--- /dev/null
+From 9502b7df5a3c7e174f74f20324ac1fe781fc5c2d Mon Sep 17 00:00:00 2001
+From: Zhang Heng <zhangheng@kylinos.cn>
+Date: Mon, 26 Jan 2026 09:49:52 +0800
+Subject: ASoC: amd: yc: Add DMI quirk for Acer TravelMate P216-41-TCO
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+commit 9502b7df5a3c7e174f74f20324ac1fe781fc5c2d upstream.
+
+Add a DMI quirk for the Acer TravelMate P216-41-TCO fixing the
+issue where the internal microphone was not detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220983
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260126014952.3674450-1-zhangheng@kylinos.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -661,6 +661,14 @@ static const struct dmi_system_id yc_acp
+ DMI_MATCH(DMI_PRODUCT_NAME, "GOH-X"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "RB"),
++ DMI_MATCH(DMI_BOARD_NAME, "XyloD5_RBU"),
++ }
++ },
++
+ {}
+ };
+
--- /dev/null
+From 9210f5ff6318163835d9e42ee68006be4da0f531 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Sun, 18 Jan 2026 17:50:30 -0300
+Subject: ASoC: fsl: imx-card: Do not force slot width to sample width
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 9210f5ff6318163835d9e42ee68006be4da0f531 upstream.
+
+imx-card currently sets the slot width to the physical sample width
+for I2S links. This breaks controllers that use fixed-width slots
+(e.g. 32-bit FIFO words), causing the unused bits in the slot to
+contain undefined data when playing 16-bit streams.
+
+Do not override the slot width in the machine driver and let the CPU
+DAI select an appropriate default instead. This matches the behavior
+of simple-audio-card and avoids embedding controller-specific policy
+in the machine driver.
+
+On an i.MX8MP-based board using SAI as the I2S master with 32-bit slots,
+playing 16-bit audio resulted in spurious frequencies and an incorrect
+SAI data waveform, as the slot width was forced to 16 bits. After this
+change, audio artifacts are eliminated and the 16-bit samples correctly
+occupy the first half of the 32-bit slot, with the remaining bits padded
+with zeroes.
+
+Cc: stable@vger.kernel.org
+Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Link: https://patch.msgid.link/20260118205030.1532696-1-festevam@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/fsl/imx-card.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/soc/fsl/imx-card.c
++++ b/sound/soc/fsl/imx-card.c
+@@ -313,7 +313,6 @@ static int imx_aif_hw_params(struct snd_
+ SND_SOC_DAIFMT_PDM;
+ } else {
+ slots = 2;
+- slot_width = params_physical_width(params);
+ fmt = (rtd->dai_link->dai_fmt & ~SND_SOC_DAIFMT_FORMAT_MASK) |
+ SND_SOC_DAIFMT_I2S;
+ }
--- /dev/null
+From 4b22ec1685ce1fc0d862dcda3225d852fb107995 Mon Sep 17 00:00:00 2001
+From: Kohei Enju <kohei@enjuk.jp>
+Date: Sat, 17 Jan 2026 16:00:45 +0000
+Subject: efivarfs: fix error propagation in efivar_entry_get()
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+commit 4b22ec1685ce1fc0d862dcda3225d852fb107995 upstream.
+
+efivar_entry_get() always returns success even if the underlying
+__efivar_entry_get() fails, masking errors.
+
+This may result in uninitialized heap memory being copied to userspace
+in the efivarfs_file_read() path.
+
+Fix it by returning the error from __efivar_entry_get().
+
+Fixes: 2d82e6227ea1 ("efi: vars: Move efivar caching layer into efivarfs")
+Cc: <stable@vger.kernel.org> # v6.1+
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/efivarfs/vars.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/efivarfs/vars.c
++++ b/fs/efivarfs/vars.c
+@@ -609,7 +609,7 @@ int efivar_entry_get(struct efivar_entry
+ err = __efivar_entry_get(entry, attributes, size, data);
+ efivar_unlock();
+
+- return 0;
++ return err;
+ }
+
+ /**
--- /dev/null
+From dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 21 Jan 2026 12:27:30 +0100
+Subject: flex_proportions: make fprop_new_period() hardirq safe
+
+From: Jan Kara <jack@suse.cz>
+
+commit dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc upstream.
+
+Bernd has reported a lockdep splat from flexible proportions code that is
+essentially complaining about the following race:
+
+<timer fires>
+run_timer_softirq - we are in softirq context
+ call_timer_fn
+ writeout_period
+ fprop_new_period
+ write_seqcount_begin(&p->sequence);
+
+ <hardirq is raised>
+ ...
+ blk_mq_end_request()
+ blk_update_request()
+ ext4_end_bio()
+ folio_end_writeback()
+ __wb_writeout_add()
+ __fprop_add_percpu_max()
+ if (unlikely(max_frac < FPROP_FRAC_BASE)) {
+ fprop_fraction_percpu()
+ seq = read_seqcount_begin(&p->sequence);
+ - sees odd sequence so loops indefinitely
+
+Note that a deadlock like this is only possible if the bdi has configured
+maximum fraction of writeout throughput which is very rare in general but
+frequent for example for FUSE bdis. To fix this problem we have to make
+sure write section of the sequence counter is irqsafe.
+
+Link: https://lkml.kernel.org/r/20260121112729.24463-2-jack@suse.cz
+Fixes: a91befde3503 ("lib/flex_proportions.c: remove local_irq_ops in fprop_new_period()")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reported-by: Bernd Schubert <bernd@bsbernd.com>
+Link: https://lore.kernel.org/all/9b845a47-9aee-43dd-99bc-1a82bea00442@bsbernd.com/
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Joanne Koong <joannelkoong@gmail.com>
+Cc: Miklos Szeredi <miklos@szeredi.hu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/flex_proportions.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/lib/flex_proportions.c
++++ b/lib/flex_proportions.c
+@@ -64,13 +64,14 @@ void fprop_global_destroy(struct fprop_g
+ bool fprop_new_period(struct fprop_global *p, int periods)
+ {
+ s64 events = percpu_counter_sum(&p->events);
++ unsigned long flags;
+
+ /*
+ * Don't do anything if there are no events.
+ */
+ if (events <= 1)
+ return false;
+- preempt_disable_nested();
++ local_irq_save(flags);
+ write_seqcount_begin(&p->sequence);
+ if (periods < 64)
+ events -= events >> periods;
+@@ -78,7 +79,7 @@ bool fprop_new_period(struct fprop_globa
+ percpu_counter_add(&p->events, -events);
+ p->period += periods;
+ write_seqcount_end(&p->sequence);
+- preempt_enable_nested();
++ local_irq_restore(flags);
+
+ return true;
+ }
--- /dev/null
+From d02f20a4de0c498fbba2b0e3c1496e72c630a91e Mon Sep 17 00:00:00 2001
+From: Martin Larsson <martin.larsson@actia.se>
+Date: Wed, 21 Jan 2026 12:57:22 +0000
+Subject: gpio: pca953x: mask interrupts in irq shutdown
+
+From: Martin Larsson <martin.larsson@actia.se>
+
+commit d02f20a4de0c498fbba2b0e3c1496e72c630a91e upstream.
+
+In the existing implementation irq_shutdown does not mask the interrupts
+in hardware. This can cause spurious interrupts from the IO expander.
+Add masking to irq_shutdown to prevent spurious interrupts.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Larsson <martin.larsson@actia.se>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Link: https://lore.kernel.org/r/20260121125631.2758346-1-martin.larsson@actia.se
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-pca953x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -817,6 +817,8 @@ static void pca953x_irq_shutdown(struct
+ clear_bit(hwirq, chip->irq_trig_fall);
+ clear_bit(hwirq, chip->irq_trig_level_low);
+ clear_bit(hwirq, chip->irq_trig_level_high);
++
++ pca953x_irq_mask(d);
+ }
+
+ static void pca953x_irq_print_chip(struct irq_data *data, struct seq_file *p)
--- /dev/null
+From 7ca497be00163610afb663867db24ac408752f13 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 26 Jan 2026 12:12:26 +0000
+Subject: gpio: rockchip: Stop calling pinctrl for set_direction
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 7ca497be00163610afb663867db24ac408752f13 upstream.
