_removing_space_info() from btrfs_free_block_groups(). It
+sanity checks a to-be-removed space_info. There is no functional change.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.c | 49 +++++++++++++++++++++++-------------------
+ 1 file changed, 27 insertions(+), 22 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 3295fb978a35b..797df5ddbcd12 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -4145,6 +4145,32 @@ void btrfs_put_block_group_cache(struct btrfs_fs_info *info)
+ }
+ }
+
++static void check_removing_space_info(struct btrfs_space_info *space_info)
++{
++ struct btrfs_fs_info *info = space_info->fs_info;
++
++ /*
++ * Do not hide this behind enospc_debug, this is actually important and
++ * indicates a real bug if this happens.
++ */
++ if (WARN_ON(space_info->bytes_pinned > 0 || space_info->bytes_may_use > 0))
++ btrfs_dump_space_info(info, space_info, 0, 0);
++
++ /*
++ * If there was a failure to cleanup a log tree, very likely due to an
++ * IO failure on a writeback attempt of one or more of its extent
++ * buffers, we could not do proper (and cheap) unaccounting of their
++ * reserved space, so don't warn on bytes_reserved > 0 in that case.
++ */
++ if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) ||
++ !BTRFS_FS_LOG_CLEANUP_ERROR(info)) {
++ if (WARN_ON(space_info->bytes_reserved > 0))
++ btrfs_dump_space_info(info, space_info, 0, 0);
++ }
++
++ WARN_ON(space_info->reclaim_size > 0);
++}
++
+ /*
+ * Must be called only after stopping all workers, since we could have block
+ * group caching kthreads running, and therefore they could race with us if we
+@@ -4235,28 +4261,7 @@ int btrfs_free_block_groups(struct btrfs_fs_info *info)
+ struct btrfs_space_info,
+ list);
+
+- /*
+- * Do not hide this behind enospc_debug, this is actually
+- * important and indicates a real bug if this happens.
+- */
+- if (WARN_ON(space_info->bytes_pinned > 0 ||
+- space_info->bytes_may_use > 0))
+- btrfs_dump_space_info(info, space_info, 0, 0);
+-
+- /*
+- * If there was a failure to cleanup a log tree, very likely due
+- * to an IO failure on a writeback attempt of one or more of its
+- * extent buffers, we could not do proper (and cheap) unaccounting
+- * of their reserved space, so don't warn on bytes_reserved > 0 in
+- * that case.
+- */
+- if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) ||
+- !BTRFS_FS_LOG_CLEANUP_ERROR(info)) {
+- if (WARN_ON(space_info->bytes_reserved > 0))
+- btrfs_dump_space_info(info, space_info, 0, 0);
+- }
+-
+- WARN_ON(space_info->reclaim_size > 0);
++ check_removing_space_info(space_info);
+ list_del(&space_info->list);
+ btrfs_sysfs_remove_space_info(space_info);
+ }
+--
+2.51.0
+
--- /dev/null
+From aa5d737516b0ca5383ebd4e3e8060c463e4f360f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 11:43:43 +0900
+Subject: btrfs: factor out init_space_info() from create_space_info()
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+[ Upstream commit ac5578fef380e68e539a2238ba63dd978a450ef2 ]
+
+Factor out initialization of the space_info struct, which is used in a
+later patch. There is no functional change.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 069df2ebd1ca5..88cd37a13c0ee 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -219,19 +219,11 @@ void btrfs_update_space_info_chunk_size(struct btrfs_space_info *space_info,
+ WRITE_ONCE(space_info->chunk_size, chunk_size);
+ }
+
+-static int create_space_info(struct btrfs_fs_info *info, u64 flags)
++static void init_space_info(struct btrfs_fs_info *info,
++ struct btrfs_space_info *space_info, u64 flags)
+ {
+-
+- struct btrfs_space_info *space_info;
+- int i;
+- int ret;
+-
+- space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
+- if (!space_info)
+- return -ENOMEM;
+-
+ space_info->fs_info = info;
+- for (i = 0; i < BTRFS_NR_RAID_TYPES; i++)
++ for (int i = 0; i < BTRFS_NR_RAID_TYPES; i++)
+ INIT_LIST_HEAD(&space_info->block_groups[i]);
+ init_rwsem(&space_info->groups_sem);
+ spin_lock_init(&space_info->lock);
+@@ -245,6 +237,19 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+
+ if (btrfs_is_zoned(info))
+ space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH;
++}
++
++static int create_space_info(struct btrfs_fs_info *info, u64 flags)
++{
++
++ struct btrfs_space_info *space_info;
++ int ret;
++
++ space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
++ if (!space_info)
++ return -ENOMEM;
++
++ init_space_info(info, space_info, flags);
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+--
+2.51.0
+
--- /dev/null
+From 949e71557d66b3eda50b68996876d5f5b845b9e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Jan 2026 19:20:37 +0000
+Subject: btrfs: fix memory leaks in create_space_info() error paths
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]
+
+In create_space_info(), the 'space_info' object is allocated at the
+beginning of the function. However, there are two error paths where the
+function returns an error code without freeing the allocated memory:
+
+1. When create_space_info_sub_group() fails in zoned mode.
+2. When btrfs_sysfs_add_space_info_type() fails.
+
+In both cases, 'space_info' has not yet been added to the
+fs_info->space_info list, resulting in a memory leak. Fix this by
+adding an error handling label to kfree(space_info) before returning.
+
+Fixes: 2be12ef79fe9 ("btrfs: Separate space_info create/update")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 15c578f49caab..230e086ddee8e 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -285,18 +285,22 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ BTRFS_SUB_GROUP_DATA_RELOC,
+ 0);
+ if (ret)
+- return ret;
++ goto out_free;
+ }
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+- return ret;
++ goto out_free;
+
+ list_add(&space_info->list, &info->space_info);
+ if (flags & BTRFS_BLOCK_GROUP_DATA)
+ info->data_sinfo = space_info;
+
+ return ret;
++
++out_free:
++ kfree(space_info);
++ return ret;
+ }
+
+ int btrfs_init_space_info(struct btrfs_fs_info *fs_info)
+--
+2.51.0
+
--- /dev/null
+From cce046a5184993ae379e14748f33f0fe04aaad58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 11:43:48 +0900
+Subject: btrfs: introduce btrfs_space_info sub-group
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+[ Upstream commit f92ee31e031c7819126d2febdda0c3e91f5d2eb9 ]
+
+Current code assumes we have only one space_info for each block group type
+(DATA, METADATA, and SYSTEM). We sometime need multiple space infos to
+manage special block groups.
+
+One example is handling the data relocation block group for the zoned mode.
+That block group is dedicated for writing relocated data and we cannot
+allocate any regular extent from that block group, which is implemented in
+the zoned extent allocator. This block group still belongs to the normal
+data space_info. So, when all the normal data block groups are full and
+there is some free space in the dedicated block group, the space_info
+looks to have some free space, while it cannot allocate normal extent
+anymore. That results in a strange ENOSPC error. We need to have a
+space_info for the relocation data block group to represent the situation
+properly.
+
+Adds a basic infrastructure for having a "sub-group" of a space_info:
+creation and removing. A sub-group space_info belongs to one of the
+primary space_infos and has the same flags as its parent.
+
+This commit first introduces the relocation data sub-space_info, and the
+next commit will introduce tree-log sub-space_info. In the future, it could
+be useful to implement tiered storage for btrfs e.g. by implementing a
+sub-group space_info for block groups resides on a fast storage.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.c | 11 +++++++++++
+ fs/btrfs/space-info.c | 44 +++++++++++++++++++++++++++++++++++++++---
+ fs/btrfs/space-info.h | 9 +++++++++
+ fs/btrfs/sysfs.c | 18 ++++++++++++++---
+ 4 files changed, 76 insertions(+), 6 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 797df5ddbcd12..2338d42b8f4e6 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -4149,6 +4149,17 @@ static void check_removing_space_info(struct btrfs_space_info *space_info)
+ {
+ struct btrfs_fs_info *info = space_info->fs_info;
+
++ if (space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY) {
++ /* This is a top space_info, proceed with its children first. */
++ for (int i = 0; i < BTRFS_SPACE_INFO_SUB_GROUP_MAX; i++) {
++ if (space_info->sub_group[i]) {
++ check_removing_space_info(space_info->sub_group[i]);
++ kfree(space_info->sub_group[i]);
++ space_info->sub_group[i] = NULL;
++ }
++ }
++ }
++
+ /*
+ * Do not hide this behind enospc_debug, this is actually important and
+ * indicates a real bug if this happens.
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 88cd37a13c0ee..15c578f49caab 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -234,16 +234,44 @@ static void init_space_info(struct btrfs_fs_info *info,
+ INIT_LIST_HEAD(&space_info->priority_tickets);
+ space_info->clamp = 1;
+ btrfs_update_space_info_chunk_size(space_info, calc_chunk_size(info, flags));
++ space_info->subgroup_id = BTRFS_SUB_GROUP_PRIMARY;
+
+ if (btrfs_is_zoned(info))
+ space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH;
+ }
+
++static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flags,
++ enum btrfs_space_info_sub_group id, int index)
++{
++ struct btrfs_fs_info *fs_info = parent->fs_info;
++ struct btrfs_space_info *sub_group;
++ int ret;
++
++ ASSERT(parent->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
++ ASSERT(id != BTRFS_SUB_GROUP_PRIMARY);
++
++ sub_group = kzalloc(sizeof(*sub_group), GFP_NOFS);
++ if (!sub_group)
++ return -ENOMEM;
++
++ init_space_info(fs_info, sub_group, flags);
++ parent->sub_group[index] = sub_group;
++ sub_group->parent = parent;
++ sub_group->subgroup_id = id;
++
++ ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group);
++ if (ret) {
++ kfree(sub_group);
++ parent->sub_group[index] = NULL;
++ }
++ return ret;
++}
++
+ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ {
+
+ struct btrfs_space_info *space_info;
+- int ret;
++ int ret = 0;
+
+ space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
+ if (!space_info)
+@@ -251,6 +279,15 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+
+ init_space_info(info, space_info, flags);
+
++ if (btrfs_is_zoned(info)) {
++ if (flags & BTRFS_BLOCK_GROUP_DATA)
++ ret = create_space_info_sub_group(space_info, flags,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++ 0);
++ if (ret)
++ return ret;
++ }
++
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+ return ret;
+@@ -511,8 +548,9 @@ static void __btrfs_dump_space_info(struct btrfs_fs_info *fs_info,
+ lockdep_assert_held(&info->lock);
+
+ /* The free space could be negative in case of overcommit */
+- btrfs_info(fs_info, "space_info %s has %lld free, is %sfull",
+- flag_str,
++ btrfs_info(fs_info,
++ "space_info %s (sub-group id %d) has %lld free, is %sfull",
++ flag_str, info->subgroup_id,
+ (s64)(info->total_bytes - btrfs_space_info_used(info, true)),
+ info->full ? "" : "not ");
+ btrfs_info(fs_info,
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index d6b34f2738b53..dc69138f3de17 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -64,8 +64,17 @@ enum btrfs_flush_state {
+ COMMIT_TRANS = 11,
+ };
+
++enum btrfs_space_info_sub_group {
++ BTRFS_SUB_GROUP_PRIMARY,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++};
++
++#define BTRFS_SPACE_INFO_SUB_GROUP_MAX 1
+ struct btrfs_space_info {
+ struct btrfs_fs_info *fs_info;
++ struct btrfs_space_info *parent;
++ struct btrfs_space_info *sub_group[BTRFS_SPACE_INFO_SUB_GROUP_MAX];
++ int subgroup_id;
+ spinlock_t lock;
+
+ u64 total_bytes; /* total bytes in the space,
+diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
+index 44a94ac21e2fa..693ae78705684 100644
+--- a/fs/btrfs/sysfs.c
++++ b/fs/btrfs/sysfs.c
+@@ -1585,16 +1585,28 @@ void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info)
+ kobject_put(&space_info->kobj);
+ }
+
+-static const char *alloc_name(u64 flags)
++static const char *alloc_name(struct btrfs_space_info *space_info)
+ {
++ u64 flags = space_info->flags;
++
+ switch (flags) {
+ case BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA:
+ return "mixed";
+ case BTRFS_BLOCK_GROUP_METADATA:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "metadata";
+ case BTRFS_BLOCK_GROUP_DATA:
+- return "data";
++ switch (space_info->subgroup_id) {
++ case BTRFS_SUB_GROUP_PRIMARY:
++ return "data";
++ case BTRFS_SUB_GROUP_DATA_RELOC:
++ return "data-reloc";
++ default:
++ WARN_ON_ONCE(1);
++ return "data (unknown sub-group)";
++ }
+ case BTRFS_BLOCK_GROUP_SYSTEM:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "system";
+ default:
+ WARN_ON(1);
+@@ -1613,7 +1625,7 @@ int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
+
+ ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype,
+ fs_info->space_info_kobj, "%s",
+- alloc_name(space_info->flags));
++ alloc_name(space_info));
+ if (ret) {
+ kobject_put(&space_info->kobj);
+ return ret;
+--
+2.51.0
+
--- /dev/null
+From a99f4affd7f06d93b2e02994488456e18649cb8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 11:06:35 -0400
+Subject: btrfs: move flush related definitions to space-info.h
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit f1e5c6185ca166cde0c7c2eeeab5d233ef315140 ]
+
+This code is used in space-info.c, move the definitions to space-info.h.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.h | 59 ----------------------------------------
+ fs/btrfs/delayed-inode.c | 1 +
+ fs/btrfs/inode-item.c | 1 +
+ fs/btrfs/props.c | 1 +
+ fs/btrfs/relocation.c | 1 +
+ fs/btrfs/space-info.h | 59 ++++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 63 insertions(+), 59 deletions(-)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index da8986e0c4222..bd84a8b774a68 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2925,65 +2925,6 @@ int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans,
+
+ void btrfs_clear_space_info_full(struct btrfs_fs_info *info);
+
+-/*
+- * Different levels for to flush space when doing space reservations.
+- *
+- * The higher the level, the more methods we try to reclaim space.
+- */
+-enum btrfs_reserve_flush_enum {
+- /* If we are in the transaction, we can't flush anything.*/
+- BTRFS_RESERVE_NO_FLUSH,
+-
+- /*
+- * Flush space by:
+- * - Running delayed inode items
+- * - Allocating a new chunk
+- */
+- BTRFS_RESERVE_FLUSH_LIMIT,
+-
+- /*
+- * Flush space by:
+- * - Running delayed inode items
+- * - Running delayed refs
+- * - Running delalloc and waiting for ordered extents
+- * - Allocating a new chunk
+- */
+- BTRFS_RESERVE_FLUSH_EVICT,
+-
+- /*
+- * Flush space by above mentioned methods and by:
+- * - Running delayed iputs
+- * - Committing transaction
+- *
+- * Can be interrupted by a fatal signal.
+- */
+- BTRFS_RESERVE_FLUSH_DATA,
+- BTRFS_RESERVE_FLUSH_FREE_SPACE_INODE,
+- BTRFS_RESERVE_FLUSH_ALL,
+-
+- /*
+- * Pretty much the same as FLUSH_ALL, but can also steal space from
+- * global rsv.
+- *
+- * Can be interrupted by a fatal signal.
+- */
+- BTRFS_RESERVE_FLUSH_ALL_STEAL,
+-};
+-
+-enum btrfs_flush_state {
+- FLUSH_DELAYED_ITEMS_NR = 1,
+- FLUSH_DELAYED_ITEMS = 2,
+- FLUSH_DELAYED_REFS_NR = 3,
+- FLUSH_DELAYED_REFS = 4,
+- FLUSH_DELALLOC = 5,
+- FLUSH_DELALLOC_WAIT = 6,
+- FLUSH_DELALLOC_FULL = 7,
+- ALLOC_CHUNK = 8,
+- ALLOC_CHUNK_FORCE = 9,
+- RUN_DELAYED_IPUTS = 10,
+- COMMIT_TRANS = 11,
+-};
+-
+ int btrfs_subvolume_reserve_metadata(struct btrfs_root *root,
+ struct btrfs_block_rsv *rsv,
+ int nitems, bool use_global_rsv);
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index 052112d0daa74..214168868ac08 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -14,6 +14,7 @@
+ #include "qgroup.h"
+ #include "locking.h"
+ #include "inode-item.h"
++#include "space-info.h"
+
+ #define BTRFS_DELAYED_WRITEBACK 512
+ #define BTRFS_DELAYED_BACKGROUND 128
+diff --git a/fs/btrfs/inode-item.c b/fs/btrfs/inode-item.c
+index 5add022d3534f..ce5c51ffdc0d0 100644
+--- a/fs/btrfs/inode-item.c
++++ b/fs/btrfs/inode-item.c
+@@ -8,6 +8,7 @@
+ #include "disk-io.h"
+ #include "transaction.h"
+ #include "print-tree.h"
++#include "space-info.h"
+
+ struct btrfs_inode_ref *btrfs_find_name_in_backref(struct extent_buffer *leaf,
+ int slot,
+diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c
+index 055a631276ce1..07f62e3ba6a51 100644
+--- a/fs/btrfs/props.c
++++ b/fs/btrfs/props.c
+@@ -10,6 +10,7 @@
+ #include "ctree.h"
+ #include "xattr.h"
+ #include "compression.h"
++#include "space-info.h"
+
+ #define BTRFS_PROP_HANDLERS_HT_BITS 8
+ static DEFINE_HASHTABLE(prop_handlers_ht, BTRFS_PROP_HANDLERS_HT_BITS);
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 3fdf5519336f9..795df859cdbfc 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -27,6 +27,7 @@
+ #include "subpage.h"
+ #include "zoned.h"
+ #include "inode-item.h"
++#include "space-info.h"
+
+ /*
+ * Relocation overview
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index 99ce3225dd59d..fea2f93674e7c 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -5,6 +5,65 @@
+
+ #include "volumes.h"
+
++/*
++ * Different levels for to flush space when doing space reservations.
++ *
++ * The higher the level, the more methods we try to reclaim space.
++ */
++enum btrfs_reserve_flush_enum {
++ /* If we are in the transaction, we can't flush anything.*/
++ BTRFS_RESERVE_NO_FLUSH,
++
++ /*
++ * Flush space by:
++ * - Running delayed inode items
++ * - Allocating a new chunk
++ */
++ BTRFS_RESERVE_FLUSH_LIMIT,
++
++ /*
++ * Flush space by:
++ * - Running delayed inode items
++ * - Running delayed refs
++ * - Running delalloc and waiting for ordered extents
++ * - Allocating a new chunk
++ */
++ BTRFS_RESERVE_FLUSH_EVICT,
++
++ /*
++ * Flush space by above mentioned methods and by:
++ * - Running delayed iputs
++ * - Committing transaction
++ *
++ * Can be interrupted by a fatal signal.
++ */
++ BTRFS_RESERVE_FLUSH_DATA,
++ BTRFS_RESERVE_FLUSH_FREE_SPACE_INODE,
++ BTRFS_RESERVE_FLUSH_ALL,
++
++ /*
++ * Pretty much the same as FLUSH_ALL, but can also steal space from
++ * global rsv.
++ *
++ * Can be interrupted by a fatal signal.
++ */
++ BTRFS_RESERVE_FLUSH_ALL_STEAL,
++};
++
++enum btrfs_flush_state {
++ FLUSH_DELAYED_ITEMS_NR = 1,
++ FLUSH_DELAYED_ITEMS = 2,
++ FLUSH_DELAYED_REFS_NR = 3,
++ FLUSH_DELAYED_REFS = 4,
++ FLUSH_DELALLOC = 5,
++ FLUSH_DELALLOC_WAIT = 6,
++ FLUSH_DELALLOC_FULL = 7,
++ ALLOC_CHUNK = 8,
++ ALLOC_CHUNK_FORCE = 9,
++ RUN_DELAYED_IPUTS = 10,
++ COMMIT_TRANS = 11,
++};
++
+ struct btrfs_space_info {
+ spinlock_t lock;
+
+--
+2.51.0
+
--- /dev/null
+From 490ad73c778c85ee344947164934a2bb2913f757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index f5a9f6689c460..486d4fcc597b2 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6289,6 +6289,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
--- /dev/null
+From 28f74803c4677d31e42bc2bca3065d1dca65776b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 11:52:57 -0800
+Subject: btrfs: store fs_info in space_info
+
+From: Boris Burkov <boris@bur.io>
+
+[ Upstream commit 42f620aec182f62ee72e3fce41cb3353951b3508 ]
+
+This is handy when computing space_info dynamic reclaim thresholds where
+we do not have access to a block group. We could add it to the various
+functions as a parameter, but it seems reasonable for space_info to have
+an fs_info pointer.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 1 +
+ fs/btrfs/space-info.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index bede72f3dffc3..069df2ebd1ca5 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -230,6 +230,7 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ if (!space_info)
+ return -ENOMEM;
+
++ space_info->fs_info = info;
+ for (i = 0; i < BTRFS_NR_RAID_TYPES; i++)
+ INIT_LIST_HEAD(&space_info->block_groups[i]);
+ init_rwsem(&space_info->groups_sem);
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index fea2f93674e7c..d6b34f2738b53 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -65,6 +65,7 @@ enum btrfs_flush_state {
+ };
+
+ struct btrfs_space_info {
++ struct btrfs_fs_info *fs_info;
+ spinlock_t lock;
+
+ u64 total_bytes; /* total bytes in the space,
+--
+2.51.0
+
--- /dev/null
+From 12d75396c09cd3f0f8936228418426dbc0cf9ee2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 02:17:32 +0100
+Subject: can: etas_es58x: allow partial RX URB allocation to succeed
+
+From: Szymon Wilczek <swilczek.lx@gmail.com>
+
+[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]
+
+When es58x_alloc_rx_urbs() fails to allocate the requested number of
+URBs but succeeds in allocating some, it returns an error code.
+This causes es58x_open() to return early, skipping the cleanup label
+'free_urbs', which leads to the anchored URBs being leaked.
+
+As pointed out by maintainer Vincent Mailhol, the driver is designed
+to handle partial URB allocation gracefully. Therefore, partial
+allocation should not be treated as a fatal error.
+
+Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
+allocated, restoring the intended behavior and preventing the leak
+in es58x_open().
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
+Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
+Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
+Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index 41bea531234db..6995fbce829ad 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -1735,7 +1735,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
+ dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n",
+ __func__, i, rx_buf_len);
+
+- return ret;
++ return 0;
+ }
+
+ /**
+--
+2.51.0
+
--- /dev/null
+From db709298cd30a6836ee1b638b06abd8b47a0e754 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 15:30:18 +0800
+Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
+
+The dma_pool created by dma_pool_create() is not destroyed when
+dma_async_device_register() or of_dma_controller_register() fails,
+causing a resource leak in the probe error paths.
+
+Add dma_pool_destroy() in both error paths to properly release the
+allocated dma_pool resource.
+
+Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/omap-dma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index 27f5019bdc1ed..7755a79b429f4 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1811,6 +1811,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
+ rc);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ return rc;
+ }
+@@ -1826,6 +1828,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register DMA controller\n");
+ dma_async_device_unregister(&od->ddev);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ }
+ }
+--
+2.51.0
+
--- /dev/null
+From 9b8ffe19179e7223e7e7c547c949170908edfb38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 19:54:45 +0530
+Subject: dmaengine: tegra-adma: Fix use-after-free
+
+From: Sheetal <sheetal@nvidia.com>
+
+[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]
+
+A use-after-free bug exists in the Tegra ADMA driver when audio streams
+are terminated, particularly during XRUN conditions. The issue occurs
+when the DMA buffer is freed by tegra_adma_terminate_all() before the
+vchan completion tasklet finishes accessing it.
+
+The race condition follows this sequence:
+
+ 1. DMA transfer completes, triggering an interrupt that schedules the
+ completion tasklet (tasklet has not executed yet)
+ 2. Audio playback stops, calling tegra_adma_terminate_all() which
+ frees the DMA buffer memory via kfree()
+ 3. The scheduled tasklet finally executes, calling vchan_complete()
+ which attempts to access the already-freed memory
+
+Since tasklets can execute at any time after being scheduled, there is
+no guarantee that the buffer will remain valid when vchan_complete()
+runs.
+
+Fix this by properly synchronizing the virtual channel completion:
+ - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
+ descriptors as terminated instead of freeing the descriptor.
+ - Add the callback tegra_adma_synchronize() that calls
+ vchan_synchronize() which kills any pending tasklets and frees any
+ terminated descriptors.
+
+Crash logs:
+[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
+[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
+
+[ 337.427562] Call trace:
+[ 337.427564] dump_backtrace+0x0/0x320
+[ 337.427571] show_stack+0x20/0x30
+[ 337.427575] dump_stack_lvl+0x68/0x84
+[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
+[ 337.427590] kasan_report+0x1f4/0x210
+[ 337.427598] __asan_load8+0xa0/0xd0
+[ 337.427603] vchan_complete+0x124/0x3b0
+[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
+[ 337.427617] tasklet_action+0x30/0x40
+[ 337.427623] __do_softirq+0x1a0/0x5c4
+[ 337.427628] irq_exit+0x110/0x140
+[ 337.427633] handle_domain_irq+0xa4/0xe0
+[ 337.427640] gic_handle_irq+0x64/0x160
+[ 337.427644] call_on_irq_stack+0x20/0x4c
+[ 337.427649] do_interrupt_handler+0x7c/0x90
+[ 337.427654] el1_interrupt+0x30/0x80
+[ 337.427659] el1h_64_irq_handler+0x18/0x30
+[ 337.427663] el1h_64_irq+0x7c/0x80
+[ 337.427667] cpuidle_enter_state+0xe4/0x540
+[ 337.427674] cpuidle_enter+0x54/0x80
+[ 337.427679] do_idle+0x2e0/0x380
+[ 337.427685] cpu_startup_entry+0x2c/0x70
+[ 337.427690] rest_init+0x114/0x130
+[ 337.427695] arch_call_rest_init+0x18/0x24
+[ 337.427702] start_kernel+0x380/0x3b4
+[ 337.427706] __primary_switched+0xc0/0xc8
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sheetal <sheetal@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index 79da93cc77b64..db79e92f5e611 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -341,10 +341,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
+ return;
+ }
+
+- kfree(tdc->desc);
++ vchan_terminate_vdesc(&tdc->desc->vd);
+ tdc->desc = NULL;
+ }
+
++static void tegra_adma_synchronize(struct dma_chan *dc)
++{
++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc);
++
++ vchan_synchronize(&tdc->vc);
++}
++
+ static void tegra_adma_start(struct tegra_adma_chan *tdc)
+ {
+ struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc);
+@@ -910,6 +917,7 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ tdma->dma_dev.device_config = tegra_adma_slave_config;
+ tdma->dma_dev.device_tx_status = tegra_adma_tx_status;
+ tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all;
++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize;
+ tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
+--
+2.51.0
+
--- /dev/null
+From 4b5f786c1791ac4c123a7edba4de8e02c345e8cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 00:00:06 +0530
+Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when
+ "xlnx,addrwidth" property is missing
+
+From: Suraj Gupta <suraj.gupta2@amd.com>
+
+[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
+
+When device tree lacks optional "xlnx,addrwidth" property, the addr_width
+variable remained uninitialized with garbage values, causing incorrect
+DMA mask configuration and subsequent probe failure. The fix ensures a
+fallback to the default 32-bit address width when this property is missing.
+
+Signed-off-by: Suraj Gupta <suraj.gupta2@amd.com>
+Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Folker Schwesinger <dev@folker-schwesinger.de>
+Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index e2175651f9795..8402dc3d3a352 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -128,6 +128,7 @@
+ #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
+ #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
+ #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
+
+ #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
+ (XILINX_DMA_DMASR_FRM_CNT_IRQ | \
+@@ -3016,7 +3017,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct device_node *node = pdev->dev.of_node;
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+- u32 num_frames, addr_width, len_width;
++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -3085,7 +3086,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
+ if (err < 0)
+- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
++ dev_warn(xdev->dev,
++ "missing xlnx,addrwidth property, using default value %d\n",
++ XILINX_DMA_DFAULT_ADDRWIDTH);
+
+ if (addr_width > 32)
+ xdev->ext_addr = true;
+--
+2.51.0
+
--- /dev/null
+From 79f5b429cb643726d438575067ece32d53e1a1ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jun 2023 04:30:06 -0700
+Subject: hv_netvsc: Allocate rx indirection table size dynamically
+
+From: Shradha Gupta <shradhagupta@linux.microsoft.com>
+
+[ Upstream commit 4cab498f33f7adaa01ad15909c0f34a81e5a0b0a ]
+
+Allocate the size of rx indirection table dynamically in netvsc
+from the value of size provided by OID_GEN_RECEIVE_SCALE_CAPABILITIES
+query instead of using a constant value of ITAB_NUM.
+
+Signed-off-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Tested-on: Ubuntu22 (azure VM, SKU size: Standard_F72s_v2)
+Testcases:
+1. ethtool -x eth0 output
+2. LISA testcase:PERF-NETWORK-TCP-THROUGHPUT-MULTICONNECTION-NTTTCP-Synthetic
+3. LISA testcase:PERF-NETWORK-TCP-THROUGHPUT-MULTICONNECTION-NTTTCP-SRIOV
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: d23564955811 ("net: hv_netvsc: reject RSS hash key programming without RX indirection table")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/hyperv_net.h | 5 ++++-
+ drivers/net/hyperv/netvsc_drv.c | 10 ++++++----
+ drivers/net/hyperv/rndis_filter.c | 29 +++++++++++++++++++++++++----
+ 3 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
+index ea9cb1ac4bbe1..97952229a7b77 100644
+--- a/drivers/net/hyperv/hyperv_net.h
++++ b/drivers/net/hyperv/hyperv_net.h
+@@ -74,6 +74,7 @@ struct ndis_recv_scale_cap { /* NDIS_RECEIVE_SCALE_CAPABILITIES */
+ #define NDIS_RSS_HASH_SECRET_KEY_MAX_SIZE_REVISION_2 40
+
+ #define ITAB_NUM 128
++#define ITAB_NUM_MAX 256
+
+ struct ndis_recv_scale_param { /* NDIS_RECEIVE_SCALE_PARAMETERS */
+ struct ndis_obj_header hdr;
+@@ -1045,7 +1046,9 @@ struct net_device_context {
+
+ u32 tx_table[VRSS_SEND_TAB_SIZE];
+
+- u16 rx_table[ITAB_NUM];
++ u16 *rx_table;
++
++ u32 rx_table_sz;
+
+ /* Ethtool settings */
+ u8 duplex;
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 7433fe7699432..68dfe77a6bbfe 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1717,7 +1717,9 @@ static u32 netvsc_get_rxfh_key_size(struct net_device *dev)
+
+ static u32 netvsc_rss_indir_size(struct net_device *dev)
+ {
+- return ITAB_NUM;
++ struct net_device_context *ndc = netdev_priv(dev);
++
++ return ndc->rx_table_sz;
+ }
+
+ static int netvsc_get_rxfh(struct net_device *dev, u32 *indir, u8 *key,
+@@ -1736,7 +1738,7 @@ static int netvsc_get_rxfh(struct net_device *dev, u32 *indir, u8 *key,
+
+ rndis_dev = ndev->extension;
+ if (indir) {
+- for (i = 0; i < ITAB_NUM; i++)
++ for (i = 0; i < ndc->rx_table_sz; i++)
+ indir[i] = ndc->rx_table[i];
+ }
+
+@@ -1762,11 +1764,11 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir,
+
+ rndis_dev = ndev->extension;
+ if (indir) {
+- for (i = 0; i < ITAB_NUM; i++)
++ for (i = 0; i < ndc->rx_table_sz; i++)
+ if (indir[i] >= ndev->num_chn)
+ return -EINVAL;
+
+- for (i = 0; i < ITAB_NUM; i++)
++ for (i = 0; i < ndc->rx_table_sz; i++)
+ ndc->rx_table[i] = indir[i];
+ }
+
+diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
+index bb656ea097731..09144f0ec2aa4 100644
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -21,6 +21,7 @@
+ #include <linux/rtnetlink.h>
+ #include <linux/ucs2_string.h>
+ #include <linux/string.h>
++#include <linux/slab.h>
+
+ #include "hyperv_net.h"
+ #include "netvsc_trace.h"
+@@ -913,7 +914,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev,
+ struct rndis_set_request *set;
+ struct rndis_set_complete *set_complete;
+ u32 extlen = sizeof(struct ndis_recv_scale_param) +
+- 4 * ITAB_NUM + NETVSC_HASH_KEYLEN;
++ 4 * ndc->rx_table_sz + NETVSC_HASH_KEYLEN;
+ struct ndis_recv_scale_param *rssp;
+ u32 *itab;
+ u8 *keyp;
+@@ -939,7 +940,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev,
+ rssp->hashinfo = NDIS_HASH_FUNC_TOEPLITZ | NDIS_HASH_IPV4 |
+ NDIS_HASH_TCP_IPV4 | NDIS_HASH_IPV6 |
+ NDIS_HASH_TCP_IPV6;
+- rssp->indirect_tabsize = 4*ITAB_NUM;
++ rssp->indirect_tabsize = 4 * ndc->rx_table_sz;
+ rssp->indirect_taboffset = sizeof(struct ndis_recv_scale_param);
+ rssp->hashkey_size = NETVSC_HASH_KEYLEN;
+ rssp->hashkey_offset = rssp->indirect_taboffset +
+@@ -947,7 +948,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev,
+
+ /* Set indirection table entries */
+ itab = (u32 *)(rssp + 1);
+- for (i = 0; i < ITAB_NUM; i++)
++ for (i = 0; i < ndc->rx_table_sz; i++)
+ itab[i] = ndc->rx_table[i];
+
+ /* Set hask key values */
+@@ -1534,6 +1535,18 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,
+ if (ret || rsscap.num_recv_que < 2)
+ goto out;
+
++ if (rsscap.num_indirect_tabent &&
++ rsscap.num_indirect_tabent <= ITAB_NUM_MAX)
++ ndc->rx_table_sz = rsscap.num_indirect_tabent;
++ else
++ ndc->rx_table_sz = ITAB_NUM;
++
++ ndc->rx_table = kcalloc(ndc->rx_table_sz, sizeof(u16), GFP_KERNEL);
++ if (!ndc->rx_table) {
++ ret = -ENOMEM;
++ goto err_dev_remv;
++ }
++
+ /* This guarantees that num_possible_rss_qs <= num_online_cpus */
+ num_possible_rss_qs = min_t(u32, num_online_cpus(),
+ rsscap.num_recv_que);
+@@ -1544,7 +1557,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,
+ net_device->num_chn = min(net_device->max_chn, device_info->num_chn);
+
+ if (!netif_is_rxfh_configured(net)) {
+- for (i = 0; i < ITAB_NUM; i++)
++ for (i = 0; i < ndc->rx_table_sz; i++)
+ ndc->rx_table[i] = ethtool_rxfh_indir_default(
+ i, net_device->num_chn);
+ }
+@@ -1582,11 +1595,19 @@ void rndis_filter_device_remove(struct hv_device *dev,
+ struct netvsc_device *net_dev)
+ {
+ struct rndis_device *rndis_dev = net_dev->extension;
++ struct net_device *net = hv_get_drvdata(dev);
++ struct net_device_context *ndc;
++
++ ndc = netdev_priv(net);
+
+ /* Halt and release the rndis device */
+ rndis_filter_halt_device(net_dev, rndis_dev);
+
+ netvsc_device_remove(dev);
++
++ ndc->rx_table_sz = 0;
++ kfree(ndc->rx_table);
++ ndc->rx_table = NULL;
+ }
+
+ int rndis_filter_open(struct netvsc_device *nvdev)
+--
+2.51.0
+
--- /dev/null
+From fd73284b7d4f7c2cfcfdddc827da7e6a24f7a974 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jan 2026 16:31:09 +0000
+Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]
+
+Blamed commit did not take care of VLAN encapsulations
+as spotted by syzbot [1].
+
+Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
+
+[1]
+ BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
+ __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
+ ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
+ gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
+ ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
+ ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
+ ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
+ dst_input include/net/dst.h:474 [inline]
+ ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
+ __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
+ __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
+ netif_receive_skb_internal net/core/dev.c:6338 [inline]
+ netif_receive_skb+0x57/0x630 net/core/dev.c:6397
+ tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
+ tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4960 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
+ kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
+ __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
+ alloc_skb include/linux/skbuff.h:1383 [inline]
+ alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
+ sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
+ tun_alloc_skb drivers/net/tun.c:1461 [inline]
+ tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+
+Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index dfca22c6d345d..8ce36fcc3dd5b 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -844,7 +844,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
+
+ skb_reset_network_header(skb);
+
+- if (!pskb_inet_may_pull(skb)) {
++ if (skb_vlan_inet_prepare(skb, true)) {
+ DEV_STATS_INC(tunnel->dev, rx_length_errors);
+ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto drop;
+--
+2.51.0
+
--- /dev/null
+From 73f5a3728cf43ebdcad08f123ddb30783ed4a93a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 19:02:14 +0000
+Subject: ipv4: ip_gre: make ipgre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
+
+Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+
+Over the years, syzbot found many ways to crash the kernel
+in ipgre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ipgre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
+ kernel BUG at net/core/skbuff.c:213 !
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: mld mld_ifc_work
+ RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
+Call Trace:
+ <TASK>
+ skb_under_panic net/core/skbuff.c:223 [inline]
+ skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+ ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
+ dev_hard_header include/linux/netdevice.h:3436 [inline]
+ neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
+Closes: https://www.spinics.net/lists/netdev/msg1147302.html
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 2c311ed84a3b3..b90241aff93c3 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -854,10 +854,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ const void *daddr, const void *saddr, unsigned int len)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct iphdr *iph;
+ struct gre_base_hdr *greh;
++ struct iphdr *iph;
++ int needed;
++
++ needed = t->hlen + sizeof(*iph);
++ if (skb_headroom(skb) < needed &&
++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++ 0, GFP_ATOMIC))
++ return -needed;
+
+- iph = skb_push(skb, t->hlen + sizeof(*iph));
++ iph = skb_push(skb, needed);
+ greh = (struct gre_base_hdr *)(iph+1);
+ greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
+ greh->protocol = htons(type);
+--
+2.51.0
+
--- /dev/null
+From fe1e75806a4dee523026318ef9a49897d86187d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 01:05:08 +0000
+Subject: ipv6: Fix use-after-free in inet6_addr_del().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ]
+
+syzbot reported use-after-free of inet6_ifaddr in
+inet6_addr_del(). [0]
+
+The cited commit accidentally moved ipv6_del_addr() for
+mngtmpaddr before reading its ifp->flags for temporary
+addresses in inet6_addr_del().
+
+Let's move ipv6_del_addr() down to fix the UAF.
+
+[0]:
+BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593
+
+CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+ addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
+ inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f164cf8f749
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749
+RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003
+RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288
+ </TASK>
+
+Allocated by task 9593:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
+ kmalloc_noprof include/linux/slab.h:957 [inline]
+ kzalloc_noprof include/linux/slab.h:1094 [inline]
+ ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
+ inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
+ addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
+ inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6099:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
+ poison_slab_object mm/kasan/common.c:252 [inline]
+ __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
+ kasan_slab_free include/linux/kasan.h:234 [inline]
+ slab_free_hook mm/slub.c:2540 [inline]
+ slab_free_freelist_hook mm/slub.c:2569 [inline]
+ slab_free_bulk mm/slub.c:6696 [inline]
+ kmem_cache_free_bulk mm/slub.c:7383 [inline]
+ kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
+ kfree_bulk include/linux/slab.h:830 [inline]
+ kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
+ kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
+ kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
+ process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
+ process_scheduled_works kernel/workqueue.c:3340 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
+ kthread+0x3c5/0x780 kernel/kthread.c:463
+ ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: 00b5b7aab9e42 ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged")
+Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 03961f8080757..d6a33452dd369 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3068,12 +3068,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags,
+ in6_ifa_hold(ifp);
+ read_unlock_bh(&idev->lock);
+
+- ipv6_del_addr(ifp);
+-
+ if (!(ifp->flags & IFA_F_TEMPORARY) &&
+ (ifp->flags & IFA_F_MANAGETEMPADDR))
+ delete_tempaddrs(idev, ifp);
+
++ ipv6_del_addr(ifp);
++
+ addrconf_verify_rtnl(net);
+ if (ipv6_addr_is_multicast(pfx)) {
+ ipv6_mc_config(net->ipv6.mc_autojoin_sk,
+--
+2.51.0
+
--- /dev/null
+From 5fc02041557ade2dae7d125188e3b793f5323afb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:36:51 +0000
+Subject: macvlan: fix possible UAF in macvlan_forward_source()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]
+
+Add RCU protection on (struct macvlan_source_entry)->vlan.
+
+Whenever macvlan_hash_del_source() is called, we must clear
+entry->vlan pointer before RCU grace period starts.
+
+This allows macvlan_forward_source() to skip over
+entries queued for freeing.
+
+Note that macvlan_dev are already RCU protected, as they
+are embedded in a standard netdev (netdev_priv(ndev)).
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
+https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 012830d12fde6..428b139822cf6 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -56,7 +56,7 @@ struct macvlan_port {
+
+ struct macvlan_source_entry {
+ struct hlist_node hlist;
+- struct macvlan_dev *vlan;
++ struct macvlan_dev __rcu *vlan;
+ unsigned char addr[6+2] __aligned(sizeof(u16));
+ struct rcu_head rcu;
+ };
+@@ -143,7 +143,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+- entry->vlan == vlan)
++ rcu_access_pointer(entry->vlan) == vlan)
+ return entry;
+ }
+ return NULL;
+@@ -165,7 +165,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan,
+ return -ENOMEM;
+
+ ether_addr_copy(entry->addr, addr);
+- entry->vlan = vlan;
++ RCU_INIT_POINTER(entry->vlan, vlan);
+ h = &port->vlan_source_hash[macvlan_eth_hash(addr)];
+ hlist_add_head_rcu(&entry->hlist, h);
+ vlan->macaddr_count++;
+@@ -184,6 +184,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan)
+
+ static void macvlan_hash_del_source(struct macvlan_source_entry *entry)
+ {
++ RCU_INIT_POINTER(entry->vlan, NULL);
+ hlist_del_rcu(&entry->hlist);
+ kfree_rcu(entry, rcu);
+ }
+@@ -382,7 +383,7 @@ static void macvlan_flush_sources(struct macvlan_port *port,
+ int i;
+
+ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
+- if (entry->vlan == vlan)
++ if (rcu_access_pointer(entry->vlan) == vlan)
+ macvlan_hash_del_source(entry);
+
+ vlan->macaddr_count = 0;
+@@ -425,9 +426,14 @@ static bool macvlan_forward_source(struct sk_buff *skb,
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+ if (ether_addr_equal_64bits(entry->addr, addr)) {
+- if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan);
++
++ if (!vlan)
++ continue;
++
++ if (vlan->flags & MACVLAN_FLAG_NODST)
+ consume = true;
+- macvlan_forward_source_one(skb, entry->vlan);
++ macvlan_forward_source_one(skb, vlan);
+ }
+ }
+
+@@ -1648,7 +1654,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct macvlan_source_entry *entry;
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+- if (entry->vlan != vlan)
++ if (rcu_access_pointer(entry->vlan) != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+ return 1;
+--
+2.51.0
+
--- /dev/null
+From f745ea972c620de5fa7f2ad7288a1d8c6a49f51d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:07 +0700
+Subject: mm, kfence: describe @slab parameter in __kfence_obj_info()
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
+
+Fix it by describing @slab parameter.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
+Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Marco Elver <elver@google.com>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Acked-by: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kfence.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index 726857a4b6805..d5258c63ffd7c 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -210,6 +210,7 @@ struct kmem_obj_info;
+ * __kfence_obj_info() - fill kmem_obj_info struct
+ * @kpp: kmem_obj_info to be filled
+ * @object: the object
++ * @slab: the slab
+ *
+ * Return:
+ * * false - not a KFENCE object
+--
+2.51.0
+
--- /dev/null
+From 041018e08c94f34d791aa059c2a0939f06ec1ab9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 02:01:33 -0800
+Subject: net: hv_netvsc: reject RSS hash key programming without RX
+ indirection table
+
+From: Aditya Garg <gargaditya@linux.microsoft.com>
+
+[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ]
+
+RSS configuration requires a valid RX indirection table. When the device
+reports a single receive queue, rndis_filter_device_add() does not
+allocate an indirection table, accepting RSS hash key updates in this
+state leads to a hang.
+
+Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
+-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
+capabilities and prevents incorrect behavior.
+
+Fixes: 962f3fee83a4 ("netvsc: add ethtool ops to get/set RSS key")
+Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com>
+Reviewed-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 68dfe77a6bbfe..20c584f46ec01 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1762,6 +1762,9 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir,
+ if (hfunc != ETH_RSS_HASH_NO_CHANGE && hfunc != ETH_RSS_HASH_TOP)
+ return -EOPNOTSUPP;
+
++ if (!ndc->rx_table_sz)
++ return -EOPNOTSUPP;
++
+ rndis_dev = ndev->extension;
+ if (indir) {
+ for (i = 0; i < ndc->rx_table_sz; i++)
+--
+2.51.0
+
--- /dev/null
+From 4a84098b73fe408b67259ed0926bc33f9f193e86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:57 -0800
+Subject: net/mlx5e: Restore destroying state bit after profile cleanup
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ]
+
+Profile rollback can fail in mlx5e_netdev_change_profile() and we will
+end up with invalid mlx5e_priv memset to 0, we must maintain the
+'destroying' bit in order to gracefully shutdown even if the
+profile/priv are not valid.
+
+This patch maintains the previous state of the 'destroying' state of
+mlx5e_priv after priv cleanup, to allow the remove flow to cleanup
+common resources from mlx5_core to avoid FW fatal errors as seen below:
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+ Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ...
+
+$ devlink dev reload pci/0000:00:03.0
+
+mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
+mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected
+mlx5_core 0000:00:03.0: firmware version: 28.41.1000
+mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link)
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here
+mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver
+mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start
+mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms.
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 0c1f89196f6c1..73011870e5ff6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5566,6 +5566,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv,
+
+ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ {
++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ int i;
+
+ /* bail if change profile failed and also rollback failed */
+@@ -5591,6 +5592,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ }
+
+ memset(priv, 0, sizeof(*priv));
++ if (destroying) /* restore destroying bit, to allow unload */
++ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ }
+
+ static unsigned int mlx5e_get_max_num_txqs(struct mlx5_core_dev *mdev,
+--
+2.51.0
+
--- /dev/null
+From 697d3e3285239b3291d0a0f9b93d8f0c8a493c67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 80a7173843b90..0047f35504348 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -533,8 +533,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From e37f43822f5dce5893fa8fea7bdeb5bb24bd16c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 09:32:44 +0000
+Subject: net: update netdev_lock_{type,name}
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ]
+
+Add missing entries in netdev_lock_type[] and netdev_lock_name[] :
+
+CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON,
+IEEE802154_MONITOR.
+
+Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting
+next time a protocol is added without updating these arrays.
+
+Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 114fc8bc37f8b..69bb7ac73d047 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -449,15 +449,21 @@ static const unsigned short netdev_lock_type[] = {
+ ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP,
+ ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD,
+ ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25,
++ ARPHRD_CAN, ARPHRD_MCTP,
+ ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP,
+- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
++ ARPHRD_RAWHDLC, ARPHRD_RAWIP,
++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
+ ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI,
+ ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE,
+ ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET,
+ ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL,
+ ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM,
+- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
+- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE};
++ ARPHRD_IEEE80211_RADIOTAP,
++ ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR,
++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN,
++ ARPHRD_VSOCKMON,
++ ARPHRD_VOID, ARPHRD_NONE};
+
+ static const char *const netdev_lock_name[] = {
+ "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25",
+@@ -466,15 +472,21 @@ static const char *const netdev_lock_name[] = {
+ "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP",
+ "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD",
+ "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25",
++ "_xmit_CAN", "_xmit_MCTP",
+ "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP",
+- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
++ "_xmit_RAWHDLC", "_xmit_RAWIP",
++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
+ "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI",
+ "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE",
+ "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET",
+ "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL",
+ "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM",
+- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE",
+- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"};
++ "_xmit_IEEE80211_RADIOTAP",
++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR",
++ "_xmit_PHONET", "_xmit_PHONET_PIPE",
++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN",
++ "_xmit_VSOCKMON",
++ "_xmit_VOID", "_xmit_NONE"};
+
+ static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)];
+ static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)];
+@@ -487,6 +499,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type)
+ if (netdev_lock_type[i] == dev_type)
+ return i;
+ /* the last key is used by default */
++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type);
+ return ARRAY_SIZE(netdev_lock_type) - 1;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 3dcd04adfbc192fc09f552f709c0006deb22c822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Dec 2025 13:57:48 -0500
+Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shivam Kumar <kumar.shivam43666@gmail.com>
+
+[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]
+
+Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+added ttag bounds checking and data_offset
+validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
+whether the command's data structures (cmd->req.sg and cmd->iov) have
+been properly initialized before processing H2C_DATA PDUs.
+
+The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
+without NULL checks. This can be triggered by sending H2C_DATA PDU
+immediately after the ICREQ/ICRESP handshake, before
+sending a CONNECT command or NVMe write command.
+
+Attack vectors that trigger NULL pointer dereferences:
+1. H2C_DATA PDU sent before CONNECT → both pointers NULL
+2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
+3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
+
+The fix validates both cmd->req.sg and cmd->iov before calling
+nvmet_tcp_build_pdu_iovec(). Both checks are required because:
+- Uninitialized commands: both NULL
+- READ commands: cmd->req.sg allocated, cmd->iov NULL
+- WRITE commands: both allocated
+
+Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 8fc626ddc1275..7fae0103a515b 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -956,6 +956,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+ goto err_proto;
+ }
++ /*
++ * Ensure command data structures are initialized. We must check both
++ * cmd->req.sg and cmd->iov because they can have different NULL states:
++ * - Uninitialized commands: both NULL
++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL
++ * - WRITE commands: both allocated
++ */
++ if (unlikely(!cmd->req.sg || !cmd->iov)) {
++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",
++ queue->idx, data->ttag);
++ goto err_proto;
++ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_build_pdu_iovec(cmd);
+ queue->cmd = cmd;
+--
+2.51.0
+
--- /dev/null
+From 3ee4ea396c9f194220654cb3e06b99c27dc891e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Dec 2023 16:17:50 +0100
+Subject: nvmet-tcp: remove boilerplate code
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 75011bd0f9c55db523242f9f9a0b0b826165f14b ]
+
+Simplify the nvmet_tcp_handle_h2c_data_pdu() function by removing
+boilerplate code.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Stable-dep-of: 32b63acd78f5 ("nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index eee052dbf80c1..8fc626ddc1275 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -930,8 +930,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ if (unlikely(data->ttag >= queue->nr_cmds)) {
+ pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n",
+ queue->idx, data->ttag, queue->nr_cmds);
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+ cmd = &queue->cmds[data->ttag];
+ } else {
+@@ -942,9 +941,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("ttag %u unexpected data offset %u (expected %u)\n",
+ data->ttag, le32_to_cpu(data->data_offset),
+ cmd->rbytes_done);
+- /* FIXME: use path and transport errors */
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+
+ exp_data_len = le32_to_cpu(data->hdr.plen) -
+@@ -957,9 +954,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ cmd->pdu_len == 0 ||
+ cmd->pdu_len > NVMET_TCP_MAXH2CDATA)) {
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+- /* FIXME: use proper transport errors */
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_build_pdu_iovec(cmd);
+@@ -967,6 +962,11 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ queue->rcv_state = NVMET_TCP_RECV_DATA;
+
+ return 0;
++
++err_proto:
++ /* FIXME: use proper transport errors */
++ nvmet_tcp_fatal_error(queue);
++ return -EPROTO;
+ }
+
+ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
+--
+2.51.0
+
--- /dev/null
+From f19c0124005f1cd56af4b22cebafa2ac4b5dce1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index 2c8b1b7dda5bd..5c2710597df2c 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
--- /dev/null
+From 7f6ffc218b7025fbffbe3040d54c4c0d9355bfd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 5bb9647b078f1..c2947159e8b41 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -708,7 +708,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
--- /dev/null
+From dc9a7992068ef3955a597a9d6f4606898aa8d67a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 07:41:03 +0000
+Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
+
+In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
+the function jumps to the out_scratch label without freeing the already
+allocated dsaddrs list, leading to a memory leak.
+
+Fix this by jumping to the out_err_drain_dsaddrs label, which properly
+frees the dsaddrs list before cleaning up other resources.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index 95d5dca671456..ed18e9e87c25f 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
+ sizeof(struct nfs4_ff_ds_version),
+ gfp_flags);
+ if (!ds_versions)
+- goto out_scratch;
++ goto out_err_drain_dsaddrs;
+
+ for (i = 0; i < version_count; i++) {
+ /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
+--
+2.51.0
+
--- /dev/null
+From 3e7a47d5303d9aa2e9c51d76d58d1f6734c77956 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 19:37:15 +0200
+Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
+
+The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
+0xfff0, only allowing CPUs 0-3.
+
+Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
+0-15.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Reviewed-by: Nimrod Oren <noren@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/toeplitz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 9ba03164d73a6..5099157f01b9a 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -473,8 +473,8 @@ static void parse_rps_bitmap(const char *arg)
+
+ bitmap = strtoul(arg, NULL, 0);
+
+- if (bitmap & ~(RPS_MAX_CPUS - 1))
+- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
+ bitmap, RPS_MAX_CPUS - 1);
+
+ for (i = 0; i < RPS_MAX_CPUS; i++)
+--
+2.51.0
+
firmware-imx-scu-irq-set-mu_resource_id-before-get-handle.patch
efi-cper-fix-cper_bits_to_str-buffer-handling-and-return-value.patch
revert-gfs2-fix-use-of-bio_chain.patch
+xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
+pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
+can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
+nvmet-tcp-remove-boilerplate-code.patch
+nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole.patch
+ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
+net-update-netdev_lock_-type-name.patch
+macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
+ipv4-ip_gre-make-ipgre_header-robust.patch
+vsock-test-add-a-final-full-barrier-after-run-all-te.patch
+net-mlx5e-restore-destroying-state-bit-after-profile.patch
+btrfs-move-flush-related-definitions-to-space-info.h.patch
+btrfs-store-fs_info-in-space_info.patch
+btrfs-factor-out-init_space_info-from-create_space_i.patch
+btrfs-factor-out-check_removing_space_info-from-btrf.patch
+btrfs-introduce-btrfs_space_info-sub-group.patch
+btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch
+hv_netvsc-allocate-rx-indirection-table-size-dynamic.patch
+net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
+ipv6-fix-use-after-free-in-inet6_addr_del.patch
+selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
+asoc-tlv320adcx140-fix-null-pointer.patch
+asoc-tlv320adcx140-fix-word-length.patch
+textsearch-describe-list-member-in-ts_ops-search.patch
+mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
+dmaengine-tegra-adma-fix-use-after-free.patch
+dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
+phy-stm32-usphyc-fix-off-by-one-in-probe.patch
+phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
+dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
--- /dev/null
+From ff499d5be736992e2c7c5755063007d7d0829007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Cc: Thomas Graf <tgraf@suug.ch>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 6673e4d4ac2e1..4933777404d61 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
--- /dev/null
+From e9e9713d6ff1253833ed6e60715591995deed32e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index 2acbb7703c6a0..259d33ae6293b 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -360,6 +360,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
--- /dev/null
+From 4d749cb49f104f1772df45c207fcc0dc65a7ff7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 05:56:09 +0200
+Subject: xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ]
+
+Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
+protocol") attempted to fix GSO segmentation by reading the inner
+protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
+because the field holds the inner L4 protocol (TCP/UDP) instead of the
+required tunnel protocol. Also, the memory location (shared by
+XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
+is prone to corruption. This combination caused the kernel to select
+the wrong inner mode and get the wrong address family.
+
+The correct value is in xfrm_offload(skb)->proto, which is set from
+the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
+is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
+or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
+inner packet's address family.
+
+Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/esp4_offload.c | 4 ++--
+ net/ipv6/esp6_offload.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index cbfc8b5b15bd2..8d6a40054eaab 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -110,8 +110,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
+ : htons(ETH_P_IP);
+
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 65d628e500059..460cf1dab9da2 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -145,8 +145,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
+ : htons(ETH_P_IPV6);
+
+--
+2.51.0
+
--- /dev/null
+From 3ba2c88466dfec43966aea75f9e62a22841778ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 13:09:54 +0000
+Subject: ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit c5e96e54eca3876d4ce8857e2e22adbe9f44f4a2 ]
+
+Set gpiochip parent to the struct device of the dummy GPIO driver
+so that the software node will be associated with the GPIO chip.
+
+The recent commit e5d527be7e698 ("gpio: swnode: don't use the
+swnode's name as the key for GPIO lookup") broke cirrus_scodec_test,
+because the software node no longer gets associated with the GPIO
+driver by name.
