--- /dev/null
+From 45424e871abf2a152e247a9cff78359f18dd95c0 Mon Sep 17 00:00:00 2001
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+Date: Sun, 29 Mar 2026 16:38:25 +0300
+Subject: ALSA: caiaq: fix stack out-of-bounds read in init_card
+
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+
+commit 45424e871abf2a152e247a9cff78359f18dd95c0 upstream.
+
+The loop creates a whitespace-stripped copy of the card shortname
+where `len < sizeof(card->id)` is used for the bounds check. Since
+sizeof(card->id) is 16 and the local id buffer is also 16 bytes,
+writing 16 non-space characters fills the entire buffer,
+overwriting the terminating nullbyte.
+
+When this non-null-terminated string is later passed to
+snd_card_set_id() -> copy_valid_id_string(), the function scans
+forward with `while (*nid && ...)` and reads past the end of the
+stack buffer, reading the contents of the stack.
+
+A USB device with a product name containing many non-ASCII, non-space
+characters (e.g. multibyte UTF-8) will reliably trigger this as follows:
+
+ BUG: KASAN: stack-out-of-bounds in copy_valid_id_string
+ sound/core/init.c:696 [inline]
+ BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c
+ sound/core/init.c:718
+
+The off-by-one has been present since commit bafeee5b1f8d ("ALSA:
+snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1),
+which first introduced this whitespace-stripping loop. The original
+code never accounted for the null terminator when bounding the copy.
+
+Fix this by changing the loop bound to `sizeof(card->id) - 1`,
+ensuring at least one byte remains as the null terminator.
+
+Fixes: bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname")
+Cc: stable@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Reported-by: Berk Cem Goksel <berkcgoksel@gmail.com>
+Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
+Link: https://patch.msgid.link/20260329133825.581585-1-berkcgoksel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/caiaq/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -488,7 +488,7 @@ static int init_card(struct snd_usb_caia
+ memset(id, 0, sizeof(id));
+
+ for (c = card->shortname, len = 0;
+- *c && len < sizeof(card->id); c++)
++ *c && len < sizeof(card->id) - 1; c++)
+ if (*c != ' ')
+ id[len++] = *c;
+
--- /dev/null
+From b045ab3dff97edae6d538eeff900a34c098761f8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 29 Mar 2026 11:12:37 +0200
+Subject: ALSA: ctxfi: Fix missing SPDIFI1 index handling
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b045ab3dff97edae6d538eeff900a34c098761f8 upstream.
+
+SPDIF1 DAIO type isn't properly handled in daio_device_index() for
+hw20k2, and it returned -EINVAL, which ended up with the out-of-bounds
+array access. Follow the hw20k1 pattern and return the proper index
+for this type, too.
+
+Reported-and-tested-by: Karsten Hohmeier <linux@hohmatik.de>
+Closes: https://lore.kernel.org/20260315155004.15633-1-linux@hohmatik.de
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260329091240.420194-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/ctxfi/ctdaio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/ctxfi/ctdaio.c
++++ b/sound/pci/ctxfi/ctdaio.c
+@@ -119,6 +119,7 @@ static unsigned int daio_device_index(en
+ switch (type) {
+ case SPDIFOO: return 0;
+ case SPDIFIO: return 0;
++ case SPDIFI1: return 1;
+ case LINEO1: return 4;
+ case LINEO2: return 7;
+ case LINEO3: return 5;
--- /dev/null
+From f1af71d568e55536d9297bfa7907ad497108cf30 Mon Sep 17 00:00:00 2001
+From: Zhang Heng <zhangheng@kylinos.cn>
+Date: Mon, 30 Mar 2026 15:53:34 +0800
+Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Strix SCAR 15
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+commit f1af71d568e55536d9297bfa7907ad497108cf30 upstream.
+
+ASUS ROG Strix SCAR 15, like the Strix G15, requires the
+ALC285_FIXUP_ASUS_G533Z_PINS quirk to work properly.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221247
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260330075334.50962-2-zhangheng@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7067,6 +7067,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1043, 0x1584, "ASUS UM3406GA ", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x1043, 0x1602, "ASUS ROG Strix SCAR 15", ALC285_FIXUP_ASUS_G533Z_PINS),
+ SND_PCI_QUIRK(0x1043, 0x1652, "ASUS ROG Zephyrus Do 15 SE", ALC289_FIXUP_ASUS_ZEPHYRUS_DUAL_SPK),
+ SND_PCI_QUIRK(0x1043, 0x1662, "ASUS GV301QH", ALC294_FIXUP_ASUS_DUAL_SPK),
+ SND_PCI_QUIRK(0x1043, 0x1663, "ASUS GU603ZI/ZJ/ZQ/ZU/ZV", ALC285_FIXUP_ASUS_HEADSET_MIC),
--- /dev/null
+From 1fbf85dbf02c96c318e056fb5b8fc614758fee3c Mon Sep 17 00:00:00 2001
+From: Sourav Nayak <nonameblank007@gmail.com>
+Date: Fri, 27 Mar 2026 19:58:05 +0530
+Subject: ALSA: hda/realtek: add quirk for HP Victus 15-fb0xxx
+
+From: Sourav Nayak <nonameblank007@gmail.com>
+
+commit 1fbf85dbf02c96c318e056fb5b8fc614758fee3c upstream.
+
+This adds a mute led quirck for HP Victus 15-fb0xxx (103c:8a3d) model
+
+- As it used 0x8(full bright)/0x7f(little dim) for mute led on and other
+ values as 0ff (0x0, 0x4, ...)
+
+- So, use ALC245_FIXUP_HP_MUTE_LED_V2_COEFBIT insted for safer approach
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Sourav Nayak <nonameblank007@gmail.com>
+Link: https://patch.msgid.link/20260327142805.17139-1-nonameblank007@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6832,6 +6832,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x103c, 0x8a30, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8a31, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8a34, "HP Pavilion x360 2-in-1 Laptop 14-ek0xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
++ SND_PCI_QUIRK(0x103c, 0x8a3d, "HP Victus 15-fb0xxx (MB 8A3D)", ALC245_FIXUP_HP_MUTE_LED_V2_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8a4f, "HP Victus 15-fa0xxx (MB 8A4F)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8a6e, "HP EDNA 360", ALC287_FIXUP_CS35L41_I2C_4),
+ SND_PCI_QUIRK(0x103c, 0x8a74, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
--- /dev/null
+From bc39a094730ce062fa034a529c93147c096cb488 Mon Sep 17 00:00:00 2001
+From: hkbinbin <hkbinbinbin@gmail.com>
+Date: Tue, 31 Mar 2026 05:39:16 +0000
+Subject: Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: hkbinbin <hkbinbinbin@gmail.com>
+
+commit bc39a094730ce062fa034a529c93147c096cb488 upstream.
+
+hci_le_big_create_sync() uses DEFINE_FLEX to allocate a
+struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17)
+BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31)
+entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller
+hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31,
+the memcpy that copies conn->bis into cp->bis writes up to 14 bytes
+past the stack buffer, corrupting adjacent stack memory.
+
+This is trivially reproducible: binding an ISO socket with
+bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will
+eventually trigger hci_le_big_create_sync() from the HCI command
+sync worker, causing a KASAN-detectable stack-out-of-bounds write:
+
+ BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0
+ Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71
+
+Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to
+HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that
+conn->bis can actually carry.