+
+Marking the whole controller as sleeping due to the pinctrl calls in the
+.direction_{input,output} callbacks has the unfortunate side effect that
+legitimate invocations of .get and .set, which cannot themselves sleep,
+in atomic context now spew WARN()s from gpiolib.
+
+However, as Heiko points out, the driver doing this is a bit silly to
+begin with, as the pinctrl .gpio_set_direction hook doesn't even care
+about the direction, the hook is only used to claim the mux. And sure
+enough, the .gpio_request_enable hook exists to serve this very purpose,
+so switch to that and remove the problematic business entirely.
+
+Cc: stable@vger.kernel.org
+Fixes: 20cf2aed89ac ("gpio: rockchip: mark the GPIO controller as sleeping")
+Suggested-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/bddc0469f25843ca5ae0cf578ab3671435ae98a7.1769429546.git.robin.murphy@arm.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-rockchip.c | 8 --------
+ drivers/pinctrl/pinctrl-rockchip.c | 9 ++++-----
+ 2 files changed, 4 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpio/gpio-rockchip.c
++++ b/drivers/gpio/gpio-rockchip.c
+@@ -18,7 +18,6 @@
+ #include <linux/of.h>
+ #include <linux/of_address.h>
+ #include <linux/of_irq.h>
+-#include <linux/pinctrl/consumer.h>
+ #include <linux/pinctrl/pinconf-generic.h>
+ #include <linux/platform_device.h>
+ #include <linux/regmap.h>
+@@ -157,12 +156,6 @@ static int rockchip_gpio_set_direction(s
+ unsigned long flags;
+ u32 data = input ? 0 : 1;
+
+-
+- if (input)
+- pinctrl_gpio_direction_input(chip, offset);
+- else
+- pinctrl_gpio_direction_output(chip, offset);
+-
+ raw_spin_lock_irqsave(&bank->slock, flags);
+ rockchip_gpio_writel_bit(bank, offset, data, bank->gpio_regs->port_ddr);
+ raw_spin_unlock_irqrestore(&bank->slock, flags);
+@@ -584,7 +577,6 @@ static int rockchip_gpiolib_register(str
+ gc->ngpio = bank->nr_pins;
+ gc->label = bank->name;
+ gc->parent = bank->dev;
+- gc->can_sleep = true;
+
+ ret = gpiochip_add_data(gc, bank);
+ if (ret) {
+--- a/drivers/pinctrl/pinctrl-rockchip.c
++++ b/drivers/pinctrl/pinctrl-rockchip.c
+@@ -2922,10 +2922,9 @@ static int rockchip_pmx_set(struct pinct
+ return 0;
+ }
+
+-static int rockchip_pmx_gpio_set_direction(struct pinctrl_dev *pctldev,
+- struct pinctrl_gpio_range *range,
+- unsigned offset,
+- bool input)
++static int rockchip_pmx_gpio_request_enable(struct pinctrl_dev *pctldev,
++ struct pinctrl_gpio_range *range,
++ unsigned int offset)
+ {
+ struct rockchip_pinctrl *info = pinctrl_dev_get_drvdata(pctldev);
+ struct rockchip_pin_bank *bank;
+@@ -2939,7 +2938,7 @@ static const struct pinmux_ops rockchip_
+ .get_function_name = rockchip_pmx_get_func_name,
+ .get_function_groups = rockchip_pmx_get_groups,
+ .set_mux = rockchip_pmx_set,
+- .gpio_set_direction = rockchip_pmx_gpio_set_direction,
++ .gpio_request_enable = rockchip_pmx_gpio_request_enable,
+ };
+
+ /*
--- /dev/null
+From 9b47d4eea3f7c1f620e95bda1d6221660bde7d7b Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Date: Tue, 13 Jan 2026 20:15:15 +0100
+Subject: mm/kasan: fix KASAN poisoning in vrealloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+
+commit 9b47d4eea3f7c1f620e95bda1d6221660bde7d7b upstream.
+
+A KASAN warning can be triggered when vrealloc() changes the requested
+size to a value that is not aligned to KASAN_GRANULE_SIZE.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 1 at mm/kasan/shadow.c:174 kasan_unpoison+0x40/0x48
+ ...
+ pc : kasan_unpoison+0x40/0x48
+ lr : __kasan_unpoison_vmalloc+0x40/0x68
+ Call trace:
+ kasan_unpoison+0x40/0x48 (P)
+ vrealloc_node_align_noprof+0x200/0x320
+ bpf_patch_insn_data+0x90/0x2f0
+ convert_ctx_accesses+0x8c0/0x1158
+ bpf_check+0x1488/0x1900
+ bpf_prog_load+0xd20/0x1258
+ __sys_bpf+0x96c/0xdf0
+ __arm64_sys_bpf+0x50/0xa0
+ invoke_syscall+0x90/0x160
+
+Introduce a dedicated kasan_vrealloc() helper that centralizes KASAN
+handling for vmalloc reallocations. The helper accounts for KASAN granule
+alignment when growing or shrinking an allocation and ensures that partial
+granules are handled correctly.
+
+Use this helper from vrealloc_node_align_noprof() to fix poisoning logic.
+
+[ryabinin.a.a@gmail.com: move kasan_enabled() check, fix build]
+ Link: https://lkml.kernel.org/r/20260119144509.32767-1-ryabinin.a.a@gmail.com
+Link: https://lkml.kernel.org/r/20260113191516.31015-1-ryabinin.a.a@gmail.com
+Fixes: d699440f58ce ("mm: fix vrealloc()'s KASAN poisoning logic")
+Signed-off-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Reported-by: Maciej Żenczykowski <maze@google.com>
+Reported-by: <joonki.min@samsung-slsi.corp-partner.google.com>
+Closes: https://lkml.kernel.org/r/CANP3RGeuRW53vukDy7WDO3FiVgu34-xVJYkfpm08oLO3odYFrA@mail.gmail.com
+Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
+Tested-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Uladzislau Rezki <urezki@gmail.com>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kasan.h | 14 ++++++++++++++
+ mm/kasan/common.c | 21 +++++++++++++++++++++
+ mm/vmalloc.c | 7 ++-----
+ 3 files changed, 37 insertions(+), 5 deletions(-)
+
+--- a/include/linux/kasan.h
++++ b/include/linux/kasan.h
+@@ -618,6 +618,17 @@ kasan_unpoison_vmap_areas(struct vm_stru
+ __kasan_unpoison_vmap_areas(vms, nr_vms, flags);
+ }
+
++void __kasan_vrealloc(const void *start, unsigned long old_size,
++ unsigned long new_size);
++
++static __always_inline void kasan_vrealloc(const void *start,
++ unsigned long old_size,
++ unsigned long new_size)
++{
++ if (kasan_enabled())
++ __kasan_vrealloc(start, old_size, new_size);
++}
++
+ #else /* CONFIG_KASAN_VMALLOC */
+
+ static inline void kasan_populate_early_vm_area_shadow(void *start,
+@@ -647,6 +658,9 @@ kasan_unpoison_vmap_areas(struct vm_stru
+ kasan_vmalloc_flags_t flags)
+ { }
+
++static inline void kasan_vrealloc(const void *start, unsigned long old_size,
++ unsigned long new_size) { }
++
+ #endif /* CONFIG_KASAN_VMALLOC */
+
+ #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \
+--- a/mm/kasan/common.c
++++ b/mm/kasan/common.c
+@@ -590,4 +590,25 @@ void __kasan_unpoison_vmap_areas(struct
+ __kasan_unpoison_vmalloc(addr, size, flags | KASAN_VMALLOC_KEEP_TAG);
+ }
+ }
++
++void __kasan_vrealloc(const void *addr, unsigned long old_size,
++ unsigned long new_size)
++{
++ if (new_size < old_size) {
++ kasan_poison_last_granule(addr, new_size);
++
++ new_size = round_up(new_size, KASAN_GRANULE_SIZE);
++ old_size = round_up(old_size, KASAN_GRANULE_SIZE);
++ if (new_size < old_size)
++ __kasan_poison_vmalloc(addr + new_size,
++ old_size - new_size);
++ } else if (new_size > old_size) {
++ old_size = round_down(old_size, KASAN_GRANULE_SIZE);
++ __kasan_unpoison_vmalloc(addr + old_size,
++ new_size - old_size,
++ KASAN_VMALLOC_PROT_NORMAL |
++ KASAN_VMALLOC_VM_ALLOC |
++ KASAN_VMALLOC_KEEP_TAG);
++ }
++}
+ #endif
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -4109,7 +4109,7 @@ void *vrealloc_noprof(const void *p, siz
+ if (want_init_on_free() || want_init_on_alloc(flags))
+ memset((void *)p + size, 0, old_size - size);
+ vm->requested_size = size;
+- kasan_poison_vmalloc(p + size, old_size - size);
++ kasan_vrealloc(p, old_size, size);
+ return (void *)p;
+ }
+
+@@ -4117,16 +4117,13 @@ void *vrealloc_noprof(const void *p, siz
+ * We already have the bytes available in the allocation; use them.