+
+Instead, setting struct gpio_chip.parent to the owning struct device
+will find the node using a normal fwnode lookup.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2144833e7b414 ("ALSA: hda: cirrus_scodec: Add KUnit test")
+Link: https://patch.msgid.link/20260113130954.574670-1-rf@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/cirrus_scodec_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/cirrus_scodec_test.c b/sound/pci/hda/cirrus_scodec_test.c
+index e925ebe21ccba..140b2a6be8dca 100644
+--- a/sound/pci/hda/cirrus_scodec_test.c
++++ b/sound/pci/hda/cirrus_scodec_test.c
+@@ -92,6 +92,7 @@ static int cirrus_scodec_test_gpio_probe(struct platform_device *pdev)
+
+ /* GPIO core modifies our struct gpio_chip so use a copy */
+ gpio_priv->chip = cirrus_scodec_test_gpio_chip;
++ gpio_priv->chip.parent = &pdev->dev;
+ ret = devm_gpiochip_add_data(&pdev->dev, &gpio_priv->chip, gpio_priv);
+ if (ret)
+ return dev_err_probe(&pdev->dev, ret, "Failed to add gpiochip\n");
+--
+2.51.0
+
--- /dev/null
+From 0b2d5704804cc4aabb61a3b1741eaf7c8b9b3a35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 19:55:18 -0700
+Subject: ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type
+
+From: Cole Leavitt <cole@unwrap.rs>
+
+[ Upstream commit 390caeed0897fcac75f3c414dbdd85d593183d9c ]
+
+The CS42L43 codec's load detection can return different impedance values
+that map to either HEADPHONE or LINEOUT jack types. However, the
+soc_jack_pins array only maps SND_JACK_HEADPHONE to the "Headphone" DAPM
+pin, not SND_JACK_LINEOUT.
+
+When headphones are detected with an impedance that maps to LINEOUT
+(such as impedance value 0x2), the driver reports SND_JACK_LINEOUT.
+Since this doesn't match the jack pin mask, the "Headphone" DAPM pin
+is not activated, and no audio is routed to the headphone outputs.
+
+Fix by adding SND_JACK_LINEOUT to the Headphone pin mask, so that both
+headphone and line-out detection properly enable the headphone output
+path.
+
+This fixes no audio output on devices like the Lenovo ThinkPad P16 Gen 3
+where headphones are detected with LINEOUT impedance.
+
+Fixes: d74bad3b7452 ("ASoC: intel: sof_sdw_cs42l43: Create separate jacks for hp and mic")
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Cole Leavitt <cole@unwrap.rs>
+Link: https://patch.msgid.link/20260114025518.28519-1-cole@unwrap.rs
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdw_utils/soc_sdw_cs42l43.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sdw_utils/soc_sdw_cs42l43.c b/sound/soc/sdw_utils/soc_sdw_cs42l43.c
+index 2dc7787234c36..dacd050439439 100644
+--- a/sound/soc/sdw_utils/soc_sdw_cs42l43.c
++++ b/sound/soc/sdw_utils/soc_sdw_cs42l43.c
+@@ -44,7 +44,7 @@ static const struct snd_soc_dapm_route cs42l43_dmic_map[] = {
+ static struct snd_soc_jack_pin soc_jack_pins[] = {
+ {
+ .pin = "Headphone",
+- .mask = SND_JACK_HEADPHONE,
++ .mask = SND_JACK_HEADPHONE | SND_JACK_LINEOUT,
+ },
+ {
+ .pin = "Headset Mic",
+--
+2.51.0
+
--- /dev/null
+From 8755569bfcbf15eb2f9425e59be6846da82ecf23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:45 +0100
+Subject: ASoC: tlv320adcx140: fix null pointer
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ]
+
+The "snd_soc_component" in "adcx140_priv" was only used once but never
+set. It was only used for reaching "dev" which is already present in
+"adcx140_priv".
+
+Fixes: 4e82971f7b55 ("ASoC: tlv320adcx140: Add a new kcontrol")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index d594bf166c0e7..ccfec4c0c159a 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -23,7 +23,6 @@
+ #include "tlv320adcx140.h"
+
+ struct adcx140_priv {
+- struct snd_soc_component *component;
+ struct regulator *supply_areg;
+ struct gpio_desc *gpio_reset;
+ struct regmap *regmap;
+@@ -701,7 +700,6 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ {
+ int pwr_ctrl = 0;
+ int ret = 0;
+- struct snd_soc_component *component = adcx140->component;
+
+ if (power_state)
+ pwr_ctrl = ADCX140_PWR_CFG_ADC_PDZ | ADCX140_PWR_CFG_PLL_PDZ;
+@@ -713,7 +711,7 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ ret = regmap_write(adcx140->regmap, ADCX140_PHASE_CALIB,
+ adcx140->phase_calib_on ? 0x00 : 0x40);
+ if (ret)
+- dev_err(component->dev, "%s: register write error %d\n",
++ dev_err(adcx140->dev, "%s: register write error %d\n",
+ __func__, ret);
+ }
+
+--
+2.51.0
+
--- /dev/null
+From fb019175b06904e8a4d8252c0925e33c62140d66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:47 +0100
+Subject: ASoC: tlv320adcx140: fix word length
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]
+
+The word length is the physical width of the channel slots. So the
+hw_params would misconfigure when format width and physical width
+doesn't match. Like S24_LE which has data width of 24 bits but physical
+width of 32 bits. So if using asymmetric formats you will get a lot of
+noise.
+
+Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index ccfec4c0c159a..62d936c2838c9 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -727,7 +727,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component);
+ u8 data = 0;
+
+- switch (params_width(params)) {
++ switch (params_physical_width(params)) {
+ case 16:
+ data = ADCX140_16_BIT_WORD;
+ break;
+@@ -742,7 +742,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ break;
+ default:
+ dev_err(component->dev, "%s: Unsupported width %d\n",
+- __func__, params_width(params));
++ __func__, params_physical_width(params));
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 39c8976a52974e8e6afdb0bd7af78a99c88cfd82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 11:43:45 +0900
+Subject: btrfs: factor out check_removing_space_info() from
+ btrfs_free_block_groups()
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+[ Upstream commit 1cfdbe0d53b27b4b4a4f4cf2a4e430bc65ba2ba5 ]
+
+Factor out check_removing_space_info() from btrfs_free_block_groups(). It
+sanity checks a to-be-removed space_info. There is no functional change.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.c | 49 +++++++++++++++++++++++-------------------
+ 1 file changed, 27 insertions(+), 22 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 83a196521670b..8dce7046940c4 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -4416,6 +4416,32 @@ void btrfs_put_block_group_cache(struct btrfs_fs_info *info)
+ }
+ }
+
++static void check_removing_space_info(struct btrfs_space_info *space_info)
++{
++ struct btrfs_fs_info *info = space_info->fs_info;
++
++ /*
++ * Do not hide this behind enospc_debug, this is actually important and
++ * indicates a real bug if this happens.
++ */
++ if (WARN_ON(space_info->bytes_pinned > 0 || space_info->bytes_may_use > 0))
++ btrfs_dump_space_info(info, space_info, 0, 0);
++
++ /*
++ * If there was a failure to cleanup a log tree, very likely due to an
++ * IO failure on a writeback attempt of one or more of its extent
++ * buffers, we could not do proper (and cheap) unaccounting of their
++ * reserved space, so don't warn on bytes_reserved > 0 in that case.
++ */
++ if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) ||
++ !BTRFS_FS_LOG_CLEANUP_ERROR(info)) {
++ if (WARN_ON(space_info->bytes_reserved > 0))
++ btrfs_dump_space_info(info, space_info, 0, 0);
++ }
++
++ WARN_ON(space_info->reclaim_size > 0);
++}
++
+ /*
+ * Must be called only after stopping all workers, since we could have block
+ * group caching kthreads running, and therefore they could race with us if we
+@@ -4517,28 +4543,7 @@ int btrfs_free_block_groups(struct btrfs_fs_info *info)
+ struct btrfs_space_info,
+ list);
+
+- /*
+- * Do not hide this behind enospc_debug, this is actually
+- * important and indicates a real bug if this happens.
+- */
+- if (WARN_ON(space_info->bytes_pinned > 0 ||
+- space_info->bytes_may_use > 0))
+- btrfs_dump_space_info(info, space_info, 0, 0);
+-
+- /*
+- * If there was a failure to cleanup a log tree, very likely due
+- * to an IO failure on a writeback attempt of one or more of its
+- * extent buffers, we could not do proper (and cheap) unaccounting
+- * of their reserved space, so don't warn on bytes_reserved > 0 in
+- * that case.
+- */
+- if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) ||
+- !BTRFS_FS_LOG_CLEANUP_ERROR(info)) {
+- if (WARN_ON(space_info->bytes_reserved > 0))
+- btrfs_dump_space_info(info, space_info, 0, 0);
+- }
+-
+- WARN_ON(space_info->reclaim_size > 0);
++ check_removing_space_info(space_info);
+ list_del(&space_info->list);
+ btrfs_sysfs_remove_space_info(space_info);
+ }
+--
+2.51.0
+
--- /dev/null
+From 132218b6addbfa7358ab1952861584b77fe65cbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 11:43:43 +0900
+Subject: btrfs: factor out init_space_info() from create_space_info()
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+[ Upstream commit ac5578fef380e68e539a2238ba63dd978a450ef2 ]
+
+Factor out initialization of the space_info struct, which is used in a
+later patch. There is no functional change.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index d5a9cd8a4fd8d..6497398fb4e2e 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -225,19 +225,11 @@ void btrfs_update_space_info_chunk_size(struct btrfs_space_info *space_info,
+ WRITE_ONCE(space_info->chunk_size, chunk_size);
+ }
+
+-static int create_space_info(struct btrfs_fs_info *info, u64 flags)
++static void init_space_info(struct btrfs_fs_info *info,
++ struct btrfs_space_info *space_info, u64 flags)
+ {
+-
+- struct btrfs_space_info *space_info;
+- int i;
+- int ret;
+-
+- space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
+- if (!space_info)
+- return -ENOMEM;
+-
+ space_info->fs_info = info;
+- for (i = 0; i < BTRFS_NR_RAID_TYPES; i++)
++ for (int i = 0; i < BTRFS_NR_RAID_TYPES; i++)
+ INIT_LIST_HEAD(&space_info->block_groups[i]);
+ init_rwsem(&space_info->groups_sem);
+ spin_lock_init(&space_info->lock);
+@@ -251,6 +243,19 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+
+ if (btrfs_is_zoned(info))
+ space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH;
++}
++
++static int create_space_info(struct btrfs_fs_info *info, u64 flags)
++{
++
++ struct btrfs_space_info *space_info;
++ int ret;
++
++ space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
++ if (!space_info)
++ return -ENOMEM;
++
++ init_space_info(info, space_info, flags);
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+--
+2.51.0
+
--- /dev/null
+From 74a7e28e4ace62ab39839d9a9a0489fc6a6ec712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Jan 2026 19:20:37 +0000
+Subject: btrfs: fix memory leaks in create_space_info() error paths
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]
+
+In create_space_info(), the 'space_info' object is allocated at the
+beginning of the function. However, there are two error paths where the
+function returns an error code without freeing the allocated memory:
+
+1. When create_space_info_sub_group() fails in zoned mode.
+2. When btrfs_sysfs_add_space_info_type() fails.
+
+In both cases, 'space_info' has not yet been added to the
+fs_info->space_info list, resulting in a memory leak. Fix this by
+adding an error handling label to kfree(space_info) before returning.
+
+Fixes: 2be12ef79fe9 ("btrfs: Separate space_info create/update")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 9d47678875b76..b2c90696b86b2 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -291,18 +291,22 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ BTRFS_SUB_GROUP_DATA_RELOC,
+ 0);
+ if (ret)
+- return ret;
++ goto out_free;
+ }
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+- return ret;
++ goto out_free;
+
+ list_add(&space_info->list, &info->space_info);
+ if (flags & BTRFS_BLOCK_GROUP_DATA)
+ info->data_sinfo = space_info;
+
+ return ret;
++
++out_free:
++ kfree(space_info);
++ return ret;
+ }
+
+ int btrfs_init_space_info(struct btrfs_fs_info *fs_info)
+--
+2.51.0
+
--- /dev/null
+From 11089e1726271eb473a4d59d923ea79f22916345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 11:43:48 +0900
+Subject: btrfs: introduce btrfs_space_info sub-group
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+[ Upstream commit f92ee31e031c7819126d2febdda0c3e91f5d2eb9 ]
+
+Current code assumes we have only one space_info for each block group type
+(DATA, METADATA, and SYSTEM). We sometime need multiple space infos to
+manage special block groups.
+
+One example is handling the data relocation block group for the zoned mode.
+That block group is dedicated for writing relocated data and we cannot
+allocate any regular extent from that block group, which is implemented in
+the zoned extent allocator. This block group still belongs to the normal
+data space_info. So, when all the normal data block groups are full and
+there is some free space in the dedicated block group, the space_info
+looks to have some free space, while it cannot allocate normal extent
+anymore. That results in a strange ENOSPC error. We need to have a
+space_info for the relocation data block group to represent the situation
+properly.
+
+Adds a basic infrastructure for having a "sub-group" of a space_info:
+creation and removing. A sub-group space_info belongs to one of the
+primary space_infos and has the same flags as its parent.
+
+This commit first introduces the relocation data sub-space_info, and the
+next commit will introduce tree-log sub-space_info. In the future, it could
+be useful to implement tiered storage for btrfs e.g. by implementing a
+sub-group space_info for block groups resides on a fast storage.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.c | 11 +++++++++++
+ fs/btrfs/space-info.c | 44 +++++++++++++++++++++++++++++++++++++++---
+ fs/btrfs/space-info.h | 9 +++++++++
+ fs/btrfs/sysfs.c | 18 ++++++++++++++---
+ 4 files changed, 76 insertions(+), 6 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 8dce7046940c4..c3aec02bf199e 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -4420,6 +4420,17 @@ static void check_removing_space_info(struct btrfs_space_info *space_info)
+ {
+ struct btrfs_fs_info *info = space_info->fs_info;
+
++ if (space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY) {
++ /* This is a top space_info, proceed with its children first. */
++ for (int i = 0; i < BTRFS_SPACE_INFO_SUB_GROUP_MAX; i++) {
++ if (space_info->sub_group[i]) {
++ check_removing_space_info(space_info->sub_group[i]);
++ kfree(space_info->sub_group[i]);
++ space_info->sub_group[i] = NULL;
++ }
++ }
++ }
++
+ /*
+ * Do not hide this behind enospc_debug, this is actually important and
+ * indicates a real bug if this happens.
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 6497398fb4e2e..9d47678875b76 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -240,16 +240,44 @@ static void init_space_info(struct btrfs_fs_info *info,
+ INIT_LIST_HEAD(&space_info->priority_tickets);
+ space_info->clamp = 1;
+ btrfs_update_space_info_chunk_size(space_info, calc_chunk_size(info, flags));
++ space_info->subgroup_id = BTRFS_SUB_GROUP_PRIMARY;
+
+ if (btrfs_is_zoned(info))
+ space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH;
+ }
+
++static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flags,
++ enum btrfs_space_info_sub_group id, int index)
++{
++ struct btrfs_fs_info *fs_info = parent->fs_info;
++ struct btrfs_space_info *sub_group;
++ int ret;
++
++ ASSERT(parent->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
++ ASSERT(id != BTRFS_SUB_GROUP_PRIMARY);
++
++ sub_group = kzalloc(sizeof(*sub_group), GFP_NOFS);
++ if (!sub_group)
++ return -ENOMEM;
++
++ init_space_info(fs_info, sub_group, flags);
++ parent->sub_group[index] = sub_group;
++ sub_group->parent = parent;
++ sub_group->subgroup_id = id;
++
++ ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group);
++ if (ret) {
++ kfree(sub_group);
++ parent->sub_group[index] = NULL;
++ }
++ return ret;
++}
++
+ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ {
+
+ struct btrfs_space_info *space_info;
+- int ret;
++ int ret = 0;
+
+ space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
+ if (!space_info)
+@@ -257,6 +285,15 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+
+ init_space_info(info, space_info, flags);
+
++ if (btrfs_is_zoned(info)) {
++ if (flags & BTRFS_BLOCK_GROUP_DATA)
++ ret = create_space_info_sub_group(space_info, flags,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++ 0);
++ if (ret)
++ return ret;
++ }
++
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+ return ret;
+@@ -554,8 +591,9 @@ static void __btrfs_dump_space_info(const struct btrfs_fs_info *fs_info,
+ lockdep_assert_held(&info->lock);
+
+ /* The free space could be negative in case of overcommit */
+- btrfs_info(fs_info, "space_info %s has %lld free, is %sfull",
+- flag_str,
++ btrfs_info(fs_info,
++ "space_info %s (sub-group id %d) has %lld free, is %sfull",
++ flag_str, info->subgroup_id,
+ (s64)(info->total_bytes - btrfs_space_info_used(info, true)),
+ info->full ? "" : "not ");
+ btrfs_info(fs_info,
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index efbecc0c5258d..12c337b473870 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -93,8 +93,17 @@ enum btrfs_flush_state {
+ COMMIT_TRANS = 11,
+ };
+
++enum btrfs_space_info_sub_group {
++ BTRFS_SUB_GROUP_PRIMARY,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++};
++
++#define BTRFS_SPACE_INFO_SUB_GROUP_MAX 1
+ struct btrfs_space_info {
+ struct btrfs_fs_info *fs_info;
++ struct btrfs_space_info *parent;
++ struct btrfs_space_info *sub_group[BTRFS_SPACE_INFO_SUB_GROUP_MAX];
++ int subgroup_id;
+ spinlock_t lock;
+
+ u64 total_bytes; /* total bytes in the space,
+diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
+index 5912d50577666..ea13e3eee7d90 100644
+--- a/fs/btrfs/sysfs.c
++++ b/fs/btrfs/sysfs.c
+@@ -1792,16 +1792,28 @@ void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info)
+ kobject_put(&space_info->kobj);
+ }
+
+-static const char *alloc_name(u64 flags)
++static const char *alloc_name(struct btrfs_space_info *space_info)
+ {
++ u64 flags = space_info->flags;
++
+ switch (flags) {
+ case BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA:
+ return "mixed";
+ case BTRFS_BLOCK_GROUP_METADATA:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "metadata";
+ case BTRFS_BLOCK_GROUP_DATA:
+- return "data";
++ switch (space_info->subgroup_id) {
++ case BTRFS_SUB_GROUP_PRIMARY:
++ return "data";
++ case BTRFS_SUB_GROUP_DATA_RELOC:
++ return "data-reloc";
++ default:
++ WARN_ON_ONCE(1);
++ return "data (unknown sub-group)";
++ }
+ case BTRFS_BLOCK_GROUP_SYSTEM:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "system";
+ default:
+ WARN_ON(1);
+@@ -1820,7 +1832,7 @@ int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
+
+ ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype,
+ fs_info->space_info_kobj, "%s",
+- alloc_name(space_info->flags));
++ alloc_name(space_info));
+ if (ret) {
+ kobject_put(&space_info->kobj);
+ return ret;
+--
+2.51.0
+
--- /dev/null
+From c40c9c2f31cc6e48e98e0e3eff5b099d10f84935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 41b7cbd070254..2fa577d4a232d 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6550,6 +6550,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
--- /dev/null
+From f746832ab50b726d16918cf87fb23f2672cf1606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 02:17:32 +0100
+Subject: can: etas_es58x: allow partial RX URB allocation to succeed
+
+From: Szymon Wilczek <swilczek.lx@gmail.com>
+
+[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]
+
+When es58x_alloc_rx_urbs() fails to allocate the requested number of
+URBs but succeeds in allocating some, it returns an error code.
+This causes es58x_open() to return early, skipping the cleanup label
+'free_urbs', which leads to the anchored URBs being leaked.
+
+As pointed out by maintainer Vincent Mailhol, the driver is designed
+to handle partial URB allocation gracefully. Therefore, partial
+allocation should not be treated as a fatal error.
+
+Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
+allocated, restoring the intended behavior and preventing the leak
+in es58x_open().
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
+Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
+Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
+Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index 4fc9bed0d2e1e..d483cb7cfbcd5 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -1736,7 +1736,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
+ dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n",
+ __func__, i, rx_buf_len);
+
+- return ret;
++ return 0;
+ }
+
+ /**
+--
+2.51.0
+
--- /dev/null
+From dde3463ae0e297cd9fbda1b0f63d336f80a706d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 15:30:18 +0800
+Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
+
+The dma_pool created by dma_pool_create() is not destroyed when
+dma_async_device_register() or of_dma_controller_register() fails,
+causing a resource leak in the probe error paths.
+
+Add dma_pool_destroy() in both error paths to properly release the
+allocated dma_pool resource.
+
+Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/omap-dma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index 6ab9bfbdc4809..d0c2fd5c62074 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1808,6 +1808,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
+ rc);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ return rc;
+ }
+@@ -1823,6 +1825,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register DMA controller\n");
+ dma_async_device_unregister(&od->ddev);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ }
+ }
+--
+2.51.0
+
--- /dev/null
+From e737c3ca594789a5662441fbe7e4c6650ee2628b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 19:54:45 +0530
+Subject: dmaengine: tegra-adma: Fix use-after-free
+
+From: Sheetal <sheetal@nvidia.com>
+
+[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]
+
+A use-after-free bug exists in the Tegra ADMA driver when audio streams
+are terminated, particularly during XRUN conditions. The issue occurs
+when the DMA buffer is freed by tegra_adma_terminate_all() before the
+vchan completion tasklet finishes accessing it.
+
+The race condition follows this sequence:
+
+ 1. DMA transfer completes, triggering an interrupt that schedules the
+ completion tasklet (tasklet has not executed yet)
+ 2. Audio playback stops, calling tegra_adma_terminate_all() which
+ frees the DMA buffer memory via kfree()
+ 3. The scheduled tasklet finally executes, calling vchan_complete()
+ which attempts to access the already-freed memory
+
+Since tasklets can execute at any time after being scheduled, there is
+no guarantee that the buffer will remain valid when vchan_complete()
+runs.
+
+Fix this by properly synchronizing the virtual channel completion:
+ - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
+ descriptors as terminated instead of freeing the descriptor.
+ - Add the callback tegra_adma_synchronize() that calls
+ vchan_synchronize() which kills any pending tasklets and frees any
+ terminated descriptors.
+
+Crash logs:
+[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
+[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
+
+[ 337.427562] Call trace:
+[ 337.427564] dump_backtrace+0x0/0x320
+[ 337.427571] show_stack+0x20/0x30
+[ 337.427575] dump_stack_lvl+0x68/0x84
+[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
+[ 337.427590] kasan_report+0x1f4/0x210
+[ 337.427598] __asan_load8+0xa0/0xd0
+[ 337.427603] vchan_complete+0x124/0x3b0
+[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
+[ 337.427617] tasklet_action+0x30/0x40
+[ 337.427623] __do_softirq+0x1a0/0x5c4
+[ 337.427628] irq_exit+0x110/0x140
+[ 337.427633] handle_domain_irq+0xa4/0xe0
+[ 337.427640] gic_handle_irq+0x64/0x160
+[ 337.427644] call_on_irq_stack+0x20/0x4c
+[ 337.427649] do_interrupt_handler+0x7c/0x90
+[ 337.427654] el1_interrupt+0x30/0x80
+[ 337.427659] el1h_64_irq_handler+0x18/0x30
+[ 337.427663] el1h_64_irq+0x7c/0x80
+[ 337.427667] cpuidle_enter_state+0xe4/0x540
+[ 337.427674] cpuidle_enter+0x54/0x80
+[ 337.427679] do_idle+0x2e0/0x380
+[ 337.427685] cpu_startup_entry+0x2c/0x70
+[ 337.427690] rest_init+0x114/0x130
+[ 337.427695] arch_call_rest_init+0x18/0x24
+[ 337.427702] start_kernel+0x380/0x3b4
+[ 337.427706] __primary_switched+0xc0/0xc8
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sheetal <sheetal@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index 24ad7077c53ba..55e9dcca55390 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -343,10 +343,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
+ return;
+ }
+
+- kfree(tdc->desc);
++ vchan_terminate_vdesc(&tdc->desc->vd);
+ tdc->desc = NULL;
+ }
+
++static void tegra_adma_synchronize(struct dma_chan *dc)
++{
++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc);
++
++ vchan_synchronize(&tdc->vc);
++}
++
+ static void tegra_adma_start(struct tegra_adma_chan *tdc)
+ {
+ struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc);
+@@ -938,6 +945,7 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ tdma->dma_dev.device_config = tegra_adma_slave_config;
+ tdma->dma_dev.device_tx_status = tegra_adma_tx_status;
+ tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all;
++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize;
+ tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
+--
+2.51.0
+
--- /dev/null
+From fac0e78ad7cd38129e2700314c555003155e507f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 17:48:49 +0200
+Subject: dmaengine: xilinx: xdma: Fix regmap max_register
+
+From: Anthony Brandon <anthony@amarulasolutions.com>
+
+[ Upstream commit c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 ]
+
+The max_register field is assigned the size of the register memory
+region instead of the offset of the last register.
+The result is that reading from the regmap via debugfs can cause
+a segmentation fault:
+
+tail /sys/kernel/debug/regmap/xdma.1.auto/registers
+Unable to handle kernel paging request at virtual address ffff800082f70000
+Mem abort info:
+ ESR = 0x0000000096000007
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x07: level 3 translation fault
+[...]
+Call trace:
+ regmap_mmio_read32le+0x10/0x30
+ _regmap_bus_reg_read+0x74/0xc0
+ _regmap_read+0x68/0x198
+ regmap_read+0x54/0x88
+ regmap_read_debugfs+0x140/0x380
+ regmap_map_read_file+0x30/0x48
+ full_proxy_read+0x68/0xc8
+ vfs_read+0xcc/0x310
+ ksys_read+0x7c/0x120
+ __arm64_sys_read+0x24/0x40
+ invoke_syscall.constprop.0+0x64/0x108
+ do_el0_svc+0xb0/0xd8
+ el0_svc+0x38/0x130
+ el0t_64_sync_handler+0x120/0x138
+ el0t_64_sync+0x194/0x198
+Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000)
+---[ end trace 0000000000000000 ]---
+note: tail[1217] exited with irqs disabled
+note: tail[1217] exited with preempt_count 1
+Segmentation fault
+
+Fixes: 17ce252266c7 ("dmaengine: xilinx: xdma: Add xilinx xdma driver")
+Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Anthony Brandon <anthony@amarulasolutions.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xdma-regs.h | 1 +
+ drivers/dma/xilinx/xdma.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/xdma-regs.h b/drivers/dma/xilinx/xdma-regs.h
+index 6ad08878e9386..70bca92621aa4 100644
+--- a/drivers/dma/xilinx/xdma-regs.h
++++ b/drivers/dma/xilinx/xdma-regs.h
+@@ -9,6 +9,7 @@
+
+ /* The length of register space exposed to host */
+ #define XDMA_REG_SPACE_LEN 65536
++#define XDMA_MAX_REG_OFFSET (XDMA_REG_SPACE_LEN - 4)
+
+ /*
+ * maximum number of DMA channels for each direction:
+diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c
+index 718842fdaf98e..2726c7154fcef 100644
+--- a/drivers/dma/xilinx/xdma.c
++++ b/drivers/dma/xilinx/xdma.c
+@@ -38,7 +38,7 @@ static const struct regmap_config xdma_regmap_config = {
+ .reg_bits = 32,
+ .val_bits = 32,
+ .reg_stride = 4,
+- .max_register = XDMA_REG_SPACE_LEN,
++ .max_register = XDMA_MAX_REG_OFFSET,
+ };
+
+ /**
+--
+2.51.0
+
--- /dev/null
+From bf98764610883dae8db0bcd17c9aedc5024abf2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 00:00:06 +0530
+Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when
+ "xlnx,addrwidth" property is missing
+
+From: Suraj Gupta <suraj.gupta2@amd.com>
+
+[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
+
+When device tree lacks optional "xlnx,addrwidth" property, the addr_width
+variable remained uninitialized with garbage values, causing incorrect
+DMA mask configuration and subsequent probe failure. The fix ensures a
+fallback to the default 32-bit address width when this property is missing.
+
+Signed-off-by: Suraj Gupta <suraj.gupta2@amd.com>
+Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Folker Schwesinger <dev@folker-schwesinger.de>
+Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index aa59b62cd83fb..3ad37e9b924a7 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -130,6 +130,7 @@
+ #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
+ #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
+ #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
+
+ #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
+ (XILINX_DMA_DMASR_FRM_CNT_IRQ | \
+@@ -3063,7 +3064,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct device_node *node = pdev->dev.of_node;
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+- u32 num_frames, addr_width, len_width;
++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -3137,7 +3138,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
+ if (err < 0)
+- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
++ dev_warn(xdev->dev,
++ "missing xlnx,addrwidth property, using default value %d\n",
++ XILINX_DMA_DFAULT_ADDRWIDTH);
+
+ if (addr_width > 32)
+ xdev->ext_addr = true;
+--
+2.51.0
+
--- /dev/null
+From c39362b22dcd8f81a2ad279f2bdee48bc1a53ddc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 14:42:40 +0800
+Subject: drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+[ Upstream commit 90dbc0bc2aa60021615969841fed06790c992bde ]
+
+resolving the issue of incorrect type definitions potentially causing calculation errors.
+
+Fixes: 54f7f3ca982a ("drm/amdgpu/swm14: Update power limit logic")
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit e3a03d0ae16d6b56e893cce8e52b44140e1ed985)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+index d0aed85db18cc..f34cef26b382c 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+@@ -1672,8 +1672,9 @@ static int smu_v14_0_2_get_power_limit(struct smu_context *smu,
+ table_context->power_play_table;
+ PPTable_t *pptable = table_context->driver_pptable;
+ CustomSkuTable_t *skutable = &pptable->CustomSkuTable;
+- uint32_t power_limit, od_percent_upper = 0, od_percent_lower = 0;
++ int16_t od_percent_upper = 0, od_percent_lower = 0;
+ uint32_t msg_limit = pptable->SkuTable.MsgLimits.Power[PPT_THROTTLER_PPT0][POWER_SOURCE_AC];
++ uint32_t power_limit;
+
+ if (smu_v14_0_get_current_power_limit(smu, &power_limit))
+ power_limit = smu->adev->pm.ac_power ?
+--
+2.51.0
+
--- /dev/null
+From 9de050d671c9fe2a3aa270dfab08ba10db8528d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jan 2026 09:20:59 -0600
+Subject: drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit 37a0cff4551c14aca4cfa6ef3f2f0e0f61d66825 ]
+
+Some of the warnings need to be reordered between these two functions
+in order to be correct. This has happened multiple times.
+Merging them solves this problem once and for all.
+
+Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patch.msgid.link/20260107152059.3048329-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 22 ++++++++--------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+index e8e49f13cfa2c..86834005de713 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+@@ -32,9 +32,15 @@
+
+ #include <drm/ttm/ttm_placement.h>
+
+-static void vmw_bo_release(struct vmw_bo *vbo)
++/**
++ * vmw_bo_free - vmw_bo destructor
++ *
++ * @bo: Pointer to the embedded struct ttm_buffer_object
++ */
++static void vmw_bo_free(struct ttm_buffer_object *bo)
+ {
+ struct vmw_resource *res;
++ struct vmw_bo *vbo = to_vmw_bo(&bo->base);
+
+ WARN_ON(vbo->tbo.base.funcs &&
+ kref_read(&vbo->tbo.base.refcount) != 0);
+@@ -63,20 +69,8 @@ static void vmw_bo_release(struct vmw_bo *vbo)
+ }
+ vmw_surface_unreference(&vbo->dumb_surface);
+ }
+- drm_gem_object_release(&vbo->tbo.base);
+-}
+-
+-/**
+- * vmw_bo_free - vmw_bo destructor
+- *
+- * @bo: Pointer to the embedded struct ttm_buffer_object
+- */
+-static void vmw_bo_free(struct ttm_buffer_object *bo)
+-{
+- struct vmw_bo *vbo = to_vmw_bo(&bo->base);
+-
+ WARN_ON(!RB_EMPTY_ROOT(&vbo->res_tree));
+- vmw_bo_release(vbo);
++ drm_gem_object_release(&vbo->tbo.base);
+ WARN_ON(vbo->dirty);
+ kfree(vbo);
+ }
+--
+2.51.0
+
--- /dev/null
+From 9707ac30d666e98a705e338750f8e832186a7d02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Oct 2025 19:07:42 +0100
+Subject: i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit c0c50e3743e467ec4752c638e10e97f89c8644e2 ]
+
+The I2C Hub controller is a simpler GENI I2C variant that doesn't
+support DMA at all, add a no_dma flag to make sure it nevers selects
+the SE DMA mode with mappable 32bytes long transfers.
+
+Fixes: cacd9643eca7 ("i2c: qcom-geni: add support for I2C Master Hub variant")
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Mukesh Kumar Savaliya <mukesh.savaliya@oss.qualcomm.com>>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-qcom-geni.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
+index 212336f724a69..96b024dc3f20f 100644
+--- a/drivers/i2c/busses/i2c-qcom-geni.c
++++ b/drivers/i2c/busses/i2c-qcom-geni.c
+@@ -97,6 +97,7 @@ struct geni_i2c_dev {
+ dma_addr_t dma_addr;
+ struct dma_chan *tx_c;
+ struct dma_chan *rx_c;
++ bool no_dma;
+ bool gpi_mode;
+ bool abort_done;
+ };
+@@ -411,7 +412,7 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
+ size_t len = msg->len;
+ struct i2c_msg *cur;
+
+- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
+ if (dma_buf)
+ geni_se_select_mode(se, GENI_SE_DMA);
+ else
+@@ -450,7 +451,7 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
+ size_t len = msg->len;
+ struct i2c_msg *cur;
+
+- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
+ if (dma_buf)
+ geni_se_select_mode(se, GENI_SE_DMA);
+ else
+@@ -865,10 +866,12 @@ static int geni_i2c_probe(struct platform_device *pdev)
+ return -ENXIO;
+ }
+
+- if (desc && desc->no_dma_support)
++ if (desc && desc->no_dma_support) {
+ fifo_disable = false;
+- else
++ gi2c->no_dma = true;
++ } else {
+ fifo_disable = readl_relaxed(gi2c->se.base + GENI_IF_DISABLE_RO) & FIFO_IF_DISABLE;
++ }
+
+ if (fifo_disable) {
+ /* FIFO is disabled, so we can only use GPI DMA */
+--
+2.51.0
+
--- /dev/null
+From 135f2e49c0d865d112d3bafd11679f4a64d6654e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jan 2026 16:31:09 +0000
+Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]
+
+Blamed commit did not take care of VLAN encapsulations
+as spotted by syzbot [1].
+
+Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
+
+[1]
+ BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
+ __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
+ ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
+ gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
+ ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
+ ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
+ ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
+ dst_input include/net/dst.h:474 [inline]
+ ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
+ __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
+ __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
+ netif_receive_skb_internal net/core/dev.c:6338 [inline]
+ netif_receive_skb+0x57/0x630 net/core/dev.c:6397
+ tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
+ tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4960 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
+ kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
+ __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
+ alloc_skb include/linux/skbuff.h:1383 [inline]
+ alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
+ sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
+ tun_alloc_skb drivers/net/tun.c:1461 [inline]
+ tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+
+Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index 6450ecf0d0a74..9f1b66bb513c7 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -844,7 +844,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
+
+ skb_reset_network_header(skb);
+
+- if (!pskb_inet_may_pull(skb)) {
++ if (skb_vlan_inet_prepare(skb, true)) {
+ DEV_STATS_INC(tunnel->dev, rx_length_errors);
+ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto drop;
+--
+2.51.0
+
--- /dev/null
+From c1f071ac1316f4f00d8fe1d6bc5efe84d43d3245 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 19:02:14 +0000
+Subject: ipv4: ip_gre: make ipgre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
+
+Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+
+Over the years, syzbot found many ways to crash the kernel
+in ipgre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ipgre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
+ kernel BUG at net/core/skbuff.c:213 !
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: mld mld_ifc_work
+ RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
+Call Trace:
+ <TASK>
+ skb_under_panic net/core/skbuff.c:223 [inline]
+ skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+ ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
+ dev_hard_header include/linux/netdevice.h:3436 [inline]
+ neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
+Closes: https://www.spinics.net/lists/netdev/msg1147302.html
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 9667f27740258..be85dbe74ac8c 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -889,10 +889,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ const void *daddr, const void *saddr, unsigned int len)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct iphdr *iph;
+ struct gre_base_hdr *greh;
++ struct iphdr *iph;
++ int needed;
++
++ needed = t->hlen + sizeof(*iph);
++ if (skb_headroom(skb) < needed &&
++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++ 0, GFP_ATOMIC))
++ return -needed;
+
+- iph = skb_push(skb, t->hlen + sizeof(*iph));
++ iph = skb_push(skb, needed);
+ greh = (struct gre_base_hdr *)(iph+1);
+ greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
+ greh->protocol = htons(type);
+--
+2.51.0
+
--- /dev/null
+From ee1176c1b8b5be253eff33bc4ce7b027c93083d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 01:05:08 +0000
+Subject: ipv6: Fix use-after-free in inet6_addr_del().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ]
+
+syzbot reported use-after-free of inet6_ifaddr in
+inet6_addr_del(). [0]
+
+The cited commit accidentally moved ipv6_del_addr() for
+mngtmpaddr before reading its ifp->flags for temporary
+addresses in inet6_addr_del().
+
+Let's move ipv6_del_addr() down to fix the UAF.
+
+[0]:
+BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593
+
+CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+ addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
+ inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f164cf8f749
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749
+RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003
+RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288
+ </TASK>
+
+Allocated by task 9593:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
+ kmalloc_noprof include/linux/slab.h:957 [inline]
+ kzalloc_noprof include/linux/slab.h:1094 [inline]
+ ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
+ inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
+ addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
+ inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6099:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
+ poison_slab_object mm/kasan/common.c:252 [inline]
+ __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
+ kasan_slab_free include/linux/kasan.h:234 [inline]
+ slab_free_hook mm/slub.c:2540 [inline]
+ slab_free_freelist_hook mm/slub.c:2569 [inline]
+ slab_free_bulk mm/slub.c:6696 [inline]
+ kmem_cache_free_bulk mm/slub.c:7383 [inline]
+ kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
+ kfree_bulk include/linux/slab.h:830 [inline]
+ kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
+ kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
+ kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
+ process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
+ process_scheduled_works kernel/workqueue.c:3340 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
+ kthread+0x3c5/0x780 kernel/kthread.c:463
+ ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: 00b5b7aab9e42 ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged")
+Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 228cf72e52503..e57a2b1841616 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3141,12 +3141,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags,
+ in6_ifa_hold(ifp);
+ read_unlock_bh(&idev->lock);
+
+- ipv6_del_addr(ifp);
+-
+ if (!(ifp->flags & IFA_F_TEMPORARY) &&
+ (ifp->flags & IFA_F_MANAGETEMPADDR))
+ delete_tempaddrs(idev, ifp);
+
++ ipv6_del_addr(ifp);
++
+ addrconf_verify_rtnl(net);
+ if (ipv6_addr_is_multicast(pfx)) {
+ ipv6_mc_config(net->ipv6.mc_autojoin_sk,
+--
+2.51.0
+
--- /dev/null
+From 7d656fafd59cffa4e59d9287a09378465c68e790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:36:51 +0000
+Subject: macvlan: fix possible UAF in macvlan_forward_source()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]
+
+Add RCU protection on (struct macvlan_source_entry)->vlan.
+
+Whenever macvlan_hash_del_source() is called, we must clear
+entry->vlan pointer before RCU grace period starts.
+
+This allows macvlan_forward_source() to skip over
+entries queued for freeing.
+
+Note that macvlan_dev are already RCU protected, as they
+are embedded in a standard netdev (netdev_priv(ndev)).
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
+https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index cf18e66de142c..ee59b57dfb53a 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -58,7 +58,7 @@ struct macvlan_port {
+
+ struct macvlan_source_entry {
+ struct hlist_node hlist;
+- struct macvlan_dev *vlan;
++ struct macvlan_dev __rcu *vlan;
+ unsigned char addr[6+2] __aligned(sizeof(u16));
+ struct rcu_head rcu;
+ };
+@@ -145,7 +145,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+- entry->vlan == vlan)
++ rcu_access_pointer(entry->vlan) == vlan)
+ return entry;
+ }
+ return NULL;
+@@ -167,7 +167,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan,
+ return -ENOMEM;
+
+ ether_addr_copy(entry->addr, addr);
+- entry->vlan = vlan;
++ RCU_INIT_POINTER(entry->vlan, vlan);
+ h = &port->vlan_source_hash[macvlan_eth_hash(addr)];
+ hlist_add_head_rcu(&entry->hlist, h);
+ vlan->macaddr_count++;
+@@ -186,6 +186,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan)
+
+ static void macvlan_hash_del_source(struct macvlan_source_entry *entry)
+ {
++ RCU_INIT_POINTER(entry->vlan, NULL);
+ hlist_del_rcu(&entry->hlist);
+ kfree_rcu(entry, rcu);
+ }
+@@ -389,7 +390,7 @@ static void macvlan_flush_sources(struct macvlan_port *port,
+ int i;
+
+ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
+- if (entry->vlan == vlan)
++ if (rcu_access_pointer(entry->vlan) == vlan)
+ macvlan_hash_del_source(entry);
+
+ vlan->macaddr_count = 0;
+@@ -432,9 +433,14 @@ static bool macvlan_forward_source(struct sk_buff *skb,
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+ if (ether_addr_equal_64bits(entry->addr, addr)) {
+- if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan);
++
++ if (!vlan)
++ continue;
++
++ if (vlan->flags & MACVLAN_FLAG_NODST)
+ consume = true;
+- macvlan_forward_source_one(skb, entry->vlan);
++ macvlan_forward_source_one(skb, vlan);
+ }
+ }
+
+@@ -1676,7 +1682,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct macvlan_source_entry *entry;
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+- if (entry->vlan != vlan)
++ if (rcu_access_pointer(entry->vlan) != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+ return 1;
+--
+2.51.0
+
--- /dev/null
+From 713c6d9d2eac2e6f7aafd5645a50f7bad2a15872 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:04 +0700
+Subject: mm: describe @flags parameter in memalloc_flags_save()
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit e2fb7836b01747815f8bb94981c35f2688afb120 ]
+
+Patch series "mm kernel-doc fixes".
+
+Here are kernel-doc fixes for mm subsystem. I'm also including textsearch
+fix since there's currently no maintainer for include/linux/textsearch.h
+(get_maintainer.pl only shows LKML).
+
+This patch (of 4):
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/sched/mm.h:332 function parameter 'flags' not described in 'memalloc_flags_save'
+
+Describe @flags to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-2-bagasdotme@gmail.com
+Link: https://lkml.kernel.org/r/20251219014006.16328-3-bagasdotme@gmail.com
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Fixes: 3f6d5e6a468d ("mm: introduce memalloc_flags_{save,restore}")
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Acked-by: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/mm.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
+index 928a626725e69..ddcaaa499a044 100644
+--- a/include/linux/sched/mm.h
++++ b/include/linux/sched/mm.h
+@@ -323,6 +323,7 @@ static inline void might_alloc(gfp_t gfp_mask)
+
+ /**
+ * memalloc_flags_save - Add a PF_* flag to current->flags, save old value
++ * @flags: Flags to add.
+ *
+ * This allows PF_* flags to be conveniently added, irrespective of current
+ * value, and then the old version restored with memalloc_flags_restore().
+--
+2.51.0
+
--- /dev/null
+From 7b641a42c5e77f6e6766075d8c657a16689c9c9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:07 +0700
+Subject: mm, kfence: describe @slab parameter in __kfence_obj_info()
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
+
+Fix it by describing @slab parameter.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
+Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Marco Elver <elver@google.com>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Acked-by: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kfence.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index 0ad1ddbb8b996..e5822f6e7f279 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -211,6 +211,7 @@ struct kmem_obj_info;
+ * __kfence_obj_info() - fill kmem_obj_info struct
+ * @kpp: kmem_obj_info to be filled
+ * @object: the object
++ * @slab: the slab
+ *
+ * Return:
+ * * false - not a KFENCE object
+--
+2.51.0
+
--- /dev/null
+From 7276775f90a7f0883d4f6e38989234b1ddef4807 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 09:38:06 +0000
+Subject: net: bridge: annotate data-races around fdb->{updated,used}
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b25a0b4a2193407aa72a4cd1df66a7ed07dd4f1e ]
+
+fdb->updated and fdb->used are read and written locklessly.
+
+Add READ_ONCE()/WRITE_ONCE() annotations.
+
+Fixes: 31cbc39b6344 ("net: bridge: add option to allow activity notifications for any fdb entries")
+Reported-by: syzbot+bfab43087ad57222ce96@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e3d74.050a0220.1c677c.035f.GAE@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260108093806.834459-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c | 28 ++++++++++++++++------------
+ net/bridge/br_input.c | 4 ++--
+ 2 files changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 642b8ccaae8ea..9dd405b64fcc9 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -70,7 +70,7 @@ static inline int has_expired(const struct net_bridge *br,
+ {
+ return !test_bit(BR_FDB_STATIC, &fdb->flags) &&
+ !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) &&
+- time_before_eq(fdb->updated + hold_time(br), jiffies);
++ time_before_eq(READ_ONCE(fdb->updated) + hold_time(br), jiffies);
+ }
+
+ static void fdb_rcu_free(struct rcu_head *head)
+@@ -133,9 +133,9 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
+ if (nla_put_u32(skb, NDA_FLAGS_EXT, ext_flags))
+ goto nla_put_failure;
+
+- ci.ndm_used = jiffies_to_clock_t(now - fdb->used);
++ ci.ndm_used = jiffies_to_clock_t(now - READ_ONCE(fdb->used));
+ ci.ndm_confirmed = 0;
+- ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated);
++ ci.ndm_updated = jiffies_to_clock_t(now - READ_ONCE(fdb->updated));
+ ci.ndm_refcnt = 0;
+ if (nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci))
+ goto nla_put_failure;
+@@ -552,7 +552,7 @@ void br_fdb_cleanup(struct work_struct *work)
+ */
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+- unsigned long this_timer = f->updated + delay;
++ unsigned long this_timer = READ_ONCE(f->updated) + delay;
+
+ if (test_bit(BR_FDB_STATIC, &f->flags) ||
+ test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags)) {
+@@ -829,6 +829,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+ {
+ struct net_bridge_fdb_entry *f;
+ struct __fdb_entry *fe = buf;
++ unsigned long delta;
+ int num = 0;
+
+ memset(buf, 0, maxnum*sizeof(struct __fdb_entry));
+@@ -858,8 +859,11 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+ fe->port_hi = f->dst->port_no >> 8;
+
+ fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
+- if (!test_bit(BR_FDB_STATIC, &f->flags))
+- fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated);
++ if (!test_bit(BR_FDB_STATIC, &f->flags)) {
++ delta = jiffies - READ_ONCE(f->updated);
++ fe->ageing_timer_value =
++ jiffies_delta_to_clock_t(delta);
++ }
+ ++fe;
+ ++num;
+ }
+@@ -907,8 +911,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+ unsigned long now = jiffies;
+ bool fdb_modified = false;
+
+- if (now != fdb->updated) {
+- fdb->updated = now;
++ if (now != READ_ONCE(fdb->updated)) {
++ WRITE_ONCE(fdb->updated, now);
+ fdb_modified = __fdb_mark_active(fdb);
+ }
+
+@@ -1146,10 +1150,10 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ if (fdb_handle_notify(fdb, notify))
+ modified = true;
+
+- fdb->used = jiffies;
++ WRITE_ONCE(fdb->used, jiffies);
+ if (modified) {
+ if (refresh)
+- fdb->updated = jiffies;
++ WRITE_ONCE(fdb->updated, jiffies);
+ fdb_notify(br, fdb, RTM_NEWNEIGH, true);
+ }
+
+@@ -1462,7 +1466,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ goto err_unlock;
+ }
+
+- fdb->updated = jiffies;
++ WRITE_ONCE(fdb->updated, jiffies);
+
+ if (READ_ONCE(fdb->dst) != p) {
+ WRITE_ONCE(fdb->dst, p);
+@@ -1471,7 +1475,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+
+ if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
+ /* Refresh entry */
+- fdb->used = jiffies;
++ WRITE_ONCE(fdb->used, jiffies);
+ } else {
+ modified = true;
+ }
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 2eb2bb6643885..8c26605c4cc1e 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -207,8 +207,8 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ if (test_bit(BR_FDB_LOCAL, &dst->flags))
+ return br_pass_frame_up(skb, false);
+
+- if (now != dst->used)
+- dst->used = now;
++ if (now != READ_ONCE(dst->used))
++ WRITE_ONCE(dst->used, now);
+ br_forward(dst->dst, skb, local_rcv, false);
+ } else {
+ if (!mcast_hit)
+--
+2.51.0
+
--- /dev/null
+From 6eebcf6d9bf65b890546fc514db40c66e96b4cc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 02:01:33 -0800
+Subject: net: hv_netvsc: reject RSS hash key programming without RX
+ indirection table
+
+From: Aditya Garg <gargaditya@linux.microsoft.com>
+
+[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ]
+
+RSS configuration requires a valid RX indirection table. When the device
+reports a single receive queue, rndis_filter_device_add() does not
+allocate an indirection table, accepting RSS hash key updates in this
+state leads to a hang.
+
+Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
+-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
+capabilities and prevents incorrect behavior.
+
+Fixes: 962f3fee83a4 ("netvsc: add ethtool ops to get/set RSS key")
+Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com>
+Reviewed-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index d6fe8b5184a99..5f612528aa53a 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1765,6 +1765,9 @@ static int netvsc_set_rxfh(struct net_device *dev,
+ rxfh->hfunc != ETH_RSS_HASH_TOP)
+ return -EOPNOTSUPP;
+
++ if (!ndc->rx_table_sz)
++ return -EOPNOTSUPP;
++
+ rndis_dev = ndev->extension;
+ if (rxfh->indir) {
+ for (i = 0; i < ndc->rx_table_sz; i++)
+--
+2.51.0
+
--- /dev/null
+From 50bcef8a1afb9a4fcb28e9dd27bbd580a4749f04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:55 -0800
+Subject: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 123eda2e5b1638e298e3a66bb1e64a8da92de5e1 ]
+
+mlx5e_priv is an unstable structure that can be memset(0) if profile
+attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to
+reference the netdev and mdev associated with that struct. Instead,
+store netdev directly into mlx5e_dev and get mdev from the containing
+mlx5_adev aux device structure.
+
+This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
+to change profile failure.
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg:
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
+
+$ devlink dev reload pci/0000:00:03.0 ==> oops
+
+BUG: kernel NULL pointer dereference, address: 0000000000000520
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
+RIP: 0010:mlx5e_remove+0x68/0x130
+RSP: 0018:ffffc900034838f0 EFLAGS: 00010246
+RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
+RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10
+R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0
+R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400
+FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0
+Call Trace:
+ <TASK>
+ device_release_driver_internal+0x19c/0x200
+ bus_remove_device+0xc6/0x130
+ device_del+0x160/0x3d0
+ ? devl_param_driverinit_value_get+0x2d/0x90
+ mlx5_detach_device+0x89/0xe0
+ mlx5_unload_one_devl_locked+0x3a/0x70
+ mlx5_devlink_reload_down+0xc8/0x220
+ devlink_reload+0x7d/0x260
+ devlink_nl_reload_doit+0x45b/0x5a0
+ genl_family_rcv_msg_doit+0xe8/0x140
+
+Fixes: ee75f1fc44dd ("net/mlx5e: Create separate devlink instance for ethernet auxiliary device")
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-3-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 4ef8512e1427 ("net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +-
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++---------
+ 2 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+index 7c0420deb270c..084c68479f734 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -946,7 +946,7 @@ struct mlx5e_priv {
+ };
+
+ struct mlx5e_dev {
+- struct mlx5e_priv *priv;
++ struct net_device *netdev;
+ struct devlink_port dl_port;
+ };
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index af70025b129b7..4e2f985273a39 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6323,8 +6323,8 @@ static int _mlx5e_resume(struct auxiliary_device *adev)
+ {
+ struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
+ struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
+- struct mlx5e_priv *priv = mlx5e_dev->priv;
+- struct net_device *netdev = priv->netdev;
++ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev);
++ struct net_device *netdev = mlx5e_dev->netdev;
+ struct mlx5_core_dev *mdev = edev->mdev;
+ struct mlx5_core_dev *pos, *to;
+ int err, i;
+@@ -6370,10 +6370,11 @@ static int mlx5e_resume(struct auxiliary_device *adev)
+
+ static int _mlx5e_suspend(struct auxiliary_device *adev, bool pre_netdev_reg)
+ {
++ struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
+ struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
+- struct mlx5e_priv *priv = mlx5e_dev->priv;
+- struct net_device *netdev = priv->netdev;
+- struct mlx5_core_dev *mdev = priv->mdev;
++ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev);
++ struct net_device *netdev = mlx5e_dev->netdev;
++ struct mlx5_core_dev *mdev = edev->mdev;
+ struct mlx5_core_dev *pos;
+ int i;
+
+@@ -6434,11 +6435,11 @@ static int _mlx5e_probe(struct auxiliary_device *adev)
+ goto err_devlink_port_unregister;
+ }
+ SET_NETDEV_DEVLINK_PORT(netdev, &mlx5e_dev->dl_port);
++ mlx5e_dev->netdev = netdev;
+
+ mlx5e_build_nic_netdev(netdev);
+
+ priv = netdev_priv(netdev);
+- mlx5e_dev->priv = priv;
+
+ priv->profile = profile;
+ priv->ppriv = NULL;
+@@ -6501,7 +6502,8 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
+ {
+ struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
+ struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
+- struct mlx5e_priv *priv = mlx5e_dev->priv;
++ struct net_device *netdev = mlx5e_dev->netdev;
++ struct mlx5e_priv *priv = netdev_priv(netdev);
+ struct mlx5_core_dev *mdev = edev->mdev;
+
+ mlx5_core_uplink_netdev_set(mdev, NULL);
+@@ -6510,8 +6512,8 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
+ * if it's from legacy mode. If from switchdev mode, it
+ * is already unregistered before changing to NIC profile.
+ */
+- if (priv->netdev->reg_state == NETREG_REGISTERED) {
+- unregister_netdev(priv->netdev);
++ if (netdev->reg_state == NETREG_REGISTERED) {
++ unregister_netdev(netdev);
+ _mlx5e_suspend(adev, false);
+ } else {
+ struct mlx5_core_dev *pos;
+--
+2.51.0
+
--- /dev/null
+From def160ec1a755ae8664a4b14221148e5f6f67228 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:54 -0800
+Subject: net/mlx5e: Fix crash on profile change rollback failure
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 4dadc4077e3f77d6d31e199a925fc7a705e7adeb ]
+
+mlx5e_netdev_change_profile can fail to attach a new profile and can
+fail to rollback to old profile, in such case, we could end up with a
+dangling netdev with a fully reset netdev_priv. A retry to change
+profile, e.g. another attempt to call mlx5e_netdev_change_profile via
+switchdev mode change, will crash trying to access the now NULL
+priv->mdev.
+
+This fix allows mlx5e_netdev_change_profile() to handle previous
+failures and an empty priv, by not assuming priv is valid.
+
+Pass netdev and mdev to all flows requiring
+mlx5e_netdev_change_profile() and avoid passing priv.
+In mlx5e_netdev_change_profile() check if current priv is valid, and if
+not, just attach the new profile without trying to access the old one.