+
+Fixes: 42ecf1947135 ("Bluetooth: ISO: Do not emit LE BIG Create Sync if previous is pending")
+Cc: stable@vger.kernel.org
+Signed-off-by: hkbinbin <hkbinbinbin@gmail.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -7131,7 +7131,8 @@ static void create_big_complete(struct h
+
+ static int hci_le_big_create_sync(struct hci_dev *hdev, void *data)
+ {
+- DEFINE_FLEX(struct hci_cp_le_big_create_sync, cp, bis, num_bis, 0x11);
++ DEFINE_FLEX(struct hci_cp_le_big_create_sync, cp, bis, num_bis,
++ HCI_MAX_ISO_BIS);
+ struct hci_conn *conn = data;
+ struct bt_iso_qos *qos = &conn->iso_qos;
+ int err;
--- /dev/null
+From 20756fec2f0108cb88e815941f1ffff88dc286fe Mon Sep 17 00:00:00 2001
+From: Oleh Konko <security@1seal.org>
+Date: Tue, 31 Mar 2026 11:52:13 +0000
+Subject: Bluetooth: SMP: derive legacy responder STK authentication from MITM state
+
+From: Oleh Konko <security@1seal.org>
+
+commit 20756fec2f0108cb88e815941f1ffff88dc286fe upstream.
+
+The legacy responder path in smp_random() currently labels the stored
+STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.
+That reflects what the local service requested, not what the pairing
+flow actually achieved.
+
+For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear
+and the resulting STK should remain unauthenticated even if the local
+side requested HIGH security. Use the established MITM state when
+storing the responder STK so the key metadata matches the pairing result.
+
+This also keeps the legacy path aligned with the Secure Connections code,
+which already treats JUST_WORKS/JUST_CFM as unauthenticated.
+
+Fixes: fff3490f4781 ("Bluetooth: Fix setting correct authentication information for SMP STK")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleh Konko <security@1seal.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/smp.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -1018,10 +1018,7 @@ static u8 smp_random(struct smp_chan *sm
+
+ smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
+
+- if (hcon->pending_sec_level == BT_SECURITY_HIGH)
+- auth = 1;
+- else
+- auth = 0;
++ auth = test_bit(SMP_FLAG_MITM_AUTH, &smp->flags) ? 1 : 0;
+
+ /* Even though there's no _RESPONDER suffix this is the
+ * responder STK we're adding for later lookup (the initiator
--- /dev/null
+From d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 Mon Sep 17 00:00:00 2001
+From: Oleh Konko <security@1seal.org>
+Date: Tue, 31 Mar 2026 11:52:12 +0000
+Subject: Bluetooth: SMP: force responder MITM requirements before building the pairing response
+
+From: Oleh Konko <security@1seal.org>
+
+commit d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 upstream.
+
+smp_cmd_pairing_req() currently builds the pairing response from the
+initiator auth_req before enforcing the local BT_SECURITY_HIGH
+requirement. If the initiator omits SMP_AUTH_MITM, the response can
+also omit it even though the local side still requires MITM.
+
+tk_request() then sees an auth value without SMP_AUTH_MITM and may
+select JUST_CFM, making method selection inconsistent with the pairing
+policy the responder already enforces.
+
+When the local side requires HIGH security, first verify that MITM can
+be achieved from the IO capabilities and then force SMP_AUTH_MITM in the
+response in both rsp.auth_req and auth. This keeps the responder auth bits
+and later method selection aligned.
+
+Fixes: 2b64d153a0cc ("Bluetooth: Add MITM mechanism to LE-SMP")
+Cc: stable@vger.kernel.org
+Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Signed-off-by: Oleh Konko <security@1seal.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/smp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -1823,7 +1823,7 @@ static u8 smp_cmd_pairing_req(struct l2c
+ if (sec_level > conn->hcon->pending_sec_level)
+ conn->hcon->pending_sec_level = sec_level;
+
+- /* If we need MITM check that it can be achieved */
++ /* If we need MITM check that it can be achieved. */
+ if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
+ u8 method;
+
+@@ -1831,6 +1831,10 @@ static u8 smp_cmd_pairing_req(struct l2c
+ req->io_capability);
+ if (method == JUST_WORKS || method == JUST_CFM)
+ return SMP_AUTH_REQUIREMENTS;
++
++ /* Force MITM bit if it isn't set by the initiator. */
++ auth |= SMP_AUTH_MITM;
++ rsp.auth_req |= SMP_AUTH_MITM;
+ }
+
+ key_size = min(req->max_key_size, rsp.max_key_size);
--- /dev/null
+From e927b36ae18b66b49219eaa9f46edc7b4fdbb25e Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Date: Sat, 21 Mar 2026 17:25:14 +0530
+Subject: drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+commit e927b36ae18b66b49219eaa9f46edc7b4fdbb25e upstream.
+
+dcn401_init_hw() assumes that update_bw_bounding_box() is valid when
+entering the update path. However, the existing condition:
+
+ ((!fams2_enable && update_bw_bounding_box) || freq_changed)
+
+does not guarantee this, as the freq_changed branch can evaluate to true
+independently of the callback pointer.
+
+This can result in calling update_bw_bounding_box() when it is NULL.
+
+Fix this by separating the update condition from the pointer checks and
+ensuring the callback, dc->clk_mgr, and bw_params are validated before
+use.
+
+Fixes the below:
+../dc/hwss/dcn401/dcn401_hwseq.c:367 dcn401_init_hw() error: we previously assumed 'dc->res_pool->funcs->update_bw_bounding_box' could be null (see line 362)
+
+Fixes: ca0fb243c3bb ("drm/amd/display: Underflow Seen on DCN401 eGPU")
+Cc: Daniel Sa <Daniel.Sa@amd.com>
+Cc: Alvin Lee <alvin.lee2@amd.com>
+Cc: Roman Li <roman.li@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 17 +++++++++-----
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+@@ -143,6 +143,7 @@ void dcn401_init_hw(struct dc *dc)
+ int edp_num;
+ uint32_t backlight = MAX_BACKLIGHT_LEVEL;
+ uint32_t user_level = MAX_BACKLIGHT_LEVEL;
++ bool dchub_ref_freq_changed;
+ int current_dchub_ref_freq = 0;
+
+ if (dc->clk_mgr && dc->clk_mgr->funcs && dc->clk_mgr->funcs->init_clocks) {
+@@ -357,14 +358,18 @@ void dcn401_init_hw(struct dc *dc)
+ dc->caps.dmub_caps.psr = dc->ctx->dmub_srv->dmub->feature_caps.psr;
+ dc->caps.dmub_caps.mclk_sw = dc->ctx->dmub_srv->dmub->feature_caps.fw_assisted_mclk_switch_ver > 0;
+ dc->caps.dmub_caps.fams_ver = dc->ctx->dmub_srv->dmub->feature_caps.fw_assisted_mclk_switch_ver;
++
++ /* sw and fw FAMS versions must match for support */
+ dc->debug.fams2_config.bits.enable &=
+- dc->caps.dmub_caps.fams_ver == dc->debug.fams_version.ver; // sw & fw fams versions must match for support
+- if ((!dc->debug.fams2_config.bits.enable && dc->res_pool->funcs->update_bw_bounding_box)
+- || res_pool->ref_clocks.dchub_ref_clock_inKhz / 1000 != current_dchub_ref_freq) {
++ dc->caps.dmub_caps.fams_ver == dc->debug.fams_version.ver;
++ dchub_ref_freq_changed =
++ res_pool->ref_clocks.dchub_ref_clock_inKhz / 1000 != current_dchub_ref_freq;
++ if ((!dc->debug.fams2_config.bits.enable || dchub_ref_freq_changed) &&
++ dc->res_pool->funcs->update_bw_bounding_box &&
++ dc->clk_mgr && dc->clk_mgr->bw_params) {
+ /* update bounding box if FAMS2 disabled, or if dchub clk has changed */
+- if (dc->clk_mgr)
+- dc->res_pool->funcs->update_bw_bounding_box(dc,
+- dc->clk_mgr->bw_params);
++ dc->res_pool->funcs->update_bw_bounding_box(dc,
++ dc->clk_mgr->bw_params);
+ }
+ }
+ }
--- /dev/null
+From 4487571ef17a30d274600b3bd6965f497a881299 Mon Sep 17 00:00:00 2001
+From: Donet Tom <donettom@linux.ibm.com>
+Date: Thu, 26 Mar 2026 17:51:28 +0530
+Subject: drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Donet Tom <donettom@linux.ibm.com>
+
+commit 4487571ef17a30d274600b3bd6965f497a881299 upstream.