+ */
+ if (size <= alloced_size) {
+- kasan_unpoison_vmalloc(p + old_size, size - old_size,
+- KASAN_VMALLOC_PROT_NORMAL |
+- KASAN_VMALLOC_VM_ALLOC |
+- KASAN_VMALLOC_KEEP_TAG);
+ /*
+ * No need to zero memory here, as unused memory will have
+ * already been zeroed at initial allocation time or during
+ * realloc shrink time.
+ */
+ vm->requested_size = size;
++ kasan_vrealloc(p, old_size, size);
+ return (void *)p;
+ }
+
--- /dev/null
+From a148a2040191b12b45b82cb29c281cb3036baf90 Mon Sep 17 00:00:00 2001
+From: Jane Chu <jane.chu@oracle.com>
+Date: Tue, 20 Jan 2026 16:22:33 -0700
+Subject: mm/memory-failure: fix missing ->mf_stats count in hugetlb poison
+
+From: Jane Chu <jane.chu@oracle.com>
+
+commit a148a2040191b12b45b82cb29c281cb3036baf90 upstream.
+
+When a newly poisoned subpage ends up in an already poisoned hugetlb
+folio, 'num_poisoned_pages' is incremented, but the per node ->mf_stats is
+not. Fix the inconsistency by designating action_result() to update them
+both.
+
+While at it, define __get_huge_page_for_hwpoison() return values in terms
+of symbol names for better readibility. Also rename
+folio_set_hugetlb_hwpoison() to hugetlb_update_hwpoison() since the
+function does more than the conventional bit setting and the fact three
+possible return values are expected.
+
+Link: https://lkml.kernel.org/r/20260120232234.3462258-1-jane.chu@oracle.com
+Fixes: 18f41fa616ee ("mm: memory-failure: bump memory failure stats to pglist_data")
+Signed-off-by: Jane Chu <jane.chu@oracle.com>
+Acked-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Chris Mason <clm@meta.com>
+Cc: David Hildenbrand <david@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Jiaqi Yan <jiaqiyan@google.com>
+Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: William Roche <william.roche@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-failure.c | 93 +++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 56 insertions(+), 37 deletions(-)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1937,12 +1937,22 @@ static unsigned long __folio_free_raw_hw
+ return count;
+ }
+
+-static int folio_set_hugetlb_hwpoison(struct folio *folio, struct page *page)
++#define MF_HUGETLB_FREED 0 /* freed hugepage */
++#define MF_HUGETLB_IN_USED 1 /* in-use hugepage */
++#define MF_HUGETLB_NON_HUGEPAGE 2 /* not a hugepage */
++#define MF_HUGETLB_FOLIO_PRE_POISONED 3 /* folio already poisoned */
++#define MF_HUGETLB_PAGE_PRE_POISONED 4 /* exact page already poisoned */
++#define MF_HUGETLB_RETRY 5 /* hugepage is busy, retry */
++/*
++ * Set hugetlb folio as hwpoisoned, update folio private raw hwpoison list
++ * to keep track of the poisoned pages.
++ */
++static int hugetlb_update_hwpoison(struct folio *folio, struct page *page)
+ {
+ struct llist_head *head;
+ struct raw_hwp_page *raw_hwp;
+ struct raw_hwp_page *p;
+- int ret = folio_test_set_hwpoison(folio) ? -EHWPOISON : 0;
++ int ret = folio_test_set_hwpoison(folio) ? MF_HUGETLB_FOLIO_PRE_POISONED : 0;
+
+ /*
+ * Once the hwpoison hugepage has lost reliable raw error info,
+@@ -1950,20 +1960,17 @@ static int folio_set_hugetlb_hwpoison(st
+ * so skip to add additional raw error info.
+ */
+ if (folio_test_hugetlb_raw_hwp_unreliable(folio))
+- return -EHWPOISON;
++ return MF_HUGETLB_FOLIO_PRE_POISONED;
+ head = raw_hwp_list_head(folio);
+ llist_for_each_entry(p, head->first, node) {
+ if (p->page == page)
+- return -EHWPOISON;
++ return MF_HUGETLB_PAGE_PRE_POISONED;
+ }
+
+ raw_hwp = kmalloc(sizeof(struct raw_hwp_page), GFP_ATOMIC);
+ if (raw_hwp) {
+ raw_hwp->page = page;
+ llist_add(&raw_hwp->node, head);
+- /* the first error event will be counted in action_result(). */
+- if (ret)
+- num_poisoned_pages_inc(page_to_pfn(page));
+ } else {
+ /*
+ * Failed to save raw error info. We no longer trace all
+@@ -2011,42 +2018,39 @@ void folio_clear_hugetlb_hwpoison(struct
+
+ /*
+ * Called from hugetlb code with hugetlb_lock held.
+- *
+- * Return values:
+- * 0 - free hugepage
+- * 1 - in-use hugepage
+- * 2 - not a hugepage
+- * -EBUSY - the hugepage is busy (try to retry)
+- * -EHWPOISON - the hugepage is already hwpoisoned
+ */
+ int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+ bool *migratable_cleared)
+ {
+ struct page *page = pfn_to_page(pfn);
+ struct folio *folio = page_folio(page);
+- int ret = 2; /* fallback to normal page handling */
+ bool count_increased = false;
++ int ret, rc;
+
+- if (!folio_test_hugetlb(folio))
++ if (!folio_test_hugetlb(folio)) {
++ ret = MF_HUGETLB_NON_HUGEPAGE;
+ goto out;
+-
+- if (flags & MF_COUNT_INCREASED) {
+- ret = 1;
++ } else if (flags & MF_COUNT_INCREASED) {
++ ret = MF_HUGETLB_IN_USED;
+ count_increased = true;
+ } else if (folio_test_hugetlb_freed(folio)) {
+- ret = 0;
++ ret = MF_HUGETLB_FREED;
+ } else if (folio_test_hugetlb_migratable(folio)) {
+- ret = folio_try_get(folio);
+- if (ret)
++ if (folio_try_get(folio)) {
++ ret = MF_HUGETLB_IN_USED;
+ count_increased = true;
++ } else {
++ ret = MF_HUGETLB_FREED;
++ }
+ } else {
+- ret = -EBUSY;
++ ret = MF_HUGETLB_RETRY;
+ if (!(flags & MF_NO_RETRY))
+ goto out;
+ }
+
+- if (folio_set_hugetlb_hwpoison(folio, page)) {
+- ret = -EHWPOISON;
++ rc = hugetlb_update_hwpoison(folio, page);
++ if (rc >= MF_HUGETLB_FOLIO_PRE_POISONED) {
++ ret = rc;
+ goto out;
+ }
+
+@@ -2071,10 +2075,16 @@ out:
+ * with basic operations like hugepage allocation/free/demotion.
+ * So some of prechecks for hwpoison (pinning, and testing/setting
+ * PageHWPoison) should be done in single hugetlb_lock range.