+
+This fixes the following oops, when enabling switchdev mode for the 2nd
+time after first time failure:
+
+ ## Enabling switchdev mode first time:
+
+mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
+ ^^^^^^^^
+mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
+
+ ## retry: Enabling switchdev mode 2nd time:
+
+mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload
+BUG: kernel NULL pointer dereference, address: 0000000000000038
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
+RIP: 0010:mlx5e_detach_netdev+0x3c/0x90
+Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07
+RSP: 0018:ffffc90000673890 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000
+RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000
+R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000
+R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000
+FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0
+Call Trace:
+ <TASK>
+ mlx5e_netdev_change_profile+0x45/0xb0
+ mlx5e_vport_rep_load+0x27b/0x2d0
+ mlx5_esw_offloads_rep_load+0x72/0xf0
+ esw_offloads_enable+0x5d0/0x970
+ mlx5_eswitch_enable_locked+0x349/0x430
+ ? is_mp_supported+0x57/0xb0
+ mlx5_devlink_eswitch_mode_set+0x26b/0x430
+ devlink_nl_eswitch_set_doit+0x6f/0xf0
+ genl_family_rcv_msg_doit+0xe8/0x140
+ genl_rcv_msg+0x18b/0x290
+ ? __pfx_devlink_nl_pre_doit+0x10/0x10
+ ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10
+ ? __pfx_devlink_nl_post_doit+0x10/0x10
+ ? __pfx_genl_rcv_msg+0x10/0x10
+ netlink_rcv_skb+0x52/0x100
+ genl_rcv+0x28/0x40
+ netlink_unicast+0x282/0x3e0
+ ? __alloc_skb+0xd6/0x190
+ netlink_sendmsg+0x1f7/0x430
+ __sys_sendto+0x213/0x220
+ ? __sys_recvmsg+0x6a/0xd0
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0x50/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+RIP: 0033:0x7fdfb8495047
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-2-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h | 9 ++--
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 48 +++++++++++++------
+ .../net/ethernet/mellanox/mlx5/core/en_rep.c | 11 ++---
+ 3 files changed, 44 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+index f2952a6b0db73..7c0420deb270c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -1221,9 +1221,12 @@ mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *prof
+ int mlx5e_attach_netdev(struct mlx5e_priv *priv);
+ void mlx5e_detach_netdev(struct mlx5e_priv *priv);
+ void mlx5e_destroy_netdev(struct mlx5e_priv *priv);
+-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
+- const struct mlx5e_profile *new_profile, void *new_ppriv);
+-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv);
++int mlx5e_netdev_change_profile(struct net_device *netdev,
++ struct mlx5_core_dev *mdev,
++ const struct mlx5e_profile *new_profile,
++ void *new_ppriv);
++void mlx5e_netdev_attach_nic_profile(struct net_device *netdev,
++ struct mlx5_core_dev *mdev);
+ void mlx5e_set_netdev_mtu_boundaries(struct mlx5e_priv *priv);
+ void mlx5e_build_nic_params(struct mlx5e_priv *priv, struct mlx5e_xsk *xsk, u16 mtu);
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 7e04a17fa3b82..af70025b129b7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6252,19 +6252,28 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde
+ return err;
+ }
+
+-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
+- const struct mlx5e_profile *new_profile, void *new_ppriv)
++int mlx5e_netdev_change_profile(struct net_device *netdev,
++ struct mlx5_core_dev *mdev,
++ const struct mlx5e_profile *new_profile,
++ void *new_ppriv)
+ {
+- const struct mlx5e_profile *orig_profile = priv->profile;
+- struct net_device *netdev = priv->netdev;
+- struct mlx5_core_dev *mdev = priv->mdev;
+- void *orig_ppriv = priv->ppriv;
++ struct mlx5e_priv *priv = netdev_priv(netdev);
++ const struct mlx5e_profile *orig_profile;
+ int err, rollback_err;
++ void *orig_ppriv;
+
+- /* cleanup old profile */
+- mlx5e_detach_netdev(priv);
+- priv->profile->cleanup(priv);
+- mlx5e_priv_cleanup(priv);
++ orig_profile = priv->profile;
++ orig_ppriv = priv->ppriv;
++
++ /* NULL could happen if previous change_profile failed to rollback */
++ if (priv->profile) {
++ WARN_ON_ONCE(priv->mdev != mdev);
++ /* cleanup old profile */
++ mlx5e_detach_netdev(priv);
++ priv->profile->cleanup(priv);
++ mlx5e_priv_cleanup(priv);
++ }
++ /* priv members are not valid from this point ... */
+
+ if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
+ mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv);
+@@ -6281,16 +6290,25 @@ int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
+ return 0;
+
+ rollback:
++ if (!orig_profile) {
++ netdev_warn(netdev, "no original profile to rollback to\n");
++ priv->profile = NULL;
++ return err;
++ }
++
+ rollback_err = mlx5e_netdev_attach_profile(netdev, mdev, orig_profile, orig_ppriv);
+- if (rollback_err)
+- netdev_err(netdev, "%s: failed to rollback to orig profile, %d\n",
+- __func__, rollback_err);
++ if (rollback_err) {
++ netdev_err(netdev, "failed to rollback to orig profile, %d\n",
++ rollback_err);
++ priv->profile = NULL;
++ }
+ return err;
+ }
+
+-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv)
++void mlx5e_netdev_attach_nic_profile(struct net_device *netdev,
++ struct mlx5_core_dev *mdev)
+ {
+- mlx5e_netdev_change_profile(priv, &mlx5e_nic_profile, NULL);
++ mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL);
+ }
+
+ void mlx5e_destroy_netdev(struct mlx5e_priv *priv)
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index b561358474c4f..b461954b974c6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -1499,17 +1499,16 @@ mlx5e_vport_uplink_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *
+ {
+ struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep);
+ struct net_device *netdev;
+- struct mlx5e_priv *priv;
+ int err;
+
+ netdev = mlx5_uplink_netdev_get(dev);
+ if (!netdev)
+ return 0;
+
+- priv = netdev_priv(netdev);
+- rpriv->netdev = priv->netdev;
+- err = mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile,
+- rpriv);
++ /* must not use netdev_priv(netdev), it might not be initialized yet */
++ rpriv->netdev = netdev;
++ err = mlx5e_netdev_change_profile(netdev, dev,
++ &mlx5e_uplink_rep_profile, rpriv);
+ mlx5_uplink_netdev_put(dev, netdev);
+ return err;
+ }
+@@ -1537,7 +1536,7 @@ mlx5e_vport_uplink_rep_unload(struct mlx5e_rep_priv *rpriv)
+ if (!(priv->mdev->priv.flags & MLX5_PRIV_FLAGS_SWITCH_LEGACY))
+ unregister_netdev(netdev);
+
+- mlx5e_netdev_attach_nic_profile(priv);
++ mlx5e_netdev_attach_nic_profile(netdev, priv->mdev);
+ }
+
+ static int
+--
+2.51.0
+
--- /dev/null
+From 826bbea43f9cbd4af1dd896e291f843271a9e1cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:56 -0800
+Subject: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 4ef8512e1427111f7ba92b4a847d181ff0aeec42 ]
+
+mlx5e_priv is an unstable structure that can be memset(0) if profile
+attaching fails.
+
+Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a
+valid netdev.
+
+On mlx5e_remove: Check validity of priv->profile, before attempting
+to cleanup any resources that might be not there.
+
+This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
+to change profile failure.
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg:
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
+
+$ devlink dev reload pci/0000:00:03.0 ==> oops
+
+BUG: kernel NULL pointer dereference, address: 0000000000000370
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
+RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100
+RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286
+RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0
+RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10
+R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0
+R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400
+FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0
+Call Trace:
+ <TASK>
+ mlx5e_remove+0x57/0x110
+ device_release_driver_internal+0x19c/0x200
+ bus_remove_device+0xc6/0x130
+ device_del+0x160/0x3d0
+ ? devl_param_driverinit_value_get+0x2d/0x90
+ mlx5_detach_device+0x89/0xe0
+ mlx5_unload_one_devl_locked+0x3a/0x70
+ mlx5_devlink_reload_down+0xc8/0x220
+ devlink_reload+0x7d/0x260
+ devlink_nl_reload_doit+0x45b/0x5a0
+ genl_family_rcv_msg_doit+0xe8/0x140
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-4-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++------
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 4 ++--
+ 3 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+index 084c68479f734..8245a149cdf85 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -1220,7 +1220,7 @@ struct net_device *
+ mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *profile);
+ int mlx5e_attach_netdev(struct mlx5e_priv *priv);
+ void mlx5e_detach_netdev(struct mlx5e_priv *priv);
+-void mlx5e_destroy_netdev(struct mlx5e_priv *priv);
++void mlx5e_destroy_netdev(struct net_device *netdev);
+ int mlx5e_netdev_change_profile(struct net_device *netdev,
+ struct mlx5_core_dev *mdev,
+ const struct mlx5e_profile *new_profile,
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 4e2f985273a39..5085bc8965dff 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6311,11 +6311,12 @@ void mlx5e_netdev_attach_nic_profile(struct net_device *netdev,
+ mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL);
+ }
+
+-void mlx5e_destroy_netdev(struct mlx5e_priv *priv)
++void mlx5e_destroy_netdev(struct net_device *netdev)
+ {
+- struct net_device *netdev = priv->netdev;
++ struct mlx5e_priv *priv = netdev_priv(netdev);
+
+- mlx5e_priv_cleanup(priv);
++ if (priv->profile)
++ mlx5e_priv_cleanup(priv);
+ free_netdev(netdev);
+ }
+
+@@ -6472,7 +6473,7 @@ static int _mlx5e_probe(struct auxiliary_device *adev)
+ err_profile_cleanup:
+ profile->cleanup(priv);
+ err_destroy_netdev:
+- mlx5e_destroy_netdev(priv);
++ mlx5e_destroy_netdev(netdev);
+ err_devlink_port_unregister:
+ mlx5e_devlink_port_unregister(mlx5e_dev);
+ err_devlink_unregister:
+@@ -6507,7 +6508,9 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
+ struct mlx5_core_dev *mdev = edev->mdev;
+
+ mlx5_core_uplink_netdev_set(mdev, NULL);
+- mlx5e_dcbnl_delete_app(priv);
++
++ if (priv->profile)
++ mlx5e_dcbnl_delete_app(priv);
+ /* When unload driver, the netdev is in registered state
+ * if it's from legacy mode. If from switchdev mode, it
+ * is already unregistered before changing to NIC profile.
+@@ -6528,7 +6531,7 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
+ /* Avoid cleanup if profile rollback failed. */
+ if (priv->profile)
+ priv->profile->cleanup(priv);
+- mlx5e_destroy_netdev(priv);
++ mlx5e_destroy_netdev(netdev);
+ mlx5e_devlink_port_unregister(mlx5e_dev);
+ mlx5e_destroy_devlink(mlx5e_dev);
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index b461954b974c6..763b264721af1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -1602,7 +1602,7 @@ mlx5e_vport_vf_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *rep)
+ priv->profile->cleanup(priv);
+
+ err_destroy_netdev:
+- mlx5e_destroy_netdev(netdev_priv(netdev));
++ mlx5e_destroy_netdev(netdev);
+ return err;
+ }
+
+@@ -1657,7 +1657,7 @@ mlx5e_vport_rep_unload(struct mlx5_eswitch_rep *rep)
+ mlx5e_rep_vnic_reporter_destroy(priv);
+ mlx5e_detach_netdev(priv);
+ priv->profile->cleanup(priv);
+- mlx5e_destroy_netdev(priv);
++ mlx5e_destroy_netdev(netdev);
+ free_ppriv:
+ kvfree(ppriv); /* mlx5e_rep_priv */
+ }
+--
+2.51.0
+
--- /dev/null
+From 8c0990cdac9c743e14cc590c25db1d33f4e778ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:57 -0800
+Subject: net/mlx5e: Restore destroying state bit after profile cleanup
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ]
+
+Profile rollback can fail in mlx5e_netdev_change_profile() and we will
+end up with invalid mlx5e_priv memset to 0, we must maintain the
+'destroying' bit in order to gracefully shutdown even if the
+profile/priv are not valid.
+
+This patch maintains the previous state of the 'destroying' state of
+mlx5e_priv after priv cleanup, to allow the remove flow to cleanup
+common resources from mlx5_core to avoid FW fatal errors as seen below:
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+ Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ...
+
+$ devlink dev reload pci/0000:00:03.0
+
+mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
+mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected
+mlx5_core 0000:00:03.0: firmware version: 28.41.1000
+mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link)
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here
+mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver
+mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start
+mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms.
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 5085bc8965dff..5736ed61e6eba 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6000,6 +6000,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv,
+
+ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ {
++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ int i;
+
+ /* bail if change profile failed and also rollback failed */
+@@ -6026,6 +6027,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ }
+
+ memset(priv, 0, sizeof(*priv));
++ if (destroying) /* restore destroying bit, to allow unload */
++ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ }
+
+ static unsigned int mlx5e_get_max_num_txqs(struct mlx5_core_dev *mdev,
+--
+2.51.0
+
--- /dev/null
+From 86e84db3b43e89b0fe7b64732b6ccf731dcdcc41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jan 2026 00:42:57 +0800
+Subject: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit f93fc5d12d69012788f82151bee55fce937e1432 ]
+
+octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to
+ioq_vector. If request_irq() fails part-way, the rollback loop calls
+free_irq() with dev_id set to 'oct', which does not match the original
+dev_id and may leave the irqaction registered.
+
+This can keep IRQ handlers alive while ioq_vector is later freed during
+unwind/teardown, leading to a use-after-free or crash when an interrupt
+fires.
+
+Fix the error path to free IRQs with the same ioq_vector dev_id used
+during request_irq().
+
+Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Link: https://patch.msgid.link/20260108164256.1749-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
+index ccb69bc5c9529..b9430c4a33a32 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
+@@ -220,7 +220,7 @@ static int octep_vf_request_irqs(struct octep_vf_device *oct)
+ ioq_irq_err:
+ while (i) {
+ --i;
+- free_irq(oct->msix_entries[i].vector, oct);
++ free_irq(oct->msix_entries[i].vector, oct->ioq_vector[i]);
+ }
+ return -1;
+ }
+--
+2.51.0
+
--- /dev/null
+From 7e103bc11882acc672661d4af7f5cbc1a15df98e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 998030d6ce2dd..d8dabc1a620bd 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -532,8 +532,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From d0fb3322fd902e4f09457f6a09a2b2e37636d978 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 09:32:44 +0000
+Subject: net: update netdev_lock_{type,name}
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ]
+
+Add missing entries in netdev_lock_type[] and netdev_lock_name[] :
+
+CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON,
+IEEE802154_MONITOR.
+
+Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting
+next time a protocol is added without updating these arrays.
+
+Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index cfd32bd02a698..1d276a26a360d 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -474,15 +474,21 @@ static const unsigned short netdev_lock_type[] = {
+ ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP,
+ ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD,
+ ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25,
++ ARPHRD_CAN, ARPHRD_MCTP,
+ ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP,
+- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
++ ARPHRD_RAWHDLC, ARPHRD_RAWIP,
++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
+ ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI,
+ ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE,
+ ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET,
+ ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL,
+ ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM,
+- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
+- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE};
++ ARPHRD_IEEE80211_RADIOTAP,
++ ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR,
++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN,
++ ARPHRD_VSOCKMON,
++ ARPHRD_VOID, ARPHRD_NONE};
+
+ static const char *const netdev_lock_name[] = {
+ "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25",
+@@ -491,15 +497,21 @@ static const char *const netdev_lock_name[] = {
+ "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP",
+ "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD",
+ "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25",
++ "_xmit_CAN", "_xmit_MCTP",
+ "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP",
+- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
++ "_xmit_RAWHDLC", "_xmit_RAWIP",
++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
+ "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI",
+ "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE",
+ "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET",
+ "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL",
+ "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM",
+- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE",
+- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"};
++ "_xmit_IEEE80211_RADIOTAP",
++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR",
++ "_xmit_PHONET", "_xmit_PHONET_PIPE",
++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN",
++ "_xmit_VSOCKMON",
++ "_xmit_VOID", "_xmit_NONE"};
+
+ static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)];
+ static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)];
+@@ -512,6 +524,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type)
+ if (netdev_lock_type[i] == dev_type)
+ return i;
+ /* the last key is used by default */
++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type);
+ return ARRAY_SIZE(netdev_lock_type) - 1;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From dc839798cda2082a37fff918a76ef602ca3dcf83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Dec 2025 11:42:31 -0500
+Subject: NFS: Fix a deadlock involving nfs_release_folio()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit cce0be6eb4971456b703aaeafd571650d314bcca ]
+
+Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery
+waiting on kthreadd, which is attempting to reclaim memory by calling
+nfs_release_folio(). The latter cannot make progress due to state
+recovery being needed.
+
+It seems that the only safe thing to do here is to kick off a writeback
+of the folio, without waiting for completion, or else kicking off an
+asynchronous commit.
+
+Reported-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Fixes: 96780ca55e3c ("NFS: fix up nfs_release_folio() to try to release the page")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/file.c | 3 ++-
+ fs/nfs/nfstrace.h | 3 +++
+ fs/nfs/write.c | 33 +++++++++++++++++++++++++++++++++
+ include/linux/nfs_fs.h | 1 +
+ 4 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/file.c b/fs/nfs/file.c
+index a16a619fb8c33..7d1840cea4444 100644
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -461,7 +461,8 @@ static bool nfs_release_folio(struct folio *folio, gfp_t gfp)
+ if ((current_gfp_context(gfp) & GFP_KERNEL) != GFP_KERNEL ||
+ current_is_kswapd() || current_is_kcompactd())
+ return false;
+- if (nfs_wb_folio(folio->mapping->host, folio) < 0)
++ if (nfs_wb_folio_reclaim(folio->mapping->host, folio) < 0 ||
++ folio_test_private(folio))
+ return false;
+ }
+ return nfs_fscache_release_folio(folio, gfp);
+diff --git a/fs/nfs/nfstrace.h b/fs/nfs/nfstrace.h
+index 1eab98c277fab..2989b6f284ff4 100644
+--- a/fs/nfs/nfstrace.h
++++ b/fs/nfs/nfstrace.h
+@@ -1039,6 +1039,9 @@ DECLARE_EVENT_CLASS(nfs_folio_event_done,
+ DEFINE_NFS_FOLIO_EVENT(nfs_aop_readpage);
+ DEFINE_NFS_FOLIO_EVENT_DONE(nfs_aop_readpage_done);
+
++DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio_reclaim);
++DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_reclaim_done);
++
+ DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio);
+ DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_done);
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 88d0e5168093a..48a8866220d1a 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -2065,6 +2065,39 @@ int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio)
+ return ret;
+ }
+
++/**
++ * nfs_wb_folio_reclaim - Write back all requests on one page
++ * @inode: pointer to page
++ * @folio: pointer to folio
++ *
++ * Assumes that the folio has been locked by the caller
++ */
++int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio)
++{
++ loff_t range_start = folio_pos(folio);
++ size_t len = folio_size(folio);
++ struct writeback_control wbc = {
++ .sync_mode = WB_SYNC_ALL,
++ .nr_to_write = 0,
++ .range_start = range_start,
++ .range_end = range_start + len - 1,
++ .for_sync = 1,
++ };
++ int ret;
++
++ if (folio_test_writeback(folio))
++ return -EBUSY;
++ if (folio_clear_dirty_for_io(folio)) {
++ trace_nfs_writeback_folio_reclaim(inode, range_start, len);
++ ret = nfs_writepage_locked(folio, &wbc);
++ trace_nfs_writeback_folio_reclaim_done(inode, range_start, len,
++ ret);
++ return ret;
++ }
++ nfs_commit_inode(inode, 0);
++ return 0;
++}
++
+ /**
+ * nfs_wb_folio - Write back all requests on one page
+ * @inode: pointer to page
+diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
+index 039898d70954f..8d2cf10294a42 100644
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -610,6 +610,7 @@ extern int nfs_update_folio(struct file *file, struct folio *folio,
+ extern int nfs_sync_inode(struct inode *inode);
+ extern int nfs_wb_all(struct inode *inode);
+ extern int nfs_wb_folio(struct inode *inode, struct folio *folio);
++extern int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio);
+ int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio);
+ extern int nfs_commit_inode(struct inode *, int);
+ extern struct nfs_commit_data *nfs_commitdata_alloc(void);
+--
+2.51.0
+
--- /dev/null
+From 60b0205c3f0cef96d7ee6ec02e884f707d190dbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Dec 2025 13:57:48 -0500
+Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shivam Kumar <kumar.shivam43666@gmail.com>
+
+[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]
+
+Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+added ttag bounds checking and data_offset
+validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
+whether the command's data structures (cmd->req.sg and cmd->iov) have
+been properly initialized before processing H2C_DATA PDUs.
+
+The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
+without NULL checks. This can be triggered by sending H2C_DATA PDU
+immediately after the ICREQ/ICRESP handshake, before
+sending a CONNECT command or NVMe write command.
+
+Attack vectors that trigger NULL pointer dereferences:
+1. H2C_DATA PDU sent before CONNECT → both pointers NULL
+2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
+3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
+
+The fix validates both cmd->req.sg and cmd->iov before calling
+nvmet_tcp_build_pdu_iovec(). Both checks are required because:
+- Uninitialized commands: both NULL
+- READ commands: cmd->req.sg allocated, cmd->iov NULL
+- WRITE commands: both allocated
+
+Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 6268b18d24569..94fab721f8cd7 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -1021,6 +1021,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+ goto err_proto;
+ }
++ /*
++ * Ensure command data structures are initialized. We must check both
++ * cmd->req.sg and cmd->iov because they can have different NULL states:
++ * - Uninitialized commands: both NULL
++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL
++ * - WRITE commands: both allocated
++ */
++ if (unlikely(!cmd->req.sg || !cmd->iov)) {
++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",
++ queue->idx, data->ttag);
++ goto err_proto;
++ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_build_pdu_iovec(cmd);
+ queue->cmd = cmd;
+--
+2.51.0
+
--- /dev/null
+From 2558901f60b27759f4b847b55e7c955b02395f25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index 9f995e156f755..6e56498d0644b 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
--- /dev/null
+From 31da01179913fe2fcc6f18677d97735c4afb5b74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 10:51:12 +0200
+Subject: phy: drop probe registration printks
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 95463cbb4fe6489921fb8c72890113dca54ce83f ]
+
+Drivers should generally be quiet on successful probe, but this is not
+followed by some PHY drivers, for example:
+
+ snps-eusb2-hsphy 88e1000.phy: Registered Snps-eUSB2 phy
+ qcom-eusb2-repeater c432000.spmi:pmic@7:phy@fd00: Registered Qcom-eUSB2 repeater
+ qcom-eusb2-repeater c432000.spmi:pmic@a:phy@fd00: Registered Qcom-eUSB2 repeater
+ qcom-eusb2-repeater c432000.spmi:pmic@b:phy@fd00: Registered Qcom-eUSB2 repeater
+ snps-eusb2-hsphy fd3000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy fd9000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy fde000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy 88e0000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy 88e2000.phy: Registered Snps-eUSB2 phy
+
+Drop (or demote to debug level) unnecessary registration info messages
+to make boot logs a little less noisy.
+
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20250523085112.11287-1-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: 1ca52c0983c3 ("phy: qcom-qusb2: Fix NULL pointer dereference on early suspend")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-bcm-ns2-pcie.c | 2 --
+ drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c | 1 -
+ drivers/phy/broadcom/phy-bcm-sr-pcie.c | 2 --
+ drivers/phy/broadcom/phy-brcm-sata.c | 2 +-
+ drivers/phy/marvell/phy-pxa-usb.c | 1 -
+ drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 2 --
+ drivers/phy/qualcomm/phy-qcom-m31.c | 2 --
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 +---
+ drivers/phy/qualcomm/phy-qcom-snps-eusb2.c | 2 --
+ drivers/phy/st/phy-stih407-usb.c | 2 --
+ drivers/phy/st/phy-stm32-usbphyc.c | 4 ++--
+ drivers/phy/ti/phy-twl4030-usb.c | 1 -
+ 12 files changed, 4 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns2-pcie.c b/drivers/phy/broadcom/phy-bcm-ns2-pcie.c
+index 2eaa41f8fc70c..67a6ae5ecba02 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns2-pcie.c
++++ b/drivers/phy/broadcom/phy-bcm-ns2-pcie.c
+@@ -61,8 +61,6 @@ static int ns2_pci_phy_probe(struct mdio_device *mdiodev)
+ return PTR_ERR(provider);
+ }
+
+- dev_info(dev, "%s PHY registered\n", dev_name(dev));
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c b/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c
+index 36ad02c33ac55..8473fa5745296 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c
++++ b/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c
+@@ -395,7 +395,6 @@ static int ns2_drd_phy_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, driver);
+
+- dev_info(dev, "Registered NS2 DRD Phy device\n");
+ queue_delayed_work(system_power_efficient_wq, &driver->wq_extcon,
+ driver->debounce_jiffies);
+
+diff --git a/drivers/phy/broadcom/phy-bcm-sr-pcie.c b/drivers/phy/broadcom/phy-bcm-sr-pcie.c
+index ff9b3862bf7af..706e1d83b4cee 100644
+--- a/drivers/phy/broadcom/phy-bcm-sr-pcie.c
++++ b/drivers/phy/broadcom/phy-bcm-sr-pcie.c
+@@ -277,8 +277,6 @@ static int sr_pcie_phy_probe(struct platform_device *pdev)
+ return PTR_ERR(provider);
+ }
+
+- dev_info(dev, "Stingray PCIe PHY driver initialized\n");
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/broadcom/phy-brcm-sata.c b/drivers/phy/broadcom/phy-brcm-sata.c
+index 228100357054d..d52dd065e8622 100644
+--- a/drivers/phy/broadcom/phy-brcm-sata.c
++++ b/drivers/phy/broadcom/phy-brcm-sata.c
+@@ -832,7 +832,7 @@ static int brcm_sata_phy_probe(struct platform_device *pdev)
+ return PTR_ERR(provider);
+ }
+
+- dev_info(dev, "registered %d port(s)\n", count);
++ dev_dbg(dev, "registered %d port(s)\n", count);
+
+ return 0;
+ }
+diff --git a/drivers/phy/marvell/phy-pxa-usb.c b/drivers/phy/marvell/phy-pxa-usb.c
+index 6c98eb9608e9c..c0bb71f80c042 100644
+--- a/drivers/phy/marvell/phy-pxa-usb.c
++++ b/drivers/phy/marvell/phy-pxa-usb.c
+@@ -325,7 +325,6 @@ static int pxa_usb_phy_probe(struct platform_device *pdev)
+ phy_create_lookup(pxa_usb_phy->phy, "usb", "mv-otg");
+ }
+
+- dev_info(dev, "Marvell PXA USB PHY");
+ return 0;
+ }
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c
+index c173c6244d9e5..3b68d20142e01 100644
+--- a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c
++++ b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c
+@@ -241,8 +241,6 @@ static int eusb2_repeater_probe(struct platform_device *pdev)
+ if (IS_ERR(phy_provider))
+ return PTR_ERR(phy_provider);
+
+- dev_info(dev, "Registered Qcom-eUSB2 repeater\n");
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-m31.c b/drivers/phy/qualcomm/phy-qcom-m31.c
+index 8b0f8a3a059c2..168ea980fda03 100644
+--- a/drivers/phy/qualcomm/phy-qcom-m31.c
++++ b/drivers/phy/qualcomm/phy-qcom-m31.c
+@@ -311,8 +311,6 @@ static int m31usb_phy_probe(struct platform_device *pdev)
+ phy_set_drvdata(qphy->phy, qphy);
+
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+- if (!IS_ERR(phy_provider))
+- dev_info(dev, "Registered M31 USB phy\n");
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+ }
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index c52655a383cef..531c3860c3160 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -1084,9 +1084,7 @@ static int qusb2_phy_probe(struct platform_device *pdev)
+ phy_set_drvdata(generic_phy, qphy);
+
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+- if (!IS_ERR(phy_provider))
+- dev_info(dev, "Registered Qcom-QUSB2 phy\n");
+- else
++ if (IS_ERR(phy_provider))
+ pm_runtime_disable(dev);
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+diff --git a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
+index e1b175f481b4e..4a1dfef5ff8ff 100644
+--- a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
+@@ -418,8 +418,6 @@ static int snps_eusb2_hsphy_probe(struct platform_device *pdev)
+ if (IS_ERR(phy_provider))
+ return PTR_ERR(phy_provider);
+
+- dev_info(dev, "Registered Snps-eUSB2 phy\n");
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/st/phy-stih407-usb.c b/drivers/phy/st/phy-stih407-usb.c
+index a4ae2cca7f637..02e6117709dca 100644
+--- a/drivers/phy/st/phy-stih407-usb.c
++++ b/drivers/phy/st/phy-stih407-usb.c
+@@ -149,8 +149,6 @@ static int stih407_usb2_picophy_probe(struct platform_device *pdev)
+ if (IS_ERR(phy_provider))
+ return PTR_ERR(phy_provider);
+
+- dev_info(dev, "STiH407 USB Generic picoPHY driver probed!");
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 9dbe60dcf3190..dbf23ae38255a 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -757,8 +757,8 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ version = readl_relaxed(usbphyc->base + STM32_USBPHYC_VERSION);
+- dev_info(dev, "registered rev:%lu.%lu\n",
+- FIELD_GET(MAJREV, version), FIELD_GET(MINREV, version));
++ dev_dbg(dev, "registered rev: %lu.%lu\n",
++ FIELD_GET(MAJREV, version), FIELD_GET(MINREV, version));
+
+ return 0;
+
+diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c
+index 6b265992d988f..e5918d3b486cc 100644
+--- a/drivers/phy/ti/phy-twl4030-usb.c
++++ b/drivers/phy/ti/phy-twl4030-usb.c
+@@ -784,7 +784,6 @@ static int twl4030_usb_probe(struct platform_device *pdev)
+ pm_runtime_mark_last_busy(&pdev->dev);
+ pm_runtime_put_autosuspend(twl->dev);
+
+- dev_info(&pdev->dev, "Initialized TWL4030 USB module\n");
+ return 0;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From f751b913f2de094958e765a3056927a89a0b65ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 17:09:12 +0100
+Subject: phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using
+ it
+
+From: Stefano Radaelli <stefano.radaelli21@gmail.com>
+
+[ Upstream commit 8becf9179a4b45104a1701010ed666b55bf4b3a6 ]
+
+Clear the PCS_TX_SWING_FULL field mask before setting the new value
+in PHY_CTRL5 register. Without clearing the mask first, the OR operation
+could leave previously set bits, resulting in incorrect register
+configuration.
+
+Fixes: 63c85ad0cd81 ("phy: fsl-imx8mp-usb: add support for phy tuning")
+Suggested-by: Leonid Segal <leonids@variscite.com>
+Acked-by: Pierluigi Passaro <pierluigi.p@variscite.com>
+Signed-off-by: Stefano Radaelli <stefano.r@variscite.com>
+Reviewed-by: Xu Yang <xu.yang_2@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Link: https://patch.msgid.link/20251219160912.561431-1-stefano.r@variscite.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+index f914f016b3d2c..043063699e064 100644
+--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
++++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+@@ -206,6 +206,7 @@ static void imx8m_phy_tune(struct imx8mq_usb_phy *imx_phy)
+
+ if (imx_phy->pcs_tx_swing_full != PHY_TUNE_DEFAULT) {
+ value = readl(imx_phy->base + PHY_CTRL5);
++ value &= ~PHY_CTRL5_PCS_TX_SWING_FULL_MASK;
+ value |= FIELD_PREP(PHY_CTRL5_PCS_TX_SWING_FULL_MASK,
+ imx_phy->pcs_tx_swing_full);
+ writel(value, imx_phy->base + PHY_CTRL5);
+--
+2.51.0
+
--- /dev/null
+From b3a17815ec087e4acc1b46f69427c8560ae1f097 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 May 2025 17:45:21 +0300
+Subject: phy: phy-snps-eusb2: refactor constructs names
+
+From: Ivaylo Ivanov <ivo.ivanov.ivanov1@gmail.com>
+
+[ Upstream commit 93dbe9b5b3a265c7e5466c7b6ada439b01577de5 ]
+
+As the driver now resides outside the phy subdirectory under a different
+name, refactor all definitions, structures and functions to explicitly
+specify what code is Qualcomm-specific and what is not.
+
+Signed-off-by: Ivaylo Ivanov <ivo.ivanov.ivanov1@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250504144527.1723980-5-ivo.ivanov.ivanov1@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: 1ca52c0983c3 ("phy: qcom-qusb2: Fix NULL pointer dereference on early suspend")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-snps-eusb2.c | 256 ++++++++++-----------
+ 1 file changed, 128 insertions(+), 128 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
+index 1484691a41d59..e1b175f481b4e 100644
+--- a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
+@@ -13,15 +13,15 @@
+ #include <linux/regulator/consumer.h>
+ #include <linux/reset.h>
+
+-#define USB_PHY_UTMI_CTRL0 (0x3c)
++#define QCOM_USB_PHY_UTMI_CTRL0 (0x3c)
+ #define SLEEPM BIT(0)
+ #define OPMODE_MASK GENMASK(4, 3)
+ #define OPMODE_NONDRIVING BIT(3)
+
+-#define USB_PHY_UTMI_CTRL5 (0x50)
++#define QCOM_USB_PHY_UTMI_CTRL5 (0x50)
+ #define POR BIT(1)
+
+-#define USB_PHY_HS_PHY_CTRL_COMMON0 (0x54)
++#define QCOM_USB_PHY_HS_PHY_CTRL_COMMON0 (0x54)
+ #define PHY_ENABLE BIT(0)
+ #define SIDDQ_SEL BIT(1)
+ #define SIDDQ BIT(2)
+@@ -30,15 +30,15 @@
+ #define FSEL_19_2_MHZ_VAL (0x0)
+ #define FSEL_38_4_MHZ_VAL (0x4)
+
+-#define USB_PHY_CFG_CTRL_1 (0x58)
++#define QCOM_USB_PHY_CFG_CTRL_1 (0x58)
+ #define PHY_CFG_PLL_CPBIAS_CNTRL_MASK GENMASK(7, 1)
+
+-#define USB_PHY_CFG_CTRL_2 (0x5c)
++#define QCOM_USB_PHY_CFG_CTRL_2 (0x5c)
+ #define PHY_CFG_PLL_FB_DIV_7_0_MASK GENMASK(7, 0)
+ #define DIV_7_0_19_2_MHZ_VAL (0x90)
+ #define DIV_7_0_38_4_MHZ_VAL (0xc8)
+
+-#define USB_PHY_CFG_CTRL_3 (0x60)
++#define QCOM_USB_PHY_CFG_CTRL_3 (0x60)
+ #define PHY_CFG_PLL_FB_DIV_11_8_MASK GENMASK(3, 0)
+ #define DIV_11_8_19_2_MHZ_VAL (0x1)
+ #define DIV_11_8_38_4_MHZ_VAL (0x0)
+@@ -46,73 +46,73 @@
+ #define PHY_CFG_PLL_REF_DIV GENMASK(7, 4)
+ #define PLL_REF_DIV_VAL (0x0)
+
+-#define USB_PHY_HS_PHY_CTRL2 (0x64)
++#define QCOM_USB_PHY_HS_PHY_CTRL2 (0x64)
+ #define VBUSVLDEXT0 BIT(0)
+ #define USB2_SUSPEND_N BIT(2)
+ #define USB2_SUSPEND_N_SEL BIT(3)
+ #define VBUS_DET_EXT_SEL BIT(4)
+
+-#define USB_PHY_CFG_CTRL_4 (0x68)
++#define QCOM_USB_PHY_CFG_CTRL_4 (0x68)
+ #define PHY_CFG_PLL_GMP_CNTRL_MASK GENMASK(1, 0)
+ #define PHY_CFG_PLL_INT_CNTRL_MASK GENMASK(7, 2)
+
+-#define USB_PHY_CFG_CTRL_5 (0x6c)
++#define QCOM_USB_PHY_CFG_CTRL_5 (0x6c)
+ #define PHY_CFG_PLL_PROP_CNTRL_MASK GENMASK(4, 0)
+ #define PHY_CFG_PLL_VREF_TUNE_MASK GENMASK(7, 6)
+
+-#define USB_PHY_CFG_CTRL_6 (0x70)
++#define QCOM_USB_PHY_CFG_CTRL_6 (0x70)
+ #define PHY_CFG_PLL_VCO_CNTRL_MASK GENMASK(2, 0)
+
+-#define USB_PHY_CFG_CTRL_7 (0x74)
++#define QCOM_USB_PHY_CFG_CTRL_7 (0x74)
+
+-#define USB_PHY_CFG_CTRL_8 (0x78)
++#define QCOM_USB_PHY_CFG_CTRL_8 (0x78)
+ #define PHY_CFG_TX_FSLS_VREF_TUNE_MASK GENMASK(1, 0)
+ #define PHY_CFG_TX_FSLS_VREG_BYPASS BIT(2)
+ #define PHY_CFG_TX_HS_VREF_TUNE_MASK GENMASK(5, 3)
+ #define PHY_CFG_TX_HS_XV_TUNE_MASK GENMASK(7, 6)
+
+-#define USB_PHY_CFG_CTRL_9 (0x7c)
++#define QCOM_USB_PHY_CFG_CTRL_9 (0x7c)
+ #define PHY_CFG_TX_PREEMP_TUNE_MASK GENMASK(2, 0)
+ #define PHY_CFG_TX_RES_TUNE_MASK GENMASK(4, 3)
+ #define PHY_CFG_TX_RISE_TUNE_MASK GENMASK(6, 5)
+ #define PHY_CFG_RCAL_BYPASS BIT(7)
+
+-#define USB_PHY_CFG_CTRL_10 (0x80)
++#define QCOM_USB_PHY_CFG_CTRL_10 (0x80)
+
+-#define USB_PHY_CFG0 (0x94)
++#define QCOM_USB_PHY_CFG0 (0x94)
+ #define DATAPATH_CTRL_OVERRIDE_EN BIT(0)
+ #define CMN_CTRL_OVERRIDE_EN BIT(1)
+
+-#define UTMI_PHY_CMN_CTRL0 (0x98)
++#define QCOM_UTMI_PHY_CMN_CTRL0 (0x98)
+ #define TESTBURNIN BIT(6)
+
+-#define USB_PHY_FSEL_SEL (0xb8)
++#define QCOM_USB_PHY_FSEL_SEL (0xb8)
+ #define FSEL_SEL BIT(0)
+
+-#define USB_PHY_APB_ACCESS_CMD (0x130)
++#define QCOM_USB_PHY_APB_ACCESS_CMD (0x130)
+ #define RW_ACCESS BIT(0)
+ #define APB_START_CMD BIT(1)
+ #define APB_LOGIC_RESET BIT(2)
+
+-#define USB_PHY_APB_ACCESS_STATUS (0x134)
++#define QCOM_USB_PHY_APB_ACCESS_STATUS (0x134)
+ #define ACCESS_DONE BIT(0)
+ #define TIMED_OUT BIT(1)
+ #define ACCESS_ERROR BIT(2)
+ #define ACCESS_IN_PROGRESS BIT(3)
+
+-#define USB_PHY_APB_ADDRESS (0x138)
++#define QCOM_USB_PHY_APB_ADDRESS (0x138)
+ #define APB_REG_ADDR_MASK GENMASK(7, 0)
+
+-#define USB_PHY_APB_WRDATA_LSB (0x13c)
++#define QCOM_USB_PHY_APB_WRDATA_LSB (0x13c)
+ #define APB_REG_WRDATA_7_0_MASK GENMASK(3, 0)
+
+-#define USB_PHY_APB_WRDATA_MSB (0x140)
++#define QCOM_USB_PHY_APB_WRDATA_MSB (0x140)
+ #define APB_REG_WRDATA_15_8_MASK GENMASK(7, 4)
+
+-#define USB_PHY_APB_RDDATA_LSB (0x144)
++#define QCOM_USB_PHY_APB_RDDATA_LSB (0x144)
+ #define APB_REG_RDDATA_7_0_MASK GENMASK(3, 0)
+
+-#define USB_PHY_APB_RDDATA_MSB (0x148)
++#define QCOM_USB_PHY_APB_RDDATA_MSB (0x148)
+ #define APB_REG_RDDATA_15_8_MASK GENMASK(7, 4)
+
+ static const char * const eusb2_hsphy_vreg_names[] = {
+@@ -121,7 +121,7 @@ static const char * const eusb2_hsphy_vreg_names[] = {
+
+ #define EUSB2_NUM_VREGS ARRAY_SIZE(eusb2_hsphy_vreg_names)
+
+-struct qcom_snps_eusb2_hsphy {
++struct snps_eusb2_hsphy {
+ struct phy *phy;
+ void __iomem *base;
+
+@@ -135,17 +135,17 @@ struct qcom_snps_eusb2_hsphy {
+ struct phy *repeater;
+ };
+
+-static int qcom_snps_eusb2_hsphy_set_mode(struct phy *p, enum phy_mode mode, int submode)
++static int snps_eusb2_hsphy_set_mode(struct phy *p, enum phy_mode mode, int submode)
+ {
+- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p);
++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p);
+
+ phy->mode = mode;
+
+ return phy_set_mode_ext(phy->repeater, mode, submode);
+ }
+
+-static void qcom_snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset,
+- u32 mask, u32 val)
++static void snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset,
++ u32 mask, u32 val)
+ {
+ u32 reg;
+
+@@ -158,65 +158,65 @@ static void qcom_snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset,
+ readl_relaxed(base + offset);
+ }
+
+-static void qcom_eusb2_default_parameters(struct qcom_snps_eusb2_hsphy *phy)
++static void qcom_eusb2_default_parameters(struct snps_eusb2_hsphy *phy)
+ {
+ /* default parameters: tx pre-emphasis */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9,
+- PHY_CFG_TX_PREEMP_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_PREEMP_TUNE_MASK, 0));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9,
++ PHY_CFG_TX_PREEMP_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_PREEMP_TUNE_MASK, 0));
+
+ /* tx rise/fall time */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9,
+- PHY_CFG_TX_RISE_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_RISE_TUNE_MASK, 0x2));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9,
++ PHY_CFG_TX_RISE_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_RISE_TUNE_MASK, 0x2));
+
+ /* source impedance adjustment */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9,
+- PHY_CFG_TX_RES_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_RES_TUNE_MASK, 0x1));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9,
++ PHY_CFG_TX_RES_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_RES_TUNE_MASK, 0x1));
+
+ /* dc voltage level adjustement */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_8,
+- PHY_CFG_TX_HS_VREF_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_HS_VREF_TUNE_MASK, 0x3));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_8,
++ PHY_CFG_TX_HS_VREF_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_HS_VREF_TUNE_MASK, 0x3));
+
+ /* transmitter HS crossover adjustement */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_8,
+- PHY_CFG_TX_HS_XV_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_HS_XV_TUNE_MASK, 0x0));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_8,
++ PHY_CFG_TX_HS_XV_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_HS_XV_TUNE_MASK, 0x0));
+ }
+
+-static int qcom_eusb2_ref_clk_init(struct qcom_snps_eusb2_hsphy *phy)
++static int qcom_eusb2_ref_clk_init(struct snps_eusb2_hsphy *phy)
+ {
+ unsigned long ref_clk_freq = clk_get_rate(phy->ref_clk);
+
+ switch (ref_clk_freq) {
+ case 19200000:
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- FSEL_MASK,
+- FIELD_PREP(FSEL_MASK, FSEL_19_2_MHZ_VAL));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ FSEL_MASK,
++ FIELD_PREP(FSEL_MASK, FSEL_19_2_MHZ_VAL));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_2,
+- PHY_CFG_PLL_FB_DIV_7_0_MASK,
+- DIV_7_0_19_2_MHZ_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_2,
++ PHY_CFG_PLL_FB_DIV_7_0_MASK,
++ DIV_7_0_19_2_MHZ_VAL);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3,
+- PHY_CFG_PLL_FB_DIV_11_8_MASK,
+- DIV_11_8_19_2_MHZ_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3,
++ PHY_CFG_PLL_FB_DIV_11_8_MASK,
++ DIV_11_8_19_2_MHZ_VAL);
+ break;
+
+ case 38400000:
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- FSEL_MASK,
+- FIELD_PREP(FSEL_MASK, FSEL_38_4_MHZ_VAL));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ FSEL_MASK,
++ FIELD_PREP(FSEL_MASK, FSEL_38_4_MHZ_VAL));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_2,
+- PHY_CFG_PLL_FB_DIV_7_0_MASK,
+- DIV_7_0_38_4_MHZ_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_2,
++ PHY_CFG_PLL_FB_DIV_7_0_MASK,
++ DIV_7_0_38_4_MHZ_VAL);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3,
+- PHY_CFG_PLL_FB_DIV_11_8_MASK,
+- DIV_11_8_38_4_MHZ_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3,
++ PHY_CFG_PLL_FB_DIV_11_8_MASK,
++ DIV_11_8_38_4_MHZ_VAL);
+ break;
+
+ default:
+@@ -224,15 +224,15 @@ static int qcom_eusb2_ref_clk_init(struct qcom_snps_eusb2_hsphy *phy)
+ return -EINVAL;
+ }
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3,
+- PHY_CFG_PLL_REF_DIV, PLL_REF_DIV_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3,
++ PHY_CFG_PLL_REF_DIV, PLL_REF_DIV_VAL);
+
+ return 0;
+ }
+
+-static int qcom_snps_eusb2_hsphy_init(struct phy *p)
++static int snps_eusb2_hsphy_init(struct phy *p)
+ {
+- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p);
++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p);
+ int ret;
+
+ ret = regulator_bulk_enable(ARRAY_SIZE(phy->vregs), phy->vregs);
+@@ -265,73 +265,73 @@ static int qcom_snps_eusb2_hsphy_init(struct phy *p)
+ goto disable_ref_clk;
+ }
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG0,
+- CMN_CTRL_OVERRIDE_EN, CMN_CTRL_OVERRIDE_EN);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG0,
++ CMN_CTRL_OVERRIDE_EN, CMN_CTRL_OVERRIDE_EN);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL5, POR, POR);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL5, POR, POR);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- PHY_ENABLE | RETENABLEN, PHY_ENABLE | RETENABLEN);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ PHY_ENABLE | RETENABLEN, PHY_ENABLE | RETENABLEN);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_APB_ACCESS_CMD,
+- APB_LOGIC_RESET, APB_LOGIC_RESET);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_APB_ACCESS_CMD,
++ APB_LOGIC_RESET, APB_LOGIC_RESET);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, UTMI_PHY_CMN_CTRL0, TESTBURNIN, 0);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_UTMI_PHY_CMN_CTRL0, TESTBURNIN, 0);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_FSEL_SEL,
+- FSEL_SEL, FSEL_SEL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_FSEL_SEL,
++ FSEL_SEL, FSEL_SEL);
+
+ /* update ref_clk related registers */
+ ret = qcom_eusb2_ref_clk_init(phy);
+ if (ret)
+- goto disable_ref_clk;
++ return ret;
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_1,
+- PHY_CFG_PLL_CPBIAS_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_CPBIAS_CNTRL_MASK, 0x1));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_1,
++ PHY_CFG_PLL_CPBIAS_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_CPBIAS_CNTRL_MASK, 0x1));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_4,
+- PHY_CFG_PLL_INT_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_INT_CNTRL_MASK, 0x8));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_4,
++ PHY_CFG_PLL_INT_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_INT_CNTRL_MASK, 0x8));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_4,
+- PHY_CFG_PLL_GMP_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_GMP_CNTRL_MASK, 0x1));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_4,
++ PHY_CFG_PLL_GMP_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_GMP_CNTRL_MASK, 0x1));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_5,
+- PHY_CFG_PLL_PROP_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_PROP_CNTRL_MASK, 0x10));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_5,
++ PHY_CFG_PLL_PROP_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_PROP_CNTRL_MASK, 0x10));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_6,
+- PHY_CFG_PLL_VCO_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_VCO_CNTRL_MASK, 0x0));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_6,
++ PHY_CFG_PLL_VCO_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_VCO_CNTRL_MASK, 0x0));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_5,
+- PHY_CFG_PLL_VREF_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_PLL_VREF_TUNE_MASK, 0x1));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_5,
++ PHY_CFG_PLL_VREF_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_PLL_VREF_TUNE_MASK, 0x1));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2,
+- VBUS_DET_EXT_SEL, VBUS_DET_EXT_SEL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2,
++ VBUS_DET_EXT_SEL, VBUS_DET_EXT_SEL);
+
+ /* set default parameters */
+ qcom_eusb2_default_parameters(phy);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2,
+- USB2_SUSPEND_N_SEL | USB2_SUSPEND_N,
+- USB2_SUSPEND_N_SEL | USB2_SUSPEND_N);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2,
++ USB2_SUSPEND_N_SEL | USB2_SUSPEND_N,
++ USB2_SUSPEND_N_SEL | USB2_SUSPEND_N);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL0, SLEEPM, SLEEPM);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL0, SLEEPM, SLEEPM);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- SIDDQ_SEL, SIDDQ_SEL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ SIDDQ_SEL, SIDDQ_SEL);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- SIDDQ, 0);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ SIDDQ, 0);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL5, POR, 0);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL5, POR, 0);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2,
+- USB2_SUSPEND_N_SEL, 0);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2,
++ USB2_SUSPEND_N_SEL, 0);
+
+ return 0;
+
+@@ -344,9 +344,9 @@ static int qcom_snps_eusb2_hsphy_init(struct phy *p)
+ return ret;
+ }
+
+-static int qcom_snps_eusb2_hsphy_exit(struct phy *p)
++static int snps_eusb2_hsphy_exit(struct phy *p)
+ {
+- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p);
++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p);
+
+ clk_disable_unprepare(phy->ref_clk);
+
+@@ -357,18 +357,18 @@ static int qcom_snps_eusb2_hsphy_exit(struct phy *p)
+ return 0;
+ }
+
+-static const struct phy_ops qcom_snps_eusb2_hsphy_ops = {
+- .init = qcom_snps_eusb2_hsphy_init,
+- .exit = qcom_snps_eusb2_hsphy_exit,
+- .set_mode = qcom_snps_eusb2_hsphy_set_mode,
++static const struct phy_ops snps_eusb2_hsphy_ops = {
++ .init = snps_eusb2_hsphy_init,
++ .exit = snps_eusb2_hsphy_exit,
++ .set_mode = snps_eusb2_hsphy_set_mode,
+ .owner = THIS_MODULE,
+ };
+
+-static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev)
++static int snps_eusb2_hsphy_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct device_node *np = dev->of_node;
+- struct qcom_snps_eusb2_hsphy *phy;
++ struct snps_eusb2_hsphy *phy;
+ struct phy_provider *phy_provider;
+ struct phy *generic_phy;
+ int ret, i;
+@@ -405,7 +405,7 @@ static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev)
+ return dev_err_probe(dev, PTR_ERR(phy->repeater),
+ "failed to get repeater\n");
+
+- generic_phy = devm_phy_create(dev, NULL, &qcom_snps_eusb2_hsphy_ops);
++ generic_phy = devm_phy_create(dev, NULL, &snps_eusb2_hsphy_ops);
+ if (IS_ERR(generic_phy)) {
+ dev_err(dev, "failed to create phy %d\n", ret);
+ return PTR_ERR(generic_phy);
+@@ -418,25 +418,25 @@ static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev)
+ if (IS_ERR(phy_provider))
+ return PTR_ERR(phy_provider);
+
+- dev_info(dev, "Registered Qcom-eUSB2 phy\n");
++ dev_info(dev, "Registered Snps-eUSB2 phy\n");
+
+ return 0;
+ }
+
+-static const struct of_device_id qcom_snps_eusb2_hsphy_of_match_table[] = {
++static const struct of_device_id snps_eusb2_hsphy_of_match_table[] = {
+ { .compatible = "qcom,sm8550-snps-eusb2-phy", },
+ { },
+ };
+-MODULE_DEVICE_TABLE(of, qcom_snps_eusb2_hsphy_of_match_table);
++MODULE_DEVICE_TABLE(of, snps_eusb2_hsphy_of_match_table);
+
+-static struct platform_driver qcom_snps_eusb2_hsphy_driver = {
+- .probe = qcom_snps_eusb2_hsphy_probe,
++static struct platform_driver snps_eusb2_hsphy_driver = {
++ .probe = snps_eusb2_hsphy_probe,
+ .driver = {
+- .name = "qcom-snps-eusb2-hsphy",
+- .of_match_table = qcom_snps_eusb2_hsphy_of_match_table,
++ .name = "snps-eusb2-hsphy",
++ .of_match_table = snps_eusb2_hsphy_of_match_table,
+ },
+ };
+
+-module_platform_driver(qcom_snps_eusb2_hsphy_driver);
+-MODULE_DESCRIPTION("Qualcomm SNPS eUSB2 HS PHY driver");
++module_platform_driver(snps_eusb2_hsphy_driver);
++MODULE_DESCRIPTION("Synopsys eUSB2 HS PHY driver");
+ MODULE_LICENSE("GPL");
+--
+2.51.0
+
--- /dev/null
+From a61d79b384438a86b1cfbbff85c9d2e985a2237c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 09:56:40 +0100
+Subject: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 1ca52c0983c34fca506921791202ed5bdafd5306 ]
+
+Enabling runtime PM before attaching the QPHY instance as driver data
+can lead to a NULL pointer dereference in runtime PM callbacks that
+expect valid driver data. There is a small window where the suspend
+callback may run after PM runtime enabling and before runtime forbid.
+This causes a sporadic crash during boot:
+
+```
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
+[...]
+CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
+Workqueue: pm pm_runtime_work
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
+lr : pm_generic_runtime_suspend+0x2c/0x44
+[...]
+```
+
+Attach the QPHY instance as driver data before enabling runtime PM to
+prevent NULL pointer dereference in runtime PM callbacks.
+
+Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a
+short window where an unnecessary runtime suspend can occur.
+
+Use the devres-managed version to ensure PM runtime is symmetrically
+disabled during driver removal for proper cleanup.
+
+Fixes: 891a96f65ac3 ("phy: qcom-qusb2: Add support for runtime PM")
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251219085640.114473-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index 531c3860c3160..d3c26a39873f7 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -1063,29 +1063,29 @@ static int qusb2_phy_probe(struct platform_device *pdev)
+ or->hsdisc_trim.override = true;
+ }
+
+- pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
++ dev_set_drvdata(dev, qphy);
++
+ /*
+- * Prevent runtime pm from being ON by default. Users can enable
+- * it using power/control in sysfs.
++ * Enable runtime PM support, but forbid it by default.
++ * Users can allow it again via the power/control attribute in sysfs.
+ */
++ pm_runtime_set_active(dev);
+ pm_runtime_forbid(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+
+ generic_phy = devm_phy_create(dev, NULL, &qusb2_phy_gen_ops);
+ if (IS_ERR(generic_phy)) {
+ ret = PTR_ERR(generic_phy);
+ dev_err(dev, "failed to create phy, %d\n", ret);
+- pm_runtime_disable(dev);
+ return ret;
+ }
+ qphy->phy = generic_phy;
+
+- dev_set_drvdata(dev, qphy);
+ phy_set_drvdata(generic_phy, qphy);
+
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+- if (IS_ERR(phy_provider))
+- pm_runtime_disable(dev);
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+ }
+--
+2.51.0
+
--- /dev/null
+From 27f286196a4687cb5c5ecc299a97107763df28fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index dbf23ae38255a..797d45747406d 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -712,7 +712,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
--- /dev/null
+From 46200edffaa534a67897163ee87994de862f9c4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 18:57:34 +0800
+Subject: phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 08aa19de72110df8ac10c9e67349dd884eeed41d ]
+
+devm_pm_runtime_enable() can fail due to memory allocation. The current
+code ignores its return value after calling pm_runtime_set_active(),
+leaving the device in an inconsistent state if runtime PM initialization
+fails.
+
+Check the return value of devm_pm_runtime_enable() and return on
+failure. Also move the declaration of 'ret' to the function scope
+to support this check.
+
+Fixes: ee8e41b5044f ("phy: ti: phy-da8xx-usb: Add runtime PM support")
+Suggested-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patch.msgid.link/20251124105734.1027-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/phy-da8xx-usb.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/phy/ti/phy-da8xx-usb.c b/drivers/phy/ti/phy-da8xx-usb.c
+index 68aa595b6ad8d..256f5238153a5 100644
+--- a/drivers/phy/ti/phy-da8xx-usb.c
++++ b/drivers/phy/ti/phy-da8xx-usb.c
+@@ -180,6 +180,7 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
+ struct da8xx_usb_phy_platform_data *pdata = dev->platform_data;
+ struct device_node *node = dev->of_node;
+ struct da8xx_usb_phy *d_phy;
++ int ret;
+
+ d_phy = devm_kzalloc(dev, sizeof(*d_phy), GFP_KERNEL);
+ if (!d_phy)
+@@ -233,8 +234,6 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
+ return PTR_ERR(d_phy->phy_provider);
+ }
+ } else {
+- int ret;
+-
+ ret = phy_create_lookup(d_phy->usb11_phy, "usb-phy",
+ "ohci-da8xx");
+ if (ret)
+@@ -249,7 +248,9 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
+ PHY_INIT_BITS, PHY_INIT_BITS);
+
+ pm_runtime_set_active(dev);
+- devm_pm_runtime_enable(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+ /*
+ * Prevent runtime pm from being ON by default. Users can enable
+ * it using power/control in sysfs.
+--
+2.51.0
+
--- /dev/null
+From 327a007d00e323864e42c31a0c924f0e567b45ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 14:15:34 +0800
+Subject: PM: EM: Fix incorrect description of the cost field in struct
+ em_perf_state
+
+From: Yaxiong Tian <tianyaxiong@kylinos.cn>
+
+[ Upstream commit 54b603f2db6b95495bc33a8f2bde80f044baff9a ]
+
+Due to commit 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove
+division"), the logic for energy consumption calculation has been modified.
+The actual calculation of cost is 10 * power * max_frequency / frequency
+instead of power * max_frequency / frequency.
+
+Therefore, the comment for cost has been updated to reflect the correct
+content.
+
+Fixes: 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove division")
+Signed-off-by: Yaxiong Tian <tianyaxiong@kylinos.cn>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+[ rjw: Added Fixes: tag ]
+Link: https://patch.msgid.link/20251230061534.816894-1-tianyaxiong@kylinos.cn
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/energy_model.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/energy_model.h b/include/linux/energy_model.h
+index 34498652f7802..09ce3dc4eab5c 100644
+--- a/include/linux/energy_model.h
++++ b/include/linux/energy_model.h
+@@ -18,7 +18,7 @@
+ * @power: The power consumed at this level (by 1 CPU or by a registered
+ * device). It can be a total power: static and dynamic.
+ * @cost: The cost coefficient associated with this level, used during
+- * energy calculation. Equal to: power * max_frequency / frequency
++ * energy calculation. Equal to: 10 * power * max_frequency / frequency
+ * @flags: see "em_perf_state flags" description below.
+ */
+ struct em_perf_state {
+--
+2.51.0
+
--- /dev/null
+From 26f1679412357d2c50643cc0b3ca6aedd6d2cd07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 08:45:26 +0000
+Subject: pnfs/blocklayout: Fix memory leak in bl_parse_scsi()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 5a74af51c3a6f4cd22c128b0c1c019f68fa90011 ]
+
+In bl_parse_scsi(), if the block device length is zero, the function
+returns immediately without releasing the file reference obtained via
+bl_open_path(), leading to a memory leak.
+
+Fix this by jumping to the out_blkdev_put label to ensure the file
+reference is properly released.