+
+Currently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while
+KFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with
+4K pages, both values match (8KB), so allocation and reserved space
+are consistent.
+
+However, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB,
+while the reserved trap area remains 8KB. This mismatch causes the
+kernel to crash when running rocminfo or rccl unit tests.
+
+Kernel attempted to read user page (2) - exploit attempt? (uid: 1001)
+BUG: Kernel NULL pointer dereference on read at 0x00000002
+Faulting instruction address: 0xc0000000002c8a64
+Oops: Kernel access of bad area, sig: 11 [#1]
+LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
+CPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E
+6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY
+Tainted: [E]=UNSIGNED_MODULE
+Hardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006
+of:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries
+NIP: c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730
+REGS: c0000001e0957580 TRAP: 0300 Tainted: G E
+MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24008268
+XER: 00000036
+CFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000
+IRQMASK: 1
+GPR00: c00000000125d908 c0000001e0957820 c0000000016e8100
+c00000013d814540
+GPR04: 0000000000000002 c00000013d814550 0000000000000045
+0000000000000000
+GPR08: c00000013444d000 c00000013d814538 c00000013d814538
+0000000084002268
+GPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff
+0000000000020000
+GPR16: 0000000000000000 0000000000000002 c00000015f653000
+0000000000000000
+GPR20: c000000138662400 c00000013d814540 0000000000000000
+c00000013d814500
+GPR24: 0000000000000000 0000000000000002 c0000001e0957888
+c0000001e0957878
+GPR28: c00000013d814548 0000000000000000 c00000013d814540
+c0000001e0957888
+NIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0
+LR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00
+Call Trace:
+0xc0000001e0957890 (unreliable)
+__mutex_lock.constprop.0+0x58/0xd00
+amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu]
+kfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu]
+kfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu]
+kfd_process_device_init_vm+0xd8/0x2e0 [amdgpu]
+kfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu]
+kfd_ioctl+0x514/0x670 [amdgpu]
+sys_ioctl+0x134/0x180
+system_call_exception+0x114/0x300
+system_call_vectored_common+0x15c/0x2ec
+
+This patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 KB and
+KFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve
+64 KB for the trap in the address space, but only allocate 8 KB within
+it. With this approach, the allocation size never exceeds the reserved
+area.
+
+Fixes: 34a1de0f7935 ("drm/amdkfd: Relocate TBA/TMA to opposite side of VM hole")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Suggested-by: Felix Kuehling <felix.kuehling@amd.com>
+Suggested-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Donet Tom <donettom@linux.ibm.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h
+@@ -172,7 +172,7 @@ struct amdgpu_bo_vm;
+ #define AMDGPU_VA_RESERVED_SEQ64_SIZE (2ULL << 20)
+ #define AMDGPU_VA_RESERVED_SEQ64_START(adev) (AMDGPU_VA_RESERVED_CSA_START(adev) \
+ - AMDGPU_VA_RESERVED_SEQ64_SIZE)
+-#define AMDGPU_VA_RESERVED_TRAP_SIZE (2ULL << 12)
++#define AMDGPU_VA_RESERVED_TRAP_SIZE (1ULL << 16)
+ #define AMDGPU_VA_RESERVED_TRAP_START(adev) (AMDGPU_VA_RESERVED_SEQ64_START(adev) \
+ - AMDGPU_VA_RESERVED_TRAP_SIZE)
+ #define AMDGPU_VA_RESERVED_BOTTOM (1ULL << 16)
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -102,8 +102,8 @@
+ * The first chunk is the TBA used for the CWSR ISA code. The second
+ * chunk is used as TMA for user-mode trap handler setup in daisy-chain mode.
+ */
+-#define KFD_CWSR_TBA_TMA_SIZE (PAGE_SIZE * 2)
+-#define KFD_CWSR_TMA_OFFSET (PAGE_SIZE + 2048)
++#define KFD_CWSR_TBA_TMA_SIZE (AMDGPU_GPU_PAGE_SIZE * 2)
++#define KFD_CWSR_TMA_OFFSET (AMDGPU_GPU_PAGE_SIZE + 2048)
+
+ #define KFD_MAX_NUM_OF_QUEUES_PER_DEVICE \
+ (KFD_MAX_NUM_OF_PROCESSES * \
--- /dev/null
+From 62f553d60a801384336f5867967c26ddf3b17038 Mon Sep 17 00:00:00 2001
+From: Prike Liang <Prike.Liang@amd.com>
+Date: Mon, 23 Mar 2026 16:07:02 +0800
+Subject: drm/amdgpu: fix the idr allocation flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Prike Liang <Prike.Liang@amd.com>
+
+commit 62f553d60a801384336f5867967c26ddf3b17038 upstream.
+
+Fix the IDR allocation flags by using atomic GFP
+flags in non‑sleepable contexts to avoid the __might_sleep()
+complaint.
+
+ 268.290239] [drm] Initialized amdgpu 3.64.0 for 0000:03:00.0 on minor 0
+[ 268.294900] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:323
+[ 268.295355] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1744, name: modprobe
+[ 268.295705] preempt_count: 1, expected: 0
+[ 268.295886] RCU nest depth: 0, expected: 0
+[ 268.296072] 2 locks held by modprobe/1744:
+[ 268.296077] #0: ffff8c3a44abd1b8 (&dev->mutex){....}-{4:4}, at: __driver_attach+0xe4/0x210
+[ 268.296100] #1: ffffffffc1a6ea78 (amdgpu_pasid_idr_lock){+.+.}-{3:3}, at: amdgpu_pasid_alloc+0x26/0xe0 [amdgpu]
+[ 268.296494] CPU: 12 UID: 0 PID: 1744 Comm: modprobe Tainted: G U OE 6.19.0-custom #16 PREEMPT(voluntary)
+[ 268.296498] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+[ 268.296499] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021
+[ 268.296501] Call Trace:
+
+Fixes: 8f1de51f49be ("drm/amdgpu: prevent immediate PASID reuse case")
+Tested-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Prike Liang <Prike.Liang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit ea56aa2625708eaf96f310032391ff37746310ef)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c
+@@ -68,8 +68,11 @@ int amdgpu_pasid_alloc(unsigned int bits
+ return -EINVAL;
+
+ spin_lock(&amdgpu_pasid_idr_lock);
++ /* TODO: Need to replace the idr with an xarry, and then
++ * handle the internal locking with ATOMIC safe paths.
++ */
+ pasid = idr_alloc_cyclic(&amdgpu_pasid_idr, NULL, 1,
+- 1U << bits, GFP_KERNEL);
++ 1U << bits, GFP_ATOMIC);
+ spin_unlock(&amdgpu_pasid_idr_lock);
+
+ if (pasid >= 0)
--- /dev/null
+From daf470b8882b6f7f53cbfe9ec2b93a1b21528cdc Mon Sep 17 00:00:00 2001
+From: Lijo Lazar <lijo.lazar@amd.com>
+Date: Fri, 27 Mar 2026 14:29:17 +0530
+Subject: drm/amdgpu: Fix wait after reset sequence in S4
+
+From: Lijo Lazar <lijo.lazar@amd.com>
+
+commit daf470b8882b6f7f53cbfe9ec2b93a1b21528cdc upstream.