++ * Returns:
++ * 0 - not hugetlb, or recovered
++ * -EBUSY - not recovered
++ * -EOPNOTSUPP - hwpoison_filter'ed
++ * -EHWPOISON - folio or exact page already poisoned
++ * -EFAULT - kill_accessing_process finds current->mm null
+ */
+ static int try_memory_failure_hugetlb(unsigned long pfn, int flags, int *hugetlb)
+ {
+- int res;
++ int res, rv;
+ struct page *p = pfn_to_page(pfn);
+ struct folio *folio;
+ unsigned long page_flags;
+@@ -2083,22 +2093,31 @@ static int try_memory_failure_hugetlb(un
+ *hugetlb = 1;
+ retry:
+ res = get_huge_page_for_hwpoison(pfn, flags, &migratable_cleared);
+- if (res == 2) { /* fallback to normal page handling */
++ switch (res) {
++ case MF_HUGETLB_NON_HUGEPAGE: /* fallback to normal page handling */
+ *hugetlb = 0;
+ return 0;
+- } else if (res == -EHWPOISON) {
+- if (flags & MF_ACTION_REQUIRED) {
+- folio = page_folio(p);
+- res = kill_accessing_process(current, folio_pfn(folio), flags);
+- }
+- action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED);
+- return res;
+- } else if (res == -EBUSY) {
++ case MF_HUGETLB_RETRY:
+ if (!(flags & MF_NO_RETRY)) {
+ flags |= MF_NO_RETRY;
+ goto retry;
+ }
+ return action_result(pfn, MF_MSG_GET_HWPOISON, MF_IGNORED);
++ case MF_HUGETLB_FOLIO_PRE_POISONED:
++ case MF_HUGETLB_PAGE_PRE_POISONED:
++ rv = -EHWPOISON;
++ if (flags & MF_ACTION_REQUIRED) {
++ folio = page_folio(p);
++ rv = kill_accessing_process(current, folio_pfn(folio), flags);
++ }
++ if (res == MF_HUGETLB_PAGE_PRE_POISONED)
++ action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED);
++ else
++ action_result(pfn, MF_MSG_HUGE, MF_FAILED);
++ return rv;
++ default:
++ WARN_ON((res != MF_HUGETLB_FREED) && (res != MF_HUGETLB_IN_USED));
++ break;
+ }
+
+ folio = page_folio(p);
+@@ -2109,7 +2128,7 @@ retry:
+ if (migratable_cleared)
+ folio_set_hugetlb_migratable(folio);
+ folio_unlock(folio);
+- if (res == 1)
++ if (res == MF_HUGETLB_IN_USED)
+ folio_put(folio);
+ return -EOPNOTSUPP;
+ }
+@@ -2118,7 +2137,7 @@ retry:
+ * Handling free hugepage. The possible race with hugepage allocation
+ * or demotion can be prevented by PageHWPoison flag.
+ */
+- if (res == 0) {
++ if (res == MF_HUGETLB_FREED) {
+ folio_unlock(folio);
+ if (__page_handle_poison(p) > 0) {
+ page_ref_inc(p);
--- /dev/null
+From 057a6f2632c956483e2b2628477f0fcd1cd8a844 Mon Sep 17 00:00:00 2001
+From: Jane Chu <jane.chu@oracle.com>
+Date: Tue, 20 Jan 2026 16:22:34 -0700
+Subject: mm/memory-failure: teach kill_accessing_process to accept hugetlb tail page pfn
+
+From: Jane Chu <jane.chu@oracle.com>
+
+commit 057a6f2632c956483e2b2628477f0fcd1cd8a844 upstream.
+
+When a hugetlb folio is being poisoned again, try_memory_failure_hugetlb()
+passed head pfn to kill_accessing_process(), that is not right. The
+precise pfn of the poisoned page should be used in order to determine the
+precise vaddr as the SIGBUS payload.
+
+This issue has already been taken care of in the normal path, that is,
+hwpoison_user_mappings(), see [1][2]. Further more, for [3] to work
+correctly in the hugetlb repoisoning case, it's essential to inform VM the
+precise poisoned page, not the head page.
+
+[1] https://lkml.kernel.org/r/20231218135837.3310403-1-willy@infradead.org
+[2] https://lkml.kernel.org/r/20250224211445.2663312-1-jane.chu@oracle.com
+[3] https://lore.kernel.org/lkml/20251116013223.1557158-1-jiaqiyan@google.com/
+
+Link: https://lkml.kernel.org/r/20260120232234.3462258-2-jane.chu@oracle.com
+Signed-off-by: Jane Chu <jane.chu@oracle.com>
+Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Acked-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Chris Mason <clm@meta.com>
+Cc: David Hildenbrand <david@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Jiaqi Yan <jiaqiyan@google.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: William Roche <william.roche@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-failure.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -754,6 +754,8 @@ static int check_hwpoisoned_entry(pte_t
+ unsigned long poisoned_pfn, struct to_kill *tk)
+ {
+ unsigned long pfn = 0;
++ unsigned long hwpoison_vaddr;
++ unsigned long mask;
+
+ if (pte_present(pte)) {
+ pfn = pte_pfn(pte);
+@@ -764,10 +766,12 @@ static int check_hwpoisoned_entry(pte_t
+ pfn = swp_offset_pfn(swp);
+ }
+
+- if (!pfn || pfn != poisoned_pfn)
++ mask = ~((1UL << (shift - PAGE_SHIFT)) - 1);
++ if (!pfn || pfn != (poisoned_pfn & mask))
+ return 0;
+
+- set_to_kill(tk, addr, shift);
++ hwpoison_vaddr = addr + ((poisoned_pfn - pfn) << PAGE_SHIFT);
++ set_to_kill(tk, hwpoison_vaddr, shift);
+ return 1;
+ }
+
+@@ -2106,10 +2110,8 @@ retry:
+ case MF_HUGETLB_FOLIO_PRE_POISONED:
+ case MF_HUGETLB_PAGE_PRE_POISONED:
+ rv = -EHWPOISON;
+- if (flags & MF_ACTION_REQUIRED) {
+- folio = page_folio(p);
+- rv = kill_accessing_process(current, folio_pfn(folio), flags);
+- }
++ if (flags & MF_ACTION_REQUIRED)
++ rv = kill_accessing_process(current, pfn, flags);
+ if (res == MF_HUGETLB_PAGE_PRE_POISONED)
+ action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED);
+ else
--- /dev/null
+From 8a1968bd997f45a9b11aefeabdd1232e1b6c7184 Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@tencent.com>
+Date: Tue, 20 Jan 2026 00:11:21 +0800
+Subject: mm/shmem, swap: fix race of truncate and swap entry split
+
+From: Kairui Song <kasong@tencent.com>
+
+commit 8a1968bd997f45a9b11aefeabdd1232e1b6c7184 upstream.
+
+The helper for shmem swap freeing is not handling the order of swap
+entries correctly. It uses xa_cmpxchg_irq to erase the swap entry, but it
+gets the entry order before that using xa_get_order without lock
+protection, and it may get an outdated order value if the entry is split
+or changed in other ways after the xa_get_order and before the
+xa_cmpxchg_irq.
+
+And besides, the order could grow and be larger than expected, and cause
+truncation to erase data beyond the end border. For example, if the
+target entry and following entries are swapped in or freed, then a large
+folio was added in place and swapped out, using the same entry, the
+xa_cmpxchg_irq will still succeed, it's very unlikely to happen though.
+
+To fix that, open code the Xarray cmpxchg and put the order retrieval and
+value checking in the same critical section. Also, ensure the order won't
+exceed the end border, skip it if the entry goes across the border.
+
+Skipping large swap entries crosses the end border is safe here. Shmem
+truncate iterates the range twice, in the first iteration,
+find_lock_entries already filtered such entries, and shmem will swapin the
+entries that cross the end border and partially truncate the folio (split
+the folio or at least zero part of it). So in the second loop here, if we
+see a swap entry that crosses the end order, it must at least have its
+content erased already.
+
+I observed random swapoff hangs and kernel panics when stress testing
+ZSWAP with shmem. After applying this patch, all problems are gone.
+
+Link: https://lkml.kernel.org/r/20260120-shmem-swap-fix-v3-1-3d33ebfbc057@tencent.com
+Fixes: 809bc86517cc ("mm: shmem: support large folio swap out")
+Signed-off-by: Kairui Song <kasong@tencent.com>
+Reviewed-by: Nhat Pham <nphamcs@gmail.com>
+Acked-by: Chris Li <chrisl@kernel.org>
+Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Barry Song <baohua@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Kemeng Shi <shikemeng@huaweicloud.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/shmem.c | 45 ++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 34 insertions(+), 11 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -860,17 +860,29 @@ static void shmem_delete_from_page_cache
+ * being freed).