+
+Fixes: d76c769c8db4c ("pnfs/blocklayout: Don't add zero-length pnfs_block_dev")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/blocklayout/dev.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
+index 44306ac22353b..22d4529c61933 100644
+--- a/fs/nfs/blocklayout/dev.c
++++ b/fs/nfs/blocklayout/dev.c
+@@ -417,8 +417,10 @@ bl_parse_scsi(struct nfs_server *server, struct pnfs_block_dev *d,
+ d->map = bl_map_simple;
+ d->pr_key = v->scsi.pr_key;
+
+- if (d->len == 0)
+- return -ENODEV;
++ if (d->len == 0) {
++ error = -ENODEV;
++ goto out_blkdev_put;
++ }
+
+ ops = bdev->bd_disk->fops->pr_ops;
+ if (!ops) {
+--
+2.51.0
+
--- /dev/null
+From 89ee3777125d2000e8d2ae8b63da61cd03154a1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Dec 2025 14:45:00 -0500
+Subject: pNFS: Fix a deadlock when returning a delegation during open()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 857bf9056291a16785ae3be1d291026b2437fc48 ]
+
+Ben Coddington reports seeing a hang in the following stack trace:
+ 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415
+ 1 [ffffd0b50e177548] schedule at ffffffff9ca05717
+ 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1
+ 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb
+ 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5
+ 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4]
+ 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4]
+ 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4]
+ 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4]
+ 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4]
+ 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4]
+ 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4]
+ 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4]
+ 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4]
+ 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4]
+ 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4]
+ 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4]
+ 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea
+ 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e
+ 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935
+
+The issue is that the delegreturn is being asked to wait for a layout
+return that cannot complete because a state recovery was initiated. The
+state recovery cannot complete until the open() finishes processing the
+delegations it was given.
+
+The solution is to propagate the existing flags that indicate a
+non-blocking call to the function pnfs_roc(), so that it knows not to
+wait in this situation.
+
+Reported-by: Benjamin Coddington <bcodding@hammerspace.com>
+Fixes: 29ade5db1293 ("pNFS: Wait on outstanding layoutreturns to complete in pnfs_roc()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 6 ++---
+ fs/nfs/pnfs.c | 58 +++++++++++++++++++++++++++++++++--------------
+ fs/nfs/pnfs.h | 17 ++++++--------
+ 3 files changed, 51 insertions(+), 30 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 89f779f16f0dc..c76acd537be05 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3868,8 +3868,8 @@ int nfs4_do_close(struct nfs4_state *state, gfp_t gfp_mask, int wait)
+ calldata->res.seqid = calldata->arg.seqid;
+ calldata->res.server = server;
+ calldata->res.lr_ret = -NFS4ERR_NOMATCHING_LAYOUT;
+- calldata->lr.roc = pnfs_roc(state->inode,
+- &calldata->lr.arg, &calldata->lr.res, msg.rpc_cred);
++ calldata->lr.roc = pnfs_roc(state->inode, &calldata->lr.arg,
++ &calldata->lr.res, msg.rpc_cred, wait);
+ if (calldata->lr.roc) {
+ calldata->arg.lr_args = &calldata->lr.arg;
+ calldata->res.lr_res = &calldata->lr.res;
+@@ -6895,7 +6895,7 @@ static int _nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred,
+ data->inode = nfs_igrab_and_active(inode);
+ if (data->inode || issync) {
+ data->lr.roc = pnfs_roc(inode, &data->lr.arg, &data->lr.res,
+- cred);
++ cred, issync);
+ if (data->lr.roc) {
+ data->args.lr_args = &data->lr.arg;
+ data->res.lr_res = &data->lr.res;
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 7a742bcff687b..16981d0389c4c 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1546,10 +1546,9 @@ static int pnfs_layout_return_on_reboot(struct pnfs_layout_hdr *lo)
+ PNFS_FL_LAYOUTRETURN_PRIVILEGED);
+ }
+
+-bool pnfs_roc(struct inode *ino,
+- struct nfs4_layoutreturn_args *args,
+- struct nfs4_layoutreturn_res *res,
+- const struct cred *cred)
++bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args,
++ struct nfs4_layoutreturn_res *res, const struct cred *cred,
++ bool sync)
+ {
+ struct nfs_inode *nfsi = NFS_I(ino);
+ struct nfs_open_context *ctx;
+@@ -1560,7 +1559,7 @@ bool pnfs_roc(struct inode *ino,
+ nfs4_stateid stateid;
+ enum pnfs_iomode iomode = 0;
+ bool layoutreturn = false, roc = false;
+- bool skip_read = false;
++ bool skip_read;
+
+ if (!nfs_have_layout(ino))
+ return false;
+@@ -1573,20 +1572,14 @@ bool pnfs_roc(struct inode *ino,
+ lo = NULL;
+ goto out_noroc;
+ }
+- pnfs_get_layout_hdr(lo);
+- if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) {
+- spin_unlock(&ino->i_lock);
+- rcu_read_unlock();
+- wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN,
+- TASK_UNINTERRUPTIBLE);
+- pnfs_put_layout_hdr(lo);
+- goto retry;
+- }
+
+ /* no roc if we hold a delegation */
++ skip_read = false;
+ if (nfs4_check_delegation(ino, FMODE_READ)) {
+- if (nfs4_check_delegation(ino, FMODE_WRITE))
++ if (nfs4_check_delegation(ino, FMODE_WRITE)) {
++ lo = NULL;
+ goto out_noroc;
++ }
+ skip_read = true;
+ }
+
+@@ -1595,12 +1588,43 @@ bool pnfs_roc(struct inode *ino,
+ if (state == NULL)
+ continue;
+ /* Don't return layout if there is open file state */
+- if (state->state & FMODE_WRITE)
++ if (state->state & FMODE_WRITE) {
++ lo = NULL;
+ goto out_noroc;
++ }
+ if (state->state & FMODE_READ)
+ skip_read = true;
+ }
+
++ if (skip_read) {
++ bool writes = false;
++
++ list_for_each_entry(lseg, &lo->plh_segs, pls_list) {
++ if (lseg->pls_range.iomode != IOMODE_READ) {
++ writes = true;
++ break;
++ }
++ }
++ if (!writes) {
++ lo = NULL;
++ goto out_noroc;
++ }
++ }
++
++ pnfs_get_layout_hdr(lo);
++ if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) {
++ if (!sync) {
++ pnfs_set_plh_return_info(
++ lo, skip_read ? IOMODE_RW : IOMODE_ANY, 0);
++ goto out_noroc;
++ }
++ spin_unlock(&ino->i_lock);
++ rcu_read_unlock();
++ wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN,
++ TASK_UNINTERRUPTIBLE);
++ pnfs_put_layout_hdr(lo);
++ goto retry;
++ }
+
+ list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) {
+ if (skip_read && lseg->pls_range.iomode == IOMODE_READ)
+@@ -1640,7 +1664,7 @@ bool pnfs_roc(struct inode *ino,
+ out_noroc:
+ spin_unlock(&ino->i_lock);
+ rcu_read_unlock();
+- pnfs_layoutcommit_inode(ino, true);
++ pnfs_layoutcommit_inode(ino, sync);
+ if (roc) {
+ struct pnfs_layoutdriver_type *ld = NFS_SERVER(ino)->pnfs_curr_ld;
+ if (ld->prepare_layoutreturn)
+diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
+index 91ff877185c8a..3db8f13d8fe4e 100644
+--- a/fs/nfs/pnfs.h
++++ b/fs/nfs/pnfs.h
+@@ -303,10 +303,9 @@ int pnfs_mark_matching_lsegs_return(struct pnfs_layout_hdr *lo,
+ u32 seq);
+ int pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
+ struct list_head *lseg_list);
+-bool pnfs_roc(struct inode *ino,
+- struct nfs4_layoutreturn_args *args,
+- struct nfs4_layoutreturn_res *res,
+- const struct cred *cred);
++bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args,
++ struct nfs4_layoutreturn_res *res, const struct cred *cred,
++ bool sync);
+ int pnfs_roc_done(struct rpc_task *task, struct nfs4_layoutreturn_args **argpp,
+ struct nfs4_layoutreturn_res **respp, int *ret);
+ void pnfs_roc_release(struct nfs4_layoutreturn_args *args,
+@@ -773,12 +772,10 @@ pnfs_layoutcommit_outstanding(struct inode *inode)
+ return false;
+ }
+
+-
+-static inline bool
+-pnfs_roc(struct inode *ino,
+- struct nfs4_layoutreturn_args *args,
+- struct nfs4_layoutreturn_res *res,
+- const struct cred *cred)
++static inline bool pnfs_roc(struct inode *ino,
++ struct nfs4_layoutreturn_args *args,
++ struct nfs4_layoutreturn_res *res,
++ const struct cred *cred, bool sync)
+ {
+ return false;
+ }
+--
+2.51.0
+
--- /dev/null
+From b8ab82b5c93667068f8666d00b2c806b9ed58209 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 07:41:03 +0000
+Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
+
+In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
+the function jumps to the out_scratch label without freeing the already
+allocated dsaddrs list, leading to a memory leak.
+
+Fix this by jumping to the out_err_drain_dsaddrs label, which properly
+frees the dsaddrs list before cleaning up other resources.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index ef535baeefb60..5ab9ac32f858e 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
+ sizeof(struct nfs4_ff_ds_version),
+ gfp_flags);
+ if (!ds_versions)
+- goto out_scratch;
++ goto out_err_drain_dsaddrs;
+
+ for (i = 0; i < version_count; i++) {
+ /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
+--
+2.51.0
+
--- /dev/null
+From a70d9b6ad80f7fca7b714ff28935290e1b1332e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 19:37:15 +0200
+Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
+
+The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
+0xfff0, only allowing CPUs 0-3.
+
+Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
+0-15.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Reviewed-by: Nimrod Oren <noren@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/toeplitz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 9ba03164d73a6..5099157f01b9a 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -473,8 +473,8 @@ static void parse_rps_bitmap(const char *arg)
+
+ bitmap = strtoul(arg, NULL, 0);
+
+- if (bitmap & ~(RPS_MAX_CPUS - 1))
+- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
+ bitmap, RPS_MAX_CPUS - 1);
+
+ for (i = 0; i < RPS_MAX_CPUS; i++)
+--
+2.51.0
+
--- /dev/null
+From 95b634e9dd3bfa3486087e3afc8fe98e251fd3dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 20:07:24 +0100
+Subject: selftests/landlock: Fix TCP bind(AF_UNSPEC) test case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthieu Buffet <matthieu@buffet.re>
+
+[ Upstream commit bd09d9a05cf04028f639e209b416bacaeffd4909 ]
+
+The nominal error code for bind(AF_UNSPEC) on an IPv6 socket
+is -EAFNOSUPPORT, not -EINVAL. -EINVAL is only returned when
+the supplied address struct is too short, which happens to be
+the case in current selftests because they treat AF_UNSPEC
+like IPv4 sockets do: as an alias for AF_INET (which is a
+16-byte struct instead of the 24 bytes required by IPv6
+sockets).
+
+Make the union large enough for any address (by adding struct
+sockaddr_storage to the union), and make AF_UNSPEC addresses
+large enough for any family.
+
+Test for -EAFNOSUPPORT instead, and add a dedicated test case
+for truncated inputs with -EINVAL.
+
+Fixes: a549d055a22e ("selftests/landlock: Add network tests")
+Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
+Link: https://lore.kernel.org/r/20251027190726.626244-2-matthieu@buffet.re
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/landlock/common.h | 1 +
+ tools/testing/selftests/landlock/net_test.c | 16 +++++++++++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h
+index 60afc1ce11bcd..8be801c45f9b9 100644
+--- a/tools/testing/selftests/landlock/common.h
++++ b/tools/testing/selftests/landlock/common.h
+@@ -249,6 +249,7 @@ struct service_fixture {
+ struct sockaddr_un unix_addr;
+ socklen_t unix_addr_len;
+ };
++ struct sockaddr_storage _largest;
+ };
+ };
+
+diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
+index 376079d70d3fc..c3642c17b251d 100644
+--- a/tools/testing/selftests/landlock/net_test.c
++++ b/tools/testing/selftests/landlock/net_test.c
+@@ -120,6 +120,10 @@ static socklen_t get_addrlen(const struct service_fixture *const srv,
+ {
+ switch (srv->protocol.domain) {
+ case AF_UNSPEC:
++ if (minimal)
++ return sizeof(sa_family_t);
++ return sizeof(struct sockaddr_storage);
++
+ case AF_INET:
+ return sizeof(srv->ipv4_addr);
+
+@@ -757,6 +761,11 @@ TEST_F(protocol, bind_unspec)
+ bind_fd = socket_variant(&self->srv0);
+ ASSERT_LE(0, bind_fd);
+
++ /* Tries to bind with too small addrlen. */
++ EXPECT_EQ(-EINVAL, bind_variant_addrlen(
++ bind_fd, &self->unspec_any0,
++ get_addrlen(&self->unspec_any0, true) - 1));
++
+ /* Allowed bind on AF_UNSPEC/INADDR_ANY. */
+ ret = bind_variant(bind_fd, &self->unspec_any0);
+ if (variant->prot.domain == AF_INET) {
+@@ -765,6 +774,8 @@ TEST_F(protocol, bind_unspec)
+ TH_LOG("Failed to bind to unspec/any socket: %s",
+ strerror(errno));
+ }
++ } else if (variant->prot.domain == AF_INET6) {
++ EXPECT_EQ(-EAFNOSUPPORT, ret);
+ } else {
+ EXPECT_EQ(-EINVAL, ret);
+ }
+@@ -791,6 +802,8 @@ TEST_F(protocol, bind_unspec)
+ } else {
+ EXPECT_EQ(0, ret);
+ }
++ } else if (variant->prot.domain == AF_INET6) {
++ EXPECT_EQ(-EAFNOSUPPORT, ret);
+ } else {
+ EXPECT_EQ(-EINVAL, ret);
+ }
+@@ -800,7 +813,8 @@ TEST_F(protocol, bind_unspec)
+ bind_fd = socket_variant(&self->srv0);
+ ASSERT_LE(0, bind_fd);
+ ret = bind_variant(bind_fd, &self->unspec_srv0);
+- if (variant->prot.domain == AF_INET) {
++ if (variant->prot.domain == AF_INET ||
++ variant->prot.domain == AF_INET6) {
+ EXPECT_EQ(-EAFNOSUPPORT, ret);
+ } else {
+ EXPECT_EQ(-EINVAL, ret)
+--
+2.51.0
+
--- /dev/null
+From b658c50054f669a011ec84788db8835f91d24cd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jan 2026 14:40:58 +0100
+Subject: selftests/landlock: Properly close a file descriptor
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Günther Noack <gnoack3000@gmail.com>
+
+[ Upstream commit 15e8d739fda1084d81f7d3813e9600eba6e0f134 ]
+
+Add a missing close(srv_fd) call, and use EXPECT_EQ() to check the
+result.
+
+Signed-off-by: Günther Noack <gnoack3000@gmail.com>
+Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets")
+Link: https://lore.kernel.org/r/20260101134102.25938-2-gnoack3000@gmail.com
+[mic: Use EXPECT_EQ() and update commit message]
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/landlock/fs_test.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
+index 01bb59938dd7a..c781014e6a5c6 100644
+--- a/tools/testing/selftests/landlock/fs_test.c
++++ b/tools/testing/selftests/landlock/fs_test.c
+@@ -4189,7 +4189,8 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
+ /* FIONREAD and other IOCTLs should not be forbidden. */
+ EXPECT_EQ(0, test_fionread_ioctl(cli_fd));
+
+- ASSERT_EQ(0, close(cli_fd));
++ EXPECT_EQ(0, close(cli_fd));
++ EXPECT_EQ(0, close(srv_fd));
+ }
+
+ /* clang-format off */
+--
+2.51.0
+
--- /dev/null
+From 8be63e9474104e11bb65b56529a9a0358c15b9cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 01:36:31 +0100
+Subject: selftests/landlock: Remove invalid unix socket bind()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthieu Buffet <matthieu@buffet.re>
+
+[ Upstream commit e1a57c33590a50a6639798e60a597af4a23b0340 ]
+
+Remove bind() call on a client socket that doesn't make sense.
+Since strlen(cli_un.sun_path) returns a random value depending on stack
+garbage, that many uninitialized bytes are read from the stack as an
+unix socket address. This creates random test failures due to the bind
+address being invalid or already in use if the same stack value comes up
+twice.
+
+Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets")
+Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
+Reviewed-by: Günther Noack <gnoack@google.com>
+Link: https://lore.kernel.org/r/20251201003631.190817-1-matthieu@buffet.re
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/landlock/fs_test.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
+index 97d360eae4f69..01bb59938dd7a 100644
+--- a/tools/testing/selftests/landlock/fs_test.c
++++ b/tools/testing/selftests/landlock/fs_test.c
+@@ -4179,9 +4179,6 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
+ cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ ASSERT_LE(0, cli_fd);
+
+- size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path);
+- ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size));
+-
+ bzero(&cli_un, sizeof(cli_un));
+ cli_un.sun_family = AF_UNIX;
+ strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path));
+--
+2.51.0
+
revert-gfs2-fix-use-of-bio_chain.patch
x86-fpu-clear-xstate_bv-in-guest-xsave-state-whenever-xfd-1.patch
asoc-codecs-wsa884x-fix-codec-initialisation.patch
+xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
+xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch
+pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch
+nfs-fix-a-deadlock-involving-nfs_release_folio.patch
+pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
+pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch
+drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch
+pm-em-fix-incorrect-description-of-the-cost-field-in.patch
+can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
+nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole.patch
+net-bridge-annotate-data-races-around-fdb-updated-us.patch
+ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
+net-update-netdev_lock_-type-name.patch
+macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
+ipv4-ip_gre-make-ipgre_header-robust.patch
+vsock-test-add-a-final-full-barrier-after-run-all-te.patch
+net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch
+net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch
+net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch
+net-mlx5e-restore-destroying-state-bit-after-profile.patch
+btrfs-factor-out-init_space_info-from-create_space_i.patch
+btrfs-factor-out-check_removing_space_info-from-btrf.patch
+btrfs-introduce-btrfs_space_info-sub-group.patch
+btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch
+net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch
+alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch
+net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
+ipv6-fix-use-after-free-in-inet6_addr_del.patch
+selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
+asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch
+asoc-tlv320adcx140-fix-null-pointer.patch
+asoc-tlv320adcx140-fix-word-length.patch
+drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch
+mm-describe-flags-parameter-in-memalloc_flags_save.patch
+textsearch-describe-list-member-in-ts_ops-search.patch
+mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
+dmaengine-xilinx-xdma-fix-regmap-max_register.patch
+dmaengine-tegra-adma-fix-use-after-free.patch
+dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
+phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch
+phy-phy-snps-eusb2-refactor-constructs-names.patch
+phy-drop-probe-registration-printks.patch
+phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch
+phy-stm32-usphyc-fix-off-by-one-in-probe.patch
+phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch
+selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch
+selftests-landlock-remove-invalid-unix-socket-bind.patch
+phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
+selftests-landlock-properly-close-a-file-descriptor.patch
+dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
+i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
--- /dev/null
+From 6a66fe5bb10b0aa6e9c9351164e225b05e0f5f08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Cc: Thomas Graf <tgraf@suug.ch>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 6673e4d4ac2e1..4933777404d61 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
--- /dev/null
+From 8f7d17dd04d6eec0628fa250b3303f1682af0937 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index a3d448a075e3a..8a899a9fc9a98 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -472,6 +472,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
--- /dev/null
+From 0567af2d454faaca416ee83f174ac772cc81885d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 05:56:09 +0200
+Subject: xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ]
+
+Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
+protocol") attempted to fix GSO segmentation by reading the inner
+protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
+because the field holds the inner L4 protocol (TCP/UDP) instead of the
+required tunnel protocol. Also, the memory location (shared by
+XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
+is prone to corruption. This combination caused the kernel to select
+the wrong inner mode and get the wrong address family.
+
+The correct value is in xfrm_offload(skb)->proto, which is set from
+the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
+is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
+or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
+inner packet's address family.
+
+Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/esp4_offload.c | 4 ++--
+ net/ipv6/esp6_offload.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 05828d4cb6cdb..abd77162f5e75 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -122,8 +122,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
+ : htons(ETH_P_IP);
+
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 22410243ebe88..22895521a57d0 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -158,8 +158,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
+ : htons(ETH_P_IPV6);
+
+--
+2.51.0
+
--- /dev/null
+From aca319d58c4572642e0bc202ec8041e63d507509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 11:30:27 +0100
+Subject: xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is
+ set
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit c196def07bbc6e8306d7a274433913444b0db20a ]
+
+The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
+it was being applied regardless of the SA direction when the sysctl
+ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.
+
+Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
+is configured.
+
+Closes: https://github.com/strongswan/strongswan/issues/2946
+Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index b9bac68364527..c927560a77316 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -3058,6 +3058,7 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload,
+ int err;
+
+ if (family == AF_INET &&
++ (!x->dir || x->dir == XFRM_SA_DIR_OUT) &&
+ READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc))
+ x->props.flags |= XFRM_STATE_NOPMTUDISC;
+
+--
+2.51.0
+
--- /dev/null
+From 6db319d852b5e7d08c7b0a558a2ef73d7a445147 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 13:09:54 +0000
+Subject: ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit c5e96e54eca3876d4ce8857e2e22adbe9f44f4a2 ]
+
+Set gpiochip parent to the struct device of the dummy GPIO driver
+so that the software node will be associated with the GPIO chip.
+
+The recent commit e5d527be7e698 ("gpio: swnode: don't use the
+swnode's name as the key for GPIO lookup") broke cirrus_scodec_test,
+because the software node no longer gets associated with the GPIO
+driver by name.
+
+Instead, setting struct gpio_chip.parent to the owning struct device
+will find the node using a normal fwnode lookup.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2144833e7b414 ("ALSA: hda: cirrus_scodec: Add KUnit test")
+Link: https://patch.msgid.link/20260113130954.574670-1-rf@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/side-codecs/cirrus_scodec_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
+index 3cca750857b68..159ac80a93144 100644
+--- a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
++++ b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
+@@ -103,6 +103,7 @@ static int cirrus_scodec_test_gpio_probe(struct platform_device *pdev)
+
+ /* GPIO core modifies our struct gpio_chip so use a copy */
+ gpio_priv->chip = cirrus_scodec_test_gpio_chip;
++ gpio_priv->chip.parent = &pdev->dev;
+ ret = devm_gpiochip_add_data(&pdev->dev, &gpio_priv->chip, gpio_priv);
+ if (ret)
+ return dev_err_probe(&pdev->dev, ret, "Failed to add gpiochip\n");
+--
+2.51.0
+
--- /dev/null
+From db344b335832ba758b004045781ca8215d5d75ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 13:40:56 +0000
+Subject: ALSA: hda/cirrus_scodec_test: Fix test suite name
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 6a0243c4020636482797acfd48d7d9b0ea2f2a20 ]
+
+Change the test suite name string to "snd-hda-cirrus-scodec-test".
+
+It was incorrectly named "snd-hda-scodec-cs35l56-test", a leftover
+from when the code under test was actually in the cs35l56 driver.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2144833e7b414 ("ALSA: hda: cirrus_scodec: Add KUnit test")
+Link: https://patch.msgid.link/20260113134056.619051-1-rf@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/side-codecs/cirrus_scodec_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
+index 159ac80a93144..dc35932b6b22f 100644
+--- a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
++++ b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
+@@ -320,7 +320,7 @@ static struct kunit_case cirrus_scodec_test_cases[] = {
+ };
+
+ static struct kunit_suite cirrus_scodec_test_suite = {
+- .name = "snd-hda-scodec-cs35l56-test",
++ .name = "snd-hda-cirrus-scodec-test",
+ .init = cirrus_scodec_test_case_init,
+ .test_cases = cirrus_scodec_test_cases,
+ };
+--
+2.51.0
+
--- /dev/null
+From 10c5405fd300572fca13269451084d93b1ea8c76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 19:55:18 -0700
+Subject: ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type
+
+From: Cole Leavitt <cole@unwrap.rs>
+
+[ Upstream commit 390caeed0897fcac75f3c414dbdd85d593183d9c ]
+
+The CS42L43 codec's load detection can return different impedance values
+that map to either HEADPHONE or LINEOUT jack types. However, the
+soc_jack_pins array only maps SND_JACK_HEADPHONE to the "Headphone" DAPM
+pin, not SND_JACK_LINEOUT.
+
+When headphones are detected with an impedance that maps to LINEOUT
+(such as impedance value 0x2), the driver reports SND_JACK_LINEOUT.
+Since this doesn't match the jack pin mask, the "Headphone" DAPM pin
+is not activated, and no audio is routed to the headphone outputs.
+
+Fix by adding SND_JACK_LINEOUT to the Headphone pin mask, so that both
+headphone and line-out detection properly enable the headphone output
+path.
+
+This fixes no audio output on devices like the Lenovo ThinkPad P16 Gen 3
+where headphones are detected with LINEOUT impedance.
+
+Fixes: d74bad3b7452 ("ASoC: intel: sof_sdw_cs42l43: Create separate jacks for hp and mic")
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Cole Leavitt <cole@unwrap.rs>
+Link: https://patch.msgid.link/20260114025518.28519-1-cole@unwrap.rs
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdw_utils/soc_sdw_cs42l43.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sdw_utils/soc_sdw_cs42l43.c b/sound/soc/sdw_utils/soc_sdw_cs42l43.c
+index b415d45d520d0..3e8e2e3bdf7c5 100644
+--- a/sound/soc/sdw_utils/soc_sdw_cs42l43.c
++++ b/sound/soc/sdw_utils/soc_sdw_cs42l43.c
+@@ -44,7 +44,7 @@ static const struct snd_soc_dapm_route cs42l43_dmic_map[] = {
+ static struct snd_soc_jack_pin soc_jack_pins[] = {
+ {
+ .pin = "Headphone",
+- .mask = SND_JACK_HEADPHONE,
++ .mask = SND_JACK_HEADPHONE | SND_JACK_LINEOUT,
+ },
+ {
+ .pin = "Headset Mic",
+--
+2.51.0
+
--- /dev/null
+From 9a0cfb6a5b1299d170c37d760866853d149a9001 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:45 +0100
+Subject: ASoC: tlv320adcx140: fix null pointer
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ]
+
+The "snd_soc_component" in "adcx140_priv" was only used once but never
+set. It was only used for reaching "dev" which is already present in
+"adcx140_priv".
+
+Fixes: 4e82971f7b55 ("ASoC: tlv320adcx140: Add a new kcontrol")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index d594bf166c0e7..ccfec4c0c159a 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -23,7 +23,6 @@
+ #include "tlv320adcx140.h"
+
+ struct adcx140_priv {
+- struct snd_soc_component *component;
+ struct regulator *supply_areg;
+ struct gpio_desc *gpio_reset;
+ struct regmap *regmap;
+@@ -701,7 +700,6 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ {
+ int pwr_ctrl = 0;
+ int ret = 0;
+- struct snd_soc_component *component = adcx140->component;
+
+ if (power_state)
+ pwr_ctrl = ADCX140_PWR_CFG_ADC_PDZ | ADCX140_PWR_CFG_PLL_PDZ;
+@@ -713,7 +711,7 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ ret = regmap_write(adcx140->regmap, ADCX140_PHASE_CALIB,
+ adcx140->phase_calib_on ? 0x00 : 0x40);
+ if (ret)
+- dev_err(component->dev, "%s: register write error %d\n",
++ dev_err(adcx140->dev, "%s: register write error %d\n",
+ __func__, ret);
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 5a3357b2a5f53c44fb9fb15b13213b97e20485f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:47 +0100
+Subject: ASoC: tlv320adcx140: fix word length
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]
+
+The word length is the physical width of the channel slots. So the
+hw_params would misconfigure when format width and physical width
+doesn't match. Like S24_LE which has data width of 24 bits but physical
+width of 32 bits. So if using asymmetric formats you will get a lot of
+noise.
+
+Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index ccfec4c0c159a..62d936c2838c9 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -727,7 +727,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component);
+ u8 data = 0;
+
+- switch (params_width(params)) {
++ switch (params_physical_width(params)) {
+ case 16:
+ data = ADCX140_16_BIT_WORD;
+ break;
+@@ -742,7 +742,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ break;
+ default:
+ dev_err(component->dev, "%s: Unsupported width %d\n",
+- __func__, params_width(params));
++ __func__, params_physical_width(params));
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From eca93dba351323767e350574a8ca659fb8e5c162 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 10:22:10 -0700
+Subject: block: zero non-PI portion of auto integrity buffer
+
+From: Caleb Sander Mateos <csander@purestorage.com>
+
+[ Upstream commit ca22c566b89164f6e670af56ecc45f47ef3df819 ]
+
+The auto-generated integrity buffer for writes needs to be fully
+initialized before being passed to the underlying block device,
+otherwise the uninitialized memory can be read back by userspace or
+anyone with physical access to the storage device. If protection
+information is generated, that portion of the integrity buffer is
+already initialized. The integrity data is also zeroed if PI generation
+is disabled via sysfs or the PI tuple size is 0. However, this misses
+the case where PI is generated and the PI tuple size is nonzero, but the
+metadata size is larger than the PI tuple. In this case, the remainder
+("opaque") of the metadata is left uninitialized.
+Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the
+metadata is larger than just the PI tuple.
+
+Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
+Fixes: c546d6f43833 ("block: only zero non-PI metadata tuples in bio_integrity_prep")
+Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bio-integrity-auto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bio-integrity-auto.c b/block/bio-integrity-auto.c
+index 687952f63bbbf..b8b7587be9679 100644
+--- a/block/bio-integrity-auto.c
++++ b/block/bio-integrity-auto.c
+@@ -142,7 +142,7 @@ bool bio_integrity_prep(struct bio *bio)
+ return true;
+ set_flags = false;
+ gfp |= __GFP_ZERO;
+- } else if (bi->csum_type == BLK_INTEGRITY_CSUM_NONE)
++ } else if (bi->metadata_size > bi->pi_tuple_size)
+ gfp |= __GFP_ZERO;
+ break;
+ default:
+--
+2.51.0
+
--- /dev/null
+From d290e5779642d0544bad78026fafd10aab19ede4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 10:43:09 +0800
+Subject: Bluetooth: hci_sync: enable PA Sync Lost event
+
+From: Yang Li <yang.li@amlogic.com>
+
+[ Upstream commit ab749bfe6a1fc233213f2d00facea5233139d509 ]
+
+Enable the PA Sync Lost event mask to ensure PA sync loss is properly
+reported and handled.
+
+Fixes: 485e0626e587 ("Bluetooth: hci_event: Fix not handling PA Sync Lost event")
+Signed-off-by: Yang Li <yang.li@amlogic.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 6e76798ec786b..f5896c023a9fa 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -4402,6 +4402,7 @@ static int hci_le_set_event_mask_sync(struct hci_dev *hdev)
+ if (bis_capable(hdev)) {
+ events[1] |= 0x20; /* LE PA Report */
+ events[1] |= 0x40; /* LE PA Sync Established */
++ events[1] |= 0x80; /* LE PA Sync Lost */
+ events[3] |= 0x04; /* LE Create BIG Complete */
+ events[3] |= 0x08; /* LE Terminate BIG Complete */
+ events[3] |= 0x10; /* LE BIG Sync Established */
+--
+2.51.0
+
--- /dev/null
+From a91bc7e5733820305048fd6a785502faa52b731c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Jan 2026 19:20:37 +0000
+Subject: btrfs: fix memory leaks in create_space_info() error paths
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]
+
+In create_space_info(), the 'space_info' object is allocated at the
+beginning of the function. However, there are two error paths where the
+function returns an error code without freeing the allocated memory:
+
+1. When create_space_info_sub_group() fails in zoned mode.
+2. When btrfs_sysfs_add_space_info_type() fails.
+
+In both cases, 'space_info' has not yet been added to the
+fs_info->space_info list, resulting in a memory leak. Fix this by
+adding an error handling label to kfree(space_info) before returning.
+
+Fixes: 2be12ef79fe9 ("btrfs: Separate space_info create/update")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 85c466c85910a..a6f94e9f55915 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -305,18 +305,22 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ 0);
+
+ if (ret)
+- return ret;
++ goto out_free;
+ }
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+- return ret;
++ goto out_free;
+
+ list_add(&space_info->list, &info->space_info);
+ if (flags & BTRFS_BLOCK_GROUP_DATA)
+ info->data_sinfo = space_info;
+
+ return ret;
++
++out_free:
++ kfree(space_info);
++ return ret;
+ }
+
+ int btrfs_init_space_info(struct btrfs_fs_info *fs_info)
+--
+2.51.0
+
--- /dev/null
+From e3069bed77b28a84e0ee8197ac1c3f5fca03d6fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 11:26:02 +0000
+Subject: btrfs: release path before iget_failed() in btrfs_read_locked_inode()
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 1e1f2055ad5a7a5d548789b334a4473a7665c418 ]
+
+In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to
+the 'out' label with a path that has a read locked leaf and then we call
+iget_failed(). This can result in a ABBA deadlock, since iget_failed()
+triggers inode eviction and that causes the release of the delayed inode,
+which must lock the delayed inode's mutex, and a task updating a delayed
+inode starts by taking the node's mutex and then modifying the inode's
+subvolume btree.
+
+Syzbot reported the following lockdep splat for this:
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ syzkaller #0 Not tainted
+ ------------------------------------------------------
+ btrfs-cleaner/8725 is trying to acquire lock:
+ ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
+
+ but task is already holding lock:
+ ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (btrfs-tree-00){++++}-{4:4}:
+ __lock_release kernel/locking/lockdep.c:5574 [inline]
+ lock_release+0x198/0x39c kernel/locking/lockdep.c:5889
+ up_read+0x24/0x3c kernel/locking/rwsem.c:1632
+ btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169
+ btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]
+ btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133
+ btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395
+ __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032
+ btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]
+ __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141
+ __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176
+ btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219
+ flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828
+ do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158
+ btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226
+ process_one_work+0x7e8/0x155c kernel/workqueue.c:3263
+ process_scheduled_works kernel/workqueue.c:3346 [inline]
+ worker_thread+0x958/0xed8 kernel/workqueue.c:3427
+ kthread+0x5fc/0x75c kernel/kthread.c:463
+ ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
+
+ -> #0 (&delayed_node->mutex){+.+.}-{4:4}:
+ check_prev_add kernel/locking/lockdep.c:3165 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3284 [inline]
+ validate_chain kernel/locking/lockdep.c:3908 [inline]
+ __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
+ lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
+ __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598
+ __mutex_lock kernel/locking/mutex.c:760 [inline]
+ mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
+ __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
+ btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]
+ btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326
+ btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587
+ evict+0x414/0x928 fs/inode.c:810
+ iput_final fs/inode.c:1914 [inline]
+ iput+0x95c/0xad4 fs/inode.c:1966
+ iget_failed+0xec/0x134 fs/bad_inode.c:248
+ btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101
+ btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837
+ btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]
+ btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrfs/defrag.c:309
+ cleaner_kthread+0x21c/0x418 fs/btrfs/disk-io.c:1516
+ kthread+0x5fc/0x75c kernel/kthread.c:463
+ ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
+
+ other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ rlock(btrfs-tree-00);
+ lock(&delayed_node->mutex);
+ lock(btrfs-tree-00);
+ lock(&delayed_node->mutex);
+
+ *** DEADLOCK ***
+
+ 1 lock held by btrfs-cleaner/8725:
+ #0: ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145
+
+ stack backtrace:
+ CPU: 0 UID: 0 PID: 8725 Comm: btrfs-cleaner Not tainted syzkaller #0 PREEMPT
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
+ Call trace:
+ show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
+ __dump_stack+0x30/0x40 lib/dump_stack.c:94
+ dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
+ dump_stack+0x1c/0x28 lib/dump_stack.c:129
+ print_circular_bug+0x324/0x32c kernel/locking/lockdep.c:2043
+ check_noncircular+0x154/0x174 kernel/locking/lockdep.c:2175
+ check_prev_add kernel/locking/lockdep.c:3165 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3284 [inline]
+ validate_chain kernel/locking/lockdep.c:3908 [inline]
+ __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
+ lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
+ __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598
+ __mutex_lock kernel/locking/mutex.c:760 [inline]
+ mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
+ __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
+ btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]
+ btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326
+ btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587
+ evict+0x414/0x928 fs/inode.c:810
+ iput_final fs/inode.c:1914 [inline]
+ iput+0x95c/0xad4 fs/inode.c:1966
+ iget_failed+0xec/0x134 fs/bad_inode.c:248
+ btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101
+ btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837
+ btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]
+ btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrfs/defrag.c:309
+ cleaner_kthread+0x21c/0x418 fs/btrfs/disk-io.c:1516
+ kthread+0x5fc/0x75c kernel/kthread.c:463
+ ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
+
+Fix this by releasing the path before calling iget_failed().
+
+Reported-by: syzbot+c1c6edb02bea1da754d8@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/694530c2.a70a0220.207337.010d.GAE@google.com/
+Fixes: 69673992b1ae ("btrfs: push cleanup into btrfs_read_locked_inode()")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 27a562bad6e87..1af9b05328ce8 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4108,6 +4108,15 @@ static int btrfs_read_locked_inode(struct btrfs_inode *inode, struct btrfs_path
+
+ return 0;
+ out:
++ /*
++ * We may have a read locked leaf and iget_failed() triggers inode
++ * eviction which needs to release the delayed inode and that needs
++ * to lock the delayed inode's mutex. This can cause a ABBA deadlock
++ * with a task running delayed items, as that require first locking
++ * the delayed inode's mutex and then modifying its subvolume btree.
++ * So release the path before iget_failed().
++ */
++ btrfs_release_path(path);
+ iget_failed(vfs_inode);
+ return ret;
+ }
+--
+2.51.0
+
--- /dev/null
+From a658b467a7318130ecc2f28276a197ebd4402b7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 96a030d28e091..9012ce7a742f4 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6399,6 +6399,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
--- /dev/null
+From 8ee486ae08b35cc73abb3243e23ad921cc436dc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 02:17:32 +0100
+Subject: can: etas_es58x: allow partial RX URB allocation to succeed
+
+From: Szymon Wilczek <swilczek.lx@gmail.com>
+
+[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]
+
+When es58x_alloc_rx_urbs() fails to allocate the requested number of
+URBs but succeeds in allocating some, it returns an error code.
+This causes es58x_open() to return early, skipping the cleanup label
+'free_urbs', which leads to the anchored URBs being leaked.
+
+As pointed out by maintainer Vincent Mailhol, the driver is designed
+to handle partial URB allocation gracefully. Therefore, partial
+allocation should not be treated as a fatal error.
+
+Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
+allocated, restoring the intended behavior and preventing the leak
+in es58x_open().
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
+Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
+Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
+Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index adc91873c083f..6eeba9baa1317 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -1736,7 +1736,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
+ dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n",
+ __func__, i, rx_buf_len);
+
+- return ret;
++ return 0;
+ }
+
+ /**
+--
+2.51.0
+
--- /dev/null
+From 0cb37efea4eee23b477ac643b5625cbe3753ace6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 20:05:26 +0800
+Subject: cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve()
+
+From: Li Ming <ming.li@zohomail.com>
+
+[ Upstream commit d4026a44626490dc4eca4dd2c4d0816338fa179b ]
+
+In __cxl_dpa_reserve(), it will check if the new resource range is
+included in one of paritions of the cxl memory device.
+cxlds->nr_paritions is used to represent how many partitions information
+the cxl memory device has. In the loop, if driver cannot find a
+partition including the new resource range, it will be an infinite loop.
+
+[ dj: Removed incorrect fixes tag ]
+
+Fixes: 991d98f17d31 ("cxl: Make cxl_dpa_alloc() DPA partition number agnostic")
+Signed-off-by: Li Ming <ming.li@zohomail.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://patch.msgid.link/20260112120526.530232-1-ming.li@zohomail.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/hdm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cxl/core/hdm.c b/drivers/cxl/core/hdm.c
+index d3a094ca01ad9..20dd638108062 100644
+--- a/drivers/cxl/core/hdm.c
++++ b/drivers/cxl/core/hdm.c
+@@ -403,7 +403,7 @@ static int __cxl_dpa_reserve(struct cxl_endpoint_decoder *cxled,
+ * is not set.
+ */
+ if (cxled->part < 0)
+- for (int i = 0; cxlds->nr_partitions; i++)
++ for (int i = 0; i < cxlds->nr_partitions; i++)
+ if (resource_contains(&cxlds->part[i].res, res)) {
+ cxled->part = i;
+ break;
+--
+2.51.0
+
--- /dev/null
+From 6d5c8c5a4c63e633a41281138bc56e0e7ef0c1e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 11:13:23 +0100
+Subject: cxl/port: Fix target list setup for multiple decoders sharing the
+ same dport
+
+From: Robert Richter <rrichter@amd.com>
+
+[ Upstream commit 3e8aaacdad4f66641f87ab441fe644b45f8ebdff ]
+
+If a switch port has more than one decoder that is using the same
+downstream port, the enumeration of the target lists may fail with:
+
+ # dmesg | grep target.list
+ update_decoder_targets: cxl decoder1.0: dport3 found in target list, index 3
+ update_decoder_targets: cxl decoder1.0: dport2 found in target list, index 2
+ update_decoder_targets: cxl decoder1.0: dport0 found in target list, index 0
+ update_decoder_targets: cxl decoder2.0: dport3 found in target list, index 1
+ update_decoder_targets: cxl decoder4.0: dport3 found in target list, index 1
+ cxl_mem mem6: failed to find endpoint12:0000:00:01.4 in target list of decoder2.1
+ cxl_mem mem8: failed to find endpoint13:0000:20:01.4 in target list of decoder4.1
+
+The case, that the same downstream port can be used in multiple target
+lists, is allowed and possible.
+
+Fix the update of the target list. Enumerate all children of the
+switch port and do not stop the iteration after the first matching
+target was found.
+
+With the fix applied:
+
+ # dmesg | grep target.list
+ update_decoder_targets: cxl decoder1.0: dport2 found in target list, index 2
+ update_decoder_targets: cxl decoder1.0: dport0 found in target list, index 0
+ update_decoder_targets: cxl decoder1.0: dport3 found in target list, index 3
+ update_decoder_targets: cxl decoder2.0: dport3 found in target list, index 1
+ update_decoder_targets: cxl decoder2.1: dport3 found in target list, index 1
+ update_decoder_targets: cxl decoder4.0: dport3 found in target list, index 1
+ update_decoder_targets: cxl decoder4.1: dport3 found in target list, index 1
+
+Analyzing the conditions when this happens:
+
+1) A dport is shared by multiple decoders.
+
+2) The decoders have interleaving configured (ways > 1).
+
+The configuration above has the following hierarchy details (fixed
+version):
+
+ root0
+ |_
+ | |
+ | decoder0.1
+ | ways: 2
+ | target_list: 0,1
+ |_______________________________________
+ | |
+ | dport0 | dport1
+ | |
+ port2 port4
+ | |
+ |___________________ |_____________________
+ | | | | | |
+ | decoder2.0 decoder2.1 | decoder4.0 decoder4.1
+ | ways: 2 ways: 2 | ways: 2 ways: 2
+ | target_list: 2,3 target_list: 2,3 | target_list: 2,3 target_list: 2,3
+ |___________________ |___________________
+ | | | |
+ | dport2 | dport3 | dport2 | dport3
+ | | | |
+ endpoint7 endpoint12 endpoint9 endpoint13
+ |_ |_ |_ |_
+ | | | | | | | |
+ | decoder7.0 | decoder12.0 | decoder9.0 | decoder13.0
+ | decoder7.2 | decoder12.2 | decoder9.2 | decoder13.2
+ | | | |
+ mem3 mem5 mem6 mem8
+
+Note: Device numbers vary for every boot.
+
+Current kernel fails to enumerate endpoint12 and endpoint13 as the
+target list is not updated for the second decoder.
+
+Fixes: 4f06d81e7c6a ("cxl: Defer dport allocation for switch ports")
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Signed-off-by: Robert Richter <rrichter@amd.com>
+Link: https://patch.msgid.link/20260108101324.509667-1-rrichter@amd.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/port.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c
+index 8128fd2b5b317..804e4a48540f6 100644
+--- a/drivers/cxl/core/port.c
++++ b/drivers/cxl/core/port.c
+@@ -1591,7 +1591,7 @@ static int update_decoder_targets(struct device *dev, void *data)
+ cxlsd->target[i] = dport;
+ dev_dbg(dev, "dport%d found in target list, index %d\n",
+ dport->port_id, i);
+- return 1;
++ return 0;
+ }
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 62dba1dd845c71cdbcbeb5ea54a22eccc75b6817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Sep 2025 22:27:27 +0800
+Subject: dmaengine: mmp_pdma: fix DMA mask handling
+
+From: Guodong Xu <guodong@riscstar.com>
+
+[ Upstream commit 49400b701eca849c1b53717b1f5d779a8d066ec0 ]
+
+The driver's existing logic for setting the DMA mask for "marvell,pdma-1.0"
+was flawed. It incorrectly relied on pdev->dev->coherent_dma_mask instead
+of declaring the hardware's fixed addressing capability. A cleaner and
+more correct approach is to define the mask directly based on the hardware
+limitations.
+
+The MMP/PXA PDMA controller is a 32-bit DMA engine. This is supported by
+datasheets and various dtsi files for PXA25x, PXA27x, PXA3xx, and MMP2,
+all of which are 32-bit systems.
+
+This patch simplifies the driver's logic by replacing the 'u64 dma_mask'
+field with a simpler 'u32 dma_width' to store the addressing capability
+in bits. The complex if/else block in probe() is then replaced with a
+single, clear call to dma_set_mask_and_coherent(). This sets a fixed
+32-bit DMA mask for "marvell,pdma-1.0" and a 64-bit mask for
+"spacemit,k1-pdma," matching each device's hardware capabilities.
+
+Finally, this change also works around a specific build error encountered
+with clang-20 on x86_64 allyesconfig. The shift-count-overflow error is
+caused by a known clang compiler issue where the DMA_BIT_MASK(n) macro's
+ternary operator is not correctly evaluated in static initializers. By
+moving the macro's evaluation into the probe() function, the driver avoids
+this compiler bug.
+
+Fixes: 5cfe585d8624 ("dmaengine: mmp_pdma: Add SpacemiT K1 PDMA support with 64-bit addressing")
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Closes: https://lore.kernel.org/lkml/CA+G9fYsPcMfW-e_0_TRqu4cnwqOqYF3aJOeKUYk6Z4qRStdFvg@mail.gmail.com
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Guodong Xu <guodong@riscstar.com>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Tested-by: Nathan Chancellor <nathan@kernel.org> # build
+Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mmp_pdma.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c
+index d07229a748868..86661eb3cde1f 100644
+--- a/drivers/dma/mmp_pdma.c
++++ b/drivers/dma/mmp_pdma.c
+@@ -152,8 +152,8 @@ struct mmp_pdma_phy {
+ *
+ * Controller Configuration:
+ * @run_bits: Control bits in DCSR register for channel start/stop
+- * @dma_mask: DMA addressing capability of controller. 0 to use OF/platform
+- * settings, or explicit mask like DMA_BIT_MASK(32/64)
++ * @dma_width: DMA addressing width in bits (32 or 64). Determines the
++ * DMA mask capability of the controller hardware.
+ */
+ struct mmp_pdma_ops {
+ /* Hardware Register Operations */
+@@ -173,7 +173,7 @@ struct mmp_pdma_ops {
+
+ /* Controller Configuration */
+ u32 run_bits;
+- u64 dma_mask;
++ u32 dma_width;
+ };
+
+ struct mmp_pdma_device {
+@@ -1172,7 +1172,7 @@ static const struct mmp_pdma_ops marvell_pdma_v1_ops = {
+ .get_desc_src_addr = get_desc_src_addr_32,
+ .get_desc_dst_addr = get_desc_dst_addr_32,
+ .run_bits = (DCSR_RUN),
+- .dma_mask = 0, /* let OF/platform set DMA mask */
++ .dma_width = 32,
+ };
+
+ static const struct mmp_pdma_ops spacemit_k1_pdma_ops = {
+@@ -1185,7 +1185,7 @@ static const struct mmp_pdma_ops spacemit_k1_pdma_ops = {
+ .get_desc_src_addr = get_desc_src_addr_64,
+ .get_desc_dst_addr = get_desc_dst_addr_64,
+ .run_bits = (DCSR_RUN | DCSR_LPAEEN),
+- .dma_mask = DMA_BIT_MASK(64), /* force 64-bit DMA addr capability */
++ .dma_width = 64,
+ };
+
+ static const struct of_device_id mmp_pdma_dt_ids[] = {
+@@ -1314,13 +1314,9 @@ static int mmp_pdma_probe(struct platform_device *op)
+ pdev->device.directions = BIT(DMA_MEM_TO_DEV) | BIT(DMA_DEV_TO_MEM);
+ pdev->device.residue_granularity = DMA_RESIDUE_GRANULARITY_DESCRIPTOR;
+
+- /* Set DMA mask based on ops->dma_mask, or OF/platform */
+- if (pdev->ops->dma_mask)
+- dma_set_mask(pdev->dev, pdev->ops->dma_mask);
+- else if (pdev->dev->coherent_dma_mask)
+- dma_set_mask(pdev->dev, pdev->dev->coherent_dma_mask);
+- else
+- dma_set_mask(pdev->dev, DMA_BIT_MASK(64));
++ /* Set DMA mask based on controller hardware capabilities */
++ dma_set_mask_and_coherent(pdev->dev,
++ DMA_BIT_MASK(pdev->ops->dma_width));
+
+ ret = dma_async_device_register(&pdev->device);
+ if (ret) {
+--
+2.51.0
+
--- /dev/null
+From a88ef02bc732144972eeace0c6556c2abe3909ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 15:30:18 +0800
+Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
+
+The dma_pool created by dma_pool_create() is not destroyed when
+dma_async_device_register() or of_dma_controller_register() fails,
+causing a resource leak in the probe error paths.
+
+Add dma_pool_destroy() in both error paths to properly release the
+allocated dma_pool resource.
+
+Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/omap-dma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index 8c023c6e623a5..73ed4b7946304 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1808,6 +1808,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
+ rc);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ return rc;
+ }
+@@ -1823,6 +1825,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register DMA controller\n");
+ dma_async_device_unregister(&od->ddev);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ }
+ }
+--
+2.51.0
+
--- /dev/null
+From 2c44dea761eed0944c308c61710d14a15bc1c01a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 19:54:45 +0530
+Subject: dmaengine: tegra-adma: Fix use-after-free
+
+From: Sheetal <sheetal@nvidia.com>
+
+[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]
+
+A use-after-free bug exists in the Tegra ADMA driver when audio streams
+are terminated, particularly during XRUN conditions. The issue occurs
+when the DMA buffer is freed by tegra_adma_terminate_all() before the
+vchan completion tasklet finishes accessing it.
+
+The race condition follows this sequence:
+
+ 1. DMA transfer completes, triggering an interrupt that schedules the
+ completion tasklet (tasklet has not executed yet)
+ 2. Audio playback stops, calling tegra_adma_terminate_all() which
+ frees the DMA buffer memory via kfree()
+ 3. The scheduled tasklet finally executes, calling vchan_complete()
+ which attempts to access the already-freed memory
+
+Since tasklets can execute at any time after being scheduled, there is
+no guarantee that the buffer will remain valid when vchan_complete()
+runs.
+
+Fix this by properly synchronizing the virtual channel completion:
+ - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
+ descriptors as terminated instead of freeing the descriptor.
+ - Add the callback tegra_adma_synchronize() that calls
+ vchan_synchronize() which kills any pending tasklets and frees any
+ terminated descriptors.
+
+Crash logs:
+[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
+[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
+
+[ 337.427562] Call trace:
+[ 337.427564] dump_backtrace+0x0/0x320
+[ 337.427571] show_stack+0x20/0x30
+[ 337.427575] dump_stack_lvl+0x68/0x84
+[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
+[ 337.427590] kasan_report+0x1f4/0x210
+[ 337.427598] __asan_load8+0xa0/0xd0
+[ 337.427603] vchan_complete+0x124/0x3b0
+[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
+[ 337.427617] tasklet_action+0x30/0x40
+[ 337.427623] __do_softirq+0x1a0/0x5c4
+[ 337.427628] irq_exit+0x110/0x140
+[ 337.427633] handle_domain_irq+0xa4/0xe0
+[ 337.427640] gic_handle_irq+0x64/0x160
+[ 337.427644] call_on_irq_stack+0x20/0x4c
+[ 337.427649] do_interrupt_handler+0x7c/0x90
+[ 337.427654] el1_interrupt+0x30/0x80
+[ 337.427659] el1h_64_irq_handler+0x18/0x30
+[ 337.427663] el1h_64_irq+0x7c/0x80
+[ 337.427667] cpuidle_enter_state+0xe4/0x540
+[ 337.427674] cpuidle_enter+0x54/0x80
+[ 337.427679] do_idle+0x2e0/0x380
+[ 337.427685] cpu_startup_entry+0x2c/0x70
+[ 337.427690] rest_init+0x114/0x130
+[ 337.427695] arch_call_rest_init+0x18/0x24
+[ 337.427702] start_kernel+0x380/0x3b4
+[ 337.427706] __primary_switched+0xc0/0xc8
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sheetal <sheetal@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index fad896ff29a2d..812f64569e6d8 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -429,10 +429,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
+ return;
+ }
+
+- kfree(tdc->desc);
++ vchan_terminate_vdesc(&tdc->desc->vd);
+ tdc->desc = NULL;
+ }
+
++static void tegra_adma_synchronize(struct dma_chan *dc)
++{
++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc);
++
++ vchan_synchronize(&tdc->vc);
++}
++
+ static void tegra_adma_start(struct tegra_adma_chan *tdc)
+ {
+ struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc);
+@@ -1155,6 +1162,7 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ tdma->dma_dev.device_config = tegra_adma_slave_config;
+ tdma->dma_dev.device_tx_status = tegra_adma_tx_status;
+ tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all;
++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize;
+ tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
+--
+2.51.0
+
--- /dev/null
+From 664e7ac05f45daea74da0fb26b8ce378e2181bdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 17:48:49 +0200
+Subject: dmaengine: xilinx: xdma: Fix regmap max_register
+
+From: Anthony Brandon <anthony@amarulasolutions.com>
+
+[ Upstream commit c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 ]
+
+The max_register field is assigned the size of the register memory
+region instead of the offset of the last register.
+The result is that reading from the regmap via debugfs can cause
+a segmentation fault:
+
+tail /sys/kernel/debug/regmap/xdma.1.auto/registers
+Unable to handle kernel paging request at virtual address ffff800082f70000
+Mem abort info:
+ ESR = 0x0000000096000007
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x07: level 3 translation fault
+[...]
+Call trace:
+ regmap_mmio_read32le+0x10/0x30
+ _regmap_bus_reg_read+0x74/0xc0
+ _regmap_read+0x68/0x198
+ regmap_read+0x54/0x88
+ regmap_read_debugfs+0x140/0x380
+ regmap_map_read_file+0x30/0x48
+ full_proxy_read+0x68/0xc8
+ vfs_read+0xcc/0x310
+ ksys_read+0x7c/0x120
+ __arm64_sys_read+0x24/0x40
+ invoke_syscall.constprop.0+0x64/0x108
+ do_el0_svc+0xb0/0xd8
+ el0_svc+0x38/0x130
+ el0t_64_sync_handler+0x120/0x138
+ el0t_64_sync+0x194/0x198
+Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000)
+---[ end trace 0000000000000000 ]---
+note: tail[1217] exited with irqs disabled
+note: tail[1217] exited with preempt_count 1
+Segmentation fault
+
+Fixes: 17ce252266c7 ("dmaengine: xilinx: xdma: Add xilinx xdma driver")
+Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Anthony Brandon <anthony@amarulasolutions.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xdma-regs.h | 1 +
+ drivers/dma/xilinx/xdma.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/xdma-regs.h b/drivers/dma/xilinx/xdma-regs.h
+index 6ad08878e9386..70bca92621aa4 100644
+--- a/drivers/dma/xilinx/xdma-regs.h
++++ b/drivers/dma/xilinx/xdma-regs.h
+@@ -9,6 +9,7 @@
+
+ /* The length of register space exposed to host */
+ #define XDMA_REG_SPACE_LEN 65536
++#define XDMA_MAX_REG_OFFSET (XDMA_REG_SPACE_LEN - 4)
+
+ /*
+ * maximum number of DMA channels for each direction:
+diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c
+index 0d88b1a670e14..5ecf8223c112e 100644
+--- a/drivers/dma/xilinx/xdma.c
++++ b/drivers/dma/xilinx/xdma.c
+@@ -38,7 +38,7 @@ static const struct regmap_config xdma_regmap_config = {
+ .reg_bits = 32,
+ .val_bits = 32,
+ .reg_stride = 4,
+- .max_register = XDMA_REG_SPACE_LEN,
++ .max_register = XDMA_MAX_REG_OFFSET,
+ };
+
+ /**
+--
+2.51.0
+
--- /dev/null
+From a27d857a73fd224bbd87933bfa477daa6a1fb7f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 00:00:06 +0530
+Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when
+ "xlnx,addrwidth" property is missing
+
+From: Suraj Gupta <suraj.gupta2@amd.com>
+
+[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
+
+When device tree lacks optional "xlnx,addrwidth" property, the addr_width
+variable remained uninitialized with garbage values, causing incorrect
+DMA mask configuration and subsequent probe failure. The fix ensures a
+fallback to the default 32-bit address width when this property is missing.