+
+For a mode-1 reset done at the end of S4 on PSPv11 dGPUs, only check if
+TOS is unloaded.
+
+Fixes: 32f73741d6ee ("drm/amdgpu: Wait for bootloader after PSPv11 reset")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/4853
+Signed-off-by: Lijo Lazar <lijo.lazar@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 2fb4883b884a437d760bd7bdf7695a7e5a60bba3)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 8 ++++++--
+ drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 3 ++-
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -2683,8 +2683,12 @@ static int amdgpu_pmops_freeze(struct de
+ if (r)
+ return r;
+
+- if (amdgpu_acpi_should_gpu_reset(adev))
+- return amdgpu_asic_reset(adev);
++ if (amdgpu_acpi_should_gpu_reset(adev)) {
++ amdgpu_device_lock_reset_domain(adev->reset_domain);
++ r = amdgpu_asic_reset(adev);
++ amdgpu_device_unlock_reset_domain(adev->reset_domain);
++ return r;
++ }
+ return 0;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c
+@@ -170,7 +170,8 @@ static int psp_v11_0_wait_for_bootloader
+ int retry_loop;
+
+ /* For a reset done at the end of S3, only wait for TOS to be unloaded */
+- if (adev->in_s3 && !(adev->flags & AMD_IS_APU) && amdgpu_in_reset(adev))
++ if ((adev->in_s4 || adev->in_s3) && !(adev->flags & AMD_IS_APU) &&
++ amdgpu_in_reset(adev))
+ return psp_v11_wait_for_tos_unload(psp);
+
+ for (retry_loop = 0; retry_loop < 20; retry_loop++) {
--- /dev/null
+From a3ffaa5b397f4df9d6ac16b10583e9df8e6fa471 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 17 Mar 2026 16:34:41 -0400
+Subject: drm/amdgpu/pm: drop SMU driver if version not matched messages
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit a3ffaa5b397f4df9d6ac16b10583e9df8e6fa471 upstream.
+
+It just leads to user confusion.
+
+Cc: Yang Wang <kevinyang.wang@amd.com>
+Cc: Lijo Lazar <lijo.lazar@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit e471627d56272a791972f25e467348b611c31713)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 1 -
+ drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c | 1 -
+ drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0.c | 1 -
+ 3 files changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
+@@ -262,7 +262,6 @@ int smu_v11_0_check_fw_version(struct sm
+ "smu fw program = %d, version = 0x%08x (%d.%d.%d)\n",
+ smu->smc_driver_if_version, if_version,
+ smu_program, smu_version, smu_major, smu_minor, smu_debug);
+- dev_info(smu->adev->dev, "SMU driver if version not matched\n");
+ }
+
+ return ret;
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c
+@@ -101,7 +101,6 @@ int smu_v12_0_check_fw_version(struct sm
+ "smu fw program = %d, smu fw version = 0x%08x (%d.%d.%d)\n",
+ smu->smc_driver_if_version, if_version,
+ smu_program, smu_version, smu_major, smu_minor, smu_debug);
+- dev_info(smu->adev->dev, "SMU driver if version not matched\n");
+ }
+
+ return ret;
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0.c
+@@ -284,7 +284,6 @@ int smu_v14_0_check_fw_version(struct sm
+ "smu fw program = %d, smu fw version = 0x%08x (%d.%d.%d)\n",
+ smu->smc_driver_if_version, if_version,
+ smu_program, smu_version, smu_major, smu_minor, smu_debug);
+- dev_info(adev->dev, "SMU driver if version not matched\n");
+ }
+
+ return ret;
--- /dev/null
+From a018d1819f158991b7308e4f74609c6c029b670c Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Tue, 24 Mar 2026 17:39:02 +0800
+Subject: drm/amdgpu: validate doorbell_offset in user queue creation
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit a018d1819f158991b7308e4f74609c6c029b670c upstream.
+
+amdgpu_userq_get_doorbell_index() passes the user-provided
+doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds
+checking. An arbitrarily large doorbell_offset can cause the
+calculated doorbell index to fall outside the allocated doorbell BO,
+potentially corrupting kernel doorbell space.
+
+Validate that doorbell_offset falls within the doorbell BO before
+computing the BAR index, using u64 arithmetic to prevent overflow.
+
+Fixes: f09c1e6077ab ("drm/amdgpu: generate doorbell index for userqueue")
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
+@@ -358,6 +358,13 @@ amdgpu_userq_get_doorbell_index(struct a
+ goto unpin_bo;
+ }
+
++ /* Validate doorbell_offset is within the doorbell BO */
++ if ((u64)db_info->doorbell_offset * db_size + db_size >
++ amdgpu_bo_size(db_obj->obj)) {
++ r = -EINVAL;
++ goto unpin_bo;
++ }
++
+ index = amdgpu_doorbell_index_on_bar(uq_mgr->adev, db_obj->obj,
+ db_info->doorbell_offset, db_size);
+ drm_dbg_driver(adev_to_drm(uq_mgr->adev),
--- /dev/null
+From 2f42c1a6161646cbd29b443459fd635d29eda634 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Fri, 27 Mar 2026 14:32:53 +0100
+Subject: drm/ast: dp501: Fix initialization of SCU2C
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 2f42c1a6161646cbd29b443459fd635d29eda634 upstream.
+
+Ast's DP501 initialization reads the register SCU2C at offset 0x1202c
+and tries to set it to source data from VGA. But writes the update to
+offset 0x0, with unknown results. Write the result to SCU instead.
+
+The bug only happens in ast_init_analog(). There's similar code in
+ast_init_dvo(), which works correctly.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: 83c6620bae3f ("drm/ast: initial DP501 support (v0.2)")
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v3.16+
+Link: https://patch.msgid.link/20260327133532.79696-2-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ast/ast_dp501.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_dp501.c
++++ b/drivers/gpu/drm/ast/ast_dp501.c
+@@ -436,7 +436,7 @@ static void ast_init_analog(struct ast_d
+ /* Finally, clear bits [17:16] of SCU2c */
+ data = ast_read32(ast, 0x1202c);
+ data &= 0xfffcffff;
+- ast_write32(ast, 0, data);
++ ast_write32(ast, 0x1202c, data);
+
+ /* Disable DVO */
+ ast_set_index_reg_mask(ast, AST_IO_VGACRI, 0xa3, 0xcf, 0x00);
--- /dev/null
+From 9c9a57e4e337f94e23ddf69263fd0685c91155fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 25 Mar 2026 15:58:45 +0200
+Subject: drm/i915/dp: Use crtc_state->enhanced_framing properly on ivb/hsw CPU eDP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 9c9a57e4e337f94e23ddf69263fd0685c91155fb upstream.
+
+Looks like I missed the drm_dp_enhanced_frame_cap() in the ivb/hsw CPU
+eDP code when I introduced crtc_state->enhanced_framing. Fix it up so
+that the state we program to the hardware is guaranteed to match what
+we computed earlier.