+ */
+ static long shmem_free_swap(struct address_space *mapping,
+- pgoff_t index, void *radswap)
++ pgoff_t index, pgoff_t end, void *radswap)
+ {
+- int order = xa_get_order(&mapping->i_pages, index);
+- void *old;
++ XA_STATE(xas, &mapping->i_pages, index);
++ unsigned int nr_pages = 0;
++ pgoff_t base;
++ void *entry;
++
++ xas_lock_irq(&xas);
++ entry = xas_load(&xas);
++ if (entry == radswap) {
++ nr_pages = 1 << xas_get_order(&xas);
++ base = round_down(xas.xa_index, nr_pages);
++ if (base < index || base + nr_pages - 1 > end)
++ nr_pages = 0;
++ else
++ xas_store(&xas, NULL);
++ }
++ xas_unlock_irq(&xas);
+
+- old = xa_cmpxchg_irq(&mapping->i_pages, index, radswap, NULL, 0);
+- if (old != radswap)
+- return 0;
+- free_swap_and_cache_nr(radix_to_swp_entry(radswap), 1 << order);
++ if (nr_pages)
++ free_swap_and_cache_nr(radix_to_swp_entry(radswap), nr_pages);
+
+- return 1 << order;
++ return nr_pages;
+ }
+
+ /*
+@@ -1022,8 +1034,8 @@ static void shmem_undo_range(struct inod
+ if (xa_is_value(folio)) {
+ if (unfalloc)
+ continue;
+- nr_swaps_freed += shmem_free_swap(mapping,
+- indices[i], folio);
++ nr_swaps_freed += shmem_free_swap(mapping, indices[i],
++ end - 1, folio);
+ continue;
+ }
+
+@@ -1089,12 +1101,23 @@ whole_folios:
+ folio = fbatch.folios[i];
+
+ if (xa_is_value(folio)) {
++ int order;
+ long swaps_freed;
+
+ if (unfalloc)
+ continue;
+- swaps_freed = shmem_free_swap(mapping, indices[i], folio);
++ swaps_freed = shmem_free_swap(mapping, indices[i],
++ end - 1, folio);
+ if (!swaps_freed) {
++ /*
++ * If found a large swap entry cross the end border,
++ * skip it as the truncate_inode_partial_folio above
++ * should have at least zerod its content once.
++ */
++ order = shmem_confirm_swap(mapping, indices[i],
++ radix_to_swp_entry(folio));
++ if (order > 0 && indices[i] + (1 << order) > end)
++ continue;
+ /* Swap was replaced by page: retry */
+ index = indices[i];
+ break;
--- /dev/null
+From dccf46179ddd6c04c14be8ed584dc54665f53f0e Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 27 Jan 2026 20:27:25 +0100
+Subject: mptcp: only reset subflow errors when propagated
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit dccf46179ddd6c04c14be8ed584dc54665f53f0e upstream.
+
+Some subflow socket errors need to be reported to the MPTCP socket: the
+initial subflow connect (MP_CAPABLE), and the ones from the fallback
+sockets. The others are not propagated.
+
+The issue is that sock_error() was used to retrieve the error, which was
+also resetting the sk_err field. Because of that, when notifying the
+userspace about subflow close events later on from the MPTCP worker, the
+ssk->sk_err field was always 0.
+
+Now, the error (sk_err) is only reset when propagating it to the msk.
+
+Fixes: 15cc10453398 ("mptcp: deliver ssk errors to msk")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260127-net-mptcp-dup-nl-events-v1-3-7f71e1bc4feb@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -798,11 +798,8 @@ static bool __mptcp_ofo_queue(struct mpt
+
+ static bool __mptcp_subflow_error_report(struct sock *sk, struct sock *ssk)
+ {
+- int err = sock_error(ssk);
+ int ssk_state;
+-
+- if (!err)
+- return false;
++ int err;
+
+ /* only propagate errors on fallen-back sockets or
+ * on MPC connect
+@@ -810,6 +807,10 @@ static bool __mptcp_subflow_error_report
+ if (sk->sk_state != TCP_SYN_SENT && !__mptcp_check_fallback(mptcp_sk(sk)))
+ return false;
+
++ err = sock_error(ssk);
++ if (!err)
++ return false;
++
+ /* We need to propagate only transition to CLOSE state.
+ * Orphaned socket will see such state change via
+ * subflow_sched_work_if_closed() and that path will properly
--- /dev/null
+From 426ca15c7f6cb6562a081341ca88893a50c59fa2 Mon Sep 17 00:00:00 2001
+From: Jibin Zhang <jibin.zhang@mediatek.com>
+Date: Mon, 26 Jan 2026 23:21:11 +0800
+Subject: net: fix segmentation of forwarding fraglist GRO
+
+From: Jibin Zhang <jibin.zhang@mediatek.com>
+
+commit 426ca15c7f6cb6562a081341ca88893a50c59fa2 upstream.
+
+This patch enhances GSO segment handling by properly checking
+the SKB_GSO_DODGY flag for frag_list GSO packets, addressing
+low throughput issues observed when a station accesses IPv4
+servers via hotspots with an IPv6-only upstream interface.
+
+Specifically, it fixes a bug in GSO segmentation when forwarding
+GRO packets containing a frag_list. The function skb_segment_list
+cannot correctly process GRO skbs that have been converted by XLAT,
+since XLAT only translates the header of the head skb. Consequently,
+skbs in the frag_list may remain untranslated, resulting in protocol
+inconsistencies and reduced throughput.
+
+To address this, the patch explicitly sets the SKB_GSO_DODGY flag
+for GSO packets in XLAT's IPv4/IPv6 protocol translation helpers
+(bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO
+packets as potentially modified after protocol translation. As a
+result, GSO segmentation will avoid using skb_segment_list and
+instead falls back to skb_segment for packets with the SKB_GSO_DODGY
+flag. This ensures that only safe and fully translated frag_list
+packets are processed by skb_segment_list, resolving protocol
+inconsistencies and improving throughput when forwarding GRO packets
+converted by XLAT.
+
+Signed-off-by: Jibin Zhang <jibin.zhang@mediatek.com>
+Fixes: 9fd1ff5d2ac7 ("udp: Support UDP fraglist GRO/GSO.")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260126152114.1211-1-jibin.zhang@mediatek.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/filter.c | 2 ++
+ net/ipv4/tcp_offload.c | 3 ++-
+ net/ipv4/udp_offload.c | 3 ++-
+ net/ipv6/tcpv6_offload.c | 3 ++-
+ 4 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -3360,6 +3360,7 @@ static int bpf_skb_proto_4_to_6(struct s
+ shinfo->gso_type &= ~SKB_GSO_TCPV4;
+ shinfo->gso_type |= SKB_GSO_TCPV6;
+ }
++ shinfo->gso_type |= SKB_GSO_DODGY;
+ }
+
+ bpf_skb_change_protocol(skb, ETH_P_IPV6);
+@@ -3390,6 +3391,7 @@ static int bpf_skb_proto_6_to_4(struct s
+ shinfo->gso_type &= ~SKB_GSO_TCPV6;
+ shinfo->gso_type |= SKB_GSO_TCPV4;
+ }
++ shinfo->gso_type |= SKB_GSO_DODGY;
+ }
+
+ bpf_skb_change_protocol(skb, ETH_P_IP);
+--- a/net/ipv4/tcp_offload.c
++++ b/net/ipv4/tcp_offload.c
+@@ -107,7 +107,8 @@ static struct sk_buff *tcp4_gso_segment(
+ if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) {
+ struct tcphdr *th = tcp_hdr(skb);
+
+- if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size)
++ if ((skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) &&
++ !(skb_shinfo(skb)->gso_type & SKB_GSO_DODGY))
+ return __tcp4_gso_segment_list(skb, features);
+
+ skb->ip_summed = CHECKSUM_NONE;
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -358,7 +358,8 @@ struct sk_buff *__udp_gso_segment(struct
+
+ if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) {
+ /* Detect modified geometry and pass those to skb_segment. */
+- if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size)
++ if ((skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size) &&
++ !(skb_shinfo(gso_skb)->gso_type & SKB_GSO_DODGY))
+ return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+
+ ret = __skb_linearize(gso_skb);
+--- a/net/ipv6/tcpv6_offload.c
++++ b/net/ipv6/tcpv6_offload.c
+@@ -171,7 +171,8 @@ static struct sk_buff *tcp6_gso_segment(
+ if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) {
+ struct tcphdr *th = tcp_hdr(skb);
+
+- if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size)
++ if ((skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) &&
++ !(skb_shinfo(skb)->gso_type & SKB_GSO_DODGY))
+ return __tcp6_gso_segment_list(skb, features);
+
+ skb->ip_summed = CHECKSUM_NONE;
--- /dev/null
+From 0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Wed, 21 Jan 2026 17:38:54 +0800
+Subject: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e upstream.