+
+Signed-off-by: Suraj Gupta <suraj.gupta2@amd.com>
+Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Folker Schwesinger <dev@folker-schwesinger.de>
+Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index fabff602065f6..89a8254d9cdc6 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -131,6 +131,7 @@
+ #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
+ #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
+ #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
+
+ #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
+ (XILINX_DMA_DMASR_FRM_CNT_IRQ | \
+@@ -3159,7 +3160,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct device_node *node = pdev->dev.of_node;
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+- u32 num_frames, addr_width, len_width;
++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -3235,7 +3236,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
+ if (err < 0)
+- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
++ dev_warn(xdev->dev,
++ "missing xlnx,addrwidth property, using default value %d\n",
++ XILINX_DMA_DFAULT_ADDRWIDTH);
+
+ if (addr_width > 32)
+ xdev->ext_addr = true;
+--
+2.51.0
+
--- /dev/null
+From c1cbf7644efabf96b90826ae965c1155a653aaac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Jan 2026 13:18:04 -0600
+Subject: drivers/dax: add some missing kerneldoc comment fields for struct
+ dev_dax
+
+From: John Groves <John@Groves.net>
+
+[ Upstream commit 3e8e590fd65d0572584ab7bba89a35e6d19931f1 ]
+
+Add the missing @align and @memmap_on_memory fields to kerneldoc comment
+header for struct dev_dax.
+
+Also, some other fields were followed by '-' and others by ':'. Fix all
+to be ':' for actual kerneldoc compliance.
+
+Link: https://lkml.kernel.org/r/20260110191804.5739-1-john@groves.net
+Fixes: 33cf94d71766 ("device-dax: make align a per-device property")
+Fixes: 4eca0ef49af9 ("dax/kmem: allow kmem to add memory with memmap_on_memory")
+Signed-off-by: John Groves <john@groves.net>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Joao Martins <joao.m.martins@oracle.com>
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dax/dax-private.h | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dax/dax-private.h b/drivers/dax/dax-private.h
+index 0867115aeef2e..c6ae27c982f43 100644
+--- a/drivers/dax/dax-private.h
++++ b/drivers/dax/dax-private.h
+@@ -67,14 +67,16 @@ struct dev_dax_range {
+ /**
+ * struct dev_dax - instance data for a subdivision of a dax region, and
+ * data while the device is activated in the driver.
+- * @region - parent region
+- * @dax_dev - core dax functionality
++ * @region: parent region
++ * @dax_dev: core dax functionality
++ * @align: alignment of this instance
+ * @target_node: effective numa node if dev_dax memory range is onlined
+ * @dyn_id: is this a dynamic or statically created instance
+ * @id: ida allocated id when the dax_region is not static
+ * @ida: mapping id allocator
+- * @dev - device core
+- * @pgmap - pgmap for memmap setup / lifetime (driver owned)
++ * @dev: device core
++ * @pgmap: pgmap for memmap setup / lifetime (driver owned)
++ * @memmap_on_memory: allow kmem to put the memmap in the memory
+ * @nr_range: size of @ranges
+ * @ranges: range tuples of memory used
+ */
+--
+2.51.0
+
--- /dev/null
+From 4f32188314279e42a63e2aaa58f965c095bf087b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Dec 2025 08:59:16 -0600
+Subject: drm/amd/display: Show link name in PSR status message
+
+From: Mario Limonciello (AMD) <superm1@kernel.org>
+
+[ Upstream commit 0a1253ba5096f531eaaef40caa4c069da6ad48ae ]
+
+[Why]
+The PSR message was moved in commit 4321742c394e ("drm/amd/display:
+Move PSR support message into amdgpu_dm"). This message however shows
+for every single link without showing which link is which. This can
+send a confusing message to the user.
+
+[How]
+Add link name into the message.
+
+Fixes: 4321742c394e ("drm/amd/display: Move PSR support message into amdgpu_dm")
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Signed-off-by: Matthew Stewart <matthew.stewart2@amd.com>
+Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 99f77f6229c0766b980ae05affcf9f742d97de6a)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 7fe40bbba2658..f4381d44864f1 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -5545,7 +5545,8 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev)
+
+ if (psr_feature_enabled) {
+ amdgpu_dm_set_psr_caps(link);
+- drm_info(adev_to_drm(adev), "PSR support %d, DC PSR ver %d, sink PSR ver %d DPCD caps 0x%x su_y_granularity %d\n",
++ drm_info(adev_to_drm(adev), "%s: PSR support %d, DC PSR ver %d, sink PSR ver %d DPCD caps 0x%x su_y_granularity %d\n",
++ aconnector->base.name,
+ link->psr_settings.psr_feature_enabled,
+ link->psr_settings.psr_version,
+ link->dpcd_caps.psr_info.psr_version,
+--
+2.51.0
+
--- /dev/null
+From 244665f2104799a262cc8e6e2415a36819444eb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 14:42:40 +0800
+Subject: drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+[ Upstream commit 90dbc0bc2aa60021615969841fed06790c992bde ]
+
+resolving the issue of incorrect type definitions potentially causing calculation errors.
+
+Fixes: 54f7f3ca982a ("drm/amdgpu/swm14: Update power limit logic")
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit e3a03d0ae16d6b56e893cce8e52b44140e1ed985)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+index 086501cc5213b..e735da7ab6126 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+@@ -1701,8 +1701,9 @@ static int smu_v14_0_2_get_power_limit(struct smu_context *smu,
+ table_context->power_play_table;
+ PPTable_t *pptable = table_context->driver_pptable;
+ CustomSkuTable_t *skutable = &pptable->CustomSkuTable;
+- uint32_t power_limit, od_percent_upper = 0, od_percent_lower = 0;
++ int16_t od_percent_upper = 0, od_percent_lower = 0;
+ uint32_t msg_limit = pptable->SkuTable.MsgLimits.Power[PPT_THROTTLER_PPT0][POWER_SOURCE_AC];
++ uint32_t power_limit;
+
+ if (smu_v14_0_get_current_power_limit(smu, &power_limit))
+ power_limit = smu->adev->pm.ac_power ?
+--
+2.51.0
+
--- /dev/null
+From e5303c6e7b3d543406ca69b080450f4cac830a88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 10:37:12 +0800
+Subject: drm/amdgpu: fix drm panic null pointer when driver not support atomic
+
+From: Lu Yao <yaolu@kylinos.cn>
+
+[ Upstream commit 9cb6278b44c38899961b36d303d7b18b38be2a6e ]
+
+When driver not support atomic, fb using plane->fb rather than
+plane->state->fb.
+
+Fixes: fe151ed7af54 ("drm/amdgpu: add generic display panic helper code")
+Signed-off-by: Lu Yao <yaolu@kylinos.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+index 51bab32fd8c6f..2f416d12e2e7e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -1824,7 +1824,12 @@ int amdgpu_display_get_scanout_buffer(struct drm_plane *plane,
+ struct drm_scanout_buffer *sb)
+ {
+ struct amdgpu_bo *abo;
+- struct drm_framebuffer *fb = plane->state->fb;
++ struct drm_framebuffer *fb;
++
++ if (drm_drv_uses_atomic_modeset(plane->dev))
++ fb = plane->state->fb;
++ else
++ fb = plane->fb;
+
+ if (!fb)
+ return -EINVAL;
+--
+2.51.0
+
--- /dev/null
+From adef375ff138b3e719ee70f387c94503ad6ac20b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 16:14:53 +0530
+Subject: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit b2426a211dba6432e32a2e70e9183c6e134475c6 ]
+
+The user mode queue keeps a pointer to the most recent fence in
+userq->last_fence. This pointer holds an extra dma_fence reference.
+
+When the queue is destroyed, we free the fence driver and its xarray,
+but we forgot to drop the last_fence reference.
+
+Because of the missing dma_fence_put(), the last fence object can stay
+alive when the driver unloads. This leaves an allocated object in the
+amdgpu_userq_fence slab cache and triggers
+
+This is visible during driver unload as:
+
+ BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()
+ kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects
+ Call Trace:
+ kmem_cache_destroy
+ amdgpu_userq_fence_slab_fini
+ amdgpu_exit
+ __do_sys_delete_module
+
+Fix this by putting userq->last_fence and clearing the pointer during
+amdgpu_userq_fence_driver_free().
+
+This makes sure the fence reference is released and the slab cache is
+empty when the module exits.
+
+v2: Update to only release userq->last_fence with dma_fence_put()
+ (Christian)
+
+Fixes: edc762a51c71 ("drm/amdgpu/userq: move some code around")
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Christian König <christian.koenig@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+index 4d0096d0baa9d..53fe10931fab0 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+@@ -141,6 +141,8 @@ static void amdgpu_userq_walk_and_drop_fence_drv(struct xarray *xa)
+ void
+ amdgpu_userq_fence_driver_free(struct amdgpu_usermode_queue *userq)
+ {
++ dma_fence_put(userq->last_fence);
++
+ amdgpu_userq_walk_and_drop_fence_drv(&userq->fence_drv_xa);
+ xa_destroy(&userq->fence_drv_xa);
+ /* Drop the fence_drv reference held by user queue */
+--
+2.51.0
+
--- /dev/null
+From eb4543198341c39f004d99495ddd6d177f8f0031 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Jan 2026 16:53:18 -0500
+Subject: drm/amdkfd: No need to suspend whole MES to evict process
+
+From: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+
+[ Upstream commit 18dbcfb46f692e665c3fe3eee804e56c4eae53d6 ]
+
+Each queue of the process is individually removed and there is not need
+to suspend whole mes. Suspending mes stops kernel mode queues also
+causing unnecessary timeouts when running mixed work loads
+
+Fixes: 079ae5118e1f ("drm/amdkfd: fix suspend/resume all calls in mes based eviction path")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4765
+Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 3fd20580b96a6e9da65b94ac3b58ee288239b731)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+index 6e7bc983fc0b6..36fb3db16572a 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -1209,14 +1209,8 @@ static int evict_process_queues_cpsch(struct device_queue_manager *dqm,
+ pr_debug_ratelimited("Evicting process pid %d queues\n",
+ pdd->process->lead_thread->pid);
+
+- if (dqm->dev->kfd->shared_resources.enable_mes) {
++ if (dqm->dev->kfd->shared_resources.enable_mes)
+ pdd->last_evict_timestamp = get_jiffies_64();
+- retval = suspend_all_queues_mes(dqm);
+- if (retval) {
+- dev_err(dev, "Suspending all queues failed");
+- goto out;
+- }
+- }
+
+ /* Mark all queues as evicted. Deactivate all active queues on
+ * the qpd.
+@@ -1246,10 +1240,6 @@ static int evict_process_queues_cpsch(struct device_queue_manager *dqm,
+ KFD_UNMAP_QUEUES_FILTER_ALL_QUEUES :
+ KFD_UNMAP_QUEUES_FILTER_DYNAMIC_QUEUES, 0,
+ USE_DEFAULT_GRACE_PERIOD);
+- } else {
+- retval = resume_all_queues_mes(dqm);
+- if (retval)
+- dev_err(dev, "Resuming all queues failed");
+ }
+
+ out:
+--
+2.51.0
+
--- /dev/null
+From 36ffbe0a161928093369245b53a5b915033d4962 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 18:00:57 +0200
+Subject: drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit 14adddc65340f2034751c95616861c0e888e2bb1 ]
+
+After resume from suspend to RAM, the following splash is generated if
+the HDMI driver is probed (independent of a connected cable):
+
+[ 1194.484052] irq 80: nobody cared (try booting with the "irqpoll" option)
+[ 1194.484074] CPU: 0 UID: 0 PID: 627 Comm: rtcwake Not tainted 6.17.0-rc7-g96f1a11414b3 #1 PREEMPT
+[ 1194.484082] Hardware name: Rockchip RK3576 EVB V10 Board (DT)
+[ 1194.484085] Call trace:
+[ 1194.484087] ... (stripped)
+[ 1194.484283] handlers:
+[ 1194.484285] [<00000000bc363dcb>] dw_hdmi_qp_main_hardirq [dw_hdmi_qp]
+[ 1194.484302] Disabling IRQ #80
+
+Apparently the HDMI IP is losing part of its state while the system
+is suspended and generates spurious interrupts during resume. The
+bug has not yet been noticed, as system suspend does not yet work
+properly on upstream kernel with either the Rockchip RK3588 or RK3576
+platform.
+
+Fixes: 128a9bf8ace2 ("drm/rockchip: Add basic RK3588 HDMI output support")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patch.msgid.link/20251014-rockchip-hdmi-suspend-fix-v1-1-983fcbf44839@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c | 9 +++++++++
+ drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c | 12 +++++++++++-
+ include/drm/bridge/dw_hdmi_qp.h | 1 +
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+index 39332c57f2c54..c85eb340e5a35 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+@@ -143,6 +143,7 @@ struct dw_hdmi_qp {
+ } phy;
+
+ struct regmap *regm;
++ int main_irq;
+
+ unsigned long tmds_char_rate;
+ };
+@@ -1068,6 +1069,7 @@ struct dw_hdmi_qp *dw_hdmi_qp_bind(struct platform_device *pdev,
+
+ dw_hdmi_qp_init_hw(hdmi);
+
++ hdmi->main_irq = plat_data->main_irq;
+ ret = devm_request_threaded_irq(dev, plat_data->main_irq,
+ dw_hdmi_qp_main_hardirq, NULL,
+ IRQF_SHARED, dev_name(dev), hdmi);
+@@ -1106,9 +1108,16 @@ struct dw_hdmi_qp *dw_hdmi_qp_bind(struct platform_device *pdev,
+ }
+ EXPORT_SYMBOL_GPL(dw_hdmi_qp_bind);
+
++void dw_hdmi_qp_suspend(struct device *dev, struct dw_hdmi_qp *hdmi)
++{
++ disable_irq(hdmi->main_irq);
++}
++EXPORT_SYMBOL_GPL(dw_hdmi_qp_suspend);
++
+ void dw_hdmi_qp_resume(struct device *dev, struct dw_hdmi_qp *hdmi)
+ {
+ dw_hdmi_qp_init_hw(hdmi);
++ enable_irq(hdmi->main_irq);
+ }
+ EXPORT_SYMBOL_GPL(dw_hdmi_qp_resume);
+
+diff --git a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
+index ed6e8f036f4b3..9ac45e7bc987a 100644
+--- a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
+@@ -597,6 +597,15 @@ static void dw_hdmi_qp_rockchip_remove(struct platform_device *pdev)
+ component_del(&pdev->dev, &dw_hdmi_qp_rockchip_ops);
+ }
+
++static int __maybe_unused dw_hdmi_qp_rockchip_suspend(struct device *dev)
++{
++ struct rockchip_hdmi_qp *hdmi = dev_get_drvdata(dev);
++
++ dw_hdmi_qp_suspend(dev, hdmi->hdmi);
++
++ return 0;
++}
++
+ static int __maybe_unused dw_hdmi_qp_rockchip_resume(struct device *dev)
+ {
+ struct rockchip_hdmi_qp *hdmi = dev_get_drvdata(dev);
+@@ -612,7 +621,8 @@ static int __maybe_unused dw_hdmi_qp_rockchip_resume(struct device *dev)
+ }
+
+ static const struct dev_pm_ops dw_hdmi_qp_rockchip_pm = {
+- SET_SYSTEM_SLEEP_PM_OPS(NULL, dw_hdmi_qp_rockchip_resume)
++ SET_SYSTEM_SLEEP_PM_OPS(dw_hdmi_qp_rockchip_suspend,
++ dw_hdmi_qp_rockchip_resume)
+ };
+
+ struct platform_driver dw_hdmi_qp_rockchip_pltfm_driver = {
+diff --git a/include/drm/bridge/dw_hdmi_qp.h b/include/drm/bridge/dw_hdmi_qp.h
+index e9be6d507ad9c..8955450663e53 100644
+--- a/include/drm/bridge/dw_hdmi_qp.h
++++ b/include/drm/bridge/dw_hdmi_qp.h
+@@ -28,5 +28,6 @@ struct dw_hdmi_qp_plat_data {
+ struct dw_hdmi_qp *dw_hdmi_qp_bind(struct platform_device *pdev,
+ struct drm_encoder *encoder,
+ const struct dw_hdmi_qp_plat_data *plat_data);
++void dw_hdmi_qp_suspend(struct device *dev, struct dw_hdmi_qp *hdmi);
+ void dw_hdmi_qp_resume(struct device *dev, struct dw_hdmi_qp *hdmi);
+ #endif /* __DW_HDMI_QP__ */
+--
+2.51.0
+
--- /dev/null
+From 740d14dc3be17f41142fd8a7b683a4293581d23a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 14:41:13 +0800
+Subject: drm/rockchip: vop2: Add delay between poll registers
+
+From: Andy Yan <andy.yan@rock-chips.com>
+
+[ Upstream commit 9fae82450d8a5f9c8fa016cd15186e975609b2ac ]
+
+According to the implementation of read_poll_timeout_atomic, if the
+delay time is 0, it will only use a simple loop based on timeout_us to
+decrement the count. Therefore, the final timeout time will differ
+significantly from the set timeout time. So, here we set a specific
+delay time to ensure that the calculation of the timeout duration
+is accurate.
+
+Fixes: 3e89a8c68354 ("drm/rockchip: vop2: Fix the update of LAYER/PORT select registers when there are multi display output on rk3588/rk3568")
+Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patch.msgid.link/20250718064120.8811-1-andyshrk@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+index cd8380f0eddc8..855386a6a9f5c 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
++++ b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+@@ -2104,7 +2104,7 @@ static void rk3568_vop2_wait_for_port_mux_done(struct vop2 *vop2)
+ * Spin until the previous port_mux figuration is done.
+ */
+ ret = readx_poll_timeout_atomic(rk3568_vop2_read_port_mux, vop2, port_mux_sel,
+- port_mux_sel == vop2->old_port_sel, 0, 50 * 1000);
++ port_mux_sel == vop2->old_port_sel, 10, 50 * 1000);
+ if (ret)
+ DRM_DEV_ERROR(vop2->dev, "wait port_mux done timeout: 0x%x--0x%x\n",
+ port_mux_sel, vop2->old_port_sel);
+@@ -2124,7 +2124,7 @@ static void rk3568_vop2_wait_for_layer_cfg_done(struct vop2 *vop2, u32 cfg)
+ * Spin until the previous layer configuration is done.
+ */
+ ret = readx_poll_timeout_atomic(rk3568_vop2_read_layer_cfg, vop2, atv_layer_cfg,
+- atv_layer_cfg == cfg, 0, 50 * 1000);
++ atv_layer_cfg == cfg, 10, 50 * 1000);
+ if (ret)
+ DRM_DEV_ERROR(vop2->dev, "wait layer cfg done timeout: 0x%x--0x%x\n",
+ atv_layer_cfg, cfg);
+--
+2.51.0
+
--- /dev/null
+From 09560dbe2fdb16621fe3de84bb3f932ce6a7d078 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 14:41:14 +0800
+Subject: drm/rockchip: vop2: Only wait for changed layer cfg done when there
+ is pending cfgdone bits
+
+From: Andy Yan <andy.yan@rock-chips.com>
+
+[ Upstream commit 7f6721b767e219343cfe9a894f5bd869ff5b9d3a ]
+
+The write of cfgdone bits always done at .atomic_flush.
+When userspace makes plane zpos changes of two crtc within one commit,
+at the .atomic_begin stage, crtcN will never receive the "layer change
+cfg done" event of crtcM because crtcM has not yet written "cfgdone".
+So only wait when there is pending cfgdone bits to avoid long timeout.
+
+Fixes: 3e89a8c68354 ("drm/rockchip: vop2: Fix the update of LAYER/PORT select registers when there are multi display output on rk3588/rk3568")
+Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patch.msgid.link/20250718064120.8811-2-andyshrk@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+index 855386a6a9f5c..f3950e8476a75 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
++++ b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+@@ -2144,6 +2144,7 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
+ u8 layer_sel_id;
+ unsigned int ofs;
+ u32 ovl_ctrl;
++ u32 cfg_done;
+ int i;
+ struct vop2_video_port *vp0 = &vop2->vps[0];
+ struct vop2_video_port *vp1 = &vop2->vps[1];
+@@ -2298,8 +2299,16 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
+ rk3568_vop2_wait_for_port_mux_done(vop2);
+ }
+
+- if (layer_sel != old_layer_sel && atv_layer_sel != old_layer_sel)
+- rk3568_vop2_wait_for_layer_cfg_done(vop2, vop2->old_layer_sel);
++ if (layer_sel != old_layer_sel && atv_layer_sel != old_layer_sel) {
++ cfg_done = vop2_readl(vop2, RK3568_REG_CFG_DONE);
++ cfg_done &= (BIT(vop2->data->nr_vps) - 1);
++ cfg_done &= ~BIT(vp->id);
++ /*
++ * Changes of other VPs' overlays have not taken effect
++ */
++ if (cfg_done)
++ rk3568_vop2_wait_for_layer_cfg_done(vop2, vop2->old_layer_sel);
++ }
+
+ vop2_writel(vop2, RK3568_OVL_LAYER_SEL, layer_sel);
+ mutex_unlock(&vop2->ovl_lock);
+--
+2.51.0
+
--- /dev/null
+From e739984d2b5490587cf37e91c153d18dbfd2393a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Nov 2025 14:37:03 -0600
+Subject: drm/vmwgfx: Fix KMS with 3D on HW version 10
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit d9186faeae6efb7d0841a5e8eb213ff4c7966614 ]
+
+HW version 10 does not have GB Surfaces so there is no backing buffer for
+surface backed FBs. This would result in a nullptr dereference and crash
+the driver causing a black screen.
+
+Fixes: 965544150d1c ("drm/vmwgfx: Refactor cursor handling")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patch.msgid.link/20251114203703.1946616-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+index 54ea1b513950a..535d844191e7a 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -763,13 +763,15 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev,
+ return ERR_PTR(ret);
+ }
+
+- ttm_bo_reserve(&bo->tbo, false, false, NULL);
+- ret = vmw_bo_dirty_add(bo);
+- if (!ret && surface && surface->res.func->dirty_alloc) {
+- surface->res.coherent = true;
+- ret = surface->res.func->dirty_alloc(&surface->res);
++ if (bo) {
++ ttm_bo_reserve(&bo->tbo, false, false, NULL);
++ ret = vmw_bo_dirty_add(bo);
++ if (!ret && surface && surface->res.func->dirty_alloc) {
++ surface->res.coherent = true;
++ ret = surface->res.func->dirty_alloc(&surface->res);
++ }
++ ttm_bo_unreserve(&bo->tbo);
+ }
+- ttm_bo_unreserve(&bo->tbo);
+
+ return &vfb->base;
+ }
+--
+2.51.0
+
--- /dev/null
+From 7af5e46694e58918445daf8535f96730de70dacb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jan 2026 09:20:59 -0600
+Subject: drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit 37a0cff4551c14aca4cfa6ef3f2f0e0f61d66825 ]
+
+Some of the warnings need to be reordered between these two functions
+in order to be correct. This has happened multiple times.
+Merging them solves this problem once and for all.
+
+Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patch.msgid.link/20260107152059.3048329-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 22 ++++++++--------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+index f031a312c7835..b22887e8c8815 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+@@ -32,9 +32,15 @@
+
+ #include <drm/ttm/ttm_placement.h>
+
+-static void vmw_bo_release(struct vmw_bo *vbo)
++/**
++ * vmw_bo_free - vmw_bo destructor
++ *
++ * @bo: Pointer to the embedded struct ttm_buffer_object
++ */
++static void vmw_bo_free(struct ttm_buffer_object *bo)
+ {
+ struct vmw_resource *res;
++ struct vmw_bo *vbo = to_vmw_bo(&bo->base);
+
+ WARN_ON(kref_read(&vbo->tbo.base.refcount) != 0);
+ vmw_bo_unmap(vbo);
+@@ -62,20 +68,8 @@ static void vmw_bo_release(struct vmw_bo *vbo)
+ }
+ vmw_surface_unreference(&vbo->dumb_surface);
+ }
+- drm_gem_object_release(&vbo->tbo.base);
+-}
+-
+-/**
+- * vmw_bo_free - vmw_bo destructor
+- *
+- * @bo: Pointer to the embedded struct ttm_buffer_object
+- */
+-static void vmw_bo_free(struct ttm_buffer_object *bo)
+-{
+- struct vmw_bo *vbo = to_vmw_bo(&bo->base);
+-
+ WARN_ON(!RB_EMPTY_ROOT(&vbo->res_tree));
+- vmw_bo_release(vbo);
++ drm_gem_object_release(&vbo->tbo.base);
+ WARN_ON(vbo->dirty);
+ kfree(vbo);
+ }
+--
+2.51.0
+
--- /dev/null
+From d06d5ddc5ab1e6fdab76087e1ed55ae2c561d3e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 10:38:25 +0000
+Subject: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9a6f0c4d5796ab89b5a28a890ce542344d58bd69 ]
+
+syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()
+in an interesting way [1]
+
+Crash happens in list_del_init()/INIT_LIST_HEAD() while writing
+list->prev, while the prior write on list->next went well.
+
+static inline void INIT_LIST_HEAD(struct list_head *list)
+{
+ WRITE_ONCE(list->next, list); // This went well
+ WRITE_ONCE(list->prev, list); // Crash, @list has been freed.
+}
+
+Issue here is that rt6_uncached_list_del() did not attempt to lock
+ul->lock, as list_empty(&rt->dst.rt_uncached) returned
+true because the WRITE_ONCE(list->next, list) happened on the other CPU.
+
+We might use list_del_init_careful() and list_empty_careful(),
+or make sure rt6_uncached_list_del() always grabs the spinlock
+whenever rt->dst.rt_uncached_list has been set.
+
+A similar fix is neeed for IPv4.
+
+[1]
+
+ BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]
+ BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]
+ BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
+ BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
+Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450
+
+CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: netns cleanup_net
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ INIT_LIST_HEAD include/linux/list.h:46 [inline]
+ list_del_init include/linux/list.h:296 [inline]
+ rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
+ rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
+ addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853
+ addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1
+ notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
+ call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
+ call_netdevice_notifiers net/core/dev.c:2282 [inline]
+ netif_close_many+0x29c/0x410 net/core/dev.c:1785
+ unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353
+ ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
+ ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248
+ cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+ </TASK>
+
+Allocated by task 803:
+ kasan_save_stack mm/kasan/common.c:57 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
+ unpoison_slab_object mm/kasan/common.c:340 [inline]
+ __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
+ kasan_slab_alloc include/linux/kasan.h:253 [inline]
+ slab_post_alloc_hook mm/slub.c:4953 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
+ dst_alloc+0x105/0x170 net/core/dst.c:89
+ ip6_dst_alloc net/ipv6/route.c:342 [inline]
+ icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
+ mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Freed by task 20:
+ kasan_save_stack mm/kasan/common.c:57 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
+ kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
+ poison_slab_object mm/kasan/common.c:253 [inline]
+ __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
+ kasan_slab_free include/linux/kasan.h:235 [inline]
+ slab_free_hook mm/slub.c:2540 [inline]
+ slab_free mm/slub.c:6670 [inline]
+ kmem_cache_free+0x18f/0x8d0 mm/slub.c:6781
+ dst_destroy+0x235/0x350 net/core/dst.c:121
+ rcu_do_batch kernel/rcu/tree.c:2605 [inline]
+ rcu_core kernel/rcu/tree.c:2857 [inline]
+ rcu_cpu_kthread+0xba5/0x1af0 kernel/rcu/tree.c:2945
+ smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Last potentially related work creation:
+ kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
+ kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
+ __call_rcu_common kernel/rcu/tree.c:3119 [inline]
+ call_rcu+0xee/0x890 kernel/rcu/tree.c:3239
+ refdst_drop include/net/dst.h:266 [inline]
+ skb_dst_drop include/net/dst.h:278 [inline]
+ skb_release_head_state+0x71/0x360 net/core/skbuff.c:1156
+ skb_release_all net/core/skbuff.c:1180 [inline]
+ __kfree_skb net/core/skbuff.c:1196 [inline]
+ sk_skb_reason_drop+0xe9/0x170 net/core/skbuff.c:1234
+ kfree_skb_reason include/linux/skbuff.h:1322 [inline]
+ tcf_kfree_skb_list include/net/sch_generic.h:1127 [inline]
+ __dev_xmit_skb net/core/dev.c:4260 [inline]
+ __dev_queue_xmit+0x26aa/0x3210 net/core/dev.c:4785
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+The buggy address belongs to the object at ffff8880294cfa00
+ which belongs to the cache ip6_dst_cache of size 232
+The buggy address is located 120 bytes inside of
+ freed 232-byte region [ffff8880294cfa00, ffff8880294cfae8)
+
+The buggy address belongs to the physical page:
+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x294cf
+memcg:ffff88803536b781
+flags: 0x80000000000000(node=0|zone=1)
+page_type: f5(slab)
+raw: 0080000000000000 ffff88802ff1c8c0 ffffea0000bf2bc0 dead000000000006
+raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88803536b781
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 9, tgid 9 (kworker/0:0), ts 91119585830, free_ts 91088628818
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
+ prep_new_page mm/page_alloc.c:1865 [inline]
+ get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
+ __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
+ alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
+ alloc_slab_page mm/slub.c:3075 [inline]
+ allocate_slab+0x86/0x3b0 mm/slub.c:3248
+ new_slab mm/slub.c:3302 [inline]
+ ___slab_alloc+0xb10/0x13e0 mm/slub.c:4656
+ __slab_alloc+0xc6/0x1f0 mm/slub.c:4779
+ __slab_alloc_node mm/slub.c:4855 [inline]
+ slab_alloc_node mm/slub.c:5251 [inline]
+ kmem_cache_alloc_noprof+0x101/0x6c0 mm/slub.c:5270
+ dst_alloc+0x105/0x170 net/core/dst.c:89
+ ip6_dst_alloc net/ipv6/route.c:342 [inline]
+ icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
+ mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+page last free pid 5859 tgid 5859 stack trace:
+ reset_page_owner include/linux/page_owner.h:25 [inline]
+ free_pages_prepare mm/page_alloc.c:1406 [inline]
+ __free_frozen_pages+0xfe1/0x1170 mm/page_alloc.c:2943
+ discard_slab mm/slub.c:3346 [inline]
+ __put_partials+0x149/0x170 mm/slub.c:3886
+ __slab_free+0x2af/0x330 mm/slub.c:5952
+ qlink_free mm/kasan/quarantine.c:163 [inline]
+ qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
+ kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
+ __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
+ kasan_slab_alloc include/linux/kasan.h:253 [inline]
+ slab_post_alloc_hook mm/slub.c:4953 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
+ getname_flags+0xb8/0x540 fs/namei.c:146
+ getname include/linux/fs.h:2498 [inline]
+ do_sys_openat2+0xbc/0x200 fs/open.c:1426
+ do_sys_open fs/open.c:1436 [inline]
+ __do_sys_openat fs/open.c:1452 [inline]
+ __se_sys_openat fs/open.c:1447 [inline]
+ __x64_sys_openat+0x138/0x170 fs/open.c:1447
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
+
+Fixes: 8d0b94afdca8 ("ipv6: Keep track of DST_NOCACHE routes in case of iface down/unregister")
+Fixes: 78df76a065ae ("ipv4: take rt_uncached_lock only if needed")
+Reported-by: syzbot+179fc225724092b8b2b2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6964cdf2.050a0220.eaf7.009d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20260112103825.3810713-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dst.c | 1 +
+ net/ipv4/route.c | 4 ++--
+ net/ipv6/route.c | 4 ++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/dst.c b/net/core/dst.c
+index e9d35f49c9e78..1dae26c51ebec 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -68,6 +68,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops,
+ dst->lwtstate = NULL;
+ rcuref_init(&dst->__rcuref, 1);
+ INIT_LIST_HEAD(&dst->rt_uncached);
++ dst->rt_uncached_list = NULL;
+ dst->__use = 0;
+ dst->lastuse = jiffies;
+ dst->flags = flags;
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index b549d6a573073..11d990703d31a 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1537,9 +1537,9 @@ void rt_add_uncached_list(struct rtable *rt)
+
+ void rt_del_uncached_list(struct rtable *rt)
+ {
+- if (!list_empty(&rt->dst.rt_uncached)) {
+- struct uncached_list *ul = rt->dst.rt_uncached_list;
++ struct uncached_list *ul = rt->dst.rt_uncached_list;
+
++ if (ul) {
+ spin_lock_bh(&ul->lock);
+ list_del_init(&rt->dst.rt_uncached);
+ spin_unlock_bh(&ul->lock);
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index a3e051dc66ee0..e3a260a5564ba 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -148,9 +148,9 @@ void rt6_uncached_list_add(struct rt6_info *rt)
+
+ void rt6_uncached_list_del(struct rt6_info *rt)
+ {
+- if (!list_empty(&rt->dst.rt_uncached)) {
+- struct uncached_list *ul = rt->dst.rt_uncached_list;
++ struct uncached_list *ul = rt->dst.rt_uncached_list;
+
++ if (ul) {
+ spin_lock_bh(&ul->lock);
+ list_del_init(&rt->dst.rt_uncached);
+ spin_unlock_bh(&ul->lock);
+--
+2.51.0
+
--- /dev/null
+From fb553ddd20056ed96dba427448adf58199d16764 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 11:00:30 +0800
+Subject: i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume
+ progress
+
+From: Carlos Song <carlos.song@nxp.com>
+
+[ Upstream commit f2a3f51365bf672dab4b58d1e8954926a9196b44 ]
+
+EDMA resumes early and suspends late in the system power transition
+sequence, while LPI2C enters the NOIRQ stage for both suspend and resume.
+This means LPI2C resources become available before EDMA is fully resumed.
+Once IRQs are enabled, a slave device may immediately trigger an LPI2C
+transfer. If the transfer length meets DMA requirements, the driver will
+attempt to use EDMA even though EDMA may still be unavailable.
+
+This timing gap can lead to transfer failures. To prevent this, force
+LPI2C to use PIO mode during system-wide suspend and resume transitions.
+This reduces dependency on EDMA and avoids using an unready DMA resource.
+
+Fixes: a09c8b3f9047 ("i2c: imx-lpi2c: add eDMA mode support for LPI2C")
+Signed-off-by: Carlos Song <carlos.song@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
+index 2a0962a0b4417..d882126c1778c 100644
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -592,6 +592,13 @@ static bool is_use_dma(struct lpi2c_imx_struct *lpi2c_imx, struct i2c_msg *msg)
+ if (!lpi2c_imx->can_use_dma)
+ return false;
+
++ /*
++ * A system-wide suspend or resume transition is in progress. LPI2C should use PIO to
++ * transfer data to avoid issue caused by no ready DMA HW resource.
++ */
++ if (pm_suspend_in_progress())
++ return false;
++
+ /*
+ * When the length of data is less than I2C_DMA_THRESHOLD,
+ * cpu mode is used directly to avoid low performance.
+--
+2.51.0
+
--- /dev/null
+From 65a9c428e0e22b1fbe6d8524dbc194d57d4e335b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Oct 2025 19:07:42 +0100
+Subject: i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit c0c50e3743e467ec4752c638e10e97f89c8644e2 ]
+
+The I2C Hub controller is a simpler GENI I2C variant that doesn't
+support DMA at all, add a no_dma flag to make sure it nevers selects
+the SE DMA mode with mappable 32bytes long transfers.
+
+Fixes: cacd9643eca7 ("i2c: qcom-geni: add support for I2C Master Hub variant")
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Mukesh Kumar Savaliya <mukesh.savaliya@oss.qualcomm.com>>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-qcom-geni.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
+index 43fdd89b8bebc..bfb352b04902c 100644
+--- a/drivers/i2c/busses/i2c-qcom-geni.c
++++ b/drivers/i2c/busses/i2c-qcom-geni.c
+@@ -97,6 +97,7 @@ struct geni_i2c_dev {
+ dma_addr_t dma_addr;
+ struct dma_chan *tx_c;
+ struct dma_chan *rx_c;
++ bool no_dma;
+ bool gpi_mode;
+ bool abort_done;
+ };
+@@ -425,7 +426,7 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
+ size_t len = msg->len;
+ struct i2c_msg *cur;
+
+- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
+ if (dma_buf)
+ geni_se_select_mode(se, GENI_SE_DMA);
+ else
+@@ -464,7 +465,7 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
+ size_t len = msg->len;
+ struct i2c_msg *cur;
+
+- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
+ if (dma_buf)
+ geni_se_select_mode(se, GENI_SE_DMA);
+ else
+@@ -880,10 +881,12 @@ static int geni_i2c_probe(struct platform_device *pdev)
+ goto err_resources;
+ }
+
+- if (desc && desc->no_dma_support)
++ if (desc && desc->no_dma_support) {
+ fifo_disable = false;
+- else
++ gi2c->no_dma = true;
++ } else {
+ fifo_disable = readl_relaxed(gi2c->se.base + GENI_IF_DISABLE_RO) & FIFO_IF_DISABLE;
++ }
+
+ if (fifo_disable) {
+ /* FIFO is disabled, so we can only use GPI DMA */
+--
+2.51.0
+
--- /dev/null
+From 5c5b923c2f0a8daf456a3de259ced97d32510c16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jan 2026 16:31:09 +0000
+Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]
+
+Blamed commit did not take care of VLAN encapsulations
+as spotted by syzbot [1].
+
+Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
+
+[1]
+ BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
+ __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
+ ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
+ gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
+ ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
+ ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
+ ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
+ dst_input include/net/dst.h:474 [inline]
+ ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
+ __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
+ __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
+ netif_receive_skb_internal net/core/dev.c:6338 [inline]
+ netif_receive_skb+0x57/0x630 net/core/dev.c:6397
+ tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
+ tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4960 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
+ kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
+ __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
+ alloc_skb include/linux/skbuff.h:1383 [inline]
+ alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
+ sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
+ tun_alloc_skb drivers/net/tun.c:1461 [inline]
+ tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+
+Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index 6405072050e0e..c1f39735a2367 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -844,7 +844,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
+
+ skb_reset_network_header(skb);
+
+- if (!pskb_inet_may_pull(skb)) {
++ if (skb_vlan_inet_prepare(skb, true)) {
+ DEV_STATS_INC(tunnel->dev, rx_length_errors);
+ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto drop;
+--
+2.51.0
+
--- /dev/null
+From 1ef4263ff3ab282ccd61b6d14426f9af251f73c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 19:02:14 +0000
+Subject: ipv4: ip_gre: make ipgre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
+
+Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+
+Over the years, syzbot found many ways to crash the kernel
+in ipgre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ipgre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
+ kernel BUG at net/core/skbuff.c:213 !
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: mld mld_ifc_work
+ RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
+Call Trace:
+ <TASK>
+ skb_under_panic net/core/skbuff.c:223 [inline]
+ skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+ ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
+ dev_hard_header include/linux/netdevice.h:3436 [inline]
+ neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
+Closes: https://www.spinics.net/lists/netdev/msg1147302.html
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 8178c44a3cdd4..e13244729ad8d 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -891,10 +891,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ const void *daddr, const void *saddr, unsigned int len)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct iphdr *iph;
+ struct gre_base_hdr *greh;
++ struct iphdr *iph;
++ int needed;
++
++ needed = t->hlen + sizeof(*iph);
++ if (skb_headroom(skb) < needed &&
++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++ 0, GFP_ATOMIC))
++ return -needed;
+
+- iph = skb_push(skb, t->hlen + sizeof(*iph));
++ iph = skb_push(skb, needed);
+ greh = (struct gre_base_hdr *)(iph+1);
+ greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
+ greh->protocol = htons(type);
+--
+2.51.0
+
--- /dev/null
+From 2fccc0ee7eeb8f7f6d40004d0b964e41f7e8a129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 17:24:26 +0000
+Subject: ipv4: ip_tunnel: spread netdev_lockdep_set_classes()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 872ac785e7680dac9ec7f8c5ccd4f667f49d6997 ]
+
+Inspired by yet another syzbot report.
+
+IPv6 tunnels call netdev_lockdep_set_classes() for each tunnel type,
+while IPv4 currently centralizes netdev_lockdep_set_classes() call from
+ip_tunnel_init().
+
+Make ip_tunnel_init() a macro, so that we have different lockdep
+classes per tunnel type.
+
+Fixes: 0bef512012b1 ("net: add netdev_lockdep_set_classes() to virtual drivers")
+Reported-by: syzbot+1240b33467289f5ab50b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695d439f.050a0220.1c677c.0347.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260106172426.1760721-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_tunnels.h | 13 ++++++++++++-
+ net/ipv4/ip_tunnel.c | 5 ++---
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index ecae35512b9b4..4021e6a73e32b 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -19,6 +19,7 @@
+ #include <net/rtnetlink.h>
+ #include <net/lwtunnel.h>
+ #include <net/dst_cache.h>
++#include <net/netdev_lock.h>
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ #include <net/ipv6.h>
+@@ -372,7 +373,17 @@ static inline void ip_tunnel_init_flow(struct flowi4 *fl4,
+ fl4->flowi4_flags = flow_flags;
+ }
+
+-int ip_tunnel_init(struct net_device *dev);
++int __ip_tunnel_init(struct net_device *dev);
++#define ip_tunnel_init(DEV) \
++({ \
++ struct net_device *__dev = (DEV); \
++ int __res = __ip_tunnel_init(__dev); \
++ \
++ if (!__res) \
++ netdev_lockdep_set_classes(__dev);\
++ __res; \
++})
++
+ void ip_tunnel_uninit(struct net_device *dev);
+ void ip_tunnel_dellink(struct net_device *dev, struct list_head *head);
+ struct net *ip_tunnel_get_link_net(const struct net_device *dev);
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index 158a30ae7c5f2..50d0f5fe4e4c6 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -1281,7 +1281,7 @@ int ip_tunnel_changelink(struct net_device *dev, struct nlattr *tb[],
+ }
+ EXPORT_SYMBOL_GPL(ip_tunnel_changelink);
+
+-int ip_tunnel_init(struct net_device *dev)
++int __ip_tunnel_init(struct net_device *dev)
+ {
+ struct ip_tunnel *tunnel = netdev_priv(dev);
+ struct iphdr *iph = &tunnel->parms.iph;
+@@ -1308,10 +1308,9 @@ int ip_tunnel_init(struct net_device *dev)
+
+ if (tunnel->collect_md)
+ netif_keep_dst(dev);
+- netdev_lockdep_set_classes(dev);
+ return 0;
+ }
+-EXPORT_SYMBOL_GPL(ip_tunnel_init);
++EXPORT_SYMBOL_GPL(__ip_tunnel_init);
+
+ void ip_tunnel_uninit(struct net_device *dev)
+ {
+--
+2.51.0
+
--- /dev/null
+From 3cb2e995f30d07952308bf251ed0932e3d9f5e12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 01:05:08 +0000
+Subject: ipv6: Fix use-after-free in inet6_addr_del().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ]
+
+syzbot reported use-after-free of inet6_ifaddr in
+inet6_addr_del(). [0]
+
+The cited commit accidentally moved ipv6_del_addr() for
+mngtmpaddr before reading its ifp->flags for temporary
+addresses in inet6_addr_del().
+
+Let's move ipv6_del_addr() down to fix the UAF.
+
+[0]:
+BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593
+
+CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+ addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
+ inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f164cf8f749
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749
+RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003
+RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288
+ </TASK>
+
+Allocated by task 9593:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
+ kmalloc_noprof include/linux/slab.h:957 [inline]
+ kzalloc_noprof include/linux/slab.h:1094 [inline]
+ ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
+ inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
+ addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
+ inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6099:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
+ poison_slab_object mm/kasan/common.c:252 [inline]
+ __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
+ kasan_slab_free include/linux/kasan.h:234 [inline]
+ slab_free_hook mm/slub.c:2540 [inline]
+ slab_free_freelist_hook mm/slub.c:2569 [inline]
+ slab_free_bulk mm/slub.c:6696 [inline]
+ kmem_cache_free_bulk mm/slub.c:7383 [inline]
+ kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
+ kfree_bulk include/linux/slab.h:830 [inline]
+ kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
+ kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
+ kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
+ process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
+ process_scheduled_works kernel/workqueue.c:3340 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
+ kthread+0x3c5/0x780 kernel/kthread.c:463
+ ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: 00b5b7aab9e42 ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged")
+Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 40e9c336f6c55..cad5e4ab8c3db 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3112,12 +3112,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags,
+ in6_ifa_hold(ifp);
+ read_unlock_bh(&idev->lock);
+
+- ipv6_del_addr(ifp);
+-
+ if (!(ifp->flags & IFA_F_TEMPORARY) &&
+ (ifp->flags & IFA_F_MANAGETEMPADDR))
+ delete_tempaddrs(idev, ifp);
+
++ ipv6_del_addr(ifp);
++
+ addrconf_verify_rtnl(net);
+ if (ipv6_addr_is_multicast(pfx)) {
+ ipv6_mc_config(net->ipv6.mc_autojoin_sk,
+--
+2.51.0
+
--- /dev/null
+From b0b0f0a417cec3a60914bab05452163a9acb5424 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 20:07:26 +0100
+Subject: landlock: Fix TCP handling of short AF_UNSPEC addresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthieu Buffet <matthieu@buffet.re>
+
+[ Upstream commit e4d82cbce2258f454634307fdabf33aa46b61ab0 ]
+
+current_check_access_socket() treats AF_UNSPEC addresses as
+AF_INET ones, and only later adds special case handling to
+allow connect(AF_UNSPEC), and on IPv4 sockets
+bind(AF_UNSPEC+INADDR_ANY).
+This would be fine except AF_UNSPEC addresses can be as
+short as a bare AF_UNSPEC sa_family_t field, and nothing
+more. The AF_INET code path incorrectly enforces a length of
+sizeof(struct sockaddr_in) instead.
+
+Move AF_UNSPEC edge case handling up inside the switch-case,
+before the address is (potentially incorrectly) treated as
+AF_INET.
+
+Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
+Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
+Link: https://lore.kernel.org/r/20251027190726.626244-4-matthieu@buffet.re
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/landlock/net.c | 118 +++++++++++++++++++++++-----------------
+ 1 file changed, 67 insertions(+), 51 deletions(-)
+
+diff --git a/security/landlock/net.c b/security/landlock/net.c
+index 1f3915a90a808..e6367e30e5b0e 100644
+--- a/security/landlock/net.c
++++ b/security/landlock/net.c
+@@ -71,6 +71,61 @@ static int current_check_access_socket(struct socket *const sock,
+
+ switch (address->sa_family) {
+ case AF_UNSPEC:
++ if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
++ /*
++ * Connecting to an address with AF_UNSPEC dissolves
++ * the TCP association, which have the same effect as
++ * closing the connection while retaining the socket
++ * object (i.e., the file descriptor). As for dropping
++ * privileges, closing connections is always allowed.
++ *
++ * For a TCP access control system, this request is
++ * legitimate. Let the network stack handle potential
++ * inconsistencies and return -EINVAL if needed.
++ */
++ return 0;
++ } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
++ /*
++ * Binding to an AF_UNSPEC address is treated
++ * differently by IPv4 and IPv6 sockets. The socket's
++ * family may change under our feet due to
++ * setsockopt(IPV6_ADDRFORM), but that's ok: we either
++ * reject entirely or require
++ * %LANDLOCK_ACCESS_NET_BIND_TCP for the given port, so
++ * it cannot be used to bypass the policy.
++ *
++ * IPv4 sockets map AF_UNSPEC to AF_INET for
++ * retrocompatibility for bind accesses, only if the
++ * address is INADDR_ANY (cf. __inet_bind). IPv6
++ * sockets always reject it.
++ *
++ * Checking the address is required to not wrongfully
++ * return -EACCES instead of -EAFNOSUPPORT or -EINVAL.
++ * We could return 0 and let the network stack handle
++ * these checks, but it is safer to return a proper
++ * error and test consistency thanks to kselftest.
++ */
++ if (sock->sk->__sk_common.skc_family == AF_INET) {
++ const struct sockaddr_in *const sockaddr =
++ (struct sockaddr_in *)address;
++
++ if (addrlen < sizeof(struct sockaddr_in))
++ return -EINVAL;
++
++ if (sockaddr->sin_addr.s_addr !=
++ htonl(INADDR_ANY))
++ return -EAFNOSUPPORT;
++ } else {
++ if (addrlen < SIN6_LEN_RFC2133)
++ return -EINVAL;
++ else
++ return -EAFNOSUPPORT;
++ }
++ } else {
++ WARN_ON_ONCE(1);
++ }
++ /* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */
++ fallthrough;
+ case AF_INET: {
+ const struct sockaddr_in *addr4;
+
+@@ -119,57 +174,18 @@ static int current_check_access_socket(struct socket *const sock,
+ return 0;
+ }
+
+- /* Specific AF_UNSPEC handling. */
+- if (address->sa_family == AF_UNSPEC) {
+- /*
+- * Connecting to an address with AF_UNSPEC dissolves the TCP
+- * association, which have the same effect as closing the
+- * connection while retaining the socket object (i.e., the file
+- * descriptor). As for dropping privileges, closing
+- * connections is always allowed.
+- *
+- * For a TCP access control system, this request is legitimate.
+- * Let the network stack handle potential inconsistencies and
+- * return -EINVAL if needed.
+- */
+- if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
+- return 0;
+-
+- /*
+- * For compatibility reason, accept AF_UNSPEC for bind
+- * accesses (mapped to AF_INET) only if the address is
+- * INADDR_ANY (cf. __inet_bind). Checking the address is
+- * required to not wrongfully return -EACCES instead of
+- * -EAFNOSUPPORT.
+- *
+- * We could return 0 and let the network stack handle these
+- * checks, but it is safer to return a proper error and test
+- * consistency thanks to kselftest.
+- */
+- if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
+- /* addrlen has already been checked for AF_UNSPEC. */
+- const struct sockaddr_in *const sockaddr =
+- (struct sockaddr_in *)address;
+-
+- if (sock->sk->__sk_common.skc_family != AF_INET)
+- return -EINVAL;
+-
+- if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
+- return -EAFNOSUPPORT;
+- }
+- } else {
+- /*
+- * Checks sa_family consistency to not wrongfully return
+- * -EACCES instead of -EINVAL. Valid sa_family changes are
+- * only (from AF_INET or AF_INET6) to AF_UNSPEC.
+- *
+- * We could return 0 and let the network stack handle this
+- * check, but it is safer to return a proper error and test
+- * consistency thanks to kselftest.
+- */
+- if (address->sa_family != sock->sk->__sk_common.skc_family)
+- return -EINVAL;
+- }
++ /*
++ * Checks sa_family consistency to not wrongfully return
++ * -EACCES instead of -EINVAL. Valid sa_family changes are
++ * only (from AF_INET or AF_INET6) to AF_UNSPEC.
++ *
++ * We could return 0 and let the network stack handle this
++ * check, but it is safer to return a proper error and test
++ * consistency thanks to kselftest.
++ */
++ if (address->sa_family != sock->sk->__sk_common.skc_family &&
++ address->sa_family != AF_UNSPEC)
++ return -EINVAL;
+
+ id.key.data = (__force uintptr_t)port;
+ BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
+--
+2.51.0
+
--- /dev/null
+From 841d2a8622ad548e7a2906eba0f15a05acaf1646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Dec 2025 17:11:06 +0000
+Subject: landlock: Fix wrong type usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tingmao Wang <m@maowtm.org>
+
+[ Upstream commit 29fbfa46e4287c596bdc77e2c599e3a1bbf8bb67 ]
+
+I think, based on my best understanding, that this type is likely a typo
+(even though in the end both are u16)
+
+Signed-off-by: Tingmao Wang <m@maowtm.org>
+Fixes: 2fc80c69df82 ("landlock: Log file-related denials")
+Reviewed-by: Günther Noack <gnoack@google.com>
+Link: https://lore.kernel.org/r/7339ad7b47f998affd84ca629a334a71f913616d.1765040503.git.m@maowtm.org
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/landlock/audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/landlock/audit.c b/security/landlock/audit.c
+index c52d079cdb77b..e899995f1fd59 100644
+--- a/security/landlock/audit.c
++++ b/security/landlock/audit.c
+@@ -191,7 +191,7 @@ static size_t get_denied_layer(const struct landlock_ruleset *const domain,
+ long youngest_layer = -1;
+
+ for_each_set_bit(access_bit, &access_req, layer_masks_size) {
+- const access_mask_t mask = (*layer_masks)[access_bit];
++ const layer_mask_t mask = (*layer_masks)[access_bit];
+ long layer;
+
+ if (!mask)
+--
+2.51.0
+
--- /dev/null
+From 331b3586607bf149e33fb22e786488903bf93855 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:36:51 +0000
+Subject: macvlan: fix possible UAF in macvlan_forward_source()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]
+
+Add RCU protection on (struct macvlan_source_entry)->vlan.
+
+Whenever macvlan_hash_del_source() is called, we must clear
+entry->vlan pointer before RCU grace period starts.
+
+This allows macvlan_forward_source() to skip over
+entries queued for freeing.
+
+Note that macvlan_dev are already RCU protected, as they
+are embedded in a standard netdev (netdev_priv(ndev)).
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
+https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 7966545512cfe..b4df7e184791d 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -59,7 +59,7 @@ struct macvlan_port {
+
+ struct macvlan_source_entry {
+ struct hlist_node hlist;
+- struct macvlan_dev *vlan;
++ struct macvlan_dev __rcu *vlan;
+ unsigned char addr[6+2] __aligned(sizeof(u16));
+ struct rcu_head rcu;
+ };
+@@ -146,7 +146,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+- entry->vlan == vlan)
++ rcu_access_pointer(entry->vlan) == vlan)
+ return entry;
+ }
+ return NULL;
+@@ -168,7 +168,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan,
+ return -ENOMEM;
+
+ ether_addr_copy(entry->addr, addr);
+- entry->vlan = vlan;
++ RCU_INIT_POINTER(entry->vlan, vlan);
+ h = &port->vlan_source_hash[macvlan_eth_hash(addr)];
+ hlist_add_head_rcu(&entry->hlist, h);
+ vlan->macaddr_count++;
+@@ -187,6 +187,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan)
+
+ static void macvlan_hash_del_source(struct macvlan_source_entry *entry)
+ {
++ RCU_INIT_POINTER(entry->vlan, NULL);
+ hlist_del_rcu(&entry->hlist);
+ kfree_rcu(entry, rcu);
+ }
+@@ -390,7 +391,7 @@ static void macvlan_flush_sources(struct macvlan_port *port,
+ int i;
+
+ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
+- if (entry->vlan == vlan)
++ if (rcu_access_pointer(entry->vlan) == vlan)
+ macvlan_hash_del_source(entry);
+
+ vlan->macaddr_count = 0;
+@@ -433,9 +434,14 @@ static bool macvlan_forward_source(struct sk_buff *skb,
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+ if (ether_addr_equal_64bits(entry->addr, addr)) {
+- if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan);
++
++ if (!vlan)
++ continue;
++
++ if (vlan->flags & MACVLAN_FLAG_NODST)
+ consume = true;
+- macvlan_forward_source_one(skb, entry->vlan);
++ macvlan_forward_source_one(skb, vlan);
+ }
+ }
+
+@@ -1680,7 +1686,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct macvlan_source_entry *entry;
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+- if (entry->vlan != vlan)
++ if (rcu_access_pointer(entry->vlan) != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+ return 1;
+--
+2.51.0
+
--- /dev/null
+From cebbcbbcfd756f29a3a5b246189cfc87a4d37fca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Dec 2025 12:57:01 +0200
+Subject: mips: fix HIGHMEM initialization
+
+From: Mike Rapoport (Microsoft) <rppt@kernel.org>
+
+[ Upstream commit f171b55f1441294344b86edfeaa575ea9673fd23 ]
+
+Commit 6faea3422e3b ("arch, mm: streamline HIGHMEM freeing") overzealously
+removed mem_init_free_highmem() function that beside freeing high memory
+pages checked for CPU support for high memory as a prerequisite.
+
+Partially restore mem_init_free_highmem() with a new highmem_init() name
+and make it discard high memory in case there is no CPU support for it.
+
+Link: https://lkml.kernel.org/r/20251231105701.519711-1-rppt@kernel.org
+Fixes: 6faea3422e3b ("arch, mm: streamline HIGHMEM freeing")
+Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
+Reported-by: Markus Stockhausen <markus.stockhausen@gmx.de>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: Jonas Jelonek <jelonek.jonas@gmail.com>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Thomas Gleinxer <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/mm/init.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/arch/mips/mm/init.c b/arch/mips/mm/init.c
+index a673d3d68254b..8986048f9b110 100644
+--- a/arch/mips/mm/init.c
++++ b/arch/mips/mm/init.c
+@@ -425,6 +425,28 @@ void __init paging_init(void)
+ static struct kcore_list kcore_kseg0;
+ #endif
+
++static inline void __init highmem_init(void)
++{
++#ifdef CONFIG_HIGHMEM
++ unsigned long tmp;
++
++ /*
++ * If CPU cannot support HIGHMEM discard the memory above highstart_pfn
++ */
++ if (cpu_has_dc_aliases) {
++ memblock_remove(PFN_PHYS(highstart_pfn), -1);
++ return;
++ }
++
++ for (tmp = highstart_pfn; tmp < highend_pfn; tmp++) {
++ struct page *page = pfn_to_page(tmp);
++
++ if (!memblock_is_memory(PFN_PHYS(tmp)))
++ SetPageReserved(page);
++ }
++#endif
++}
++
+ void __init arch_mm_preinit(void)
+ {
+ /*
+@@ -435,6 +457,7 @@ void __init arch_mm_preinit(void)
+
+ maar_init();
+ setup_zero_pages(); /* Setup zeroed pages. */
++ highmem_init();
+
+ #ifdef CONFIG_64BIT
+ if ((unsigned long) &_text > (unsigned long) CKSEG0)
+--
+2.51.0
+
--- /dev/null
+From 5777265df7bdf433c91f533ac92b05c8dfab1d4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:04 +0700
+Subject: mm: describe @flags parameter in memalloc_flags_save()
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit e2fb7836b01747815f8bb94981c35f2688afb120 ]
+
+Patch series "mm kernel-doc fixes".