+
+Cc: stable@vger.kernel.org
+Fixes: 3072a24c778a ("drm/i915: Introduce crtc_state->enhanced_framing")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patch.msgid.link/20260325135849.12603-3-ville.syrjala@linux.intel.com
+Reviewed-by: Michał Grzelak <michal.grzelak@intel.com>
+(cherry picked from commit 799fe8dc2af52f35c78c4ac97f8e34994dfd8760)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/g4x_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/display/g4x_dp.c
++++ b/drivers/gpu/drm/i915/display/g4x_dp.c
+@@ -137,7 +137,7 @@ static void intel_dp_prepare(struct inte
+ intel_dp->DP |= DP_SYNC_VS_HIGH;
+ intel_dp->DP |= DP_LINK_TRAIN_OFF_CPT;
+
+- if (drm_dp_enhanced_frame_cap(intel_dp->dpcd))
++ if (pipe_config->enhanced_framing)
+ intel_dp->DP |= DP_ENHANCED_FRAMING;
+
+ intel_dp->DP |= DP_PIPE_SEL_IVB(crtc->pipe);
--- /dev/null
+From 4dfce79e098915d8e5fc2b9e1d980bc3251dd32c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 26 Mar 2026 13:18:10 +0200
+Subject: drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 4dfce79e098915d8e5fc2b9e1d980bc3251dd32c upstream.
+
+Stop adjusting the horizontal timing values based on the
+compression ratio in command mode. Bspec seems to be telling
+us to do this only in video mode, and this is also how the
+Windows driver does things.
+
+This should also fix a div-by-zero on some machines because
+the adjusted htotal ends up being so small that we end up with
+line_time_us==0 when trying to determine the vtotal value in
+command mode.
+
+Note that this doesn't actually make the display on the
+Huawei Matebook E work, but at least the kernel no longer
+explodes when the driver loads.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12045
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patch.msgid.link/20260326111814.9800-2-ville.syrjala@linux.intel.com
+Fixes: 53693f02d80e ("drm/i915/dsi: account for DSC in horizontal timings")
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 0b475e91ecc2313207196c6d7fd5c53e1a878525)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/icl_dsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/icl_dsi.c
++++ b/drivers/gpu/drm/i915/display/icl_dsi.c
+@@ -890,7 +890,7 @@ gen11_dsi_set_transcoder_timings(struct
+ * non-compressed link speeds, and simplifies down to the ratio between
+ * compressed and non-compressed bpp.
+ */
+- if (crtc_state->dsc.compression_enable) {
++ if (is_vid_mode(intel_dsi) && crtc_state->dsc.compression_enable) {
+ mul = fxp_q4_to_int(crtc_state->dsc.compressed_bpp_x16);
+ div = mipi_dsi_pixel_format_to_bpp(intel_dsi->pixel_format);
+ }
+@@ -1506,7 +1506,7 @@ static void gen11_dsi_get_timings(struct
+ struct drm_display_mode *adjusted_mode =
+ &pipe_config->hw.adjusted_mode;
+
+- if (pipe_config->dsc.compressed_bpp_x16) {
++ if (is_vid_mode(intel_dsi) && pipe_config->dsc.compressed_bpp_x16) {
+ int div = fxp_q4_to_int(pipe_config->dsc.compressed_bpp_x16);
+ int mul = mipi_dsi_pixel_format_to_bpp(intel_dsi->pixel_format);
+
--- /dev/null
+From d1857f8296dceb75d00ab857fc3c61bc00c7f5c6 Mon Sep 17 00:00:00 2001
+From: Adam Crosser <adam.crosser@praetorian.com>
+Date: Tue, 17 Mar 2026 19:25:28 +0700
+Subject: gpib: fix use-after-free in IO ioctl handlers
+
+From: Adam Crosser <adam.crosser@praetorian.com>
+
+commit d1857f8296dceb75d00ab857fc3c61bc00c7f5c6 upstream.
+
+The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor
+pointer after board->big_gpib_mutex has been released. A concurrent
+IBCLOSEDEV ioctl can free the descriptor via close_dev_ioctl() during
+this window, causing a use-after-free.
+
+The IO handlers (read_ioctl, write_ioctl, command_ioctl) explicitly
+release big_gpib_mutex before calling their handler. wait_ioctl() is
+called with big_gpib_mutex held, but ibwait() releases it internally
+when wait_mask is non-zero. In all four cases, the descriptor pointer
+obtained from handle_to_descriptor() becomes unprotected.
+
+Fix this by introducing a kernel-only descriptor_busy reference count
+in struct gpib_descriptor. Each handler atomically increments
+descriptor_busy under file_priv->descriptors_mutex before releasing the
+lock, and decrements it when done. close_dev_ioctl() checks
+descriptor_busy under the same lock and rejects the close with -EBUSY
+if the count is non-zero.
+
+A reference count rather than a simple flag is necessary because
+multiple handlers can operate on the same descriptor concurrently
+(e.g. IBRD and IBWAIT on the same handle from different threads).
+
+A separate counter is needed because io_in_progress can be cleared from
+unprivileged userspace via the IBWAIT ioctl (through general_ibstatus()
+with set_mask containing CMPL), which would allow an attacker to bypass
+a check based solely on io_in_progress. The new descriptor_busy
+counter is only modified by the kernel IO paths.
+
+The lock ordering is consistent (big_gpib_mutex -> descriptors_mutex)
+and the handlers only hold descriptors_mutex briefly during the lookup,
+so there is no deadlock risk and no impact on IO throughput.
+
+Signed-off-by: Adam Crosser <adam.crosser@praetorian.com>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Dave Penkler <dpenkler@gmail.com>
+Tested-by: Dave Penkler <dpenkler@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/gpib/common/gpib_os.c | 96 ++++++++++++++++++++++--------
+ drivers/staging/gpib/include/gpib_types.h | 8 ++
+ 2 files changed, 81 insertions(+), 23 deletions(-)
+
+--- a/drivers/staging/gpib/common/gpib_os.c
++++ b/drivers/staging/gpib/common/gpib_os.c
+@@ -888,10 +888,6 @@ static int read_ioctl(struct gpib_file_p
+ if (read_cmd.completed_transfer_count > read_cmd.requested_transfer_count)
+ return -EINVAL;
+
+- desc = handle_to_descriptor(file_priv, read_cmd.handle);
+- if (!desc)
+- return -EINVAL;
+-
+ if (WARN_ON_ONCE(sizeof(userbuf) > sizeof(read_cmd.buffer_ptr)))
+ return -EFAULT;
+
+@@ -904,6 +900,17 @@ static int read_ioctl(struct gpib_file_p
+ if (!access_ok(userbuf, remain))
+ return -EFAULT;
+
++ /* Lock descriptors to prevent concurrent close from freeing descriptor */
++ if (mutex_lock_interruptible(&file_priv->descriptors_mutex))
++ return -ERESTARTSYS;
++ desc = handle_to_descriptor(file_priv, read_cmd.handle);
++ if (!desc) {
++ mutex_unlock(&file_priv->descriptors_mutex);
++ return -EINVAL;
++ }
++ atomic_inc(&desc->descriptor_busy);
++ mutex_unlock(&file_priv->descriptors_mutex);
++
+ atomic_set(&desc->io_in_progress, 1);
+
+ /* Read buffer loads till we fill the user supplied buffer */
+@@ -937,6 +944,7 @@ static int read_ioctl(struct gpib_file_p
+ retval = copy_to_user((void __user *)arg, &read_cmd, sizeof(read_cmd));
+
+ atomic_set(&desc->io_in_progress, 0);
++ atomic_dec(&desc->descriptor_busy);
+
+ wake_up_interruptible(&board->wait);
+ if (retval)
+@@ -964,10 +972,6 @@ static int command_ioctl(struct gpib_fil
+ if (cmd.completed_transfer_count > cmd.requested_transfer_count)
+ return -EINVAL;
+
+- desc = handle_to_descriptor(file_priv, cmd.handle);
+- if (!desc)
+- return -EINVAL;
+-
+ userbuf = (u8 __user *)(unsigned long)cmd.buffer_ptr;
+ userbuf += cmd.completed_transfer_count;
+
+@@ -980,6 +984,17 @@ static int command_ioctl(struct gpib_fil
+ if (!access_ok(userbuf, remain))
+ return -EFAULT;
+
++ /* Lock descriptors to prevent concurrent close from freeing descriptor */
++ if (mutex_lock_interruptible(&file_priv->descriptors_mutex))
++ return -ERESTARTSYS;
++ desc = handle_to_descriptor(file_priv, cmd.handle);
++ if (!desc) {
++ mutex_unlock(&file_priv->descriptors_mutex);
++ return -EINVAL;
++ }
++ atomic_inc(&desc->descriptor_busy);
++ mutex_unlock(&file_priv->descriptors_mutex);
++
+ /*
+ * Write buffer loads till we empty the user supplied buffer.