+
+There is a race condition in nvmet_bio_done() that can cause a NULL
+pointer dereference in blk_cgroup_bio_start():
+
+1. nvmet_bio_done() is called when a bio completes
+2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)
+3. The queue_response callback can re-queue and re-submit the same request
+4. The re-submission reuses the same inline_bio from nvmet_req
+5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)
+ invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL
+6. The re-submitted bio enters submit_bio_noacct_nocheck()
+7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000028
+ #PF: supervisor read access in kernel mode
+ RIP: 0010:blk_cgroup_bio_start+0x10/0xd0
+ Call Trace:
+ submit_bio_noacct_nocheck+0x44/0x250
+ nvmet_bdev_execute_rw+0x254/0x370 [nvmet]
+ process_one_work+0x193/0x3c0
+ worker_thread+0x281/0x3a0
+
+Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()
+BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before
+the request can be re-submitted, preventing the race condition.
+
+Fixes: 190f4c2c863a ("nvmet: fix memory leak of bio integrity")
+Cc: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Cc: stable@vger.kernel.org
+Cc: Guangwu Zhang <guazhang@redhat.com>
+Link: http://www.mail-archive.com/debian-kernel@lists.debian.org/msg146238.html
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/io-cmd-bdev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/target/io-cmd-bdev.c
++++ b/drivers/nvme/target/io-cmd-bdev.c
+@@ -176,9 +176,10 @@ u16 blk_to_nvme_status(struct nvmet_req
+ static void nvmet_bio_done(struct bio *bio)
+ {
+ struct nvmet_req *req = bio->bi_private;
++ blk_status_t blk_status = bio->bi_status;
+
+- nvmet_req_complete(req, blk_to_nvme_status(req, bio->bi_status));
+ nvmet_req_bio_put(req, bio);
++ nvmet_req_complete(req, blk_to_nvme_status(req, blk_status));
+ }
+
+ #ifdef CONFIG_BLK_DEV_INTEGRITY
--- /dev/null
+From 28f24068387169722b508bba6b5257cb68b86e74 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Mon, 5 Jan 2026 16:05:08 +0100
+Subject: pinctrl: meson: mark the GPIO controller as sleeping
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit 28f24068387169722b508bba6b5257cb68b86e74 upstream.
+
+The GPIO controller is configured as non-sleeping but it uses generic
+pinctrl helpers which use a mutex for synchronization.
+
+This can cause the following lockdep splat with shared GPIOs enabled on
+boards which have multiple devices using the same GPIO:
+
+BUG: sleeping function called from invalid context at
+kernel/locking/mutex.c:591
+in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 142, name:
+kworker/u25:3
+preempt_count: 1, expected: 0
+RCU nest depth: 0, expected: 0
+INFO: lockdep is turned off.
+irq event stamp: 46379
+hardirqs last enabled at (46379): [<ffff8000813acb24>]
+_raw_spin_unlock_irqrestore+0x74/0x78
+hardirqs last disabled at (46378): [<ffff8000813abf38>]
+_raw_spin_lock_irqsave+0x84/0x88
+softirqs last enabled at (46330): [<ffff8000800c71b4>]
+handle_softirqs+0x4c4/0x4dc
+softirqs last disabled at (46295): [<ffff800080010674>]
+__do_softirq+0x14/0x20
+CPU: 1 UID: 0 PID: 142 Comm: kworker/u25:3 Tainted: G C
+6.19.0-rc4-next-20260105+ #11963 PREEMPT
+Tainted: [C]=CRAP
+Hardware name: Khadas VIM3 (DT)
+Workqueue: events_unbound deferred_probe_work_func
+Call trace:
+ show_stack+0x18/0x24 (C)
+ dump_stack_lvl+0x90/0xd0
+ dump_stack+0x18/0x24
+ __might_resched+0x144/0x248
+ __might_sleep+0x48/0x98
+ __mutex_lock+0x5c/0x894
+ mutex_lock_nested+0x24/0x30
+ pinctrl_get_device_gpio_range+0x44/0x128
+ pinctrl_gpio_set_config+0x40/0xdc
+ gpiochip_generic_config+0x28/0x3c
+ gpio_do_set_config+0xa8/0x194
+ gpiod_set_config+0x34/0xfc
+ gpio_shared_proxy_set_config+0x6c/0xfc [gpio_shared_proxy]
+ gpio_do_set_config+0xa8/0x194
+ gpiod_set_transitory+0x4c/0xf0
+ gpiod_configure_flags+0xa4/0x480
+ gpiod_find_and_request+0x1a0/0x574
+ gpiod_get_index+0x58/0x84
+ devm_gpiod_get_index+0x20/0xb4
+ devm_gpiod_get+0x18/0x24
+ mmc_pwrseq_emmc_probe+0x40/0xb8
+ platform_probe+0x5c/0xac
+ really_probe+0xbc/0x298
+ __driver_probe_device+0x78/0x12c
+ driver_probe_device+0xdc/0x164
+ __device_attach_driver+0xb8/0x138
+ bus_for_each_drv+0x80/0xdc
+ __device_attach+0xa8/0x1b0
+
+Fixes: 6ac730951104 ("pinctrl: add driver for Amlogic Meson SoCs")
+Cc: stable@vger.kernel.org
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Closes: https://lore.kernel.org/all/00107523-7737-4b92-a785-14ce4e93b8cb@samsung.com/
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/meson/pinctrl-meson.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/meson/pinctrl-meson.c
++++ b/drivers/pinctrl/meson/pinctrl-meson.c
+@@ -619,7 +619,7 @@ static int meson_gpiolib_register(struct
+ pc->chip.set = meson_gpio_set;
+ pc->chip.base = -1;
+ pc->chip.ngpio = pc->data->num_pins;
+- pc->chip.can_sleep = false;
++ pc->chip.can_sleep = true;
+
+ ret = gpiochip_add_data(&pc->chip, pc);
+ if (ret) {
--- /dev/null
+From 0ea05c4f7527a98f5946f96c829733788934311d Mon Sep 17 00:00:00 2001
+From: Han Gao <gaohan@iscas.ac.cn>
+Date: Wed, 28 Jan 2026 03:07:11 +0800
+Subject: riscv: compat: fix COMPAT_UTS_MACHINE definition
+
+From: Han Gao <gaohan@iscas.ac.cn>
+
+commit 0ea05c4f7527a98f5946f96c829733788934311d upstream.
+
+The COMPAT_UTS_MACHINE for riscv was incorrectly defined as "riscv".
+Change it to "riscv32" to reflect the correct 32-bit compat name.
+
+Fixes: 06d0e3723647 ("riscv: compat: Add basic compat data type implementation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Han Gao <gaohan@iscas.ac.cn>
+Reviewed-by: Guo Ren (Alibaba Damo Academy) <guoren@kernel.org>
+Link: https://patch.msgid.link/20260127190711.2264664-1-gaohan@iscas.ac.cn
+Signed-off-by: Paul Walmsley <pjw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/compat.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/include/asm/compat.h
++++ b/arch/riscv/include/asm/compat.h
+@@ -2,7 +2,7 @@
+ #ifndef __ASM_COMPAT_H
+ #define __ASM_COMPAT_H
+
+-#define COMPAT_UTS_MACHINE "riscv\0\0"
++#define COMPAT_UTS_MACHINE "riscv32\0\0"
+
+ /*
+ * Architecture specific compatibility types
--- /dev/null
+From af20ae33e7dd949f2e770198e74ac8f058cb299d Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Thu, 15 Jan 2026 19:38:32 +0100
+Subject: rust: kbuild: give `--config-path` to `rustfmt` in `.rsi` target
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit af20ae33e7dd949f2e770198e74ac8f058cb299d upstream.
+
+`rustfmt` is configured via the `.rustfmt.toml` file in the source tree,
+and we apply `rustfmt` to the macro expanded sources generated by the
+`.rsi` target.
+
+However, under an `O=` pointing to an external folder (i.e. not just
+a subdir), `rustfmt` will not find the file when checking the parent
+folders. Since the edition is configured in this file, this can lead to
+errors when it encounters newer syntax, e.g.