+
+Here are kernel-doc fixes for mm subsystem. I'm also including textsearch
+fix since there's currently no maintainer for include/linux/textsearch.h
+(get_maintainer.pl only shows LKML).
+
+This patch (of 4):
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/sched/mm.h:332 function parameter 'flags' not described in 'memalloc_flags_save'
+
+Describe @flags to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-2-bagasdotme@gmail.com
+Link: https://lkml.kernel.org/r/20251219014006.16328-3-bagasdotme@gmail.com
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Fixes: 3f6d5e6a468d ("mm: introduce memalloc_flags_{save,restore}")
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Acked-by: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/mm.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
+index 0232d983b7153..a3094379b5790 100644
+--- a/include/linux/sched/mm.h
++++ b/include/linux/sched/mm.h
+@@ -323,6 +323,7 @@ static inline void might_alloc(gfp_t gfp_mask)
+
+ /**
+ * memalloc_flags_save - Add a PF_* flag to current->flags, save old value
++ * @flags: Flags to add.
+ *
+ * This allows PF_* flags to be conveniently added, irrespective of current
+ * value, and then the old version restored with memalloc_flags_restore().
+--
+2.51.0
+
--- /dev/null
+From 60f4b124ba6d65ba052577049824c7d74d59cc4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:07 +0700
+Subject: mm, kfence: describe @slab parameter in __kfence_obj_info()
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
+
+Fix it by describing @slab parameter.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
+Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Marco Elver <elver@google.com>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Acked-by: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kfence.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index 0ad1ddbb8b996..e5822f6e7f279 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -211,6 +211,7 @@ struct kmem_obj_info;
+ * __kfence_obj_info() - fill kmem_obj_info struct
+ * @kpp: kmem_obj_info to be filled
+ * @object: the object
++ * @slab: the slab
+ *
+ * Return:
+ * * false - not a KFENCE object
+--
+2.51.0
+
--- /dev/null
+From ca71951876aad81e00e6fd5c37ea443fe49a9c86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jan 2026 10:29:06 +0100
+Subject: net: airoha: Fix typo in airoha_ppe_setup_tc_block_cb definition
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit dfdf774656205515b2d6ad94fce63c7ccbe92d91 ]
+
+Fix Typo in airoha_ppe_dev_setup_tc_block_cb routine definition when
+CONFIG_NET_AIROHA is not enabled.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202601090517.Fj6v501r-lkp@intel.com/
+Fixes: f45fc18b6de04 ("net: airoha: Add airoha_ppe_dev struct definition")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20260109-airoha_ppe_dev_setup_tc_block_cb-typo-v1-1-282e8834a9f9@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/soc/airoha/airoha_offload.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/soc/airoha/airoha_offload.h b/include/linux/soc/airoha/airoha_offload.h
+index 1a33f846afafa..0e82f1f4d36c4 100644
+--- a/include/linux/soc/airoha/airoha_offload.h
++++ b/include/linux/soc/airoha/airoha_offload.h
+@@ -51,8 +51,8 @@ static inline void airoha_ppe_put_dev(struct airoha_ppe_dev *dev)
+ {
+ }
+
+-static inline int airoha_ppe_setup_tc_block_cb(struct airoha_ppe_dev *dev,
+- void *type_data)
++static inline int airoha_ppe_dev_setup_tc_block_cb(struct airoha_ppe_dev *dev,
++ void *type_data)
+ {
+ return -EOPNOTSUPP;
+ }
+--
+2.51.0
+
--- /dev/null
+From 3cc8222d7aaf76db55b4c8599446f0b22b29b893 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 09:38:06 +0000
+Subject: net: bridge: annotate data-races around fdb->{updated,used}
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b25a0b4a2193407aa72a4cd1df66a7ed07dd4f1e ]
+
+fdb->updated and fdb->used are read and written locklessly.
+
+Add READ_ONCE()/WRITE_ONCE() annotations.
+
+Fixes: 31cbc39b6344 ("net: bridge: add option to allow activity notifications for any fdb entries")
+Reported-by: syzbot+bfab43087ad57222ce96@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e3d74.050a0220.1c677c.035f.GAE@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260108093806.834459-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c | 28 ++++++++++++++++------------
+ net/bridge/br_input.c | 4 ++--
+ 2 files changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 58d22e2b85fc3..0501ffcb8a3dd 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -70,7 +70,7 @@ static inline int has_expired(const struct net_bridge *br,
+ {
+ return !test_bit(BR_FDB_STATIC, &fdb->flags) &&
+ !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) &&
+- time_before_eq(fdb->updated + hold_time(br), jiffies);
++ time_before_eq(READ_ONCE(fdb->updated) + hold_time(br), jiffies);
+ }
+
+ static int fdb_to_nud(const struct net_bridge *br,
+@@ -126,9 +126,9 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
+ if (nla_put_u32(skb, NDA_FLAGS_EXT, ext_flags))
+ goto nla_put_failure;
+
+- ci.ndm_used = jiffies_to_clock_t(now - fdb->used);
++ ci.ndm_used = jiffies_to_clock_t(now - READ_ONCE(fdb->used));
+ ci.ndm_confirmed = 0;
+- ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated);
++ ci.ndm_updated = jiffies_to_clock_t(now - READ_ONCE(fdb->updated));
+ ci.ndm_refcnt = 0;
+ if (nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci))
+ goto nla_put_failure;
+@@ -551,7 +551,7 @@ void br_fdb_cleanup(struct work_struct *work)
+ */
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+- unsigned long this_timer = f->updated + delay;
++ unsigned long this_timer = READ_ONCE(f->updated) + delay;
+
+ if (test_bit(BR_FDB_STATIC, &f->flags) ||
+ test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags)) {
+@@ -924,6 +924,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+ {
+ struct net_bridge_fdb_entry *f;
+ struct __fdb_entry *fe = buf;
++ unsigned long delta;
+ int num = 0;
+
+ memset(buf, 0, maxnum*sizeof(struct __fdb_entry));
+@@ -953,8 +954,11 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+ fe->port_hi = f->dst->port_no >> 8;
+
+ fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
+- if (!test_bit(BR_FDB_STATIC, &f->flags))
+- fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated);
++ if (!test_bit(BR_FDB_STATIC, &f->flags)) {
++ delta = jiffies - READ_ONCE(f->updated);
++ fe->ageing_timer_value =
++ jiffies_delta_to_clock_t(delta);
++ }
+ ++fe;
+ ++num;
+ }
+@@ -1002,8 +1006,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+ unsigned long now = jiffies;
+ bool fdb_modified = false;
+
+- if (now != fdb->updated) {
+- fdb->updated = now;
++ if (now != READ_ONCE(fdb->updated)) {
++ WRITE_ONCE(fdb->updated, now);
+ fdb_modified = __fdb_mark_active(fdb);
+ }
+
+@@ -1242,10 +1246,10 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ if (fdb_handle_notify(fdb, notify))
+ modified = true;
+
+- fdb->used = jiffies;
++ WRITE_ONCE(fdb->used, jiffies);
+ if (modified) {
+ if (refresh)
+- fdb->updated = jiffies;
++ WRITE_ONCE(fdb->updated, jiffies);
+ fdb_notify(br, fdb, RTM_NEWNEIGH, true);
+ }
+
+@@ -1556,7 +1560,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ goto err_unlock;
+ }
+
+- fdb->updated = jiffies;
++ WRITE_ONCE(fdb->updated, jiffies);
+
+ if (READ_ONCE(fdb->dst) != p) {
+ WRITE_ONCE(fdb->dst, p);
+@@ -1565,7 +1569,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+
+ if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
+ /* Refresh entry */
+- fdb->used = jiffies;
++ WRITE_ONCE(fdb->used, jiffies);
+ } else {
+ modified = true;
+ }
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 777fa869c1a14..e355a15bf5ab1 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -221,8 +221,8 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ if (test_bit(BR_FDB_LOCAL, &dst->flags))
+ return br_pass_frame_up(skb, false);
+
+- if (now != dst->used)
+- dst->used = now;
++ if (now != READ_ONCE(dst->used))
++ WRITE_ONCE(dst->used, now);
+ br_forward(dst->dst, skb, local_rcv, false);
+ } else {
+ if (!mcast_hit)
+--
+2.51.0
+
--- /dev/null
+From 7576fbbfe0c6fee8876cd07f240f717ee0e108d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 02:01:33 -0800
+Subject: net: hv_netvsc: reject RSS hash key programming without RX
+ indirection table
+
+From: Aditya Garg <gargaditya@linux.microsoft.com>
+
+[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ]
+
+RSS configuration requires a valid RX indirection table. When the device
+reports a single receive queue, rndis_filter_device_add() does not
+allocate an indirection table, accepting RSS hash key updates in this
+state leads to a hang.
+
+Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
+-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
+capabilities and prevents incorrect behavior.
+
+Fixes: 962f3fee83a4 ("netvsc: add ethtool ops to get/set RSS key")
+Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com>
+Reviewed-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 39c892e46cb01..25a358524a096 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1757,6 +1757,9 @@ static int netvsc_set_rxfh(struct net_device *dev,
+ rxfh->hfunc != ETH_RSS_HASH_TOP)
+ return -EOPNOTSUPP;
+
++ if (!ndc->rx_table_sz)
++ return -EOPNOTSUPP;
++
+ rndis_dev = ndev->extension;
+ if (rxfh->indir) {
+ for (i = 0; i < ndc->rx_table_sz; i++)
+--
+2.51.0
+
--- /dev/null
+From 937dbba5960728d0c9a88771e9921003d0e9bd04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:55 -0800
+Subject: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 123eda2e5b1638e298e3a66bb1e64a8da92de5e1 ]
+
+mlx5e_priv is an unstable structure that can be memset(0) if profile
+attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to
+reference the netdev and mdev associated with that struct. Instead,
+store netdev directly into mlx5e_dev and get mdev from the containing
+mlx5_adev aux device structure.
+
+This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
+to change profile failure.
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg:
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
+
+$ devlink dev reload pci/0000:00:03.0 ==> oops
+
+BUG: kernel NULL pointer dereference, address: 0000000000000520
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
+RIP: 0010:mlx5e_remove+0x68/0x130
+RSP: 0018:ffffc900034838f0 EFLAGS: 00010246
+RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
+RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10
+R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0
+R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400
+FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0
+Call Trace:
+ <TASK>
+ device_release_driver_internal+0x19c/0x200
+ bus_remove_device+0xc6/0x130
+ device_del+0x160/0x3d0
+ ? devl_param_driverinit_value_get+0x2d/0x90
+ mlx5_detach_device+0x89/0xe0
+ mlx5_unload_one_devl_locked+0x3a/0x70
+ mlx5_devlink_reload_down+0xc8/0x220
+ devlink_reload+0x7d/0x260
+ devlink_nl_reload_doit+0x45b/0x5a0
+ genl_family_rcv_msg_doit+0xe8/0x140
+
+Fixes: ee75f1fc44dd ("net/mlx5e: Create separate devlink instance for ethernet auxiliary device")
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-3-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +-
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++---------
+ 2 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+index cfdbeb21b61cf..bc1b343f89a25 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -963,7 +963,7 @@ struct mlx5e_priv {
+ };
+
+ struct mlx5e_dev {
+- struct mlx5e_priv *priv;
++ struct net_device *netdev;
+ struct devlink_port dl_port;
+ };
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 3850c267dfc02..dcf1cd3488709 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6635,8 +6635,8 @@ static int _mlx5e_resume(struct auxiliary_device *adev)
+ {
+ struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
+ struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
+- struct mlx5e_priv *priv = mlx5e_dev->priv;
+- struct net_device *netdev = priv->netdev;
++ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev);
++ struct net_device *netdev = mlx5e_dev->netdev;
+ struct mlx5_core_dev *mdev = edev->mdev;
+ struct mlx5_core_dev *pos, *to;
+ int err, i;
+@@ -6682,10 +6682,11 @@ static int mlx5e_resume(struct auxiliary_device *adev)
+
+ static int _mlx5e_suspend(struct auxiliary_device *adev, bool pre_netdev_reg)
+ {
++ struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
+ struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
+- struct mlx5e_priv *priv = mlx5e_dev->priv;
+- struct net_device *netdev = priv->netdev;
+- struct mlx5_core_dev *mdev = priv->mdev;
++ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev);
++ struct net_device *netdev = mlx5e_dev->netdev;
++ struct mlx5_core_dev *mdev = edev->mdev;
+ struct mlx5_core_dev *pos;
+ int i;
+
+@@ -6746,11 +6747,11 @@ static int _mlx5e_probe(struct auxiliary_device *adev)
+ goto err_devlink_port_unregister;
+ }
+ SET_NETDEV_DEVLINK_PORT(netdev, &mlx5e_dev->dl_port);
++ mlx5e_dev->netdev = netdev;
+
+ mlx5e_build_nic_netdev(netdev);
+
+ priv = netdev_priv(netdev);
+- mlx5e_dev->priv = priv;
+
+ priv->profile = profile;
+ priv->ppriv = NULL;
+@@ -6813,7 +6814,8 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
+ {
+ struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
+ struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
+- struct mlx5e_priv *priv = mlx5e_dev->priv;
++ struct net_device *netdev = mlx5e_dev->netdev;
++ struct mlx5e_priv *priv = netdev_priv(netdev);
+ struct mlx5_core_dev *mdev = edev->mdev;
+
+ mlx5_core_uplink_netdev_set(mdev, NULL);
+@@ -6822,8 +6824,8 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
+ * if it's from legacy mode. If from switchdev mode, it
+ * is already unregistered before changing to NIC profile.
+ */
+- if (priv->netdev->reg_state == NETREG_REGISTERED) {
+- unregister_netdev(priv->netdev);
++ if (netdev->reg_state == NETREG_REGISTERED) {
++ unregister_netdev(netdev);
+ _mlx5e_suspend(adev, false);
+ } else {
+ struct mlx5_core_dev *pos;
+--
+2.51.0
+
--- /dev/null
+From 1d0e6b364087e8fa75f6f8c897eb324a20cdd128 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:54 -0800
+Subject: net/mlx5e: Fix crash on profile change rollback failure
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 4dadc4077e3f77d6d31e199a925fc7a705e7adeb ]
+
+mlx5e_netdev_change_profile can fail to attach a new profile and can
+fail to rollback to old profile, in such case, we could end up with a
+dangling netdev with a fully reset netdev_priv. A retry to change
+profile, e.g. another attempt to call mlx5e_netdev_change_profile via
+switchdev mode change, will crash trying to access the now NULL
+priv->mdev.
+
+This fix allows mlx5e_netdev_change_profile() to handle previous
+failures and an empty priv, by not assuming priv is valid.
+
+Pass netdev and mdev to all flows requiring
+mlx5e_netdev_change_profile() and avoid passing priv.
+In mlx5e_netdev_change_profile() check if current priv is valid, and if
+not, just attach the new profile without trying to access the old one.
+
+This fixes the following oops, when enabling switchdev mode for the 2nd
+time after first time failure:
+
+ ## Enabling switchdev mode first time:
+
+mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
+ ^^^^^^^^
+mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
+
+ ## retry: Enabling switchdev mode 2nd time:
+
+mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload
+BUG: kernel NULL pointer dereference, address: 0000000000000038
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
+RIP: 0010:mlx5e_detach_netdev+0x3c/0x90
+Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07
+RSP: 0018:ffffc90000673890 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000
+RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000
+R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000
+R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000
+FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0
+Call Trace:
+ <TASK>
+ mlx5e_netdev_change_profile+0x45/0xb0
+ mlx5e_vport_rep_load+0x27b/0x2d0
+ mlx5_esw_offloads_rep_load+0x72/0xf0
+ esw_offloads_enable+0x5d0/0x970
+ mlx5_eswitch_enable_locked+0x349/0x430
+ ? is_mp_supported+0x57/0xb0
+ mlx5_devlink_eswitch_mode_set+0x26b/0x430
+ devlink_nl_eswitch_set_doit+0x6f/0xf0
+ genl_family_rcv_msg_doit+0xe8/0x140
+ genl_rcv_msg+0x18b/0x290
+ ? __pfx_devlink_nl_pre_doit+0x10/0x10
+ ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10
+ ? __pfx_devlink_nl_post_doit+0x10/0x10
+ ? __pfx_genl_rcv_msg+0x10/0x10
+ netlink_rcv_skb+0x52/0x100
+ genl_rcv+0x28/0x40
+ netlink_unicast+0x282/0x3e0
+ ? __alloc_skb+0xd6/0x190
+ netlink_sendmsg+0x1f7/0x430
+ __sys_sendto+0x213/0x220
+ ? __sys_recvmsg+0x6a/0xd0
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0x50/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+RIP: 0033:0x7fdfb8495047
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-2-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h | 9 ++--
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 48 +++++++++++++------
+ .../net/ethernet/mellanox/mlx5/core/en_rep.c | 11 ++---
+ 3 files changed, 44 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+index a6479e4d8d8c6..cfdbeb21b61cf 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -1239,9 +1239,12 @@ mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *prof
+ int mlx5e_attach_netdev(struct mlx5e_priv *priv);
+ void mlx5e_detach_netdev(struct mlx5e_priv *priv);
+ void mlx5e_destroy_netdev(struct mlx5e_priv *priv);
+-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
+- const struct mlx5e_profile *new_profile, void *new_ppriv);
+-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv);
++int mlx5e_netdev_change_profile(struct net_device *netdev,
++ struct mlx5_core_dev *mdev,
++ const struct mlx5e_profile *new_profile,
++ void *new_ppriv);
++void mlx5e_netdev_attach_nic_profile(struct net_device *netdev,
++ struct mlx5_core_dev *mdev);
+ void mlx5e_set_netdev_mtu_boundaries(struct mlx5e_priv *priv);
+ void mlx5e_build_nic_params(struct mlx5e_priv *priv, struct mlx5e_xsk *xsk, u16 mtu);
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 1545f9c008f49..3850c267dfc02 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6564,19 +6564,28 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde
+ return err;
+ }
+
+-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
+- const struct mlx5e_profile *new_profile, void *new_ppriv)
++int mlx5e_netdev_change_profile(struct net_device *netdev,
++ struct mlx5_core_dev *mdev,
++ const struct mlx5e_profile *new_profile,
++ void *new_ppriv)
+ {
+- const struct mlx5e_profile *orig_profile = priv->profile;
+- struct net_device *netdev = priv->netdev;
+- struct mlx5_core_dev *mdev = priv->mdev;
+- void *orig_ppriv = priv->ppriv;
++ struct mlx5e_priv *priv = netdev_priv(netdev);
++ const struct mlx5e_profile *orig_profile;
+ int err, rollback_err;
++ void *orig_ppriv;
+
+- /* cleanup old profile */
+- mlx5e_detach_netdev(priv);
+- priv->profile->cleanup(priv);
+- mlx5e_priv_cleanup(priv);
++ orig_profile = priv->profile;
++ orig_ppriv = priv->ppriv;
++
++ /* NULL could happen if previous change_profile failed to rollback */
++ if (priv->profile) {
++ WARN_ON_ONCE(priv->mdev != mdev);
++ /* cleanup old profile */
++ mlx5e_detach_netdev(priv);
++ priv->profile->cleanup(priv);
++ mlx5e_priv_cleanup(priv);
++ }
++ /* priv members are not valid from this point ... */
+
+ if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
+ mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv);
+@@ -6593,16 +6602,25 @@ int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
+ return 0;
+
+ rollback:
++ if (!orig_profile) {
++ netdev_warn(netdev, "no original profile to rollback to\n");
++ priv->profile = NULL;
++ return err;
++ }
++
+ rollback_err = mlx5e_netdev_attach_profile(netdev, mdev, orig_profile, orig_ppriv);
+- if (rollback_err)
+- netdev_err(netdev, "%s: failed to rollback to orig profile, %d\n",
+- __func__, rollback_err);
++ if (rollback_err) {
++ netdev_err(netdev, "failed to rollback to orig profile, %d\n",
++ rollback_err);
++ priv->profile = NULL;
++ }
+ return err;
+ }
+
+-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv)
++void mlx5e_netdev_attach_nic_profile(struct net_device *netdev,
++ struct mlx5_core_dev *mdev)
+ {
+- mlx5e_netdev_change_profile(priv, &mlx5e_nic_profile, NULL);
++ mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL);
+ }
+
+ void mlx5e_destroy_netdev(struct mlx5e_priv *priv)
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index 0335ca8277efa..2f6aa5e61747c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -1508,17 +1508,16 @@ mlx5e_vport_uplink_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *
+ {
+ struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep);
+ struct net_device *netdev;
+- struct mlx5e_priv *priv;
+ int err;
+
+ netdev = mlx5_uplink_netdev_get(dev);
+ if (!netdev)
+ return 0;
+
+- priv = netdev_priv(netdev);
+- rpriv->netdev = priv->netdev;
+- err = mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile,
+- rpriv);
++ /* must not use netdev_priv(netdev), it might not be initialized yet */
++ rpriv->netdev = netdev;
++ err = mlx5e_netdev_change_profile(netdev, dev,
++ &mlx5e_uplink_rep_profile, rpriv);
+ mlx5_uplink_netdev_put(dev, netdev);
+ return err;
+ }
+@@ -1546,7 +1545,7 @@ mlx5e_vport_uplink_rep_unload(struct mlx5e_rep_priv *rpriv)
+ if (!(priv->mdev->priv.flags & MLX5_PRIV_FLAGS_SWITCH_LEGACY))
+ unregister_netdev(netdev);
+
+- mlx5e_netdev_attach_nic_profile(priv);
++ mlx5e_netdev_attach_nic_profile(netdev, priv->mdev);
+ }
+
+ static int
+--
+2.51.0
+
--- /dev/null
+From 03196f0d214285a9959efb43faf3672e0a624e22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:56 -0800
+Subject: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 4ef8512e1427111f7ba92b4a847d181ff0aeec42 ]
+
+mlx5e_priv is an unstable structure that can be memset(0) if profile
+attaching fails.
+
+Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a
+valid netdev.
+
+On mlx5e_remove: Check validity of priv->profile, before attempting
+to cleanup any resources that might be not there.
+
+This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
+to change profile failure.
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg:
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
+workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
+mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
+mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
+
+$ devlink dev reload pci/0000:00:03.0 ==> oops
+
+BUG: kernel NULL pointer dereference, address: 0000000000000370
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
+RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100
+RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286
+RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0
+RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10
+R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0
+R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400
+FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0
+Call Trace:
+ <TASK>
+ mlx5e_remove+0x57/0x110
+ device_release_driver_internal+0x19c/0x200
+ bus_remove_device+0xc6/0x130
+ device_del+0x160/0x3d0
+ ? devl_param_driverinit_value_get+0x2d/0x90
+ mlx5_detach_device+0x89/0xe0
+ mlx5_unload_one_devl_locked+0x3a/0x70
+ mlx5_devlink_reload_down+0xc8/0x220
+ devlink_reload+0x7d/0x260
+ devlink_nl_reload_doit+0x45b/0x5a0
+ genl_family_rcv_msg_doit+0xe8/0x140
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-4-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++------
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 4 ++--
+ 3 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+index bc1b343f89a25..b34b85539f3b1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -1238,7 +1238,7 @@ struct net_device *
+ mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *profile);
+ int mlx5e_attach_netdev(struct mlx5e_priv *priv);
+ void mlx5e_detach_netdev(struct mlx5e_priv *priv);
+-void mlx5e_destroy_netdev(struct mlx5e_priv *priv);
++void mlx5e_destroy_netdev(struct net_device *netdev);
+ int mlx5e_netdev_change_profile(struct net_device *netdev,
+ struct mlx5_core_dev *mdev,
+ const struct mlx5e_profile *new_profile,
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index dcf1cd3488709..3863fb40ff929 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6623,11 +6623,12 @@ void mlx5e_netdev_attach_nic_profile(struct net_device *netdev,
+ mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL);
+ }
+
+-void mlx5e_destroy_netdev(struct mlx5e_priv *priv)
++void mlx5e_destroy_netdev(struct net_device *netdev)
+ {
+- struct net_device *netdev = priv->netdev;
++ struct mlx5e_priv *priv = netdev_priv(netdev);
+
+- mlx5e_priv_cleanup(priv);
++ if (priv->profile)
++ mlx5e_priv_cleanup(priv);
+ free_netdev(netdev);
+ }
+
+@@ -6784,7 +6785,7 @@ static int _mlx5e_probe(struct auxiliary_device *adev)
+ err_profile_cleanup:
+ profile->cleanup(priv);
+ err_destroy_netdev:
+- mlx5e_destroy_netdev(priv);
++ mlx5e_destroy_netdev(netdev);
+ err_devlink_port_unregister:
+ mlx5e_devlink_port_unregister(mlx5e_dev);
+ err_devlink_unregister:
+@@ -6819,7 +6820,9 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
+ struct mlx5_core_dev *mdev = edev->mdev;
+
+ mlx5_core_uplink_netdev_set(mdev, NULL);
+- mlx5e_dcbnl_delete_app(priv);
++
++ if (priv->profile)
++ mlx5e_dcbnl_delete_app(priv);
+ /* When unload driver, the netdev is in registered state
+ * if it's from legacy mode. If from switchdev mode, it
+ * is already unregistered before changing to NIC profile.
+@@ -6840,7 +6843,7 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
+ /* Avoid cleanup if profile rollback failed. */
+ if (priv->profile)
+ priv->profile->cleanup(priv);
+- mlx5e_destroy_netdev(priv);
++ mlx5e_destroy_netdev(netdev);
+ mlx5e_devlink_port_unregister(mlx5e_dev);
+ mlx5e_destroy_devlink(mlx5e_dev);
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index 2f6aa5e61747c..8b65441246244 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -1611,7 +1611,7 @@ mlx5e_vport_vf_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *rep)
+ priv->profile->cleanup(priv);
+
+ err_destroy_netdev:
+- mlx5e_destroy_netdev(netdev_priv(netdev));
++ mlx5e_destroy_netdev(netdev);
+ return err;
+ }
+
+@@ -1666,7 +1666,7 @@ mlx5e_vport_rep_unload(struct mlx5_eswitch_rep *rep)
+ mlx5e_rep_vnic_reporter_destroy(priv);
+ mlx5e_detach_netdev(priv);
+ priv->profile->cleanup(priv);
+- mlx5e_destroy_netdev(priv);
++ mlx5e_destroy_netdev(netdev);
+ free_ppriv:
+ kvfree(ppriv); /* mlx5e_rep_priv */
+ }
+--
+2.51.0
+
--- /dev/null
+From b754de54e6650b886bb60826d8fd7e00b4be7a95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:57 -0800
+Subject: net/mlx5e: Restore destroying state bit after profile cleanup
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ]
+
+Profile rollback can fail in mlx5e_netdev_change_profile() and we will
+end up with invalid mlx5e_priv memset to 0, we must maintain the
+'destroying' bit in order to gracefully shutdown even if the
+profile/priv are not valid.
+
+This patch maintains the previous state of the 'destroying' state of
+mlx5e_priv after priv cleanup, to allow the remove flow to cleanup
+common resources from mlx5_core to avoid FW fatal errors as seen below:
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+ Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ...
+
+$ devlink dev reload pci/0000:00:03.0
+
+mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
+mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected
+mlx5_core 0000:00:03.0: firmware version: 28.41.1000
+mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link)
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here
+mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver
+mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start
+mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms.
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 3863fb40ff929..f8d9968542d9c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6305,6 +6305,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv,
+
+ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ {
++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ int i;
+
+ /* bail if change profile failed and also rollback failed */
+@@ -6332,6 +6333,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ }
+
+ memset(priv, 0, sizeof(*priv));
++ if (destroying) /* restore destroying bit, to allow unload */
++ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ }
+
+ static unsigned int mlx5e_get_max_num_txqs(struct mlx5_core_dev *mdev,
+--
+2.51.0
+
--- /dev/null
+From 0ee50d47d305dddec32abcc6e03cd685c8763e67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jan 2026 00:42:57 +0800
+Subject: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit f93fc5d12d69012788f82151bee55fce937e1432 ]
+
+octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to
+ioq_vector. If request_irq() fails part-way, the rollback loop calls
+free_irq() with dev_id set to 'oct', which does not match the original
+dev_id and may leave the irqaction registered.
+
+This can keep IRQ handlers alive while ioq_vector is later freed during
+unwind/teardown, leading to a use-after-free or crash when an interrupt
+fires.
+
+Fix the error path to free IRQs with the same ioq_vector dev_id used
+during request_irq().
+
+Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Link: https://patch.msgid.link/20260108164256.1749-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
+index 420c3f4cf7417..1d9760b4b8f47 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
+@@ -218,7 +218,7 @@ static int octep_vf_request_irqs(struct octep_vf_device *oct)
+ ioq_irq_err:
+ while (i) {
+ --i;
+- free_irq(oct->msix_entries[i].vector, oct);
++ free_irq(oct->msix_entries[i].vector, oct->ioq_vector[i]);
+ }
+ return -1;
+ }
+--
+2.51.0
+
--- /dev/null
+From d030a49fcb812e894eca8ed65b85381b5b1deef3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 15:14:09 +0800
+Subject: net: phy: motorcomm: fix duplex setting error for phy leds
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit e02f2a0f1f9b6d4f0c620de2ce037d4436b58f70 ]
+
+fix duplex setting error for phy leds
+
+Fixes: 355b82c54c12 ("net: phy: motorcomm: Add support for PHY LEDs on YT8521")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20260108071409.2750607-1-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/motorcomm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/motorcomm.c b/drivers/net/phy/motorcomm.c
+index a3593e6630594..b49897500a592 100644
+--- a/drivers/net/phy/motorcomm.c
++++ b/drivers/net/phy/motorcomm.c
+@@ -1741,10 +1741,10 @@ static int yt8521_led_hw_control_set(struct phy_device *phydev, u8 index,
+ val |= YT8521_LED_1000_ON_EN;
+
+ if (test_bit(TRIGGER_NETDEV_FULL_DUPLEX, &rules))
+- val |= YT8521_LED_HDX_ON_EN;
++ val |= YT8521_LED_FDX_ON_EN;
+
+ if (test_bit(TRIGGER_NETDEV_HALF_DUPLEX, &rules))
+- val |= YT8521_LED_FDX_ON_EN;
++ val |= YT8521_LED_HDX_ON_EN;
+
+ if (test_bit(TRIGGER_NETDEV_TX, &rules) ||
+ test_bit(TRIGGER_NETDEV_RX, &rules))
+--
+2.51.0
+
--- /dev/null
+From 36200ed54a77398deeb56c261709cc1eb13f4c88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index a91a5bac8f737..9b16ad431028f 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -529,8 +529,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 12e500d97fe9ff28f2aea3f2d2734fe1f3bb9fd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 09:32:44 +0000
+Subject: net: update netdev_lock_{type,name}
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ]
+
+Add missing entries in netdev_lock_type[] and netdev_lock_name[] :
+
+CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON,
+IEEE802154_MONITOR.
+
+Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting
+next time a protocol is added without updating these arrays.
+
+Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 2acfa44927daa..5b536860138d1 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -478,15 +478,21 @@ static const unsigned short netdev_lock_type[] = {
+ ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP,
+ ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD,
+ ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25,
++ ARPHRD_CAN, ARPHRD_MCTP,
+ ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP,
+- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
++ ARPHRD_RAWHDLC, ARPHRD_RAWIP,
++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
+ ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI,
+ ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE,
+ ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET,
+ ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL,
+ ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM,
+- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
+- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE};
++ ARPHRD_IEEE80211_RADIOTAP,
++ ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR,
++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN,
++ ARPHRD_VSOCKMON,
++ ARPHRD_VOID, ARPHRD_NONE};
+
+ static const char *const netdev_lock_name[] = {
+ "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25",
+@@ -495,15 +501,21 @@ static const char *const netdev_lock_name[] = {
+ "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP",
+ "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD",
+ "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25",
++ "_xmit_CAN", "_xmit_MCTP",
+ "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP",
+- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
++ "_xmit_RAWHDLC", "_xmit_RAWIP",
++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
+ "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI",
+ "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE",
+ "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET",
+ "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL",
+ "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM",
+- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE",
+- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"};
++ "_xmit_IEEE80211_RADIOTAP",
++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR",
++ "_xmit_PHONET", "_xmit_PHONET_PIPE",
++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN",
++ "_xmit_VSOCKMON",
++ "_xmit_VOID", "_xmit_NONE"};
+
+ static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)];
+ static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)];
+@@ -516,6 +528,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type)
+ if (netdev_lock_type[i] == dev_type)
+ return i;
+ /* the last key is used by default */
++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type);
+ return ARRAY_SIZE(netdev_lock_type) - 1;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 98f2a285ea9ba853060046f839d866fa792b0499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Dec 2025 11:42:31 -0500
+Subject: NFS: Fix a deadlock involving nfs_release_folio()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit cce0be6eb4971456b703aaeafd571650d314bcca ]
+
+Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery
+waiting on kthreadd, which is attempting to reclaim memory by calling
+nfs_release_folio(). The latter cannot make progress due to state
+recovery being needed.
+
+It seems that the only safe thing to do here is to kick off a writeback
+of the folio, without waiting for completion, or else kicking off an
+asynchronous commit.
+
+Reported-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Fixes: 96780ca55e3c ("NFS: fix up nfs_release_folio() to try to release the page")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/file.c | 3 ++-
+ fs/nfs/nfstrace.h | 3 +++
+ fs/nfs/write.c | 33 +++++++++++++++++++++++++++++++++
+ include/linux/nfs_fs.h | 1 +
+ 4 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/file.c b/fs/nfs/file.c
+index d020aab40c64e..d1c138a416cfb 100644
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -511,7 +511,8 @@ static bool nfs_release_folio(struct folio *folio, gfp_t gfp)
+ if ((current_gfp_context(gfp) & GFP_KERNEL) != GFP_KERNEL ||
+ current_is_kswapd() || current_is_kcompactd())
+ return false;
+- if (nfs_wb_folio(folio->mapping->host, folio) < 0)
++ if (nfs_wb_folio_reclaim(folio->mapping->host, folio) < 0 ||
++ folio_test_private(folio))
+ return false;
+ }
+ return nfs_fscache_release_folio(folio, gfp);
+diff --git a/fs/nfs/nfstrace.h b/fs/nfs/nfstrace.h
+index 6ce55e8e6b67c..9f9ce4a565ea6 100644
+--- a/fs/nfs/nfstrace.h
++++ b/fs/nfs/nfstrace.h
+@@ -1062,6 +1062,9 @@ DECLARE_EVENT_CLASS(nfs_folio_event_done,
+ DEFINE_NFS_FOLIO_EVENT(nfs_aop_readpage);
+ DEFINE_NFS_FOLIO_EVENT_DONE(nfs_aop_readpage_done);
+
++DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio_reclaim);
++DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_reclaim_done);
++
+ DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio);
+ DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_done);
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 336c510f37502..bf412455e8edf 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -2024,6 +2024,39 @@ int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio)
+ return ret;
+ }
+
++/**
++ * nfs_wb_folio_reclaim - Write back all requests on one page
++ * @inode: pointer to page
++ * @folio: pointer to folio
++ *
++ * Assumes that the folio has been locked by the caller
++ */
++int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio)
++{
++ loff_t range_start = folio_pos(folio);
++ size_t len = folio_size(folio);
++ struct writeback_control wbc = {
++ .sync_mode = WB_SYNC_ALL,
++ .nr_to_write = 0,
++ .range_start = range_start,
++ .range_end = range_start + len - 1,
++ .for_sync = 1,
++ };
++ int ret;
++
++ if (folio_test_writeback(folio))
++ return -EBUSY;
++ if (folio_clear_dirty_for_io(folio)) {
++ trace_nfs_writeback_folio_reclaim(inode, range_start, len);
++ ret = nfs_writepage_locked(folio, &wbc);
++ trace_nfs_writeback_folio_reclaim_done(inode, range_start, len,
++ ret);
++ return ret;
++ }
++ nfs_commit_inode(inode, 0);
++ return 0;
++}
++
+ /**
+ * nfs_wb_folio - Write back all requests on one page
+ * @inode: pointer to page
+diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
+index c585939b6cd60..2cf490a3a239b 100644
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -636,6 +636,7 @@ extern int nfs_update_folio(struct file *file, struct folio *folio,
+ extern int nfs_sync_inode(struct inode *inode);
+ extern int nfs_wb_all(struct inode *inode);
+ extern int nfs_wb_folio(struct inode *inode, struct folio *folio);
++extern int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio);
+ int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio);
+ extern int nfs_commit_inode(struct inode *, int);
+ extern struct nfs_commit_data *nfs_commitdata_alloc(void);
+--
+2.51.0
+
--- /dev/null
+From 0c9317427a6e67b75dafd808019f7f9e7ca9b705 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Jan 2026 18:53:34 -0500
+Subject: NFS: Fix size read races in truncate, fallocate and copy offload
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit d5811e6297f3fd9020ac31f51fc317dfdb260cb0 ]
+
+If the pre-operation file size is read before locking the inode and
+quiescing O_DIRECT writes, then nfs_truncate_last_folio() might end up
+overwriting valid file data.
+
+Fixes: b1817b18ff20 ("NFS: Protect against 'eof page pollution'")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 10 ++++++----
+ fs/nfs/io.c | 2 ++
+ fs/nfs/nfs42proc.c | 29 +++++++++++++++++++----------
+ 3 files changed, 27 insertions(+), 14 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 13ad70fc00d84..8c2bfcc323e02 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -716,7 +716,7 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ {
+ struct inode *inode = d_inode(dentry);
+ struct nfs_fattr *fattr;
+- loff_t oldsize = i_size_read(inode);
++ loff_t oldsize;
+ int error = 0;
+ kuid_t task_uid = current_fsuid();
+ kuid_t owner_uid = inode->i_uid;
+@@ -727,6 +727,10 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ if (attr->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID))
+ attr->ia_valid &= ~ATTR_MODE;
+
++ if (S_ISREG(inode->i_mode))
++ nfs_file_block_o_direct(NFS_I(inode));
++
++ oldsize = i_size_read(inode);
+ if (attr->ia_valid & ATTR_SIZE) {
+ BUG_ON(!S_ISREG(inode->i_mode));
+
+@@ -774,10 +778,8 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ trace_nfs_setattr_enter(inode);
+
+ /* Write all dirty data */
+- if (S_ISREG(inode->i_mode)) {
+- nfs_file_block_o_direct(NFS_I(inode));
++ if (S_ISREG(inode->i_mode))
+ nfs_sync_inode(inode);
+- }
+
+ fattr = nfs_alloc_fattr_with_label(NFS_SERVER(inode));
+ if (fattr == NULL) {
+diff --git a/fs/nfs/io.c b/fs/nfs/io.c
+index d275b0a250bf3..8337f0ae852d4 100644
+--- a/fs/nfs/io.c
++++ b/fs/nfs/io.c
+@@ -84,6 +84,7 @@ nfs_start_io_write(struct inode *inode)
+ nfs_file_block_o_direct(NFS_I(inode));
+ return err;
+ }
++EXPORT_SYMBOL_GPL(nfs_start_io_write);
+
+ /**
+ * nfs_end_io_write - declare that the buffered write operation is done
+@@ -97,6 +98,7 @@ nfs_end_io_write(struct inode *inode)
+ {
+ up_write(&inode->i_rwsem);
+ }
++EXPORT_SYMBOL_GPL(nfs_end_io_write);
+
+ /* Call with exclusively locked inode->i_rwsem */
+ static void nfs_block_buffered(struct nfs_inode *nfsi, struct inode *inode)
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index d537fb0c230e8..c08520828708b 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -114,7 +114,6 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ exception.inode = inode;
+ exception.state = lock->open_context->state;
+
+- nfs_file_block_o_direct(NFS_I(inode));
+ err = nfs_sync_inode(inode);
+ if (err)
+ goto out;
+@@ -138,13 +137,17 @@ int nfs42_proc_allocate(struct file *filep, loff_t offset, loff_t len)
+ .rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_ALLOCATE],
+ };
+ struct inode *inode = file_inode(filep);
+- loff_t oldsize = i_size_read(inode);
++ loff_t oldsize;
+ int err;
+
+ if (!nfs_server_capable(inode, NFS_CAP_ALLOCATE))
+ return -EOPNOTSUPP;
+
+- inode_lock(inode);
++ err = nfs_start_io_write(inode);
++ if (err)
++ return err;
++
++ oldsize = i_size_read(inode);
+
+ err = nfs42_proc_fallocate(&msg, filep, offset, len);
+
+@@ -155,7 +158,7 @@ int nfs42_proc_allocate(struct file *filep, loff_t offset, loff_t len)
+ NFS_SERVER(inode)->caps &= ~(NFS_CAP_ALLOCATE |
+ NFS_CAP_ZERO_RANGE);
+
+- inode_unlock(inode);
++ nfs_end_io_write(inode);
+ return err;
+ }
+
+@@ -170,7 +173,9 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
+ if (!nfs_server_capable(inode, NFS_CAP_DEALLOCATE))
+ return -EOPNOTSUPP;
+
+- inode_lock(inode);
++ err = nfs_start_io_write(inode);
++ if (err)
++ return err;
+
+ err = nfs42_proc_fallocate(&msg, filep, offset, len);
+ if (err == 0)
+@@ -179,7 +184,7 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
+ NFS_SERVER(inode)->caps &= ~(NFS_CAP_DEALLOCATE |
+ NFS_CAP_ZERO_RANGE);
+
+- inode_unlock(inode);
++ nfs_end_io_write(inode);
+ return err;
+ }
+
+@@ -189,14 +194,17 @@ int nfs42_proc_zero_range(struct file *filep, loff_t offset, loff_t len)
+ .rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_ZERO_RANGE],
+ };
+ struct inode *inode = file_inode(filep);
+- loff_t oldsize = i_size_read(inode);
++ loff_t oldsize;
+ int err;
+
+ if (!nfs_server_capable(inode, NFS_CAP_ZERO_RANGE))
+ return -EOPNOTSUPP;
+
+- inode_lock(inode);
++ err = nfs_start_io_write(inode);
++ if (err)
++ return err;
+
++ oldsize = i_size_read(inode);
+ err = nfs42_proc_fallocate(&msg, filep, offset, len);
+ if (err == 0) {
+ nfs_truncate_last_folio(inode->i_mapping, oldsize,
+@@ -205,7 +213,7 @@ int nfs42_proc_zero_range(struct file *filep, loff_t offset, loff_t len)
+ } else if (err == -EOPNOTSUPP)
+ NFS_SERVER(inode)->caps &= ~NFS_CAP_ZERO_RANGE;
+
+- inode_unlock(inode);
++ nfs_end_io_write(inode);
+ return err;
+ }
+
+@@ -416,7 +424,7 @@ static ssize_t _nfs42_proc_copy(struct file *src,
+ struct nfs_server *src_server = NFS_SERVER(src_inode);
+ loff_t pos_src = args->src_pos;
+ loff_t pos_dst = args->dst_pos;
+- loff_t oldsize_dst = i_size_read(dst_inode);
++ loff_t oldsize_dst;
+ size_t count = args->count;
+ ssize_t status;
+
+@@ -461,6 +469,7 @@ static ssize_t _nfs42_proc_copy(struct file *src,
+ &src_lock->open_context->state->flags);
+ set_bit(NFS_CLNT_DST_SSC_COPY_STATE,
+ &dst_lock->open_context->state->flags);
++ oldsize_dst = i_size_read(dst_inode);
+
+ status = nfs4_call_sync(dst_server->client, dst_server, &msg,
+ &args->seq_args, &res->seq_res, 0);
+--
+2.51.0
+
--- /dev/null
+From 50fe87fb4a84054de6dada399029ec25b28f8fe7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jan 2026 18:55:08 -0500
+Subject: NFS/localio: Deal with page bases that are > PAGE_SIZE
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 60699ab7cbf0a4eb19929cce243002b39c67917d ]
+
+When resending requests, etc, the page base can quickly grow larger than
+the page size.
+
+Fixes: 091bdcfcece0 ("nfs/localio: refactor iocb and iov_iter_bvec initialization")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/localio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/localio.c b/fs/nfs/localio.c
+index ed2a7efaf8f20..f537bc3386bf2 100644
+--- a/fs/nfs/localio.c
++++ b/fs/nfs/localio.c
+@@ -461,6 +461,8 @@ nfs_local_iters_init(struct nfs_local_kiocb *iocb, int rw)
+ v = 0;
+ total = hdr->args.count;
+ base = hdr->args.pgbase;
++ pagevec += base >> PAGE_SHIFT;
++ base &= ~PAGE_MASK;
+ while (total && v < hdr->page_array.npages) {
+ len = min_t(size_t, total, PAGE_SIZE - base);
+ bvec_set_page(&iocb->bvec[v], *pagevec, len, base);
+--
+2.51.0
+
--- /dev/null
+From 292e11aabbffddf984c4c8a5869de6591469683b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Dec 2025 13:57:48 -0500
+Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shivam Kumar <kumar.shivam43666@gmail.com>
+
+[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]
+
+Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+added ttag bounds checking and data_offset
+validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
+whether the command's data structures (cmd->req.sg and cmd->iov) have
+been properly initialized before processing H2C_DATA PDUs.
+
+The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
+without NULL checks. This can be triggered by sending H2C_DATA PDU
+immediately after the ICREQ/ICRESP handshake, before
+sending a CONNECT command or NVMe write command.
+
+Attack vectors that trigger NULL pointer dereferences:
+1. H2C_DATA PDU sent before CONNECT → both pointers NULL
+2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
+3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
+
+The fix validates both cmd->req.sg and cmd->iov before calling
+nvmet_tcp_build_pdu_iovec(). Both checks are required because:
+- Uninitialized commands: both NULL
+- READ commands: cmd->req.sg allocated, cmd->iov NULL
+- WRITE commands: both allocated
+
+Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 470bf37e5a637..41b6fd05519e4 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -982,6 +982,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+ goto err_proto;
+ }
++ /*
++ * Ensure command data structures are initialized. We must check both
++ * cmd->req.sg and cmd->iov because they can have different NULL states:
++ * - Uninitialized commands: both NULL
++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL
++ * - WRITE commands: both allocated
++ */
++ if (unlikely(!cmd->req.sg || !cmd->iov)) {
++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",
++ queue->idx, data->ttag);
++ goto err_proto;
++ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_build_pdu_iovec(cmd);
+ queue->cmd = cmd;
+--
+2.51.0
+
--- /dev/null
+From 43e81cb50298a7dc9ffd8fba5eb85ad47a6b207a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index 9f995e156f755..6e56498d0644b 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
--- /dev/null
+From 3b211b03eee4ee9f87885b124667fcbcae291a3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 17:09:12 +0100
+Subject: phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using
+ it
+
+From: Stefano Radaelli <stefano.radaelli21@gmail.com>
+
+[ Upstream commit 8becf9179a4b45104a1701010ed666b55bf4b3a6 ]
+
+Clear the PCS_TX_SWING_FULL field mask before setting the new value
+in PHY_CTRL5 register. Without clearing the mask first, the OR operation
+could leave previously set bits, resulting in incorrect register
+configuration.
+
+Fixes: 63c85ad0cd81 ("phy: fsl-imx8mp-usb: add support for phy tuning")
+Suggested-by: Leonid Segal <leonids@variscite.com>
+Acked-by: Pierluigi Passaro <pierluigi.p@variscite.com>
+Signed-off-by: Stefano Radaelli <stefano.r@variscite.com>
+Reviewed-by: Xu Yang <xu.yang_2@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Link: https://patch.msgid.link/20251219160912.561431-1-stefano.r@variscite.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+index b94f242420fc7..0c84f5f7a82cb 100644
+--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
++++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+@@ -502,6 +502,7 @@ static void imx8m_phy_tune(struct imx8mq_usb_phy *imx_phy)
+
+ if (imx_phy->pcs_tx_swing_full != PHY_TUNE_DEFAULT) {
+ value = readl(imx_phy->base + PHY_CTRL5);
++ value &= ~PHY_CTRL5_PCS_TX_SWING_FULL_MASK;
+ value |= FIELD_PREP(PHY_CTRL5_PCS_TX_SWING_FULL_MASK,
+ imx_phy->pcs_tx_swing_full);
+ writel(value, imx_phy->base + PHY_CTRL5);
+--
+2.51.0
+
--- /dev/null
+From 36bbf754cf61313145acaeee9117f914c3bff138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 09:56:40 +0100
+Subject: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 1ca52c0983c34fca506921791202ed5bdafd5306 ]
+
+Enabling runtime PM before attaching the QPHY instance as driver data
+can lead to a NULL pointer dereference in runtime PM callbacks that
+expect valid driver data. There is a small window where the suspend
+callback may run after PM runtime enabling and before runtime forbid.
+This causes a sporadic crash during boot:
+
+```
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
+[...]
+CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
+Workqueue: pm pm_runtime_work
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
+lr : pm_generic_runtime_suspend+0x2c/0x44
+[...]
+```
+
+Attach the QPHY instance as driver data before enabling runtime PM to
+prevent NULL pointer dereference in runtime PM callbacks.
+
+Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a
+short window where an unnecessary runtime suspend can occur.
+
+Use the devres-managed version to ensure PM runtime is symmetrically
+disabled during driver removal for proper cleanup.
+
+Fixes: 891a96f65ac3 ("phy: qcom-qusb2: Add support for runtime PM")
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251219085640.114473-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index b5514a32ff8ff..eb93015be841f 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -1093,29 +1093,29 @@ static int qusb2_phy_probe(struct platform_device *pdev)
+ or->hsdisc_trim.override = true;
+ }
+
+- pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
++ dev_set_drvdata(dev, qphy);
++
+ /*
+- * Prevent runtime pm from being ON by default. Users can enable
+- * it using power/control in sysfs.
++ * Enable runtime PM support, but forbid it by default.
++ * Users can allow it again via the power/control attribute in sysfs.
+ */
++ pm_runtime_set_active(dev);
+ pm_runtime_forbid(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+
+ generic_phy = devm_phy_create(dev, NULL, &qusb2_phy_gen_ops);
+ if (IS_ERR(generic_phy)) {
+ ret = PTR_ERR(generic_phy);
+ dev_err(dev, "failed to create phy, %d\n", ret);
+- pm_runtime_disable(dev);
+ return ret;
+ }
+ qphy->phy = generic_phy;
+
+- dev_set_drvdata(dev, qphy);
+ phy_set_drvdata(generic_phy, qphy);
+
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+- if (IS_ERR(phy_provider))
+- pm_runtime_disable(dev);
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+ }
+--
+2.51.0
+
--- /dev/null
+From d492b6df611c4e3b1e82b55697e5133a9a375a99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 27fe92f73f331..b44afbff8616b 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -712,7 +712,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
--- /dev/null
+From 206734292793245bc9b6e1029efe45188734fe43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 18:57:34 +0800
+Subject: phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 08aa19de72110df8ac10c9e67349dd884eeed41d ]
+
+devm_pm_runtime_enable() can fail due to memory allocation. The current
+code ignores its return value after calling pm_runtime_set_active(),
+leaving the device in an inconsistent state if runtime PM initialization
+fails.
+
+Check the return value of devm_pm_runtime_enable() and return on
+failure. Also move the declaration of 'ret' to the function scope
+to support this check.
+
+Fixes: ee8e41b5044f ("phy: ti: phy-da8xx-usb: Add runtime PM support")
+Suggested-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patch.msgid.link/20251124105734.1027-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/phy-da8xx-usb.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/phy/ti/phy-da8xx-usb.c b/drivers/phy/ti/phy-da8xx-usb.c
+index 1d81a1e6ec6b6..62fa6f89c0e61 100644
+--- a/drivers/phy/ti/phy-da8xx-usb.c
++++ b/drivers/phy/ti/phy-da8xx-usb.c
+@@ -180,6 +180,7 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
+ struct da8xx_usb_phy_platform_data *pdata = dev->platform_data;
+ struct device_node *node = dev->of_node;
+ struct da8xx_usb_phy *d_phy;
++ int ret;
+
+ d_phy = devm_kzalloc(dev, sizeof(*d_phy), GFP_KERNEL);
+ if (!d_phy)
+@@ -233,8 +234,6 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
+ return PTR_ERR(d_phy->phy_provider);
+ }
+ } else {
+- int ret;
+-
+ ret = phy_create_lookup(d_phy->usb11_phy, "usb-phy",
+ "ohci-da8xx");
+ if (ret)
+@@ -249,7 +248,9 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
+ PHY_INIT_BITS, PHY_INIT_BITS);
+
+ pm_runtime_set_active(dev);
+- devm_pm_runtime_enable(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+ /*
+ * Prevent runtime pm from being ON by default. Users can enable
+ * it using power/control in sysfs.
+--
+2.51.0
+
--- /dev/null
+From 748840f9dc9a4b51b2793cae377b3c1f74ccd648 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 14:15:34 +0800
+Subject: PM: EM: Fix incorrect description of the cost field in struct
+ em_perf_state
+
+From: Yaxiong Tian <tianyaxiong@kylinos.cn>
+
+[ Upstream commit 54b603f2db6b95495bc33a8f2bde80f044baff9a ]
+
+Due to commit 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove
+division"), the logic for energy consumption calculation has been modified.
+The actual calculation of cost is 10 * power * max_frequency / frequency
+instead of power * max_frequency / frequency.
+
+Therefore, the comment for cost has been updated to reflect the correct
+content.
+
+Fixes: 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove division")
+Signed-off-by: Yaxiong Tian <tianyaxiong@kylinos.cn>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+[ rjw: Added Fixes: tag ]
+Link: https://patch.msgid.link/20251230061534.816894-1-tianyaxiong@kylinos.cn
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/energy_model.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/energy_model.h b/include/linux/energy_model.h
+index 61d50571ad88a..ce2db5447d221 100644
+--- a/include/linux/energy_model.h
++++ b/include/linux/energy_model.h
+@@ -18,7 +18,7 @@
+ * @power: The power consumed at this level (by 1 CPU or by a registered
+ * device). It can be a total power: static and dynamic.
+ * @cost: The cost coefficient associated with this level, used during
+- * energy calculation. Equal to: power * max_frequency / frequency
++ * energy calculation. Equal to: 10 * power * max_frequency / frequency
+ * @flags: see "em_perf_state flags" description below.
+ */
+ struct em_perf_state {
+--
+2.51.0
+
--- /dev/null
+From a71db798d1bd1cd67468da8d1357cbfc0ced16a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 08:45:26 +0000
+Subject: pnfs/blocklayout: Fix memory leak in bl_parse_scsi()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 5a74af51c3a6f4cd22c128b0c1c019f68fa90011 ]
+
+In bl_parse_scsi(), if the block device length is zero, the function
+returns immediately without releasing the file reference obtained via
+bl_open_path(), leading to a memory leak.
+
+Fix this by jumping to the out_blkdev_put label to ensure the file
+reference is properly released.
+
+Fixes: d76c769c8db4c ("pnfs/blocklayout: Don't add zero-length pnfs_block_dev")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/blocklayout/dev.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
+index ab76120705e20..134d7f760a33a 100644
+--- a/fs/nfs/blocklayout/dev.c
++++ b/fs/nfs/blocklayout/dev.c
+@@ -417,8 +417,10 @@ bl_parse_scsi(struct nfs_server *server, struct pnfs_block_dev *d,
+ d->map = bl_map_simple;
+ d->pr_key = v->scsi.pr_key;
+
+- if (d->len == 0)
+- return -ENODEV;
++ if (d->len == 0) {
++ error = -ENODEV;
++ goto out_blkdev_put;
++ }
+
+ ops = bdev->bd_disk->fops->pr_ops;
+ if (!ops) {
+--
+2.51.0
+
--- /dev/null
+From 67707456780d46c36437de633354edcf50491aca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Dec 2025 14:45:00 -0500
+Subject: pNFS: Fix a deadlock when returning a delegation during open()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 857bf9056291a16785ae3be1d291026b2437fc48 ]
+
+Ben Coddington reports seeing a hang in the following stack trace:
+ 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415
+ 1 [ffffd0b50e177548] schedule at ffffffff9ca05717
+ 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1
+ 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb
+ 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5
+ 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4]
+ 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4]
+ 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4]
+ 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4]
+ 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4]
+ 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4]
+ 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4]
+ 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4]
+ 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4]
+ 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4]
+ 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4]
+ 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4]
+ 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea
+ 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e
+ 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935
+
+The issue is that the delegreturn is being asked to wait for a layout
+return that cannot complete because a state recovery was initiated. The
+state recovery cannot complete until the open() finishes processing the
+delegations it was given.
+
+The solution is to propagate the existing flags that indicate a
+non-blocking call to the function pnfs_roc(), so that it knows not to
+wait in this situation.