+ * Call drivers at least once, even if remain is zero, in
+@@ -1003,6 +1018,7 @@ static int command_ioctl(struct gpib_fil
+ userbuf += bytes_written;
+ if (retval < 0) {
+ atomic_set(&desc->io_in_progress, 0);
++ atomic_dec(&desc->descriptor_busy);
+
+ wake_up_interruptible(&board->wait);
+ break;
+@@ -1022,6 +1038,7 @@ static int command_ioctl(struct gpib_fil
+ */
+ if (!no_clear_io_in_prog || fault)
+ atomic_set(&desc->io_in_progress, 0);
++ atomic_dec(&desc->descriptor_busy);
+
+ wake_up_interruptible(&board->wait);
+ if (fault)
+@@ -1047,10 +1064,6 @@ static int write_ioctl(struct gpib_file_
+ if (write_cmd.completed_transfer_count > write_cmd.requested_transfer_count)
+ return -EINVAL;
+
+- desc = handle_to_descriptor(file_priv, write_cmd.handle);
+- if (!desc)
+- return -EINVAL;
+-
+ userbuf = (u8 __user *)(unsigned long)write_cmd.buffer_ptr;
+ userbuf += write_cmd.completed_transfer_count;
+
+@@ -1060,6 +1073,17 @@ static int write_ioctl(struct gpib_file_
+ if (!access_ok(userbuf, remain))
+ return -EFAULT;
+
++ /* Lock descriptors to prevent concurrent close from freeing descriptor */
++ if (mutex_lock_interruptible(&file_priv->descriptors_mutex))
++ return -ERESTARTSYS;
++ desc = handle_to_descriptor(file_priv, write_cmd.handle);
++ if (!desc) {
++ mutex_unlock(&file_priv->descriptors_mutex);
++ return -EINVAL;
++ }
++ atomic_inc(&desc->descriptor_busy);
++ mutex_unlock(&file_priv->descriptors_mutex);
++
+ atomic_set(&desc->io_in_progress, 1);
+
+ /* Write buffer loads till we empty the user supplied buffer */
+@@ -1094,6 +1118,7 @@ static int write_ioctl(struct gpib_file_
+ fault = copy_to_user((void __user *)arg, &write_cmd, sizeof(write_cmd));
+
+ atomic_set(&desc->io_in_progress, 0);
++ atomic_dec(&desc->descriptor_busy);
+
+ wake_up_interruptible(&board->wait);
+ if (fault)
+@@ -1276,6 +1301,9 @@ static int close_dev_ioctl(struct file *
+ {
+ struct gpib_close_dev_ioctl cmd;
+ struct gpib_file_private *file_priv = filep->private_data;
++ struct gpib_descriptor *desc;
++ unsigned int pad;
++ int sad;
+ int retval;
+
+ retval = copy_from_user(&cmd, (void __user *)arg, sizeof(cmd));
+@@ -1284,19 +1312,27 @@ static int close_dev_ioctl(struct file *
+
+ if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
+ return -EINVAL;
+- if (!file_priv->descriptors[cmd.handle])
+- return -EINVAL;
+-
+- retval = decrement_open_device_count(board, &board->device_list,
+- file_priv->descriptors[cmd.handle]->pad,
+- file_priv->descriptors[cmd.handle]->sad);
+- if (retval < 0)
+- return retval;
+
+- kfree(file_priv->descriptors[cmd.handle]);
++ mutex_lock(&file_priv->descriptors_mutex);
++ desc = file_priv->descriptors[cmd.handle];
++ if (!desc) {
++ mutex_unlock(&file_priv->descriptors_mutex);
++ return -EINVAL;
++ }
++ if (atomic_read(&desc->descriptor_busy)) {
++ mutex_unlock(&file_priv->descriptors_mutex);
++ return -EBUSY;
++ }
++ /* Remove from table while holding lock to prevent new IO from starting */
+ file_priv->descriptors[cmd.handle] = NULL;
++ pad = desc->pad;
++ sad = desc->sad;
++ mutex_unlock(&file_priv->descriptors_mutex);
+
+- return 0;
++ retval = decrement_open_device_count(board, &board->device_list, pad, sad);
++
++ kfree(desc);
++ return retval;
+ }
+
+ static int serial_poll_ioctl(struct gpib_board *board, unsigned long arg)
+@@ -1331,12 +1367,25 @@ static int wait_ioctl(struct gpib_file_p
+ if (retval)
+ return -EFAULT;
+
++ /*
++ * Lock descriptors to prevent concurrent close from freeing
++ * descriptor. ibwait() releases big_gpib_mutex when wait_mask
++ * is non-zero, so desc must be pinned with descriptor_busy.
++ */
++ mutex_lock(&file_priv->descriptors_mutex);
+ desc = handle_to_descriptor(file_priv, wait_cmd.handle);
+- if (!desc)
++ if (!desc) {
++ mutex_unlock(&file_priv->descriptors_mutex);
+ return -EINVAL;
++ }
++ atomic_inc(&desc->descriptor_busy);
++ mutex_unlock(&file_priv->descriptors_mutex);
+
+ retval = ibwait(board, wait_cmd.wait_mask, wait_cmd.clear_mask,
+ wait_cmd.set_mask, &wait_cmd.ibsta, wait_cmd.usec_timeout, desc);
++
++ atomic_dec(&desc->descriptor_busy);
++
+ if (retval < 0)
+ return retval;
+
+@@ -2035,6 +2084,7 @@ void init_gpib_descriptor(struct gpib_de
+ desc->is_board = 0;
+ desc->autopoll_enabled = 0;
+ atomic_set(&desc->io_in_progress, 0);
++ atomic_set(&desc->descriptor_busy, 0);
+ }
+
+ int gpib_register_driver(struct gpib_interface *interface, struct module *provider_module)
+--- a/drivers/staging/gpib/include/gpib_types.h
++++ b/drivers/staging/gpib/include/gpib_types.h
+@@ -364,6 +364,14 @@ struct gpib_descriptor {
+ unsigned int pad; /* primary gpib address */
+ int sad; /* secondary gpib address (negative means disabled) */
+ atomic_t io_in_progress;
++ /*
++ * Kernel-only reference count to prevent descriptor from being
++ * freed while IO handlers hold a pointer to it. Incremented
++ * before each IO operation, decremented when done. Unlike
++ * io_in_progress, this cannot be modified from userspace via
++ * general_ibstatus().
++ */
++ atomic_t descriptor_busy;
+ unsigned is_board : 1;
+ unsigned autopoll_enabled : 1;
+ };
--- /dev/null
+From 39e2a5bf970402a8530a319cf06122e216ba57b8 Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Thu, 26 Mar 2026 22:45:23 +0000
+Subject: hwmon: (occ) Fix division by zero in occ_show_power_1()
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit 39e2a5bf970402a8530a319cf06122e216ba57b8 upstream.