+
+ error: expected one of `!`, `.`, `::`, `;`, `?`, `where`, `{`, or an operator, found `"rust_minimal"`
+ --> samples/rust/rust_minimal.rsi:29:49
+ |
+ 28 | impl ::kernel::ModuleMetadata for RustMinimal {
+ | - while parsing this item list starting here
+ 29 | const NAME: &'static ::kernel::str::CStr = c"rust_minimal";
+ | ^^^^^^^^^^^^^^ expected one of 8 possible tokens
+ 30 | }
+ | - the item list ends here
+ |
+ = note: you may be trying to write a c-string literal
+ = note: c-string literals require Rust 2021 or later
+ = help: pass `--edition 2024` to `rustc`
+ = note: for more on editions, read https://doc.rust-lang.org/edition-guide
+
+A workaround is to use `RUSTFMT=n`, which is documented in the `Makefile`
+help for cases where macro expanded source may happen to break `rustfmt`
+for other reasons, but this is not one of those cases.
+
+One solution would be to pass `--edition`, but we want `rustfmt` to
+use the entire configuration, even if currently we essentially use the
+default configuration.
+
+Thus explicitly give the path to the config file to `rustfmt` instead.
+
+Reported-by: Alice Ryhl <aliceryhl@google.com>
+Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Gary Guo <gary@garyguo.net>
+Link: https://patch.msgid.link/20260115183832.46595-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/Makefile.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -286,7 +286,7 @@ $(obj)/%.o: $(obj)/%.rs FORCE
+ quiet_cmd_rustc_rsi_rs = $(RUSTC_OR_CLIPPY_QUIET) $(quiet_modtag) $@
+ cmd_rustc_rsi_rs = \
+ $(rust_common_cmd) -Zunpretty=expanded $< >$@; \
+- command -v $(RUSTFMT) >/dev/null && $(RUSTFMT) $@
++ command -v $(RUSTFMT) >/dev/null && $(RUSTFMT) --config-path $(srctree)/.rustfmt.toml $@
+
+ $(obj)/%.rsi: $(obj)/%.rs FORCE
+ +$(call if_changed_dep,rustc_rsi_rs)
--- /dev/null
+From 45f6aed8a835ee2bdd0a5d5ee626a91fe285014f Mon Sep 17 00:00:00 2001
+From: Hang Shu <m18080292938@163.com>
+Date: Fri, 7 Nov 2025 09:39:17 +0000
+Subject: rust: rbtree: fix documentation typo in CursorMut peek_next method
+
+From: Hang Shu <m18080292938@163.com>
+
+commit 45f6aed8a835ee2bdd0a5d5ee626a91fe285014f upstream.
+
+The peek_next method's doc comment incorrectly stated it accesses the
+"previous" node when it actually accesses the next node.
+
+Fix the documentation to accurately reflect the method's behavior.
+
+Fixes: 98c14e40e07a ("rust: rbtree: add cursor")
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Signed-off-by: Hang Shu <m18080292938@163.com>
+Reported-by: Miguel Ojeda <ojeda@kernel.org>
+Closes: https://github.com/Rust-for-Linux/linux/issues/1205
+Cc: stable@vger.kernel.org
+Reviewed-by: Gary Guo <gary@garyguo.net>
+Link: https://patch.msgid.link/20251107093921.3379954-1-m18080292938@163.com
+[ Reworded slightly. - Miguel ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/rbtree.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/rust/kernel/rbtree.rs
++++ b/rust/kernel/rbtree.rs
+@@ -838,7 +838,7 @@ impl<'a, K, V> Cursor<'a, K, V> {
+ self.peek(Direction::Prev)
+ }
+
+- /// Access the previous node without moving the cursor.
++ /// Access the next node without moving the cursor.
+ pub fn peek_next(&self) -> Option<(&K, &V)> {
+ self.peek(Direction::Next)
+ }
--- /dev/null
+From 4747bafaa50115d9667ece446b1d2d4aba83dc7f Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Date: Sat, 13 Dec 2025 16:36:43 +0800
+Subject: scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo()
+
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+
+commit 4747bafaa50115d9667ece446b1d2d4aba83dc7f upstream.
+
+If nonemb_cmd->va fails to be allocated, free the allocation previously
+made by alloc_mcc_wrb().
+
+Fixes: 50a4b824be9e ("scsi: be2iscsi: Fix to make boot discovery non-blocking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Link: https://patch.msgid.link/20251213083643.301240-1-lihaoxiang@isrc.iscas.ac.cn
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/be2iscsi/be_mgmt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/be2iscsi/be_mgmt.c
++++ b/drivers/scsi/be2iscsi/be_mgmt.c
+@@ -1025,6 +1025,7 @@ unsigned int beiscsi_boot_get_sinfo(stru
+ &nonemb_cmd->dma,
+ GFP_KERNEL);
+ if (!nonemb_cmd->va) {
++ free_mcc_wrb(ctrl, tag);
+ mutex_unlock(&ctrl->mbox_lock);
+ return 0;
+ }
--- /dev/null
+From 56bd3c0f749f45793d1eae1d0ddde4255c749bf6 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Mon, 12 Jan 2026 14:43:24 +0100
+Subject: scsi: qla2xxx: edif: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 56bd3c0f749f45793d1eae1d0ddde4255c749bf6 upstream.
+
+Earlier in the function, the ha->flt buffer is allocated with size
+sizeof(struct qla_flt_header) + FLT_REGIONS_SIZE but freed in the error
+path with size SFP_DEV_SIZE.
+
+Fixes: 84318a9f01ce ("scsi: qla2xxx: edif: Add send, receive, and accept for auth_els")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260112134326.55466-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -4484,7 +4484,7 @@ fail_lsrjt:
+ fail_elsrej:
+ dma_pool_destroy(ha->purex_dma_pool);
+ fail_flt:
+- dma_free_coherent(&ha->pdev->dev, SFP_DEV_SIZE,
++ dma_free_coherent(&ha->pdev->dev, sizeof(struct qla_flt_header) + FLT_REGIONS_SIZE,
+ ha->flt, ha->flt_dma);
+
+ fail_flt_buffer:
--- /dev/null
+From 8467458dfa61b37e259e3485a5d3e415d08193c1 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 27 Jan 2026 20:27:24 +0100
+Subject: selftests: mptcp: check no dup close events after error
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 8467458dfa61b37e259e3485a5d3e415d08193c1 upstream.
+
+This validates the previous commit: subflow closed events are re-sent
+with less info when the initial subflow is disconnected after an error
+and each time a subflow is closed after that.
+
+In this new test, the userspace PM is involved because that's how it was
+discovered, but it is not specific to it. The initial subflow is
+terminated with a RESET, and that will cause the subflow disconnect.
+Then, a new subflow is initiated, but also got rejected, which cause a
+second subflow closed event, but not a third one.
+
+While at it, in case of failure to get the expected amount of events,
+the events are printed.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: d82809b6c5f2 ("mptcp: avoid duplicated SUB_CLOSED events")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260127-net-mptcp-dup-nl-events-v1-2-7f71e1bc4feb@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 51 ++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3506,11 +3506,32 @@ chk_evt_nr()
+ count=$(grep -cw "type:${evt}" "${evts}")
+ if [ "${count}" != "${exp}" ]; then
+ fail_test "got ${count} events, expected ${exp}"
++ cat "${evts}"
+ else
+ print_ok
+ fi
+ }
+
++# $1: ns ; $2: event type ; $3: expected count
++wait_event()
++{
++ local ns="${1}"
++ local evt_name="${2}"
++ local exp="${3}"
++
++ local evt="${!evt_name}"
++ local evts="${evts_ns1}"
++ local count
++
++ [ "${ns}" == "ns2" ] && evts="${evts_ns2}"
++
++ for _ in $(seq 100); do
++ count=$(grep -cw "type:${evt}" "${evts}")
++ [ "${count}" -ge "${exp}" ] && break
++ sleep 0.1
++ done
++}
++
+ userspace_tests()
+ {
+ # userspace pm type prevents add_addr
+@@ -3717,6 +3738,36 @@ userspace_tests()
+ kill_events_pids
+ mptcp_lib_kill_group_wait $tests_pid
+ fi
++
++ # userspace pm no duplicated spurious close events after an error
++ if reset_with_events "userspace pm no dup close events after error" &&
++ continue_if mptcp_lib_has_file '/proc/sys/net/mptcp/pm_type'; then
++ set_userspace_pm $ns2
++ pm_nl_set_limits $ns1 0 2
++ { timeout_test=120 test_linkfail=128 speed=slow \
++ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null
++ local tests_pid=$!