+
+Reported-by: Benjamin Coddington <bcodding@hammerspace.com>
+Fixes: 29ade5db1293 ("pNFS: Wait on outstanding layoutreturns to complete in pnfs_roc()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 6 ++---
+ fs/nfs/pnfs.c | 58 +++++++++++++++++++++++++++++++++--------------
+ fs/nfs/pnfs.h | 17 ++++++--------
+ 3 files changed, 51 insertions(+), 30 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 3b436ba2ed3bf..3745c59f0af25 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3894,8 +3894,8 @@ int nfs4_do_close(struct nfs4_state *state, gfp_t gfp_mask, int wait)
+ calldata->res.seqid = calldata->arg.seqid;
+ calldata->res.server = server;
+ calldata->res.lr_ret = -NFS4ERR_NOMATCHING_LAYOUT;
+- calldata->lr.roc = pnfs_roc(state->inode,
+- &calldata->lr.arg, &calldata->lr.res, msg.rpc_cred);
++ calldata->lr.roc = pnfs_roc(state->inode, &calldata->lr.arg,
++ &calldata->lr.res, msg.rpc_cred, wait);
+ if (calldata->lr.roc) {
+ calldata->arg.lr_args = &calldata->lr.arg;
+ calldata->res.lr_res = &calldata->lr.res;
+@@ -6946,7 +6946,7 @@ static int _nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred,
+ data->inode = nfs_igrab_and_active(inode);
+ if (data->inode || issync) {
+ data->lr.roc = pnfs_roc(inode, &data->lr.arg, &data->lr.res,
+- cred);
++ cred, issync);
+ if (data->lr.roc) {
+ data->args.lr_args = &data->lr.arg;
+ data->res.lr_res = &data->lr.res;
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 7ce2e840217cf..33bc6db0dc92f 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1533,10 +1533,9 @@ static int pnfs_layout_return_on_reboot(struct pnfs_layout_hdr *lo)
+ PNFS_FL_LAYOUTRETURN_PRIVILEGED);
+ }
+
+-bool pnfs_roc(struct inode *ino,
+- struct nfs4_layoutreturn_args *args,
+- struct nfs4_layoutreturn_res *res,
+- const struct cred *cred)
++bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args,
++ struct nfs4_layoutreturn_res *res, const struct cred *cred,
++ bool sync)
+ {
+ struct nfs_inode *nfsi = NFS_I(ino);
+ struct nfs_open_context *ctx;
+@@ -1547,7 +1546,7 @@ bool pnfs_roc(struct inode *ino,
+ nfs4_stateid stateid;
+ enum pnfs_iomode iomode = 0;
+ bool layoutreturn = false, roc = false;
+- bool skip_read = false;
++ bool skip_read;
+
+ if (!nfs_have_layout(ino))
+ return false;
+@@ -1560,20 +1559,14 @@ bool pnfs_roc(struct inode *ino,
+ lo = NULL;
+ goto out_noroc;
+ }
+- pnfs_get_layout_hdr(lo);
+- if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) {
+- spin_unlock(&ino->i_lock);
+- rcu_read_unlock();
+- wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN,
+- TASK_UNINTERRUPTIBLE);
+- pnfs_put_layout_hdr(lo);
+- goto retry;
+- }
+
+ /* no roc if we hold a delegation */
++ skip_read = false;
+ if (nfs4_check_delegation(ino, FMODE_READ)) {
+- if (nfs4_check_delegation(ino, FMODE_WRITE))
++ if (nfs4_check_delegation(ino, FMODE_WRITE)) {
++ lo = NULL;
+ goto out_noroc;
++ }
+ skip_read = true;
+ }
+
+@@ -1582,12 +1575,43 @@ bool pnfs_roc(struct inode *ino,
+ if (state == NULL)
+ continue;
+ /* Don't return layout if there is open file state */
+- if (state->state & FMODE_WRITE)
++ if (state->state & FMODE_WRITE) {
++ lo = NULL;
+ goto out_noroc;
++ }
+ if (state->state & FMODE_READ)
+ skip_read = true;
+ }
+
++ if (skip_read) {
++ bool writes = false;
++
++ list_for_each_entry(lseg, &lo->plh_segs, pls_list) {
++ if (lseg->pls_range.iomode != IOMODE_READ) {
++ writes = true;
++ break;
++ }
++ }
++ if (!writes) {
++ lo = NULL;
++ goto out_noroc;
++ }
++ }
++
++ pnfs_get_layout_hdr(lo);
++ if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) {
++ if (!sync) {
++ pnfs_set_plh_return_info(
++ lo, skip_read ? IOMODE_RW : IOMODE_ANY, 0);
++ goto out_noroc;
++ }
++ spin_unlock(&ino->i_lock);
++ rcu_read_unlock();
++ wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN,
++ TASK_UNINTERRUPTIBLE);
++ pnfs_put_layout_hdr(lo);
++ goto retry;
++ }
+
+ list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) {
+ if (skip_read && lseg->pls_range.iomode == IOMODE_READ)
+@@ -1627,7 +1651,7 @@ bool pnfs_roc(struct inode *ino,
+ out_noroc:
+ spin_unlock(&ino->i_lock);
+ rcu_read_unlock();
+- pnfs_layoutcommit_inode(ino, true);
++ pnfs_layoutcommit_inode(ino, sync);
+ if (roc) {
+ struct pnfs_layoutdriver_type *ld = NFS_SERVER(ino)->pnfs_curr_ld;
+ if (ld->prepare_layoutreturn)
+diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
+index 91ff877185c8a..3db8f13d8fe4e 100644
+--- a/fs/nfs/pnfs.h
++++ b/fs/nfs/pnfs.h
+@@ -303,10 +303,9 @@ int pnfs_mark_matching_lsegs_return(struct pnfs_layout_hdr *lo,
+ u32 seq);
+ int pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
+ struct list_head *lseg_list);
+-bool pnfs_roc(struct inode *ino,
+- struct nfs4_layoutreturn_args *args,
+- struct nfs4_layoutreturn_res *res,
+- const struct cred *cred);
++bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args,
++ struct nfs4_layoutreturn_res *res, const struct cred *cred,
++ bool sync);
+ int pnfs_roc_done(struct rpc_task *task, struct nfs4_layoutreturn_args **argpp,
+ struct nfs4_layoutreturn_res **respp, int *ret);
+ void pnfs_roc_release(struct nfs4_layoutreturn_args *args,
+@@ -773,12 +772,10 @@ pnfs_layoutcommit_outstanding(struct inode *inode)
+ return false;
+ }
+
+-
+-static inline bool
+-pnfs_roc(struct inode *ino,
+- struct nfs4_layoutreturn_args *args,
+- struct nfs4_layoutreturn_res *res,
+- const struct cred *cred)
++static inline bool pnfs_roc(struct inode *ino,
++ struct nfs4_layoutreturn_args *args,
++ struct nfs4_layoutreturn_res *res,
++ const struct cred *cred, bool sync)
+ {
+ return false;
+ }
+--
+2.51.0
+
--- /dev/null
+From 3e8c1425b802f179319f43ef1ad06c7ca90a2199 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 07:41:03 +0000
+Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
+
+In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
+the function jumps to the out_scratch label without freeing the already
+allocated dsaddrs list, leading to a memory leak.
+
+Fix this by jumping to the out_err_drain_dsaddrs label, which properly
+frees the dsaddrs list before cleaning up other resources.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index c55ea8fa3bfa5..c2d8a13a9dbdd 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
+ sizeof(struct nfs4_ff_ds_version),
+ gfp_flags);
+ if (!ds_versions)
+- goto out_scratch;
++ goto out_err_drain_dsaddrs;
+
+ for (i = 0; i < version_count; i++) {
+ /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
+--
+2.51.0
+
--- /dev/null
+From 1e4ab9ca75adf7f68e82e2283e2a93f613322424 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:57:14 +0100
+Subject: sched/deadline: Avoid double update_rq_clock()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 4de9ff76067b40c3660df73efaea57389e62ea7a ]
+
+When setup_new_dl_entity() is called from enqueue_task_dl() ->
+enqueue_dl_entity(), the rq-clock should already be updated, and
+calling update_rq_clock() again is not right.
+
+Move the update_rq_clock() to the one other caller of
+setup_new_dl_entity(): sched_init_dl_server().
+
+Fixes: 9f239df55546 ("sched/deadline: Initialize dl_servers after SMP")
+Reported-by: Pierre Gondois <pierre.gondois@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Pierre Gondois <pierre.gondois@arm.com>
+Link: https://patch.msgid.link/20260113115622.GA831285@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index d3be71d5a9ccc..465592fa530ef 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -761,8 +761,6 @@ static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se)
+ struct dl_rq *dl_rq = dl_rq_of_se(dl_se);
+ struct rq *rq = rq_of_dl_rq(dl_rq);
+
+- update_rq_clock(rq);
+-
+ WARN_ON(is_dl_boosted(dl_se));
+ WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline));
+
+@@ -1623,6 +1621,7 @@ void sched_init_dl_servers(void)
+ rq = cpu_rq(cpu);
+
+ guard(rq_lock_irq)(rq);
++ update_rq_clock(rq);
+
+ dl_se = &rq->fair_server;
+
+--
+2.51.0
+
--- /dev/null
+From 432a1129c9a1caa79fd8d3e8445319560720f1a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 09:25:37 +0100
+Subject: sched: Deadline has dynamic priority
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit e008ec6c7904ed99d3b2cb634b6545b008a99288 ]
+
+While FIFO/RR have static priority, DEADLINE is a dynamic priority
+scheme. Notably it has static priority -1. Do not assume the priority
+doesn't change for deadline tasks just because the static priority
+doesn't change.
+
+This ensures DL always sees {DE,EN}QUEUE_MOVE where appropriate.
+
+Fixes: ff77e4685359 ("sched/rt: Fix PI handling vs. sched_setscheduler()")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Pierre Gondois <pierre.gondois@arm.com>
+Tested-by: Juri Lelli <juri.lelli@redhat.com>
+Link: https://patch.msgid.link/20260114130528.GB831285@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 +-
+ kernel/sched/syscalls.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index eb47d294e2c5a..e460c22de8ad4 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7383,7 +7383,7 @@ void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task)
+ trace_sched_pi_setprio(p, pi_task);
+ oldprio = p->prio;
+
+- if (oldprio == prio)
++ if (oldprio == prio && !dl_prio(prio))
+ queue_flag &= ~DEQUEUE_MOVE;
+
+ prev_class = p->sched_class;
+diff --git a/kernel/sched/syscalls.c b/kernel/sched/syscalls.c
+index bf360a6fbb800..6805a63d47af7 100644
+--- a/kernel/sched/syscalls.c
++++ b/kernel/sched/syscalls.c
+@@ -688,7 +688,7 @@ int __sched_setscheduler(struct task_struct *p,
+ * itself.
+ */
+ newprio = rt_effective_prio(p, newprio);
+- if (newprio == oldprio)
++ if (newprio == oldprio && !dl_prio(newprio))
+ queue_flags &= ~DEQUEUE_MOVE;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 158b10aed5bd96915310c15cfd154c25a1e7a664 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 19:37:15 +0200
+Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
+
+The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
+0xfff0, only allowing CPUs 0-3.
+
+Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
+0-15.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Reviewed-by: Nimrod Oren <noren@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/toeplitz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 9ba03164d73a6..5099157f01b9a 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -473,8 +473,8 @@ static void parse_rps_bitmap(const char *arg)
+
+ bitmap = strtoul(arg, NULL, 0);
+
+- if (bitmap & ~(RPS_MAX_CPUS - 1))
+- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
+ bitmap, RPS_MAX_CPUS - 1);
+
+ for (i = 0; i < RPS_MAX_CPUS; i++)
+--
+2.51.0
+
--- /dev/null
+From 9eafd0369abd2b4f14806fc8146fb4c5f2c826f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 20:07:24 +0100
+Subject: selftests/landlock: Fix TCP bind(AF_UNSPEC) test case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthieu Buffet <matthieu@buffet.re>
+
+[ Upstream commit bd09d9a05cf04028f639e209b416bacaeffd4909 ]
+
+The nominal error code for bind(AF_UNSPEC) on an IPv6 socket
+is -EAFNOSUPPORT, not -EINVAL. -EINVAL is only returned when
+the supplied address struct is too short, which happens to be
+the case in current selftests because they treat AF_UNSPEC
+like IPv4 sockets do: as an alias for AF_INET (which is a
+16-byte struct instead of the 24 bytes required by IPv6
+sockets).
+
+Make the union large enough for any address (by adding struct
+sockaddr_storage to the union), and make AF_UNSPEC addresses
+large enough for any family.
+
+Test for -EAFNOSUPPORT instead, and add a dedicated test case
+for truncated inputs with -EINVAL.
+
+Fixes: a549d055a22e ("selftests/landlock: Add network tests")
+Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
+Link: https://lore.kernel.org/r/20251027190726.626244-2-matthieu@buffet.re
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/landlock/common.h | 1 +
+ tools/testing/selftests/landlock/net_test.c | 16 +++++++++++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h
+index 9acecae36f51b..98c2362954e21 100644
+--- a/tools/testing/selftests/landlock/common.h
++++ b/tools/testing/selftests/landlock/common.h
+@@ -237,6 +237,7 @@ struct service_fixture {
+ struct sockaddr_un unix_addr;
+ socklen_t unix_addr_len;
+ };
++ struct sockaddr_storage _largest;
+ };
+ };
+
+diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
+index 2a45208551e61..3bbc0508420b1 100644
+--- a/tools/testing/selftests/landlock/net_test.c
++++ b/tools/testing/selftests/landlock/net_test.c
+@@ -121,6 +121,10 @@ static socklen_t get_addrlen(const struct service_fixture *const srv,
+ {
+ switch (srv->protocol.domain) {
+ case AF_UNSPEC:
++ if (minimal)
++ return sizeof(sa_family_t);
++ return sizeof(struct sockaddr_storage);
++
+ case AF_INET:
+ return sizeof(srv->ipv4_addr);
+
+@@ -758,6 +762,11 @@ TEST_F(protocol, bind_unspec)
+ bind_fd = socket_variant(&self->srv0);
+ ASSERT_LE(0, bind_fd);
+
++ /* Tries to bind with too small addrlen. */
++ EXPECT_EQ(-EINVAL, bind_variant_addrlen(
++ bind_fd, &self->unspec_any0,
++ get_addrlen(&self->unspec_any0, true) - 1));
++
+ /* Allowed bind on AF_UNSPEC/INADDR_ANY. */
+ ret = bind_variant(bind_fd, &self->unspec_any0);
+ if (variant->prot.domain == AF_INET) {
+@@ -766,6 +775,8 @@ TEST_F(protocol, bind_unspec)
+ TH_LOG("Failed to bind to unspec/any socket: %s",
+ strerror(errno));
+ }
++ } else if (variant->prot.domain == AF_INET6) {
++ EXPECT_EQ(-EAFNOSUPPORT, ret);
+ } else {
+ EXPECT_EQ(-EINVAL, ret);
+ }
+@@ -792,6 +803,8 @@ TEST_F(protocol, bind_unspec)
+ } else {
+ EXPECT_EQ(0, ret);
+ }
++ } else if (variant->prot.domain == AF_INET6) {
++ EXPECT_EQ(-EAFNOSUPPORT, ret);
+ } else {
+ EXPECT_EQ(-EINVAL, ret);
+ }
+@@ -801,7 +814,8 @@ TEST_F(protocol, bind_unspec)
+ bind_fd = socket_variant(&self->srv0);
+ ASSERT_LE(0, bind_fd);
+ ret = bind_variant(bind_fd, &self->unspec_srv0);
+- if (variant->prot.domain == AF_INET) {
++ if (variant->prot.domain == AF_INET ||
++ variant->prot.domain == AF_INET6) {
+ EXPECT_EQ(-EAFNOSUPPORT, ret);
+ } else {
+ EXPECT_EQ(-EINVAL, ret)
+--
+2.51.0
+
--- /dev/null
+From 92d8a0c1d53aefbabe709ec9745d3684cc4050de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jan 2026 14:40:58 +0100
+Subject: selftests/landlock: Properly close a file descriptor
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Günther Noack <gnoack3000@gmail.com>
+
+[ Upstream commit 15e8d739fda1084d81f7d3813e9600eba6e0f134 ]
+
+Add a missing close(srv_fd) call, and use EXPECT_EQ() to check the
+result.
+
+Signed-off-by: Günther Noack <gnoack3000@gmail.com>
+Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets")
+Link: https://lore.kernel.org/r/20260101134102.25938-2-gnoack3000@gmail.com
+[mic: Use EXPECT_EQ() and update commit message]
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/landlock/fs_test.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
+index a6eb9681791a5..29cdbb8367358 100644
+--- a/tools/testing/selftests/landlock/fs_test.c
++++ b/tools/testing/selftests/landlock/fs_test.c
+@@ -4385,7 +4385,8 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
+ /* FIONREAD and other IOCTLs should not be forbidden. */
+ EXPECT_EQ(0, test_fionread_ioctl(cli_fd));
+
+- ASSERT_EQ(0, close(cli_fd));
++ EXPECT_EQ(0, close(cli_fd));
++ EXPECT_EQ(0, close(srv_fd));
+ }
+
+ /* clang-format off */
+--
+2.51.0
+
--- /dev/null
+From 8e7ebb3b76375ed00e68af71bf462349a7ee1e0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 01:36:31 +0100
+Subject: selftests/landlock: Remove invalid unix socket bind()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthieu Buffet <matthieu@buffet.re>
+
+[ Upstream commit e1a57c33590a50a6639798e60a597af4a23b0340 ]
+
+Remove bind() call on a client socket that doesn't make sense.
+Since strlen(cli_un.sun_path) returns a random value depending on stack
+garbage, that many uninitialized bytes are read from the stack as an
+unix socket address. This creates random test failures due to the bind
+address being invalid or already in use if the same stack value comes up
+twice.
+
+Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets")
+Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
+Reviewed-by: Günther Noack <gnoack@google.com>
+Link: https://lore.kernel.org/r/20251201003631.190817-1-matthieu@buffet.re
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/landlock/fs_test.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
+index fa0f18ec62c41..a6eb9681791a5 100644
+--- a/tools/testing/selftests/landlock/fs_test.c
++++ b/tools/testing/selftests/landlock/fs_test.c
+@@ -4375,9 +4375,6 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
+ cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ ASSERT_LE(0, cli_fd);
+
+- size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path);
+- ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size));
+-
+ bzero(&cli_un, sizeof(cli_un));
+ cli_un.sun_family = AF_UNIX;
+ strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path));
+--
+2.51.0
+
drm-gud-fix-null-fb-and-crtc-dereferences-on-usb-disconnect.patch
virtio_net-fix-misalignment-bug-in-struct-virtnet_info.patch
io_uring-move-local-task_work-in-exit-cancel-loop.patch
+xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
+xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch
+pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch
+nfs-fix-a-deadlock-involving-nfs_release_folio.patch
+pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
+pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch
+drm-bridge-dw-hdmi-qp-fix-spurious-irq-on-resume.patch
+drm-vmwgfx-fix-kms-with-3d-on-hw-version-10.patch
+drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch
+nfs-localio-deal-with-page-bases-that-are-page_size.patch
+drm-rockchip-vop2-add-delay-between-poll-registers.patch
+drm-rockchip-vop2-only-wait-for-changed-layer-cfg-do.patch
+pm-em-fix-incorrect-description-of-the-cost-field-in.patch
+ipv4-ip_tunnel-spread-netdev_lockdep_set_classes.patch
+can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
+nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
+cxl-port-fix-target-list-setup-for-multiple-decoders.patch
+btrfs-release-path-before-iget_failed-in-btrfs_read_.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole.patch
+bluetooth-hci_sync-enable-pa-sync-lost-event.patch
+net-bridge-annotate-data-races-around-fdb-updated-us.patch
+ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
+net-update-netdev_lock_-type-name.patch
+macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
+block-zero-non-pi-portion-of-auto-integrity-buffer.patch
+ipv4-ip_gre-make-ipgre_header-robust.patch
+vsock-test-add-a-final-full-barrier-after-run-all-te.patch
+net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch
+net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch
+net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch
+net-mlx5e-restore-destroying-state-bit-after-profile.patch
+btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch
+cxl-hdm-fix-potential-infinite-loop-in-__cxl_dpa_res.patch
+net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch
+net-phy-motorcomm-fix-duplex-setting-error-for-phy-l.patch
+net-airoha-fix-typo-in-airoha_ppe_setup_tc_block_cb-.patch
+alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch
+alsa-hda-cirrus_scodec_test-fix-test-suite-name.patch
+net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
+dst-fix-races-in-rt6_uncached_list_del-and-rt_del_un.patch
+ipv6-fix-use-after-free-in-inet6_addr_del.patch
+selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
+asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch
+asoc-tlv320adcx140-fix-null-pointer.patch
+asoc-tlv320adcx140-fix-word-length.patch
+drm-amdgpu-fix-drm-panic-null-pointer-when-driver-no.patch
+drm-amd-display-show-link-name-in-psr-status-message.patch
+drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch
+drm-amdkfd-no-need-to-suspend-whole-mes-to-evict-pro.patch
+drm-amdgpu-userq-fix-fence-reference-leak-on-queue-t.patch
+mm-describe-flags-parameter-in-memalloc_flags_save.patch
+textsearch-describe-list-member-in-ts_ops-search.patch
+mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
+mips-fix-highmem-initialization.patch
+drivers-dax-add-some-missing-kerneldoc-comment-field.patch
+nfs-fix-size-read-races-in-truncate-fallocate-and-co.patch
+dmaengine-mmp_pdma-fix-dma-mask-handling.patch
+dmaengine-xilinx-xdma-fix-regmap-max_register.patch
+dmaengine-tegra-adma-fix-use-after-free.patch
+dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
+phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch
+phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch
+phy-stm32-usphyc-fix-off-by-one-in-probe.patch
+phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch
+landlock-fix-tcp-handling-of-short-af_unspec-address.patch
+selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch
+selftests-landlock-remove-invalid-unix-socket-bind.patch
+landlock-fix-wrong-type-usage.patch
+phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
+selftests-landlock-properly-close-a-file-descriptor.patch
+dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
+soundwire-bus-fix-off-by-one-when-allocating-slave-i.patch
+i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
+i2c-imx-lpi2c-change-to-pio-mode-in-system-wide-susp.patch
+sched-deadline-avoid-double-update_rq_clock.patch
+sched-deadline-has-dynamic-priority.patch
--- /dev/null
+From 262bd5295ccd84edf3e3b1d4c0820600f35eedeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Jan 2026 12:19:58 -0800
+Subject: soundwire: bus: fix off-by-one when allocating slave IDs
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 12d4fd9a657174496677cff2841315090f1c11fc ]
+
+ida_alloc_max() interprets its max argument as inclusive.
+
+Using SDW_FW_MAX_DEVICES(16) therefore allows an ID of 16 to be
+allocated, but the IRQ domain created for the bus is sized for IDs
+0-15. If 16 is returned, irq_create_mapping() fails and the driver
+ends up with an invalid IRQ mapping.
+
+Limit the allocation to 0-15 by passing SDW_FW_MAX_DEVICES - 1.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202512240450.hlDH3nCs-lkp@intel.com/
+Fixes: aab12022b076 ("soundwire: bus: Add internal slave ID and use for IRQs")
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20260110201959.2523024-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/bus_type.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soundwire/bus_type.c b/drivers/soundwire/bus_type.c
+index 91e70cb46fb57..5c67c13e57357 100644
+--- a/drivers/soundwire/bus_type.c
++++ b/drivers/soundwire/bus_type.c
+@@ -105,7 +105,7 @@ static int sdw_drv_probe(struct device *dev)
+ if (ret)
+ return ret;
+
+- ret = ida_alloc_max(&slave->bus->slave_ida, SDW_FW_MAX_DEVICES, GFP_KERNEL);
++ ret = ida_alloc_max(&slave->bus->slave_ida, SDW_FW_MAX_DEVICES - 1, GFP_KERNEL);
+ if (ret < 0) {
+ dev_err(dev, "Failed to allocated ID: %d\n", ret);
+ return ret;
+--
+2.51.0
+
--- /dev/null
+From aef085216dcdb4dbc361f91426a0461cb2a23966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Cc: Thomas Graf <tgraf@suug.ch>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 6673e4d4ac2e1..4933777404d61 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
--- /dev/null
+From 60092051fe502bd091967455785a401c7b78c657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index d843643ced6b7..9430ef5b8bc3e 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -511,6 +511,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
--- /dev/null
+From 078a55769c8ccc066242dc92c7f3d9d108b6f833 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 05:56:09 +0200
+Subject: xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ]
+
+Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
+protocol") attempted to fix GSO segmentation by reading the inner
+protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
+because the field holds the inner L4 protocol (TCP/UDP) instead of the
+required tunnel protocol. Also, the memory location (shared by
+XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
+is prone to corruption. This combination caused the kernel to select
+the wrong inner mode and get the wrong address family.
+
+The correct value is in xfrm_offload(skb)->proto, which is set from
+the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
+is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
+or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
+inner packet's address family.
+
+Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/esp4_offload.c | 4 ++--
+ net/ipv6/esp6_offload.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 05828d4cb6cdb..abd77162f5e75 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -122,8 +122,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
+ : htons(ETH_P_IP);
+
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 22410243ebe88..22895521a57d0 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -158,8 +158,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
+ : htons(ETH_P_IPV6);
+
+--
+2.51.0
+
--- /dev/null
+From b98cec3f69e0eff81ebbab3e89441176cc145c63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 11:30:27 +0100
+Subject: xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is
+ set
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit c196def07bbc6e8306d7a274433913444b0db20a ]
+
+The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
+it was being applied regardless of the SA direction when the sysctl
+ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.
+
+Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
+is configured.
+
+Closes: https://github.com/strongswan/strongswan/issues/2946
+Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 9e14e453b55cc..98b362d518363 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -3151,6 +3151,7 @@ int __xfrm_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack)
+ int err;
+
+ if (family == AF_INET &&
++ (!x->dir || x->dir == XFRM_SA_DIR_OUT) &&
+ READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc))
+ x->props.flags |= XFRM_STATE_NOPMTUDISC;
+
+--
+2.51.0
+
--- /dev/null
+From 390eab5c16478c7b54a5b8bd6360d0daf1cf747f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:45 +0100
+Subject: ASoC: tlv320adcx140: fix null pointer
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ]
+
+The "snd_soc_component" in "adcx140_priv" was only used once but never
+set. It was only used for reaching "dev" which is already present in
+"adcx140_priv".
+
+Fixes: 4e82971f7b55 ("ASoC: tlv320adcx140: Add a new kcontrol")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index 41342b3406803..d366c1c51f07a 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -24,7 +24,6 @@
+ #include "tlv320adcx140.h"
+
+ struct adcx140_priv {
+- struct snd_soc_component *component;
+ struct regulator *supply_areg;
+ struct gpio_desc *gpio_reset;
+ struct regmap *regmap;
+@@ -702,7 +701,6 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ {
+ int pwr_ctrl = 0;
+ int ret = 0;
+- struct snd_soc_component *component = adcx140->component;
+
+ if (power_state)
+ pwr_ctrl = ADCX140_PWR_CFG_ADC_PDZ | ADCX140_PWR_CFG_PLL_PDZ;
+@@ -714,7 +712,7 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ ret = regmap_write(adcx140->regmap, ADCX140_PHASE_CALIB,
+ adcx140->phase_calib_on ? 0x00 : 0x40);
+ if (ret)
+- dev_err(component->dev, "%s: register write error %d\n",
++ dev_err(adcx140->dev, "%s: register write error %d\n",
+ __func__, ret);
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 0c65367382999c0893914b8069dbb642d3eef139 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 11:58:47 +0100
+Subject: ASoC: tlv320adcx140: fix word length
+
+From: Emil Svendsen <emas@bang-olufsen.dk>
+
+[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]
+
+The word length is the physical width of the channel slots. So the
+hw_params would misconfigure when format width and physical width
+doesn't match. Like S24_LE which has data width of 24 bits but physical
+width of 32 bits. So if using asymmetric formats you will get a lot of
+noise.
+
+Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
+Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index d366c1c51f07a..78d95b8be2f29 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -728,7 +728,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component);
+ u8 data = 0;
+
+- switch (params_width(params)) {
++ switch (params_physical_width(params)) {
+ case 16:
+ data = ADCX140_16_BIT_WORD;
+ break;
+@@ -743,7 +743,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ break;
+ default:
+ dev_err(component->dev, "%s: Unsupported width %d\n",
+- __func__, params_width(params));
++ __func__, params_physical_width(params));
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From d5019daced35ba04c9a269722df6295dac756a52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 11:43:45 +0900
+Subject: btrfs: factor out check_removing_space_info() from
+ btrfs_free_block_groups()
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+[ Upstream commit 1cfdbe0d53b27b4b4a4f4cf2a4e430bc65ba2ba5 ]
+
+Factor out check_removing_space_info() from btrfs_free_block_groups(). It
+sanity checks a to-be-removed space_info. There is no functional change.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.c | 49 +++++++++++++++++++++++-------------------
+ 1 file changed, 27 insertions(+), 22 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 5a3a41c6d509f..18409b6beaedc 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -4377,6 +4377,32 @@ void btrfs_put_block_group_cache(struct btrfs_fs_info *info)
+ }
+ }
+
++static void check_removing_space_info(struct btrfs_space_info *space_info)
++{
++ struct btrfs_fs_info *info = space_info->fs_info;
++
++ /*
++ * Do not hide this behind enospc_debug, this is actually important and
++ * indicates a real bug if this happens.
++ */
++ if (WARN_ON(space_info->bytes_pinned > 0 || space_info->bytes_may_use > 0))
++ btrfs_dump_space_info(info, space_info, 0, 0);
++
++ /*
++ * If there was a failure to cleanup a log tree, very likely due to an
++ * IO failure on a writeback attempt of one or more of its extent
++ * buffers, we could not do proper (and cheap) unaccounting of their
++ * reserved space, so don't warn on bytes_reserved > 0 in that case.
++ */
++ if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) ||
++ !BTRFS_FS_LOG_CLEANUP_ERROR(info)) {
++ if (WARN_ON(space_info->bytes_reserved > 0))
++ btrfs_dump_space_info(info, space_info, 0, 0);
++ }
++
++ WARN_ON(space_info->reclaim_size > 0);
++}
++
+ /*
+ * Must be called only after stopping all workers, since we could have block
+ * group caching kthreads running, and therefore they could race with us if we
+@@ -4478,28 +4504,7 @@ int btrfs_free_block_groups(struct btrfs_fs_info *info)
+ struct btrfs_space_info,
+ list);
+
+- /*
+- * Do not hide this behind enospc_debug, this is actually
+- * important and indicates a real bug if this happens.
+- */
+- if (WARN_ON(space_info->bytes_pinned > 0 ||
+- space_info->bytes_may_use > 0))
+- btrfs_dump_space_info(info, space_info, 0, 0);
+-
+- /*
+- * If there was a failure to cleanup a log tree, very likely due
+- * to an IO failure on a writeback attempt of one or more of its
+- * extent buffers, we could not do proper (and cheap) unaccounting
+- * of their reserved space, so don't warn on bytes_reserved > 0 in
+- * that case.
+- */
+- if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) ||
+- !BTRFS_FS_LOG_CLEANUP_ERROR(info)) {
+- if (WARN_ON(space_info->bytes_reserved > 0))
+- btrfs_dump_space_info(info, space_info, 0, 0);
+- }
+-
+- WARN_ON(space_info->reclaim_size > 0);
++ check_removing_space_info(space_info);
+ list_del(&space_info->list);
+ btrfs_sysfs_remove_space_info(space_info);
+ }
+--
+2.51.0
+
--- /dev/null
+From 03e04c9c6b017a47098fa1913c027cd3d4369583 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 11:43:43 +0900
+Subject: btrfs: factor out init_space_info() from create_space_info()
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+[ Upstream commit ac5578fef380e68e539a2238ba63dd978a450ef2 ]
+
+Factor out initialization of the space_info struct, which is used in a
+later patch. There is no functional change.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index bf5e509eb9fa8..38f730246e02f 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -222,19 +222,11 @@ void btrfs_update_space_info_chunk_size(struct btrfs_space_info *space_info,
+ WRITE_ONCE(space_info->chunk_size, chunk_size);
+ }
+
+-static int create_space_info(struct btrfs_fs_info *info, u64 flags)
++static void init_space_info(struct btrfs_fs_info *info,
++ struct btrfs_space_info *space_info, u64 flags)
+ {
+-
+- struct btrfs_space_info *space_info;
+- int i;
+- int ret;
+-
+- space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
+- if (!space_info)
+- return -ENOMEM;
+-
+ space_info->fs_info = info;
+- for (i = 0; i < BTRFS_NR_RAID_TYPES; i++)
++ for (int i = 0; i < BTRFS_NR_RAID_TYPES; i++)
+ INIT_LIST_HEAD(&space_info->block_groups[i]);
+ init_rwsem(&space_info->groups_sem);
+ spin_lock_init(&space_info->lock);
+@@ -248,6 +240,19 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+
+ if (btrfs_is_zoned(info))
+ space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH;
++}
++
++static int create_space_info(struct btrfs_fs_info *info, u64 flags)
++{
++
++ struct btrfs_space_info *space_info;
++ int ret;
++
++ space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
++ if (!space_info)
++ return -ENOMEM;
++
++ init_space_info(info, space_info, flags);
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+--
+2.51.0
+
--- /dev/null
+From 8f18cb1dc0a78e6a71ba36beee5f07911d59ba65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Jan 2026 19:20:37 +0000
+Subject: btrfs: fix memory leaks in create_space_info() error paths
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]
+
+In create_space_info(), the 'space_info' object is allocated at the
+beginning of the function. However, there are two error paths where the
+function returns an error code without freeing the allocated memory:
+
+1. When create_space_info_sub_group() fails in zoned mode.
+2. When btrfs_sysfs_add_space_info_type() fails.
+
+In both cases, 'space_info' has not yet been added to the
+fs_info->space_info list, resulting in a memory leak. Fix this by
+adding an error handling label to kfree(space_info) before returning.
+
+Fixes: 2be12ef79fe9 ("btrfs: Separate space_info create/update")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 01d9a93346c28..00d596a8176ff 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -288,18 +288,22 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ BTRFS_SUB_GROUP_DATA_RELOC,
+ 0);
+ if (ret)
+- return ret;
++ goto out_free;
+ }
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+- return ret;
++ goto out_free;
+
+ list_add(&space_info->list, &info->space_info);
+ if (flags & BTRFS_BLOCK_GROUP_DATA)
+ info->data_sinfo = space_info;
+
+ return ret;
++
++out_free:
++ kfree(space_info);
++ return ret;
+ }
+
+ int btrfs_init_space_info(struct btrfs_fs_info *fs_info)
+--
+2.51.0
+
--- /dev/null
+From a6d52090da482da56e9f480be877a0007851901b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 11:43:48 +0900
+Subject: btrfs: introduce btrfs_space_info sub-group
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+[ Upstream commit f92ee31e031c7819126d2febdda0c3e91f5d2eb9 ]
+
+Current code assumes we have only one space_info for each block group type
+(DATA, METADATA, and SYSTEM). We sometime need multiple space infos to
+manage special block groups.
+
+One example is handling the data relocation block group for the zoned mode.
+That block group is dedicated for writing relocated data and we cannot
+allocate any regular extent from that block group, which is implemented in
+the zoned extent allocator. This block group still belongs to the normal
+data space_info. So, when all the normal data block groups are full and
+there is some free space in the dedicated block group, the space_info
+looks to have some free space, while it cannot allocate normal extent
+anymore. That results in a strange ENOSPC error. We need to have a
+space_info for the relocation data block group to represent the situation
+properly.
+
+Adds a basic infrastructure for having a "sub-group" of a space_info:
+creation and removing. A sub-group space_info belongs to one of the
+primary space_infos and has the same flags as its parent.
+
+This commit first introduces the relocation data sub-space_info, and the
+next commit will introduce tree-log sub-space_info. In the future, it could
+be useful to implement tiered storage for btrfs e.g. by implementing a
+sub-group space_info for block groups resides on a fast storage.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.c | 11 +++++++++++
+ fs/btrfs/space-info.c | 44 +++++++++++++++++++++++++++++++++++++++---
+ fs/btrfs/space-info.h | 9 +++++++++
+ fs/btrfs/sysfs.c | 18 ++++++++++++++---
+ 4 files changed, 76 insertions(+), 6 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 18409b6beaedc..2dda388c98538 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -4381,6 +4381,17 @@ static void check_removing_space_info(struct btrfs_space_info *space_info)
+ {
+ struct btrfs_fs_info *info = space_info->fs_info;
+
++ if (space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY) {
++ /* This is a top space_info, proceed with its children first. */
++ for (int i = 0; i < BTRFS_SPACE_INFO_SUB_GROUP_MAX; i++) {
++ if (space_info->sub_group[i]) {
++ check_removing_space_info(space_info->sub_group[i]);
++ kfree(space_info->sub_group[i]);
++ space_info->sub_group[i] = NULL;
++ }
++ }
++ }
++
+ /*
+ * Do not hide this behind enospc_debug, this is actually important and
+ * indicates a real bug if this happens.
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 38f730246e02f..01d9a93346c28 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -237,16 +237,44 @@ static void init_space_info(struct btrfs_fs_info *info,
+ INIT_LIST_HEAD(&space_info->priority_tickets);
+ space_info->clamp = 1;
+ btrfs_update_space_info_chunk_size(space_info, calc_chunk_size(info, flags));
++ space_info->subgroup_id = BTRFS_SUB_GROUP_PRIMARY;
+
+ if (btrfs_is_zoned(info))
+ space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH;
+ }
+
++static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flags,
++ enum btrfs_space_info_sub_group id, int index)
++{
++ struct btrfs_fs_info *fs_info = parent->fs_info;
++ struct btrfs_space_info *sub_group;
++ int ret;
++
++ ASSERT(parent->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
++ ASSERT(id != BTRFS_SUB_GROUP_PRIMARY);
++
++ sub_group = kzalloc(sizeof(*sub_group), GFP_NOFS);
++ if (!sub_group)
++ return -ENOMEM;
++
++ init_space_info(fs_info, sub_group, flags);
++ parent->sub_group[index] = sub_group;
++ sub_group->parent = parent;
++ sub_group->subgroup_id = id;
++
++ ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group);
++ if (ret) {
++ kfree(sub_group);
++ parent->sub_group[index] = NULL;
++ }
++ return ret;
++}
++
+ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ {
+
+ struct btrfs_space_info *space_info;
+- int ret;
++ int ret = 0;
+
+ space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
+ if (!space_info)
+@@ -254,6 +282,15 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+
+ init_space_info(info, space_info, flags);
+
++ if (btrfs_is_zoned(info)) {
++ if (flags & BTRFS_BLOCK_GROUP_DATA)
++ ret = create_space_info_sub_group(space_info, flags,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++ 0);
++ if (ret)
++ return ret;
++ }
++
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+ return ret;
+@@ -496,8 +533,9 @@ static void __btrfs_dump_space_info(const struct btrfs_fs_info *fs_info,
+ lockdep_assert_held(&info->lock);
+
+ /* The free space could be negative in case of overcommit */
+- btrfs_info(fs_info, "space_info %s has %lld free, is %sfull",
+- flag_str,
++ btrfs_info(fs_info,
++ "space_info %s (sub-group id %d) has %lld free, is %sfull",
++ flag_str, info->subgroup_id,
+ (s64)(info->total_bytes - btrfs_space_info_used(info, true)),
+ info->full ? "" : "not ");
+ btrfs_info(fs_info,
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index 39452e36625ae..0670f074902d0 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -83,8 +83,17 @@ enum btrfs_flush_state {
+ COMMIT_TRANS = 11,
+ };
+
++enum btrfs_space_info_sub_group {
++ BTRFS_SUB_GROUP_PRIMARY,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++};
++
++#define BTRFS_SPACE_INFO_SUB_GROUP_MAX 1
+ struct btrfs_space_info {
+ struct btrfs_fs_info *fs_info;
++ struct btrfs_space_info *parent;
++ struct btrfs_space_info *sub_group[BTRFS_SPACE_INFO_SUB_GROUP_MAX];
++ int subgroup_id;
+ spinlock_t lock;
+
+ u64 total_bytes; /* total bytes in the space,
+diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
+index 512d4cbac1ca0..9609579d2289c 100644
+--- a/fs/btrfs/sysfs.c
++++ b/fs/btrfs/sysfs.c
+@@ -1641,16 +1641,28 @@ void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info)
+ kobject_put(&space_info->kobj);
+ }
+
+-static const char *alloc_name(u64 flags)
++static const char *alloc_name(struct btrfs_space_info *space_info)
+ {
++ u64 flags = space_info->flags;
++
+ switch (flags) {
+ case BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA:
+ return "mixed";
+ case BTRFS_BLOCK_GROUP_METADATA:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "metadata";
+ case BTRFS_BLOCK_GROUP_DATA:
+- return "data";
++ switch (space_info->subgroup_id) {
++ case BTRFS_SUB_GROUP_PRIMARY:
++ return "data";
++ case BTRFS_SUB_GROUP_DATA_RELOC:
++ return "data-reloc";
++ default:
++ WARN_ON_ONCE(1);
++ return "data (unknown sub-group)";
++ }
+ case BTRFS_BLOCK_GROUP_SYSTEM:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "system";
+ default:
+ WARN_ON(1);
+@@ -1669,7 +1681,7 @@ int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
+
+ ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype,
+ fs_info->space_info_kobj, "%s",
+- alloc_name(space_info->flags));
++ alloc_name(space_info));
+ if (ret) {
+ kobject_put(&space_info->kobj);
+ return ret;
+--
+2.51.0
+
--- /dev/null
+From dcf6af0bdb85654ea275e401f1249312f2561a48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index c25eb4416a671..6768e2231d610 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6545,6 +6545,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
--- /dev/null
+From a329db8bdd8fa408954f7c4419cadccc138c4a6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 11:52:57 -0800
+Subject: btrfs: store fs_info in space_info
+
+From: Boris Burkov <boris@bur.io>
+
+[ Upstream commit 42f620aec182f62ee72e3fce41cb3353951b3508 ]
+
+This is handy when computing space_info dynamic reclaim thresholds where
+we do not have access to a block group. We could add it to the various
+functions as a parameter, but it seems reasonable for space_info to have
+an fs_info pointer.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 1 +
+ fs/btrfs/space-info.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 27690c518f6d7..bf5e509eb9fa8 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -233,6 +233,7 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ if (!space_info)
+ return -ENOMEM;
+
++ space_info->fs_info = info;
+ for (i = 0; i < BTRFS_NR_RAID_TYPES; i++)
+ INIT_LIST_HEAD(&space_info->block_groups[i]);
+ init_rwsem(&space_info->groups_sem);
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index b0187f25dbb5e..39452e36625ae 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -84,6 +84,7 @@ enum btrfs_flush_state {
+ };
+
+ struct btrfs_space_info {
++ struct btrfs_fs_info *fs_info;
+ spinlock_t lock;
+
+ u64 total_bytes; /* total bytes in the space,
+--
+2.51.0
+
--- /dev/null
+From 83d90f84386c5469345e0e55bf46708df881320c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 02:17:32 +0100
+Subject: can: etas_es58x: allow partial RX URB allocation to succeed
+
+From: Szymon Wilczek <swilczek.lx@gmail.com>
+
+[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]
+
+When es58x_alloc_rx_urbs() fails to allocate the requested number of
+URBs but succeeds in allocating some, it returns an error code.
+This causes es58x_open() to return early, skipping the cleanup label
+'free_urbs', which leads to the anchored URBs being leaked.
+
+As pointed out by maintainer Vincent Mailhol, the driver is designed
+to handle partial URB allocation gracefully. Therefore, partial
+allocation should not be treated as a fatal error.
+
+Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
+allocated, restoring the intended behavior and preventing the leak
+in es58x_open().
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
+Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
+Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
+Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index bb49a2c0a9a5c..77f193861bccc 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -1736,7 +1736,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
+ dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n",
+ __func__, i, rx_buf_len);
+
+- return ret;
++ return 0;
+ }
+
+ /**
+--
+2.51.0
+
--- /dev/null
+From 4e498b08c3af5a754e730c07ae637256bf42d0b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 15:30:18 +0800
+Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
+
+The dma_pool created by dma_pool_create() is not destroyed when
+dma_async_device_register() or of_dma_controller_register() fails,
+causing a resource leak in the probe error paths.
+
+Add dma_pool_destroy() in both error paths to properly release the
+allocated dma_pool resource.
+
+Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/omap-dma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index cf96cf915c0c7..efc9093707e5a 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1809,6 +1809,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
+ rc);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ return rc;
+ }
+@@ -1824,6 +1826,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register DMA controller\n");
+ dma_async_device_unregister(&od->ddev);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ }
+ }
+--
+2.51.0
+
--- /dev/null
+From 73fe152be2f09ee64027b632a4a709b7e46dc17c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 19:54:45 +0530
+Subject: dmaengine: tegra-adma: Fix use-after-free
+
+From: Sheetal <sheetal@nvidia.com>
+
+[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]
+
+A use-after-free bug exists in the Tegra ADMA driver when audio streams
+are terminated, particularly during XRUN conditions. The issue occurs
+when the DMA buffer is freed by tegra_adma_terminate_all() before the
+vchan completion tasklet finishes accessing it.
+
+The race condition follows this sequence:
+
+ 1. DMA transfer completes, triggering an interrupt that schedules the
+ completion tasklet (tasklet has not executed yet)
+ 2. Audio playback stops, calling tegra_adma_terminate_all() which
+ frees the DMA buffer memory via kfree()
+ 3. The scheduled tasklet finally executes, calling vchan_complete()
+ which attempts to access the already-freed memory
+
+Since tasklets can execute at any time after being scheduled, there is
+no guarantee that the buffer will remain valid when vchan_complete()
+runs.
+
+Fix this by properly synchronizing the virtual channel completion:
+ - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
+ descriptors as terminated instead of freeing the descriptor.
+ - Add the callback tegra_adma_synchronize() that calls
+ vchan_synchronize() which kills any pending tasklets and frees any
+ terminated descriptors.
+
+Crash logs:
+[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
+[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
+
+[ 337.427562] Call trace:
+[ 337.427564] dump_backtrace+0x0/0x320
+[ 337.427571] show_stack+0x20/0x30
+[ 337.427575] dump_stack_lvl+0x68/0x84
+[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
+[ 337.427590] kasan_report+0x1f4/0x210
+[ 337.427598] __asan_load8+0xa0/0xd0
+[ 337.427603] vchan_complete+0x124/0x3b0
+[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
+[ 337.427617] tasklet_action+0x30/0x40
+[ 337.427623] __do_softirq+0x1a0/0x5c4
+[ 337.427628] irq_exit+0x110/0x140
+[ 337.427633] handle_domain_irq+0xa4/0xe0
+[ 337.427640] gic_handle_irq+0x64/0x160
+[ 337.427644] call_on_irq_stack+0x20/0x4c
+[ 337.427649] do_interrupt_handler+0x7c/0x90
+[ 337.427654] el1_interrupt+0x30/0x80
+[ 337.427659] el1h_64_irq_handler+0x18/0x30
+[ 337.427663] el1h_64_irq+0x7c/0x80
+[ 337.427667] cpuidle_enter_state+0xe4/0x540
+[ 337.427674] cpuidle_enter+0x54/0x80
+[ 337.427679] do_idle+0x2e0/0x380
+[ 337.427685] cpu_startup_entry+0x2c/0x70
+[ 337.427690] rest_init+0x114/0x130
+[ 337.427695] arch_call_rest_init+0x18/0x24
+[ 337.427702] start_kernel+0x380/0x3b4
+[ 337.427706] __primary_switched+0xc0/0xc8
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sheetal <sheetal@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index e557bada15107..37848d558ae49 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -342,10 +342,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
+ return;
+ }
+
+- kfree(tdc->desc);
++ vchan_terminate_vdesc(&tdc->desc->vd);
+ tdc->desc = NULL;
+ }
+
++static void tegra_adma_synchronize(struct dma_chan *dc)
++{
++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc);
++
++ vchan_synchronize(&tdc->vc);
++}
++
+ static void tegra_adma_start(struct tegra_adma_chan *tdc)
+ {
+ struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc);
+@@ -909,6 +916,7 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ tdma->dma_dev.device_config = tegra_adma_slave_config;
+ tdma->dma_dev.device_tx_status = tegra_adma_tx_status;
+ tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all;
++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize;
+ tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
+--
+2.51.0
+
--- /dev/null
+From 32d2652159623771452eeecb602850a4cb629698 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 17:48:49 +0200
+Subject: dmaengine: xilinx: xdma: Fix regmap max_register
+
+From: Anthony Brandon <anthony@amarulasolutions.com>
+
+[ Upstream commit c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 ]
+
+The max_register field is assigned the size of the register memory
+region instead of the offset of the last register.
+The result is that reading from the regmap via debugfs can cause
+a segmentation fault:
+
+tail /sys/kernel/debug/regmap/xdma.1.auto/registers
+Unable to handle kernel paging request at virtual address ffff800082f70000
+Mem abort info:
+ ESR = 0x0000000096000007
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x07: level 3 translation fault
+[...]
+Call trace:
+ regmap_mmio_read32le+0x10/0x30
+ _regmap_bus_reg_read+0x74/0xc0
+ _regmap_read+0x68/0x198
+ regmap_read+0x54/0x88
+ regmap_read_debugfs+0x140/0x380
+ regmap_map_read_file+0x30/0x48
+ full_proxy_read+0x68/0xc8
+ vfs_read+0xcc/0x310
+ ksys_read+0x7c/0x120
+ __arm64_sys_read+0x24/0x40
+ invoke_syscall.constprop.0+0x64/0x108
+ do_el0_svc+0xb0/0xd8
+ el0_svc+0x38/0x130
+ el0t_64_sync_handler+0x120/0x138
+ el0t_64_sync+0x194/0x198
+Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000)
+---[ end trace 0000000000000000 ]---
+note: tail[1217] exited with irqs disabled
+note: tail[1217] exited with preempt_count 1
+Segmentation fault
+
+Fixes: 17ce252266c7 ("dmaengine: xilinx: xdma: Add xilinx xdma driver")
+Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Anthony Brandon <anthony@amarulasolutions.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xdma-regs.h | 1 +
+ drivers/dma/xilinx/xdma.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/xdma-regs.h b/drivers/dma/xilinx/xdma-regs.h
+index dd98b4526b90a..b19c173d8bfce 100644
+--- a/drivers/dma/xilinx/xdma-regs.h
++++ b/drivers/dma/xilinx/xdma-regs.h
+@@ -9,6 +9,7 @@
+
+ /* The length of register space exposed to host */
+ #define XDMA_REG_SPACE_LEN 65536
++#define XDMA_MAX_REG_OFFSET (XDMA_REG_SPACE_LEN - 4)
+
+ /*
+ * maximum number of DMA channels for each direction:
+diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c
+index e0bfd129d563f..dbab4c4499143 100644
+--- a/drivers/dma/xilinx/xdma.c
++++ b/drivers/dma/xilinx/xdma.c
+@@ -38,7 +38,7 @@ static const struct regmap_config xdma_regmap_config = {
+ .reg_bits = 32,
+ .val_bits = 32,
+ .reg_stride = 4,
+- .max_register = XDMA_REG_SPACE_LEN,
++ .max_register = XDMA_MAX_REG_OFFSET,
+ };
+
+ /**
+--
+2.51.0
+
--- /dev/null
+From 4f19389116e34214e4d34f1e6a440f22c4baa221 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 00:00:06 +0530
+Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when
+ "xlnx,addrwidth" property is missing
+
+From: Suraj Gupta <suraj.gupta2@amd.com>
+
+[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
+
+When device tree lacks optional "xlnx,addrwidth" property, the addr_width
+variable remained uninitialized with garbage values, causing incorrect
+DMA mask configuration and subsequent probe failure. The fix ensures a
+fallback to the default 32-bit address width when this property is missing.
+
+Signed-off-by: Suraj Gupta <suraj.gupta2@amd.com>
+Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Folker Schwesinger <dev@folker-schwesinger.de>
+Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 14c4c5031b556..176cac3f37a73 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -128,6 +128,7 @@
+ #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
+ #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
+ #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
+
+ #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
+ (XILINX_DMA_DMASR_FRM_CNT_IRQ | \
+@@ -3057,7 +3058,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct device_node *node = pdev->dev.of_node;
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+- u32 num_frames, addr_width, len_width;
++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -3131,7 +3132,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
+ if (err < 0)
+- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
++ dev_warn(xdev->dev,
++ "missing xlnx,addrwidth property, using default value %d\n",
++ XILINX_DMA_DFAULT_ADDRWIDTH);
+
+ if (addr_width > 32)
+ xdev->ext_addr = true;
+--
+2.51.0
+
--- /dev/null
+From f7d6245385efaf77e08b53b345c2ecdcc9fdce0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Oct 2025 19:07:42 +0100
+Subject: i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit c0c50e3743e467ec4752c638e10e97f89c8644e2 ]
+
+The I2C Hub controller is a simpler GENI I2C variant that doesn't
+support DMA at all, add a no_dma flag to make sure it nevers selects
+the SE DMA mode with mappable 32bytes long transfers.
+
+Fixes: cacd9643eca7 ("i2c: qcom-geni: add support for I2C Master Hub variant")
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Mukesh Kumar Savaliya <mukesh.savaliya@oss.qualcomm.com>>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-qcom-geni.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
+index 350f7827fbaca..f6e46168571f5 100644
+--- a/drivers/i2c/busses/i2c-qcom-geni.c
++++ b/drivers/i2c/busses/i2c-qcom-geni.c
+@@ -97,6 +97,7 @@ struct geni_i2c_dev {
+ dma_addr_t dma_addr;
+ struct dma_chan *tx_c;
+ struct dma_chan *rx_c;
++ bool no_dma;
+ bool gpi_mode;
+ bool abort_done;
+ };
+@@ -411,7 +412,7 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
+ size_t len = msg->len;
+ struct i2c_msg *cur;
+
+- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
+ if (dma_buf)
+ geni_se_select_mode(se, GENI_SE_DMA);
+ else
+@@ -450,7 +451,7 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
+ size_t len = msg->len;
+ struct i2c_msg *cur;
+
+- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
+ if (dma_buf)
+ geni_se_select_mode(se, GENI_SE_DMA);
+ else
+@@ -866,10 +867,12 @@ static int geni_i2c_probe(struct platform_device *pdev)
+ return -ENXIO;
+ }
+
+- if (desc && desc->no_dma_support)
++ if (desc && desc->no_dma_support) {
+ fifo_disable = false;
+- else
++ gi2c->no_dma = true;
++ } else {
+ fifo_disable = readl_relaxed(gi2c->se.base + GENI_IF_DISABLE_RO) & FIFO_IF_DISABLE;
++ }
+
+ if (fifo_disable) {
+ /* FIFO is disabled, so we can only use GPI DMA */
+--
+2.51.0
+
--- /dev/null
+From 12ef5c033cf0bd0fd0506036772a5117e7696b3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jan 2026 16:31:09 +0000
+Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]
+
+Blamed commit did not take care of VLAN encapsulations
+as spotted by syzbot [1].
+
+Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
+
+[1]
+ BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
+ __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
+ ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
+ gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
+ ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
+ ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
+ ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
+ dst_input include/net/dst.h:474 [inline]
+ ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
+ __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
+ __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
+ netif_receive_skb_internal net/core/dev.c:6338 [inline]
+ netif_receive_skb+0x57/0x630 net/core/dev.c:6397
+ tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
+ tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4960 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
+ kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
+ __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
+ alloc_skb include/linux/skbuff.h:1383 [inline]
+ alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
+ sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
+ tun_alloc_skb drivers/net/tun.c:1461 [inline]
+ tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+
+Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index e635ddd41aba6..69cace90ece16 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -844,7 +844,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
+
+ skb_reset_network_header(skb);
+
+- if (!pskb_inet_may_pull(skb)) {
++ if (skb_vlan_inet_prepare(skb, true)) {
+ DEV_STATS_INC(tunnel->dev, rx_length_errors);
+ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto drop;
+--
+2.51.0
+
--- /dev/null
+From c511ec39b511c5888d6bfb15e55fa99c19a98d14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 19:02:14 +0000
+Subject: ipv4: ip_gre: make ipgre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
+
+Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+
+Over the years, syzbot found many ways to crash the kernel
+in ipgre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ipgre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
+ kernel BUG at net/core/skbuff.c:213 !
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: mld mld_ifc_work
+ RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
+Call Trace:
+ <TASK>
+ skb_under_panic net/core/skbuff.c:223 [inline]
+ skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+ ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
+ dev_hard_header include/linux/netdevice.h:3436 [inline]
+ neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
+Closes: https://www.spinics.net/lists/netdev/msg1147302.html
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index f261e29adc7c2..75d388dd5ac62 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -860,10 +860,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ const void *daddr, const void *saddr, unsigned int len)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct iphdr *iph;
+ struct gre_base_hdr *greh;
++ struct iphdr *iph;
++ int needed;
++
++ needed = t->hlen + sizeof(*iph);
++ if (skb_headroom(skb) < needed &&
++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++ 0, GFP_ATOMIC))
++ return -needed;
+
+- iph = skb_push(skb, t->hlen + sizeof(*iph));
++ iph = skb_push(skb, needed);
+ greh = (struct gre_base_hdr *)(iph+1);
+ greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
+ greh->protocol = htons(type);
+--
+2.51.0
+
--- /dev/null
+From c9ab220c7e3b71f2c78a552245ada93798f4e62e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 01:05:08 +0000
+Subject: ipv6: Fix use-after-free in inet6_addr_del().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ]
+
+syzbot reported use-after-free of inet6_ifaddr in
+inet6_addr_del(). [0]
+
+The cited commit accidentally moved ipv6_del_addr() for
+mngtmpaddr before reading its ifp->flags for temporary
+addresses in inet6_addr_del().
+
+Let's move ipv6_del_addr() down to fix the UAF.