+
+In occ_show_power_1() case 1, the accumulator is divided by
+update_tag without checking for zero. If no samples have been
+collected yet (e.g. during early boot when the sensor block is
+included but hasn't been updated), update_tag is zero, causing
+a kernel divide-by-zero crash.
+
+The 2019 fix in commit 211186cae14d ("hwmon: (occ) Fix division by
+zero issue") only addressed occ_get_powr_avg() used by
+occ_show_power_2() and occ_show_power_a0(). This separate code
+path in occ_show_power_1() was missed.
+
+Fix this by reusing the existing occ_get_powr_avg() helper, which
+already handles the zero-sample case and uses mul_u64_u32_div()
+to multiply before dividing for better precision. Move the helper
+above occ_show_power_1() so it is visible at the call site.
+
+Fixes: c10e753d43eb ("hwmon (occ): Add sensor types and versions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260326224510.294619-2-sanman.pradhan@hpe.com
+[groeck: Fix alignment problems reported by checkpatch]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/occ/common.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/drivers/hwmon/occ/common.c
++++ b/drivers/hwmon/occ/common.c
+@@ -420,6 +420,12 @@ static ssize_t occ_show_freq_2(struct de
+ return sysfs_emit(buf, "%u\n", val);
+ }
+
++static u64 occ_get_powr_avg(u64 accum, u32 samples)
++{
++ return (samples == 0) ? 0 :
++ mul_u64_u32_div(accum, 1000000UL, samples);
++}
++
+ static ssize_t occ_show_power_1(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+@@ -441,9 +447,8 @@ static ssize_t occ_show_power_1(struct d
+ val = get_unaligned_be16(&power->sensor_id);
+ break;
+ case 1:
+- val = get_unaligned_be32(&power->accumulator) /
+- get_unaligned_be32(&power->update_tag);
+- val *= 1000000ULL;
++ val = occ_get_powr_avg(get_unaligned_be32(&power->accumulator),
++ get_unaligned_be32(&power->update_tag));
+ break;
+ case 2:
+ val = (u64)get_unaligned_be32(&power->update_tag) *
+@@ -459,12 +464,6 @@ static ssize_t occ_show_power_1(struct d
+ return sysfs_emit(buf, "%llu\n", val);
+ }
+
+-static u64 occ_get_powr_avg(u64 accum, u32 samples)
+-{
+- return (samples == 0) ? 0 :
+- mul_u64_u32_div(accum, 1000000UL, samples);
+-}
+-
+ static ssize_t occ_show_power_2(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
--- /dev/null
+From 24869650dff34a6fc8fd1cc91b2058a72f9abc95 Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Sat, 14 Mar 2026 18:13:31 -0500
+Subject: iio: adc: ti-adc161s626: fix buffer read on big-endian
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 24869650dff34a6fc8fd1cc91b2058a72f9abc95 upstream.
+
+Rework ti_adc_trigger_handler() to properly handle data on big-endian
+architectures. The scan data format is 16-bit CPU-endian, so we can't
+cast it to a int * on big-endian and expect it to work. Instead, we
+introduce a local int variable to read the data into, and then copy it
+to the buffer.
+
+Since the buffer isn't passed to any SPI functions, we don't need it to
+be DMA-safe. So we can drop it from the driver data struct and just
+use stack memory for the scan data.
+
+Since there is only one data value (plus timestamp), we don't need an
+array and can just declare a struct with the correct data type instead.
+
+Also fix alignment of iio_get_time_ns() to ( while we are touching this.
+
+Fixes: 4d671b71beef ("iio: adc: ti-adc161s626: add support for TI 1-channel differential ADCs")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-adc161s626.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/iio/adc/ti-adc161s626.c
++++ b/drivers/iio/adc/ti-adc161s626.c
+@@ -70,8 +70,6 @@ struct ti_adc_data {
+
+ u8 read_size;
+ u8 shift;
+-
+- u8 buffer[16] __aligned(IIO_DMA_MINALIGN);
+ };
+
+ static int ti_adc_read_measurement(struct ti_adc_data *data,
+@@ -114,15 +112,20 @@ static irqreturn_t ti_adc_trigger_handle
+ struct iio_poll_func *pf = private;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct ti_adc_data *data = iio_priv(indio_dev);
+- int ret;
++ struct {
++ s16 data;
++ aligned_s64 timestamp;
++ } scan = { };
++ int ret, val;
++
++ ret = ti_adc_read_measurement(data, &indio_dev->channels[0], &val);
++ if (ret)
++ goto exit_notify_done;
+
+- ret = ti_adc_read_measurement(data, &indio_dev->channels[0],
+- (int *) &data->buffer);
+- if (!ret)
+- iio_push_to_buffers_with_timestamp(indio_dev,
+- data->buffer,
+- iio_get_time_ns(indio_dev));
++ scan.data = val;
++ iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev));
+
++ exit_notify_done:
+ iio_trigger_notify_done(indio_dev->trig);
+
+ return IRQ_HANDLED;
--- /dev/null
+From 768461517a28d80fe81ea4d5d03a90cd184ea6ad Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Sat, 14 Mar 2026 18:13:32 -0500
+Subject: iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 768461517a28d80fe81ea4d5d03a90cd184ea6ad upstream.
+
+Add a DMA-safe buffer and use it for spi_read() instead of a stack
+memory. All SPI buffers must be DMA-safe.
+
+Since we only need up to 3 bytes, we just use a u8[] instead of __be16
+and __be32 and change the conversion functions appropriately.
+
+Fixes: 4d671b71beef ("iio: adc: ti-adc161s626: add support for TI 1-channel differential ADCs")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-adc161s626.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/drivers/iio/adc/ti-adc161s626.c
++++ b/drivers/iio/adc/ti-adc161s626.c
+@@ -15,6 +15,7 @@
+ #include <linux/init.h>
+ #include <linux/err.h>
+ #include <linux/spi/spi.h>
++#include <linux/unaligned.h>
+ #include <linux/iio/iio.h>
+ #include <linux/iio/trigger.h>
+ #include <linux/iio/buffer.h>
+@@ -70,6 +71,7 @@ struct ti_adc_data {
+
+ u8 read_size;
+ u8 shift;
++ u8 buf[3] __aligned(IIO_DMA_MINALIGN);
+ };
+
+ static int ti_adc_read_measurement(struct ti_adc_data *data,
+@@ -78,26 +80,20 @@ static int ti_adc_read_measurement(struc
+ int ret;
+
+ switch (data->read_size) {
+- case 2: {
+- __be16 buf;
+-
+- ret = spi_read(data->spi, (void *) &buf, 2);
++ case 2:
++ ret = spi_read(data->spi, data->buf, 2);
+ if (ret)
+ return ret;
+
+- *val = be16_to_cpu(buf);
++ *val = get_unaligned_be16(data->buf);
+ break;
+- }
+- case 3: {
+- __be32 buf;
+-
+- ret = spi_read(data->spi, (void *) &buf, 3);
++ case 3:
++ ret = spi_read(data->spi, data->buf, 3);
+ if (ret)
+ return ret;
+
+- *val = be32_to_cpu(buf) >> 8;
++ *val = get_unaligned_be24(data->buf);
+ break;
+- }
+ default:
+ return -EINVAL;
+ }
--- /dev/null
+From 48a5c36577ebe0144f8ede70e59b59ea18b75089 Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Sat, 28 Feb 2026 01:48:19 +0800
+Subject: iio: adc: ti-ads1119: Fix unbalanced pm reference count in ds1119_single_conversion()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 48a5c36577ebe0144f8ede70e59b59ea18b75089 upstream.