++ wait_event ns2 MPTCP_LIB_EVENT_ESTABLISHED 1
++ userspace_pm_add_sf $ns2 10.0.3.2 20
++ chk_mptcp_info subflows 1 subflows 1
++ chk_subflows_total 2 2
++
++ # force quick loss
++ ip netns exec $ns2 sysctl -q net.ipv4.tcp_syn_retries=1
++ if ip netns exec "${ns1}" ${iptables} -A INPUT -s "10.0.1.2" \
++ -p tcp --tcp-option 30 -j REJECT --reject-with tcp-reset &&
++ ip netns exec "${ns2}" ${iptables} -A INPUT -d "10.0.1.2" \
++ -p tcp --tcp-option 30 -j REJECT --reject-with tcp-reset; then
++ wait_event ns2 MPTCP_LIB_EVENT_SUB_CLOSED 1
++ wait_event ns1 MPTCP_LIB_EVENT_SUB_CLOSED 1
++ chk_subflows_total 1 1
++ userspace_pm_add_sf $ns2 10.0.1.2 0
++ wait_event ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2
++ chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2
++ fi
++ kill_events_pids
++ mptcp_lib_kill_group_wait $tests_pid
++ fi
+ }
+
+ endpoint_tests()
--- /dev/null
+From 2ef9e3a3845d0a20b62b01f5b731debd0364688d Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 27 Jan 2026 20:27:26 +0100
+Subject: selftests: mptcp: check subflow errors in close events
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 2ef9e3a3845d0a20b62b01f5b731debd0364688d upstream.
+
+This validates the previous commit: subflow closed events should contain
+an error field when a subflow got closed with an error, e.g. reset or
+timeout.
+
+For this test, the chk_evt_nr helper has been extended to check
+attributes in the matched events.
+
+In this test, the 2 subflow closed events should have an error.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: 15cc10453398 ("mptcp: deliver ssk errors to msk")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260127-net-mptcp-dup-nl-events-v1-4-7f71e1bc4feb@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3481,21 +3481,28 @@ userspace_pm_chk_get_addr()
+ fi
+ }
+
+-# $1: ns ; $2: event type ; $3: count
++# $1: ns ; $2: event type ; $3: count ; [ $4: attr ; $5: attr count ]
+ chk_evt_nr()
+ {
+ local ns=${1}
+ local evt_name="${2}"
+ local exp="${3}"
++ local attr="${4}"
++ local attr_exp="${5}"
+
+ local evts="${evts_ns1}"
+ local evt="${!evt_name}"
++ local attr_name
+ local count
+
++ if [ -n "${attr}" ]; then
++ attr_name=", ${attr}: ${attr_exp}"
++ fi
++
+ evt_name="${evt_name:16}" # without MPTCP_LIB_EVENT_
+ [ "${ns}" == "ns2" ] && evts="${evts_ns2}"
+
+- print_check "event ${ns} ${evt_name} (${exp})"
++ print_check "event ${ns} ${evt_name} (${exp}${attr_name})"
+
+ if [[ "${evt_name}" = "LISTENER_"* ]] &&
+ ! mptcp_lib_kallsyms_has "mptcp_event_pm_listener$"; then
+@@ -3507,6 +3514,16 @@ chk_evt_nr()
+ if [ "${count}" != "${exp}" ]; then
+ fail_test "got ${count} events, expected ${exp}"
+ cat "${evts}"
++ return
++ elif [ -z "${attr}" ]; then
++ print_ok
++ return
++ fi
++
++ count=$(grep -w "type:${evt}" "${evts}" | grep -c ",${attr}:")
++ if [ "${count}" != "${attr_exp}" ]; then
++ fail_test "got ${count} event attributes, expected ${attr_exp}"
++ grep -w "type:${evt}" "${evts}"
+ else
+ print_ok
+ fi
+@@ -3763,7 +3780,7 @@ userspace_tests()
+ chk_subflows_total 1 1
+ userspace_pm_add_sf $ns2 10.0.1.2 0
+ wait_event ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2
+- chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2
++ chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2 error 2
+ fi
+ kill_events_pids
+ mptcp_lib_kill_group_wait $tests_pid
--- /dev/null
+From c5d5ecf21fdd9ce91e6116feb3aa83cee73352cc Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 27 Jan 2026 20:27:27 +0100
+Subject: selftests: mptcp: join: fix local endp not being tracked
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit c5d5ecf21fdd9ce91e6116feb3aa83cee73352cc upstream.
+
+When running this mptcp_join.sh selftest on older kernel versions not
+supporting local endpoints tracking, this test fails because 3 MP_JOIN
+ACKs have been received, while only 2 were expected.
+
+It is not clear why only 2 MP_JOIN ACKs were expected on old kernel
+versions, while 3 MP_JOIN SYN and SYN+ACK were expected. When testing on
+the v5.15.197 kernel, 3 MP_JOIN ACKs are seen, which is also what is
+expected in the selftests included in this kernel version, see commit
+f4480eaad489 ("selftests: mptcp: add missing join check").
+
+Switch the expected MP_JOIN ACKs to 3. While at it, move this
+chk_join_nr helper out of the special condition for older kernel
+versions as it is now the same as with more recent ones. Also, invert
+the condition to be more logical: what's expected on newer kernel
+versions having such helper first.
+
+Fixes: d4c81bbb8600 ("selftests: mptcp: join: support local endpoint being tracked or not")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260127-net-mptcp-dup-nl-events-v1-5-7f71e1bc4feb@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -2162,17 +2162,16 @@ signal_address_tests()
+ ip netns exec $ns1 sysctl -q net.mptcp.add_addr_timeout=1
+ speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
++ chk_join_nr 3 3 3
+
+ # It is not directly linked to the commit introducing this
+ # symbol but for the parent one which is linked anyway.
+- if ! mptcp_lib_kallsyms_has "mptcp_pm_subflow_check_next$"; then
+- chk_join_nr 3 3 2
+- chk_add_nr 4 4
+- else
+- chk_join_nr 3 3 3
++ if mptcp_lib_kallsyms_has "mptcp_pm_subflow_check_next$"; then
+ # the server will not signal the address terminating
+ # the MPC subflow
+ chk_add_nr 3 3
++ else
++ chk_add_nr 4 4
+ fi
+ fi
+ }
dma-pool-distinguish-between-missing-and-exhausted-a.patch
sched-deadline-document-dl_server.patch
sched-deadline-fix-stuck-dl_server.patch
+pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch
+riscv-compat-fix-compat_uts_machine-definition.patch
+rust-rbtree-fix-documentation-typo-in-cursormut-peek_next-method.patch
+rust-kbuild-give-config-path-to-rustfmt-in-.rsi-target.patch
+asoc-fsl-imx-card-do-not-force-slot-width-to-sample-width.patch
+scsi-be2iscsi-fix-a-memory-leak-in-beiscsi_boot_get_sinfo.patch
+asoc-amd-yc-add-dmi-quirk-for-acer-travelmate-p216-41-tco.patch
+gpio-pca953x-mask-interrupts-in-irq-shutdown.patch
+scsi-qla2xxx-edif-fix-dma_free_coherent-size.patch
+efivarfs-fix-error-propagation-in-efivar_entry_get.patch
+nvmet-fix-race-in-nvmet_bio_done-leading-to-null-pointer-dereference.patch
+gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch
+mm-kasan-fix-kasan-poisoning-in-vrealloc.patch
+mptcp-only-reset-subflow-errors-when-propagated.patch
+selftests-mptcp-check-no-dup-close-events-after-error.patch
+selftests-mptcp-check-subflow-errors-in-close-events.patch
+selftests-mptcp-join-fix-local-endp-not-being-tracked.patch
+flex_proportions-make-fprop_new_period-hardirq-safe.patch
+mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch
+mm-memory-failure-teach-kill_accessing_process-to-accept-hugetlb-tail-page-pfn.patch
+mm-shmem-swap-fix-race-of-truncate-and-swap-entry-split.patch
+net-fix-segmentation-of-forwarding-fraglist-gro.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