+
+[0]:
+BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593
+
+CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+ addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
+ inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f164cf8f749
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749
+RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003
+RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288
+ </TASK>
+
+Allocated by task 9593:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
+ kmalloc_noprof include/linux/slab.h:957 [inline]
+ kzalloc_noprof include/linux/slab.h:1094 [inline]
+ ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
+ inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
+ addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
+ inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6099:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
+ poison_slab_object mm/kasan/common.c:252 [inline]
+ __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
+ kasan_slab_free include/linux/kasan.h:234 [inline]
+ slab_free_hook mm/slub.c:2540 [inline]
+ slab_free_freelist_hook mm/slub.c:2569 [inline]
+ slab_free_bulk mm/slub.c:6696 [inline]
+ kmem_cache_free_bulk mm/slub.c:7383 [inline]
+ kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
+ kfree_bulk include/linux/slab.h:830 [inline]
+ kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
+ kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
+ kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
+ process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
+ process_scheduled_works kernel/workqueue.c:3340 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
+ kthread+0x3c5/0x780 kernel/kthread.c:463
+ ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: 00b5b7aab9e42 ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged")
+Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 2737bb4751e4c..4958452cd3320 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3111,12 +3111,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags,
+ in6_ifa_hold(ifp);
+ read_unlock_bh(&idev->lock);
+
+- ipv6_del_addr(ifp);
+-
+ if (!(ifp->flags & IFA_F_TEMPORARY) &&
+ (ifp->flags & IFA_F_MANAGETEMPADDR))
+ delete_tempaddrs(idev, ifp);
+
++ ipv6_del_addr(ifp);
++
+ addrconf_verify_rtnl(net);
+ if (ipv6_addr_is_multicast(pfx)) {
+ ipv6_mc_config(net->ipv6.mc_autojoin_sk,
+--
+2.51.0
+
--- /dev/null
+From d31e3b3fd6a86ff73bbe27d1474190dc3e56274e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:36:51 +0000
+Subject: macvlan: fix possible UAF in macvlan_forward_source()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]
+
+Add RCU protection on (struct macvlan_source_entry)->vlan.
+
+Whenever macvlan_hash_del_source() is called, we must clear
+entry->vlan pointer before RCU grace period starts.
+
+This allows macvlan_forward_source() to skip over
+entries queued for freeing.
+
+Note that macvlan_dev are already RCU protected, as they
+are embedded in a standard netdev (netdev_priv(ndev)).
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
+https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index c8da94af4161a..09db43ce31767 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -58,7 +58,7 @@ struct macvlan_port {
+
+ struct macvlan_source_entry {
+ struct hlist_node hlist;
+- struct macvlan_dev *vlan;
++ struct macvlan_dev __rcu *vlan;
+ unsigned char addr[6+2] __aligned(sizeof(u16));
+ struct rcu_head rcu;
+ };
+@@ -145,7 +145,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+- entry->vlan == vlan)
++ rcu_access_pointer(entry->vlan) == vlan)
+ return entry;
+ }
+ return NULL;
+@@ -167,7 +167,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan,
+ return -ENOMEM;
+
+ ether_addr_copy(entry->addr, addr);
+- entry->vlan = vlan;
++ RCU_INIT_POINTER(entry->vlan, vlan);
+ h = &port->vlan_source_hash[macvlan_eth_hash(addr)];
+ hlist_add_head_rcu(&entry->hlist, h);
+ vlan->macaddr_count++;
+@@ -186,6 +186,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan)
+
+ static void macvlan_hash_del_source(struct macvlan_source_entry *entry)
+ {
++ RCU_INIT_POINTER(entry->vlan, NULL);
+ hlist_del_rcu(&entry->hlist);
+ kfree_rcu(entry, rcu);
+ }
+@@ -389,7 +390,7 @@ static void macvlan_flush_sources(struct macvlan_port *port,
+ int i;
+
+ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
+- if (entry->vlan == vlan)
++ if (rcu_access_pointer(entry->vlan) == vlan)
+ macvlan_hash_del_source(entry);
+
+ vlan->macaddr_count = 0;
+@@ -432,9 +433,14 @@ static bool macvlan_forward_source(struct sk_buff *skb,
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+ if (ether_addr_equal_64bits(entry->addr, addr)) {
+- if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan);
++
++ if (!vlan)
++ continue;
++
++ if (vlan->flags & MACVLAN_FLAG_NODST)
+ consume = true;
+- macvlan_forward_source_one(skb, entry->vlan);
++ macvlan_forward_source_one(skb, vlan);
+ }
+ }
+
+@@ -1685,7 +1691,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct macvlan_source_entry *entry;
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+- if (entry->vlan != vlan)
++ if (rcu_access_pointer(entry->vlan) != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+ return 1;
+--
+2.51.0
+
--- /dev/null
+From e394c8ba82556fc39ddaacea44c723eae0b498c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:07 +0700
+Subject: mm, kfence: describe @slab parameter in __kfence_obj_info()
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
+
+Fix it by describing @slab parameter.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
+Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Marco Elver <elver@google.com>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Acked-by: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kfence.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index 401af47575141..90edba2e59f95 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -211,6 +211,7 @@ struct kmem_obj_info;
+ * __kfence_obj_info() - fill kmem_obj_info struct
+ * @kpp: kmem_obj_info to be filled
+ * @object: the object
++ * @slab: the slab
+ *
+ * Return:
+ * * false - not a KFENCE object
+--
+2.51.0
+
--- /dev/null
+From d7e6dc7aa35791a894fd32fbbf27970dbc114dc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 09:38:06 +0000
+Subject: net: bridge: annotate data-races around fdb->{updated,used}
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b25a0b4a2193407aa72a4cd1df66a7ed07dd4f1e ]
+
+fdb->updated and fdb->used are read and written locklessly.
+
+Add READ_ONCE()/WRITE_ONCE() annotations.
+
+Fixes: 31cbc39b6344 ("net: bridge: add option to allow activity notifications for any fdb entries")
+Reported-by: syzbot+bfab43087ad57222ce96@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e3d74.050a0220.1c677c.035f.GAE@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260108093806.834459-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c | 28 ++++++++++++++++------------
+ net/bridge/br_input.c | 4 ++--
+ 2 files changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 91903076d30bd..fa2970db21301 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -73,7 +73,7 @@ static inline int has_expired(const struct net_bridge *br,
+ {
+ return !test_bit(BR_FDB_STATIC, &fdb->flags) &&
+ !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) &&
+- time_before_eq(fdb->updated + hold_time(br), jiffies);
++ time_before_eq(READ_ONCE(fdb->updated) + hold_time(br), jiffies);
+ }
+
+ static void fdb_rcu_free(struct rcu_head *head)
+@@ -136,9 +136,9 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
+ if (nla_put_u32(skb, NDA_FLAGS_EXT, ext_flags))
+ goto nla_put_failure;
+
+- ci.ndm_used = jiffies_to_clock_t(now - fdb->used);
++ ci.ndm_used = jiffies_to_clock_t(now - READ_ONCE(fdb->used));
+ ci.ndm_confirmed = 0;
+- ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated);
++ ci.ndm_updated = jiffies_to_clock_t(now - READ_ONCE(fdb->updated));
+ ci.ndm_refcnt = 0;
+ if (nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci))
+ goto nla_put_failure;
+@@ -534,7 +534,7 @@ void br_fdb_cleanup(struct work_struct *work)
+ */
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+- unsigned long this_timer = f->updated + delay;
++ unsigned long this_timer = READ_ONCE(f->updated) + delay;
+
+ if (test_bit(BR_FDB_STATIC, &f->flags) ||
+ test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags)) {
+@@ -792,6 +792,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+ {
+ struct net_bridge_fdb_entry *f;
+ struct __fdb_entry *fe = buf;
++ unsigned long delta;
+ int num = 0;
+
+ memset(buf, 0, maxnum*sizeof(struct __fdb_entry));
+@@ -821,8 +822,11 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+ fe->port_hi = f->dst->port_no >> 8;
+
+ fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
+- if (!test_bit(BR_FDB_STATIC, &f->flags))
+- fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated);
++ if (!test_bit(BR_FDB_STATIC, &f->flags)) {
++ delta = jiffies - READ_ONCE(f->updated);
++ fe->ageing_timer_value =
++ jiffies_delta_to_clock_t(delta);
++ }
+ ++fe;
+ ++num;
+ }
+@@ -870,8 +874,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+ unsigned long now = jiffies;
+ bool fdb_modified = false;
+
+- if (now != fdb->updated) {
+- fdb->updated = now;
++ if (now != READ_ONCE(fdb->updated)) {
++ WRITE_ONCE(fdb->updated, now);
+ fdb_modified = __fdb_mark_active(fdb);
+ }
+
+@@ -1103,10 +1107,10 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ if (fdb_handle_notify(fdb, notify))
+ modified = true;
+
+- fdb->used = jiffies;
++ WRITE_ONCE(fdb->used, jiffies);
+ if (modified) {
+ if (refresh)
+- fdb->updated = jiffies;
++ WRITE_ONCE(fdb->updated, jiffies);
+ fdb_notify(br, fdb, RTM_NEWNEIGH, true);
+ }
+
+@@ -1419,7 +1423,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ goto err_unlock;
+ }
+
+- fdb->updated = jiffies;
++ WRITE_ONCE(fdb->updated, jiffies);
+
+ if (READ_ONCE(fdb->dst) != p) {
+ WRITE_ONCE(fdb->dst, p);
+@@ -1428,7 +1432,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+
+ if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
+ /* Refresh entry */
+- fdb->used = jiffies;
++ WRITE_ONCE(fdb->used, jiffies);
+ } else {
+ modified = true;
+ }
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 951330c1a813b..2d5b81ebbaa6d 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -207,8 +207,8 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ if (test_bit(BR_FDB_LOCAL, &dst->flags))
+ return br_pass_frame_up(skb, false);
+
+- if (now != dst->used)
+- dst->used = now;
++ if (now != READ_ONCE(dst->used))
++ WRITE_ONCE(dst->used, now);
+ br_forward(dst->dst, skb, local_rcv, false);
+ } else {
+ if (!mcast_hit)
+--
+2.51.0
+
--- /dev/null
+From c011418195c96479b1173422a215f5f3a071b188 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Oct 2023 15:27:20 +0200
+Subject: net: bridge: Set BR_FDB_ADDED_BY_USER early in fdb_add_entry
+
+From: Johannes Nixdorf <jnixdorf-oss@avm.de>
+
+[ Upstream commit cbf51acbc5d50341290c79c97bda8cf46f5c4f22 ]
+
+In preparation of the following fdb limit for dynamically learned entries,
+allow fdb_create to detect that the entry was added by the user. This
+way it can skip applying the limit in this case.
+
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: Johannes Nixdorf <jnixdorf-oss@avm.de>
+Link: https://lore.kernel.org/r/20231016-fdb_limit-v5-1-32cddff87758@avm.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: b25a0b4a2193 ("net: bridge: annotate data-races around fdb->{updated,used}")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index a6d8cd9a58078..91903076d30bd 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -1056,7 +1056,8 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ if (!(flags & NLM_F_CREATE))
+ return -ENOENT;
+
+- fdb = fdb_create(br, source, addr, vid, 0);
++ fdb = fdb_create(br, source, addr, vid,
++ BIT(BR_FDB_ADDED_BY_USER));
+ if (!fdb)
+ return -ENOMEM;
+
+@@ -1069,6 +1070,8 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ WRITE_ONCE(fdb->dst, source);
+ modified = true;
+ }
++
++ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+ }
+
+ if (fdb_to_nud(br, fdb) != state) {
+@@ -1100,8 +1103,6 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ if (fdb_handle_notify(fdb, notify))
+ modified = true;
+
+- set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+-
+ fdb->used = jiffies;
+ if (modified) {
+ if (refresh)
+--
+2.51.0
+
--- /dev/null
+From 706520c89382306192852b6195a19fc8f360f318 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 02:01:33 -0800
+Subject: net: hv_netvsc: reject RSS hash key programming without RX
+ indirection table
+
+From: Aditya Garg <gargaditya@linux.microsoft.com>
+
+[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ]
+
+RSS configuration requires a valid RX indirection table. When the device
+reports a single receive queue, rndis_filter_device_add() does not
+allocate an indirection table, accepting RSS hash key updates in this
+state leads to a hang.
+
+Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
+-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
+capabilities and prevents incorrect behavior.
+
+Fixes: 962f3fee83a4 ("netvsc: add ethtool ops to get/set RSS key")
+Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com>
+Reviewed-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index aa114240e340d..af001e2e688b2 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1762,6 +1762,9 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir,
+ if (hfunc != ETH_RSS_HASH_NO_CHANGE && hfunc != ETH_RSS_HASH_TOP)
+ return -EOPNOTSUPP;
+
++ if (!ndc->rx_table_sz)
++ return -EOPNOTSUPP;
++
+ rndis_dev = ndev->extension;
+ if (indir) {
+ for (i = 0; i < ndc->rx_table_sz; i++)
+--
+2.51.0
+
--- /dev/null
+From b2322a40c24603ee9337cb14b74c67c9ff9d0c10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 13:26:57 -0800
+Subject: net/mlx5e: Restore destroying state bit after profile cleanup
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ]
+
+Profile rollback can fail in mlx5e_netdev_change_profile() and we will
+end up with invalid mlx5e_priv memset to 0, we must maintain the
+'destroying' bit in order to gracefully shutdown even if the
+profile/priv are not valid.
+
+This patch maintains the previous state of the 'destroying' state of
+mlx5e_priv after priv cleanup, to allow the remove flow to cleanup
+common resources from mlx5_core to avoid FW fatal errors as seen below:
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+ Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ...
+
+$ devlink dev reload pci/0000:00:03.0
+
+mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
+mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected
+mlx5_core 0000:00:03.0: firmware version: 28.41.1000
+mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link)
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here
+mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver
+mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start
+mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms.
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 5c6f01abdcb91..03201bcda1a68 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5687,6 +5687,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv,
+
+ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ {
++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ int i;
+
+ /* bail if change profile failed and also rollback failed */
+@@ -5712,6 +5713,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ }
+
+ memset(priv, 0, sizeof(*priv));
++ if (destroying) /* restore destroying bit, to allow unload */
++ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ }
+
+ static unsigned int mlx5e_get_max_num_txqs(struct mlx5_core_dev *mdev,
+--
+2.51.0
+
--- /dev/null
+From 61498af5f1b44726f10e78d33687b9916af25839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 29847c28ffaca..7c6b5428b8ed4 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -532,8 +532,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 82c1f551a90fc08fcf1482e86fc110a985551503 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 09:32:44 +0000
+Subject: net: update netdev_lock_{type,name}
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ]
+
+Add missing entries in netdev_lock_type[] and netdev_lock_name[] :
+
+CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON,
+IEEE802154_MONITOR.
+
+Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting
+next time a protocol is added without updating these arrays.
+
+Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index cf5b5a4cbfd70..8a7a5e16da00a 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -481,15 +481,21 @@ static const unsigned short netdev_lock_type[] = {
+ ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP,
+ ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD,
+ ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25,
++ ARPHRD_CAN, ARPHRD_MCTP,
+ ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP,
+- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
++ ARPHRD_RAWHDLC, ARPHRD_RAWIP,
++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
+ ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI,
+ ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE,
+ ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET,
+ ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL,
+ ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM,
+- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
+- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE};
++ ARPHRD_IEEE80211_RADIOTAP,
++ ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR,
++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN,
++ ARPHRD_VSOCKMON,
++ ARPHRD_VOID, ARPHRD_NONE};
+
+ static const char *const netdev_lock_name[] = {
+ "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25",
+@@ -498,15 +504,21 @@ static const char *const netdev_lock_name[] = {
+ "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP",
+ "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD",
+ "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25",
++ "_xmit_CAN", "_xmit_MCTP",
+ "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP",
+- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
++ "_xmit_RAWHDLC", "_xmit_RAWIP",
++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
+ "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI",
+ "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE",
+ "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET",
+ "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL",
+ "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM",
+- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE",
+- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"};
++ "_xmit_IEEE80211_RADIOTAP",
++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR",
++ "_xmit_PHONET", "_xmit_PHONET_PIPE",
++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN",
++ "_xmit_VSOCKMON",
++ "_xmit_VOID", "_xmit_NONE"};
+
+ static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)];
+ static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)];
+@@ -519,6 +531,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type)
+ if (netdev_lock_type[i] == dev_type)
+ return i;
+ /* the last key is used by default */
++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type);
+ return ARRAY_SIZE(netdev_lock_type) - 1;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 630e4652128019abaf0e7f1550b89ac55df9bb94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Dec 2025 13:57:48 -0500
+Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shivam Kumar <kumar.shivam43666@gmail.com>
+
+[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]
+
+Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+added ttag bounds checking and data_offset
+validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
+whether the command's data structures (cmd->req.sg and cmd->iov) have
+been properly initialized before processing H2C_DATA PDUs.
+
+The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
+without NULL checks. This can be triggered by sending H2C_DATA PDU
+immediately after the ICREQ/ICRESP handshake, before
+sending a CONNECT command or NVMe write command.
+
+Attack vectors that trigger NULL pointer dereferences:
+1. H2C_DATA PDU sent before CONNECT → both pointers NULL
+2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
+3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
+
+The fix validates both cmd->req.sg and cmd->iov before calling
+nvmet_tcp_build_pdu_iovec(). Both checks are required because:
+- Uninitialized commands: both NULL
+- READ commands: cmd->req.sg allocated, cmd->iov NULL
+- WRITE commands: both allocated
+
+Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 6975b2a054e0d..3bdff81eb3af8 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -995,6 +995,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+ goto err_proto;
+ }
++ /*
++ * Ensure command data structures are initialized. We must check both
++ * cmd->req.sg and cmd->iov because they can have different NULL states:
++ * - Uninitialized commands: both NULL
++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL
++ * - WRITE commands: both allocated
++ */
++ if (unlikely(!cmd->req.sg || !cmd->iov)) {
++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",
++ queue->idx, data->ttag);
++ goto err_proto;
++ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_build_pdu_iovec(cmd);
+ queue->cmd = cmd;
+--
+2.51.0
+
--- /dev/null
+From 43d4a73045201ed8d813b310fd9c1a0d01605b47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Dec 2023 16:17:50 +0100
+Subject: nvmet-tcp: remove boilerplate code
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 75011bd0f9c55db523242f9f9a0b0b826165f14b ]
+
+Simplify the nvmet_tcp_handle_h2c_data_pdu() function by removing
+boilerplate code.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Stable-dep-of: 32b63acd78f5 ("nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 6a539c3b8b530..6975b2a054e0d 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -969,8 +969,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ if (unlikely(data->ttag >= queue->nr_cmds)) {
+ pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n",
+ queue->idx, data->ttag, queue->nr_cmds);
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+ cmd = &queue->cmds[data->ttag];
+ } else {
+@@ -981,9 +980,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("ttag %u unexpected data offset %u (expected %u)\n",
+ data->ttag, le32_to_cpu(data->data_offset),
+ cmd->rbytes_done);
+- /* FIXME: use path and transport errors */
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+
+ exp_data_len = le32_to_cpu(data->hdr.plen) -
+@@ -996,9 +993,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ cmd->pdu_len == 0 ||
+ cmd->pdu_len > NVMET_TCP_MAXH2CDATA)) {
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+- /* FIXME: use proper transport errors */
+- nvmet_tcp_fatal_error(queue);
+- return -EPROTO;
++ goto err_proto;
+ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_build_pdu_iovec(cmd);
+@@ -1006,6 +1001,11 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ queue->rcv_state = NVMET_TCP_RECV_DATA;
+
+ return 0;
++
++err_proto:
++ /* FIXME: use proper transport errors */
++ nvmet_tcp_fatal_error(queue);
++ return -EPROTO;
+ }
+
+ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
+--
+2.51.0
+
--- /dev/null
+From 40830775959f7b346e35dbef7562b8703a75ed50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index 2c8b1b7dda5bd..5c2710597df2c 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
--- /dev/null
+From 8a3eed594fa24bcd5ecaff99b088b250491cfac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 10:51:12 +0200
+Subject: phy: drop probe registration printks
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 95463cbb4fe6489921fb8c72890113dca54ce83f ]
+
+Drivers should generally be quiet on successful probe, but this is not
+followed by some PHY drivers, for example:
+
+ snps-eusb2-hsphy 88e1000.phy: Registered Snps-eUSB2 phy
+ qcom-eusb2-repeater c432000.spmi:pmic@7:phy@fd00: Registered Qcom-eUSB2 repeater
+ qcom-eusb2-repeater c432000.spmi:pmic@a:phy@fd00: Registered Qcom-eUSB2 repeater
+ qcom-eusb2-repeater c432000.spmi:pmic@b:phy@fd00: Registered Qcom-eUSB2 repeater
+ snps-eusb2-hsphy fd3000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy fd9000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy fde000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy 88e0000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy 88e2000.phy: Registered Snps-eUSB2 phy
+
+Drop (or demote to debug level) unnecessary registration info messages
+to make boot logs a little less noisy.
+
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20250523085112.11287-1-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: 1ca52c0983c3 ("phy: qcom-qusb2: Fix NULL pointer dereference on early suspend")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-bcm-ns2-pcie.c | 2 --
+ drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c | 1 -
+ drivers/phy/broadcom/phy-bcm-sr-pcie.c | 2 --
+ drivers/phy/broadcom/phy-brcm-sata.c | 2 +-
+ drivers/phy/marvell/phy-pxa-usb.c | 1 -
+ drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 2 --
+ drivers/phy/qualcomm/phy-qcom-m31.c | 2 --
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 +---
+ drivers/phy/qualcomm/phy-qcom-snps-eusb2.c | 2 --
+ drivers/phy/st/phy-stih407-usb.c | 2 --
+ drivers/phy/st/phy-stm32-usbphyc.c | 4 ++--
+ drivers/phy/ti/phy-twl4030-usb.c | 1 -
+ 12 files changed, 4 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns2-pcie.c b/drivers/phy/broadcom/phy-bcm-ns2-pcie.c
+index 2eaa41f8fc70c..67a6ae5ecba02 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns2-pcie.c
++++ b/drivers/phy/broadcom/phy-bcm-ns2-pcie.c
+@@ -61,8 +61,6 @@ static int ns2_pci_phy_probe(struct mdio_device *mdiodev)
+ return PTR_ERR(provider);
+ }
+
+- dev_info(dev, "%s PHY registered\n", dev_name(dev));
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c b/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c
+index 36ad02c33ac55..8473fa5745296 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c
++++ b/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c
+@@ -395,7 +395,6 @@ static int ns2_drd_phy_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, driver);
+
+- dev_info(dev, "Registered NS2 DRD Phy device\n");
+ queue_delayed_work(system_power_efficient_wq, &driver->wq_extcon,
+ driver->debounce_jiffies);
+
+diff --git a/drivers/phy/broadcom/phy-bcm-sr-pcie.c b/drivers/phy/broadcom/phy-bcm-sr-pcie.c
+index 8a4aadf166cf9..c85af65086773 100644
+--- a/drivers/phy/broadcom/phy-bcm-sr-pcie.c
++++ b/drivers/phy/broadcom/phy-bcm-sr-pcie.c
+@@ -277,8 +277,6 @@ static int sr_pcie_phy_probe(struct platform_device *pdev)
+ return PTR_ERR(provider);
+ }
+
+- dev_info(dev, "Stingray PCIe PHY driver initialized\n");
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/broadcom/phy-brcm-sata.c b/drivers/phy/broadcom/phy-brcm-sata.c
+index ed9e18791ec94..6838cb76e8268 100644
+--- a/drivers/phy/broadcom/phy-brcm-sata.c
++++ b/drivers/phy/broadcom/phy-brcm-sata.c
+@@ -836,7 +836,7 @@ static int brcm_sata_phy_probe(struct platform_device *pdev)
+ return PTR_ERR(provider);
+ }
+
+- dev_info(dev, "registered %d port(s)\n", count);
++ dev_dbg(dev, "registered %d port(s)\n", count);
+
+ return 0;
+ put_child:
+diff --git a/drivers/phy/marvell/phy-pxa-usb.c b/drivers/phy/marvell/phy-pxa-usb.c
+index 6c98eb9608e9c..c0bb71f80c042 100644
+--- a/drivers/phy/marvell/phy-pxa-usb.c
++++ b/drivers/phy/marvell/phy-pxa-usb.c
+@@ -325,7 +325,6 @@ static int pxa_usb_phy_probe(struct platform_device *pdev)
+ phy_create_lookup(pxa_usb_phy->phy, "usb", "mv-otg");
+ }
+
+- dev_info(dev, "Marvell PXA USB PHY");
+ return 0;
+ }
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c
+index a43e20abb10d5..ad7bf049d7263 100644
+--- a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c
++++ b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c
+@@ -251,8 +251,6 @@ static int eusb2_repeater_probe(struct platform_device *pdev)
+ if (IS_ERR(phy_provider))
+ return PTR_ERR(phy_provider);
+
+- dev_info(dev, "Registered Qcom-eUSB2 repeater\n");
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-m31.c b/drivers/phy/qualcomm/phy-qcom-m31.c
+index a5e60039a264a..116cfa6ddac6f 100644
+--- a/drivers/phy/qualcomm/phy-qcom-m31.c
++++ b/drivers/phy/qualcomm/phy-qcom-m31.c
+@@ -267,8 +267,6 @@ static int m31usb_phy_probe(struct platform_device *pdev)
+ phy_set_drvdata(qphy->phy, qphy);
+
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+- if (!IS_ERR(phy_provider))
+- dev_info(dev, "Registered M31 USB phy\n");
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+ }
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index c52655a383cef..531c3860c3160 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -1084,9 +1084,7 @@ static int qusb2_phy_probe(struct platform_device *pdev)
+ phy_set_drvdata(generic_phy, qphy);
+
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+- if (!IS_ERR(phy_provider))
+- dev_info(dev, "Registered Qcom-QUSB2 phy\n");
+- else
++ if (IS_ERR(phy_provider))
+ pm_runtime_disable(dev);
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+diff --git a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
+index e1b175f481b4e..4a1dfef5ff8ff 100644
+--- a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
+@@ -418,8 +418,6 @@ static int snps_eusb2_hsphy_probe(struct platform_device *pdev)
+ if (IS_ERR(phy_provider))
+ return PTR_ERR(phy_provider);
+
+- dev_info(dev, "Registered Snps-eUSB2 phy\n");
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/st/phy-stih407-usb.c b/drivers/phy/st/phy-stih407-usb.c
+index a4ae2cca7f637..02e6117709dca 100644
+--- a/drivers/phy/st/phy-stih407-usb.c
++++ b/drivers/phy/st/phy-stih407-usb.c
+@@ -149,8 +149,6 @@ static int stih407_usb2_picophy_probe(struct platform_device *pdev)
+ if (IS_ERR(phy_provider))
+ return PTR_ERR(phy_provider);
+
+- dev_info(dev, "STiH407 USB Generic picoPHY driver probed!");
+-
+ return 0;
+ }
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index d5e7e44000b56..f8374a7f3a655 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -757,8 +757,8 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ version = readl_relaxed(usbphyc->base + STM32_USBPHYC_VERSION);
+- dev_info(dev, "registered rev:%lu.%lu\n",
+- FIELD_GET(MAJREV, version), FIELD_GET(MINREV, version));
++ dev_dbg(dev, "registered rev: %lu.%lu\n",
++ FIELD_GET(MAJREV, version), FIELD_GET(MINREV, version));
+
+ return 0;
+
+diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c
+index 6b265992d988f..e5918d3b486cc 100644
+--- a/drivers/phy/ti/phy-twl4030-usb.c
++++ b/drivers/phy/ti/phy-twl4030-usb.c
+@@ -784,7 +784,6 @@ static int twl4030_usb_probe(struct platform_device *pdev)
+ pm_runtime_mark_last_busy(&pdev->dev);
+ pm_runtime_put_autosuspend(twl->dev);
+
+- dev_info(&pdev->dev, "Initialized TWL4030 USB module\n");
+ return 0;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From dac78f0c087c3937d09e8475ee6b37705be82ca2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 17:09:12 +0100
+Subject: phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using
+ it
+
+From: Stefano Radaelli <stefano.radaelli21@gmail.com>
+
+[ Upstream commit 8becf9179a4b45104a1701010ed666b55bf4b3a6 ]
+
+Clear the PCS_TX_SWING_FULL field mask before setting the new value
+in PHY_CTRL5 register. Without clearing the mask first, the OR operation
+could leave previously set bits, resulting in incorrect register
+configuration.
+
+Fixes: 63c85ad0cd81 ("phy: fsl-imx8mp-usb: add support for phy tuning")
+Suggested-by: Leonid Segal <leonids@variscite.com>
+Acked-by: Pierluigi Passaro <pierluigi.p@variscite.com>
+Signed-off-by: Stefano Radaelli <stefano.r@variscite.com>
+Reviewed-by: Xu Yang <xu.yang_2@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Link: https://patch.msgid.link/20251219160912.561431-1-stefano.r@variscite.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+index f914f016b3d2c..043063699e064 100644
+--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
++++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+@@ -206,6 +206,7 @@ static void imx8m_phy_tune(struct imx8mq_usb_phy *imx_phy)
+
+ if (imx_phy->pcs_tx_swing_full != PHY_TUNE_DEFAULT) {
+ value = readl(imx_phy->base + PHY_CTRL5);
++ value &= ~PHY_CTRL5_PCS_TX_SWING_FULL_MASK;
+ value |= FIELD_PREP(PHY_CTRL5_PCS_TX_SWING_FULL_MASK,
+ imx_phy->pcs_tx_swing_full);
+ writel(value, imx_phy->base + PHY_CTRL5);
+--
+2.51.0
+
--- /dev/null
+From 5eab9af7e4e9c1257651e01217f04df582b7ab88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 May 2025 17:45:21 +0300
+Subject: phy: phy-snps-eusb2: refactor constructs names
+
+From: Ivaylo Ivanov <ivo.ivanov.ivanov1@gmail.com>
+
+[ Upstream commit 93dbe9b5b3a265c7e5466c7b6ada439b01577de5 ]
+
+As the driver now resides outside the phy subdirectory under a different
+name, refactor all definitions, structures and functions to explicitly
+specify what code is Qualcomm-specific and what is not.
+
+Signed-off-by: Ivaylo Ivanov <ivo.ivanov.ivanov1@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250504144527.1723980-5-ivo.ivanov.ivanov1@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: 1ca52c0983c3 ("phy: qcom-qusb2: Fix NULL pointer dereference on early suspend")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-snps-eusb2.c | 256 ++++++++++-----------
+ 1 file changed, 128 insertions(+), 128 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
+index 1484691a41d59..e1b175f481b4e 100644
+--- a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c
+@@ -13,15 +13,15 @@
+ #include <linux/regulator/consumer.h>
+ #include <linux/reset.h>
+
+-#define USB_PHY_UTMI_CTRL0 (0x3c)
++#define QCOM_USB_PHY_UTMI_CTRL0 (0x3c)
+ #define SLEEPM BIT(0)
+ #define OPMODE_MASK GENMASK(4, 3)
+ #define OPMODE_NONDRIVING BIT(3)
+
+-#define USB_PHY_UTMI_CTRL5 (0x50)
++#define QCOM_USB_PHY_UTMI_CTRL5 (0x50)
+ #define POR BIT(1)
+
+-#define USB_PHY_HS_PHY_CTRL_COMMON0 (0x54)
++#define QCOM_USB_PHY_HS_PHY_CTRL_COMMON0 (0x54)
+ #define PHY_ENABLE BIT(0)
+ #define SIDDQ_SEL BIT(1)
+ #define SIDDQ BIT(2)
+@@ -30,15 +30,15 @@
+ #define FSEL_19_2_MHZ_VAL (0x0)
+ #define FSEL_38_4_MHZ_VAL (0x4)
+
+-#define USB_PHY_CFG_CTRL_1 (0x58)
++#define QCOM_USB_PHY_CFG_CTRL_1 (0x58)
+ #define PHY_CFG_PLL_CPBIAS_CNTRL_MASK GENMASK(7, 1)
+
+-#define USB_PHY_CFG_CTRL_2 (0x5c)
++#define QCOM_USB_PHY_CFG_CTRL_2 (0x5c)
+ #define PHY_CFG_PLL_FB_DIV_7_0_MASK GENMASK(7, 0)
+ #define DIV_7_0_19_2_MHZ_VAL (0x90)
+ #define DIV_7_0_38_4_MHZ_VAL (0xc8)
+
+-#define USB_PHY_CFG_CTRL_3 (0x60)
++#define QCOM_USB_PHY_CFG_CTRL_3 (0x60)
+ #define PHY_CFG_PLL_FB_DIV_11_8_MASK GENMASK(3, 0)
+ #define DIV_11_8_19_2_MHZ_VAL (0x1)
+ #define DIV_11_8_38_4_MHZ_VAL (0x0)
+@@ -46,73 +46,73 @@
+ #define PHY_CFG_PLL_REF_DIV GENMASK(7, 4)
+ #define PLL_REF_DIV_VAL (0x0)
+
+-#define USB_PHY_HS_PHY_CTRL2 (0x64)
++#define QCOM_USB_PHY_HS_PHY_CTRL2 (0x64)
+ #define VBUSVLDEXT0 BIT(0)
+ #define USB2_SUSPEND_N BIT(2)
+ #define USB2_SUSPEND_N_SEL BIT(3)
+ #define VBUS_DET_EXT_SEL BIT(4)
+
+-#define USB_PHY_CFG_CTRL_4 (0x68)
++#define QCOM_USB_PHY_CFG_CTRL_4 (0x68)
+ #define PHY_CFG_PLL_GMP_CNTRL_MASK GENMASK(1, 0)
+ #define PHY_CFG_PLL_INT_CNTRL_MASK GENMASK(7, 2)
+
+-#define USB_PHY_CFG_CTRL_5 (0x6c)
++#define QCOM_USB_PHY_CFG_CTRL_5 (0x6c)
+ #define PHY_CFG_PLL_PROP_CNTRL_MASK GENMASK(4, 0)
+ #define PHY_CFG_PLL_VREF_TUNE_MASK GENMASK(7, 6)
+
+-#define USB_PHY_CFG_CTRL_6 (0x70)
++#define QCOM_USB_PHY_CFG_CTRL_6 (0x70)
+ #define PHY_CFG_PLL_VCO_CNTRL_MASK GENMASK(2, 0)
+
+-#define USB_PHY_CFG_CTRL_7 (0x74)
++#define QCOM_USB_PHY_CFG_CTRL_7 (0x74)
+
+-#define USB_PHY_CFG_CTRL_8 (0x78)
++#define QCOM_USB_PHY_CFG_CTRL_8 (0x78)
+ #define PHY_CFG_TX_FSLS_VREF_TUNE_MASK GENMASK(1, 0)
+ #define PHY_CFG_TX_FSLS_VREG_BYPASS BIT(2)
+ #define PHY_CFG_TX_HS_VREF_TUNE_MASK GENMASK(5, 3)
+ #define PHY_CFG_TX_HS_XV_TUNE_MASK GENMASK(7, 6)
+
+-#define USB_PHY_CFG_CTRL_9 (0x7c)
++#define QCOM_USB_PHY_CFG_CTRL_9 (0x7c)
+ #define PHY_CFG_TX_PREEMP_TUNE_MASK GENMASK(2, 0)
+ #define PHY_CFG_TX_RES_TUNE_MASK GENMASK(4, 3)
+ #define PHY_CFG_TX_RISE_TUNE_MASK GENMASK(6, 5)
+ #define PHY_CFG_RCAL_BYPASS BIT(7)
+
+-#define USB_PHY_CFG_CTRL_10 (0x80)
++#define QCOM_USB_PHY_CFG_CTRL_10 (0x80)
+
+-#define USB_PHY_CFG0 (0x94)
++#define QCOM_USB_PHY_CFG0 (0x94)
+ #define DATAPATH_CTRL_OVERRIDE_EN BIT(0)
+ #define CMN_CTRL_OVERRIDE_EN BIT(1)
+
+-#define UTMI_PHY_CMN_CTRL0 (0x98)
++#define QCOM_UTMI_PHY_CMN_CTRL0 (0x98)
+ #define TESTBURNIN BIT(6)
+
+-#define USB_PHY_FSEL_SEL (0xb8)
++#define QCOM_USB_PHY_FSEL_SEL (0xb8)
+ #define FSEL_SEL BIT(0)
+
+-#define USB_PHY_APB_ACCESS_CMD (0x130)
++#define QCOM_USB_PHY_APB_ACCESS_CMD (0x130)
+ #define RW_ACCESS BIT(0)
+ #define APB_START_CMD BIT(1)
+ #define APB_LOGIC_RESET BIT(2)
+
+-#define USB_PHY_APB_ACCESS_STATUS (0x134)
++#define QCOM_USB_PHY_APB_ACCESS_STATUS (0x134)
+ #define ACCESS_DONE BIT(0)
+ #define TIMED_OUT BIT(1)
+ #define ACCESS_ERROR BIT(2)
+ #define ACCESS_IN_PROGRESS BIT(3)
+
+-#define USB_PHY_APB_ADDRESS (0x138)
++#define QCOM_USB_PHY_APB_ADDRESS (0x138)
+ #define APB_REG_ADDR_MASK GENMASK(7, 0)
+
+-#define USB_PHY_APB_WRDATA_LSB (0x13c)
++#define QCOM_USB_PHY_APB_WRDATA_LSB (0x13c)
+ #define APB_REG_WRDATA_7_0_MASK GENMASK(3, 0)
+
+-#define USB_PHY_APB_WRDATA_MSB (0x140)
++#define QCOM_USB_PHY_APB_WRDATA_MSB (0x140)
+ #define APB_REG_WRDATA_15_8_MASK GENMASK(7, 4)
+
+-#define USB_PHY_APB_RDDATA_LSB (0x144)
++#define QCOM_USB_PHY_APB_RDDATA_LSB (0x144)
+ #define APB_REG_RDDATA_7_0_MASK GENMASK(3, 0)
+
+-#define USB_PHY_APB_RDDATA_MSB (0x148)
++#define QCOM_USB_PHY_APB_RDDATA_MSB (0x148)
+ #define APB_REG_RDDATA_15_8_MASK GENMASK(7, 4)
+
+ static const char * const eusb2_hsphy_vreg_names[] = {
+@@ -121,7 +121,7 @@ static const char * const eusb2_hsphy_vreg_names[] = {
+
+ #define EUSB2_NUM_VREGS ARRAY_SIZE(eusb2_hsphy_vreg_names)
+
+-struct qcom_snps_eusb2_hsphy {
++struct snps_eusb2_hsphy {
+ struct phy *phy;
+ void __iomem *base;
+
+@@ -135,17 +135,17 @@ struct qcom_snps_eusb2_hsphy {
+ struct phy *repeater;
+ };
+
+-static int qcom_snps_eusb2_hsphy_set_mode(struct phy *p, enum phy_mode mode, int submode)
++static int snps_eusb2_hsphy_set_mode(struct phy *p, enum phy_mode mode, int submode)
+ {
+- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p);
++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p);
+
+ phy->mode = mode;
+
+ return phy_set_mode_ext(phy->repeater, mode, submode);
+ }
+
+-static void qcom_snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset,
+- u32 mask, u32 val)
++static void snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset,
++ u32 mask, u32 val)
+ {
+ u32 reg;
+
+@@ -158,65 +158,65 @@ static void qcom_snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset,
+ readl_relaxed(base + offset);
+ }
+
+-static void qcom_eusb2_default_parameters(struct qcom_snps_eusb2_hsphy *phy)
++static void qcom_eusb2_default_parameters(struct snps_eusb2_hsphy *phy)
+ {
+ /* default parameters: tx pre-emphasis */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9,
+- PHY_CFG_TX_PREEMP_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_PREEMP_TUNE_MASK, 0));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9,
++ PHY_CFG_TX_PREEMP_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_PREEMP_TUNE_MASK, 0));
+
+ /* tx rise/fall time */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9,
+- PHY_CFG_TX_RISE_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_RISE_TUNE_MASK, 0x2));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9,
++ PHY_CFG_TX_RISE_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_RISE_TUNE_MASK, 0x2));
+
+ /* source impedance adjustment */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9,
+- PHY_CFG_TX_RES_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_RES_TUNE_MASK, 0x1));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9,
++ PHY_CFG_TX_RES_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_RES_TUNE_MASK, 0x1));
+
+ /* dc voltage level adjustement */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_8,
+- PHY_CFG_TX_HS_VREF_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_HS_VREF_TUNE_MASK, 0x3));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_8,
++ PHY_CFG_TX_HS_VREF_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_HS_VREF_TUNE_MASK, 0x3));
+
+ /* transmitter HS crossover adjustement */
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_8,
+- PHY_CFG_TX_HS_XV_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_TX_HS_XV_TUNE_MASK, 0x0));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_8,
++ PHY_CFG_TX_HS_XV_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_TX_HS_XV_TUNE_MASK, 0x0));
+ }
+
+-static int qcom_eusb2_ref_clk_init(struct qcom_snps_eusb2_hsphy *phy)
++static int qcom_eusb2_ref_clk_init(struct snps_eusb2_hsphy *phy)
+ {
+ unsigned long ref_clk_freq = clk_get_rate(phy->ref_clk);
+
+ switch (ref_clk_freq) {
+ case 19200000:
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- FSEL_MASK,
+- FIELD_PREP(FSEL_MASK, FSEL_19_2_MHZ_VAL));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ FSEL_MASK,
++ FIELD_PREP(FSEL_MASK, FSEL_19_2_MHZ_VAL));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_2,
+- PHY_CFG_PLL_FB_DIV_7_0_MASK,
+- DIV_7_0_19_2_MHZ_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_2,
++ PHY_CFG_PLL_FB_DIV_7_0_MASK,
++ DIV_7_0_19_2_MHZ_VAL);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3,
+- PHY_CFG_PLL_FB_DIV_11_8_MASK,
+- DIV_11_8_19_2_MHZ_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3,
++ PHY_CFG_PLL_FB_DIV_11_8_MASK,
++ DIV_11_8_19_2_MHZ_VAL);
+ break;
+
+ case 38400000:
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- FSEL_MASK,
+- FIELD_PREP(FSEL_MASK, FSEL_38_4_MHZ_VAL));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ FSEL_MASK,
++ FIELD_PREP(FSEL_MASK, FSEL_38_4_MHZ_VAL));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_2,
+- PHY_CFG_PLL_FB_DIV_7_0_MASK,
+- DIV_7_0_38_4_MHZ_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_2,
++ PHY_CFG_PLL_FB_DIV_7_0_MASK,
++ DIV_7_0_38_4_MHZ_VAL);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3,
+- PHY_CFG_PLL_FB_DIV_11_8_MASK,
+- DIV_11_8_38_4_MHZ_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3,
++ PHY_CFG_PLL_FB_DIV_11_8_MASK,
++ DIV_11_8_38_4_MHZ_VAL);
+ break;
+
+ default:
+@@ -224,15 +224,15 @@ static int qcom_eusb2_ref_clk_init(struct qcom_snps_eusb2_hsphy *phy)
+ return -EINVAL;
+ }
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3,
+- PHY_CFG_PLL_REF_DIV, PLL_REF_DIV_VAL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3,
++ PHY_CFG_PLL_REF_DIV, PLL_REF_DIV_VAL);
+
+ return 0;
+ }
+
+-static int qcom_snps_eusb2_hsphy_init(struct phy *p)
++static int snps_eusb2_hsphy_init(struct phy *p)
+ {
+- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p);
++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p);
+ int ret;
+
+ ret = regulator_bulk_enable(ARRAY_SIZE(phy->vregs), phy->vregs);
+@@ -265,73 +265,73 @@ static int qcom_snps_eusb2_hsphy_init(struct phy *p)
+ goto disable_ref_clk;
+ }
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG0,
+- CMN_CTRL_OVERRIDE_EN, CMN_CTRL_OVERRIDE_EN);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG0,
++ CMN_CTRL_OVERRIDE_EN, CMN_CTRL_OVERRIDE_EN);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL5, POR, POR);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL5, POR, POR);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- PHY_ENABLE | RETENABLEN, PHY_ENABLE | RETENABLEN);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ PHY_ENABLE | RETENABLEN, PHY_ENABLE | RETENABLEN);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_APB_ACCESS_CMD,
+- APB_LOGIC_RESET, APB_LOGIC_RESET);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_APB_ACCESS_CMD,
++ APB_LOGIC_RESET, APB_LOGIC_RESET);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, UTMI_PHY_CMN_CTRL0, TESTBURNIN, 0);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_UTMI_PHY_CMN_CTRL0, TESTBURNIN, 0);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_FSEL_SEL,
+- FSEL_SEL, FSEL_SEL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_FSEL_SEL,
++ FSEL_SEL, FSEL_SEL);
+
+ /* update ref_clk related registers */
+ ret = qcom_eusb2_ref_clk_init(phy);
+ if (ret)
+- goto disable_ref_clk;
++ return ret;
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_1,
+- PHY_CFG_PLL_CPBIAS_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_CPBIAS_CNTRL_MASK, 0x1));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_1,
++ PHY_CFG_PLL_CPBIAS_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_CPBIAS_CNTRL_MASK, 0x1));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_4,
+- PHY_CFG_PLL_INT_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_INT_CNTRL_MASK, 0x8));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_4,
++ PHY_CFG_PLL_INT_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_INT_CNTRL_MASK, 0x8));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_4,
+- PHY_CFG_PLL_GMP_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_GMP_CNTRL_MASK, 0x1));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_4,
++ PHY_CFG_PLL_GMP_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_GMP_CNTRL_MASK, 0x1));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_5,
+- PHY_CFG_PLL_PROP_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_PROP_CNTRL_MASK, 0x10));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_5,
++ PHY_CFG_PLL_PROP_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_PROP_CNTRL_MASK, 0x10));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_6,
+- PHY_CFG_PLL_VCO_CNTRL_MASK,
+- FIELD_PREP(PHY_CFG_PLL_VCO_CNTRL_MASK, 0x0));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_6,
++ PHY_CFG_PLL_VCO_CNTRL_MASK,
++ FIELD_PREP(PHY_CFG_PLL_VCO_CNTRL_MASK, 0x0));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_5,
+- PHY_CFG_PLL_VREF_TUNE_MASK,
+- FIELD_PREP(PHY_CFG_PLL_VREF_TUNE_MASK, 0x1));
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_5,
++ PHY_CFG_PLL_VREF_TUNE_MASK,
++ FIELD_PREP(PHY_CFG_PLL_VREF_TUNE_MASK, 0x1));
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2,
+- VBUS_DET_EXT_SEL, VBUS_DET_EXT_SEL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2,
++ VBUS_DET_EXT_SEL, VBUS_DET_EXT_SEL);
+
+ /* set default parameters */
+ qcom_eusb2_default_parameters(phy);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2,
+- USB2_SUSPEND_N_SEL | USB2_SUSPEND_N,
+- USB2_SUSPEND_N_SEL | USB2_SUSPEND_N);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2,
++ USB2_SUSPEND_N_SEL | USB2_SUSPEND_N,
++ USB2_SUSPEND_N_SEL | USB2_SUSPEND_N);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL0, SLEEPM, SLEEPM);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL0, SLEEPM, SLEEPM);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- SIDDQ_SEL, SIDDQ_SEL);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ SIDDQ_SEL, SIDDQ_SEL);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0,
+- SIDDQ, 0);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0,
++ SIDDQ, 0);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL5, POR, 0);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL5, POR, 0);
+
+- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2,
+- USB2_SUSPEND_N_SEL, 0);
++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2,
++ USB2_SUSPEND_N_SEL, 0);
+
+ return 0;
+
+@@ -344,9 +344,9 @@ static int qcom_snps_eusb2_hsphy_init(struct phy *p)
+ return ret;
+ }
+
+-static int qcom_snps_eusb2_hsphy_exit(struct phy *p)
++static int snps_eusb2_hsphy_exit(struct phy *p)
+ {
+- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p);
++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p);
+
+ clk_disable_unprepare(phy->ref_clk);
+
+@@ -357,18 +357,18 @@ static int qcom_snps_eusb2_hsphy_exit(struct phy *p)
+ return 0;
+ }
+
+-static const struct phy_ops qcom_snps_eusb2_hsphy_ops = {
+- .init = qcom_snps_eusb2_hsphy_init,
+- .exit = qcom_snps_eusb2_hsphy_exit,
+- .set_mode = qcom_snps_eusb2_hsphy_set_mode,
++static const struct phy_ops snps_eusb2_hsphy_ops = {
++ .init = snps_eusb2_hsphy_init,
++ .exit = snps_eusb2_hsphy_exit,
++ .set_mode = snps_eusb2_hsphy_set_mode,
+ .owner = THIS_MODULE,
+ };
+
+-static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev)
++static int snps_eusb2_hsphy_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct device_node *np = dev->of_node;
+- struct qcom_snps_eusb2_hsphy *phy;
++ struct snps_eusb2_hsphy *phy;
+ struct phy_provider *phy_provider;
+ struct phy *generic_phy;
+ int ret, i;
+@@ -405,7 +405,7 @@ static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev)
+ return dev_err_probe(dev, PTR_ERR(phy->repeater),
+ "failed to get repeater\n");
+
+- generic_phy = devm_phy_create(dev, NULL, &qcom_snps_eusb2_hsphy_ops);
++ generic_phy = devm_phy_create(dev, NULL, &snps_eusb2_hsphy_ops);
+ if (IS_ERR(generic_phy)) {
+ dev_err(dev, "failed to create phy %d\n", ret);
+ return PTR_ERR(generic_phy);
+@@ -418,25 +418,25 @@ static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev)
+ if (IS_ERR(phy_provider))
+ return PTR_ERR(phy_provider);
+
+- dev_info(dev, "Registered Qcom-eUSB2 phy\n");
++ dev_info(dev, "Registered Snps-eUSB2 phy\n");
+
+ return 0;
+ }
+
+-static const struct of_device_id qcom_snps_eusb2_hsphy_of_match_table[] = {
++static const struct of_device_id snps_eusb2_hsphy_of_match_table[] = {
+ { .compatible = "qcom,sm8550-snps-eusb2-phy", },
+ { },
+ };
+-MODULE_DEVICE_TABLE(of, qcom_snps_eusb2_hsphy_of_match_table);
++MODULE_DEVICE_TABLE(of, snps_eusb2_hsphy_of_match_table);
+
+-static struct platform_driver qcom_snps_eusb2_hsphy_driver = {
+- .probe = qcom_snps_eusb2_hsphy_probe,
++static struct platform_driver snps_eusb2_hsphy_driver = {
++ .probe = snps_eusb2_hsphy_probe,
+ .driver = {
+- .name = "qcom-snps-eusb2-hsphy",
+- .of_match_table = qcom_snps_eusb2_hsphy_of_match_table,
++ .name = "snps-eusb2-hsphy",
++ .of_match_table = snps_eusb2_hsphy_of_match_table,
+ },
+ };
+
+-module_platform_driver(qcom_snps_eusb2_hsphy_driver);
+-MODULE_DESCRIPTION("Qualcomm SNPS eUSB2 HS PHY driver");
++module_platform_driver(snps_eusb2_hsphy_driver);
++MODULE_DESCRIPTION("Synopsys eUSB2 HS PHY driver");
+ MODULE_LICENSE("GPL");
+--
+2.51.0
+
--- /dev/null
+From 85f90803cb6ae0200f70662480649398b451c943 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 09:56:40 +0100
+Subject: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 1ca52c0983c34fca506921791202ed5bdafd5306 ]
+
+Enabling runtime PM before attaching the QPHY instance as driver data
+can lead to a NULL pointer dereference in runtime PM callbacks that
+expect valid driver data. There is a small window where the suspend
+callback may run after PM runtime enabling and before runtime forbid.
+This causes a sporadic crash during boot:
+
+```
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
+[...]
+CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
+Workqueue: pm pm_runtime_work
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
+lr : pm_generic_runtime_suspend+0x2c/0x44
+[...]
+```
+
+Attach the QPHY instance as driver data before enabling runtime PM to
+prevent NULL pointer dereference in runtime PM callbacks.
+
+Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a
+short window where an unnecessary runtime suspend can occur.
+
+Use the devres-managed version to ensure PM runtime is symmetrically
+disabled during driver removal for proper cleanup.
+
+Fixes: 891a96f65ac3 ("phy: qcom-qusb2: Add support for runtime PM")
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251219085640.114473-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index 531c3860c3160..d3c26a39873f7 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -1063,29 +1063,29 @@ static int qusb2_phy_probe(struct platform_device *pdev)
+ or->hsdisc_trim.override = true;
+ }
+
+- pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
++ dev_set_drvdata(dev, qphy);
++
+ /*
+- * Prevent runtime pm from being ON by default. Users can enable
+- * it using power/control in sysfs.
++ * Enable runtime PM support, but forbid it by default.
++ * Users can allow it again via the power/control attribute in sysfs.
+ */
++ pm_runtime_set_active(dev);
+ pm_runtime_forbid(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+
+ generic_phy = devm_phy_create(dev, NULL, &qusb2_phy_gen_ops);
+ if (IS_ERR(generic_phy)) {
+ ret = PTR_ERR(generic_phy);
+ dev_err(dev, "failed to create phy, %d\n", ret);
+- pm_runtime_disable(dev);
+ return ret;
+ }
+ qphy->phy = generic_phy;
+
+- dev_set_drvdata(dev, qphy);
+ phy_set_drvdata(generic_phy, qphy);
+
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+- if (IS_ERR(phy_provider))
+- pm_runtime_disable(dev);
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+ }
+--
+2.51.0
+
--- /dev/null
+From c23e30f6c0fd835e3f36f77b1f9358c7dbbf90ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index f8374a7f3a655..4a8f2ab65571a 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -712,7 +712,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
--- /dev/null
+From 46854c7919efbfb288ee9e4a0f88270ca45c6df6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 07:41:03 +0000
+Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
+
+In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
+the function jumps to the out_scratch label without freeing the already
+allocated dsaddrs list, leading to a memory leak.
+
+Fix this by jumping to the out_err_drain_dsaddrs label, which properly
+frees the dsaddrs list before cleaning up other resources.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index 95d5dca671456..ed18e9e87c25f 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
+ sizeof(struct nfs4_ff_ds_version),
+ gfp_flags);
+ if (!ds_versions)
+- goto out_scratch;
++ goto out_err_drain_dsaddrs;
+
+ for (i = 0; i < version_count; i++) {
+ /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
+--
+2.51.0
+
--- /dev/null
+From db87b8f19b241380cdcd940bca10fcf0533f6e80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 19:37:15 +0200
+Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
+
+The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
+0xfff0, only allowing CPUs 0-3.
+
+Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
+0-15.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Reviewed-by: Nimrod Oren <noren@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/toeplitz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 9ba03164d73a6..5099157f01b9a 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -473,8 +473,8 @@ static void parse_rps_bitmap(const char *arg)
+
+ bitmap = strtoul(arg, NULL, 0);
+
+- if (bitmap & ~(RPS_MAX_CPUS - 1))
+- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
+ bitmap, RPS_MAX_CPUS - 1);
+
+ for (i = 0; i < RPS_MAX_CPUS; i++)
+--
+2.51.0
+
efi-cper-fix-cper_bits_to_str-buffer-handling-and-return-value.patch
revert-gfs2-fix-use-of-bio_chain.patch
asoc-codecs-wsa884x-fix-codec-initialisation.patch
+xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
+pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
+can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
+nvmet-tcp-remove-boilerplate-code.patch
+nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole.patch
+net-bridge-set-br_fdb_added_by_user-early-in-fdb_add.patch
+net-bridge-annotate-data-races-around-fdb-updated-us.patch
+ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
+net-update-netdev_lock_-type-name.patch
+macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
+ipv4-ip_gre-make-ipgre_header-robust.patch
+vsock-test-add-a-final-full-barrier-after-run-all-te.patch
+net-mlx5e-restore-destroying-state-bit-after-profile.patch
+btrfs-store-fs_info-in-space_info.patch
+btrfs-factor-out-init_space_info-from-create_space_i.patch
+btrfs-factor-out-check_removing_space_info-from-btrf.patch
+btrfs-introduce-btrfs_space_info-sub-group.patch
+btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch
+net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
+ipv6-fix-use-after-free-in-inet6_addr_del.patch
+selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
+asoc-tlv320adcx140-fix-null-pointer.patch
+asoc-tlv320adcx140-fix-word-length.patch
+textsearch-describe-list-member-in-ts_ops-search.patch
+mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
+dmaengine-xilinx-xdma-fix-regmap-max_register.patch
+dmaengine-tegra-adma-fix-use-after-free.patch
+dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
+phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch
+phy-phy-snps-eusb2-refactor-constructs-names.patch
+phy-drop-probe-registration-printks.patch
+phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch
+phy-stm32-usphyc-fix-off-by-one-in-probe.patch
+phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
+dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
+i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
--- /dev/null
+From 917994bd8ad30a24ca75d358250124ea6de06230 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Cc: Thomas Graf <tgraf@suug.ch>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 6673e4d4ac2e1..4933777404d61 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
--- /dev/null
+From e47355611caafa073aa30253d91e0a54aff6d469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index 01b636d3039a0..751fe7c6632ea 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -360,6 +360,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
--- /dev/null
+From da2467282d3f35f4bcfc9be4f3cbe0b61b983466 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 05:56:09 +0200
+Subject: xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ]
+
+Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
+protocol") attempted to fix GSO segmentation by reading the inner
+protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
+because the field holds the inner L4 protocol (TCP/UDP) instead of the
+required tunnel protocol. Also, the memory location (shared by
+XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
+is prone to corruption. This combination caused the kernel to select
+the wrong inner mode and get the wrong address family.
+
+The correct value is in xfrm_offload(skb)->proto, which is set from
+the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
+is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
+or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
+inner packet's address family.
+
+Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/esp4_offload.c | 4 ++--
+ net/ipv6/esp6_offload.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 11e33a4312674..028d2d3477d13 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -111,8 +111,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
+ : htons(ETH_P_IP);
+
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 438f9cbdca299..333d87557bf32 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -145,8 +145,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
+ : htons(ETH_P_IPV6);
+
+--
+2.51.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