+
+In ads1119_single_conversion(), if pm_runtime_resume_and_get() fails,
+the code jumps to the pdown label, which calls
+pm_runtime_put_autosuspend().
+
+Since pm_runtime_resume_and_get() automatically decrements the usage
+counter on failure, the subsequent call to pm_runtime_put_autosuspend()
+causes an unbalanced reference counter.
+
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: João Paulo Gonçalves <jpaulo.silvagoncalves@gmail.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1119.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -274,7 +274,7 @@ static int ads1119_single_conversion(str
+
+ ret = pm_runtime_resume_and_get(dev);
+ if (ret)
+- goto pdown;
++ return ret;
+
+ ret = ads1119_configure_channel(st, mux, gain, datarate);
+ if (ret)
--- /dev/null
+From 2f168094177f8553a36046afce139001801ca917 Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Tue, 3 Mar 2026 21:47:33 +0800
+Subject: iio: adc: ti-ads1119: Reinit completion before wait_for_completion_timeout()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 2f168094177f8553a36046afce139001801ca917 upstream.
+
+The completion is not reinit before wait_for_completion_timeout(),
+so wait_for_completion_timeout() will return immediately after
+the first successful completion.
+
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1119.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -280,6 +280,9 @@ static int ads1119_single_conversion(str
+ if (ret)
+ goto pdown;
+
++ if (st->client->irq)
++ reinit_completion(&st->completion);
++
+ ret = i2c_smbus_write_byte(st->client, ADS1119_CMD_START_SYNC);
+ if (ret)
+ goto pdown;
--- /dev/null
+From 36f6d4db3c5cb0f58fb02b1f54f9e86522d2f918 Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Tue, 3 Mar 2026 00:00:04 +0800
+Subject: iio: adc: ti-ads1119: Replace IRQF_ONESHOT with IRQF_NO_THREAD
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 36f6d4db3c5cb0f58fb02b1f54f9e86522d2f918 upstream.
+
+As there is no threaded handler, replace devm_request_threaded_irq()
+with devm_request_irq(), and as the handler calls iio_trigger_poll()
+which may not be called from a threaded handler replace IRQF_ONESHOT
+with IRQF_NO_THREAD.
+
+Since commit aef30c8d569c ("genirq: Warn about using IRQF_ONESHOT
+without a threaded handler"), the IRQ core checks IRQF_ONESHOT flag
+in IRQ request and gives a warning if there is no threaded handler.
+
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1119.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -738,10 +738,8 @@ static int ads1119_probe(struct i2c_clie
+ return dev_err_probe(dev, ret, "Failed to setup IIO buffer\n");
+
+ if (client->irq > 0) {
+- ret = devm_request_threaded_irq(dev, client->irq,
+- ads1119_irq_handler,
+- NULL, IRQF_ONESHOT,
+- "ads1119", indio_dev);
++ ret = devm_request_irq(dev, client->irq, ads1119_irq_handler,
++ IRQF_NO_THREAD, "ads1119", indio_dev);
+ if (ret)
+ return dev_err_probe(dev, ret,
+ "Failed to allocate irq\n");
--- /dev/null
+From 56bd57e7b161f75535df91b229b0b2c64c6e5581 Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Sat, 28 Feb 2026 14:02:22 -0600
+Subject: iio: add IIO_DECLARE_QUATERNION() macro
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 56bd57e7b161f75535df91b229b0b2c64c6e5581 upstream.
+
+Add a new IIO_DECLARE_QUATERNION() macro that is used to declare the
+field in an IIO buffer struct that contains a quaternion vector.
+
+Quaternions are currently the only IIO data type that uses the .repeat
+feature of struct iio_scan_type. This has an implicit rule that the
+element in the buffer must be aligned to the entire size of the repeated
+element. This macro will make that requirement explicit. Since this is
+the only user, we just call the macro IIO_DECLARE_QUATERNION() instead
+of something more generic.
+
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/iio/iio.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/include/linux/iio/iio.h
++++ b/include/linux/iio/iio.h
+@@ -816,6 +816,18 @@ static inline void *iio_device_get_drvda
+ #define IIO_DECLARE_DMA_BUFFER_WITH_TS(type, name, count) \
+ __IIO_DECLARE_BUFFER_WITH_TS(type, name, count) __aligned(IIO_DMA_MINALIGN)
+
++/**
++ * IIO_DECLARE_QUATERNION() - Declare a quaternion element
++ * @type: element type of the individual vectors
++ * @name: identifier name
++ *
++ * Quaternions are a vector composed of 4 elements (W, X, Y, Z). Use this macro
++ * to declare a quaternion element in a struct to ensure proper alignment in
++ * an IIO buffer.
++ */
++#define IIO_DECLARE_QUATERNION(type, name) \
++ type name[4] __aligned(sizeof(type) * 4)
++
+ struct iio_dev *iio_device_alloc(struct device *parent, int sizeof_priv);
+
+ /* The information at the returned address is guaranteed to be cacheline aligned */
--- /dev/null
+From 79a86a6cc3669416a21fef32d0767d39ba84b3aa Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Sat, 7 Mar 2026 19:44:09 -0600
+Subject: iio: orientation: hid-sensor-rotation: add timestamp hack to not break userspace
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 79a86a6cc3669416a21fef32d0767d39ba84b3aa upstream.
+
+Add a hack to push two timestamps in the hid-sensor-rotation scan data
+to avoid breaking userspace applications that depend on the timestamp
+being at the incorrect location in the scan data due to unintentional
+misalignment in older kernels.
+
+When this driver was written, the timestamp was in the correct location
+because of the way iio_compute_scan_bytes() was implemented at the time.
+(Samples were 24 bytes each.) Then commit 883f61653069 ("iio: buffer:
+align the size of scan bytes to size of the largest element") changed
+the computed scan_bytes to be a different size (32 bytes), which caused
+iio_push_to_buffers_with_timestamp() to place the timestamp at an
+incorrect offset.
+
+There have been long periods of time (6 years each) where the timestamp
+was in either location, so to not break either case, we open-code the
+timestamps to be pushed to both locations in the scan data.
+
+Reported-by: Jonathan Cameron <jic23@kernel.org>
+Closes: https://lore.kernel.org/linux-iio/20260215162351.79f40b32@jic23-huawei/
+Fixes: 883f61653069 ("iio: buffer: align the size of scan bytes to size of the largest element")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/orientation/hid-sensor-rotation.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/orientation/hid-sensor-rotation.c
++++ b/drivers/iio/orientation/hid-sensor-rotation.c
+@@ -20,7 +20,12 @@ struct dev_rot_state {
+ struct hid_sensor_hub_attribute_info quaternion;
+ struct {
+ IIO_DECLARE_QUATERNION(s32, sampled_vals);
+- aligned_s64 timestamp;
++ /*
++ * ABI regression avoidance: There are two copies of the same
++ * timestamp in case of userspace depending on broken alignment
++ * from older kernels.
++ */
++ aligned_s64 timestamp[2];
+ } scan;
+ int scale_pre_decml;
+ int scale_post_decml;
+@@ -154,8 +159,19 @@ static int dev_rot_proc_event(struct hid
+ if (!rot_state->timestamp)
+ rot_state->timestamp = iio_get_time_ns(indio_dev);
+
+- iio_push_to_buffers_with_timestamp(indio_dev, &rot_state->scan,
+- rot_state->timestamp);
++ /*
++ * ABI regression avoidance: IIO previously had an incorrect
++ * implementation of iio_push_to_buffers_with_timestamp() that
++ * put the timestamp in the last 8 bytes of the buffer, which
++ * was incorrect according to the IIO ABI. To avoid breaking
++ * userspace that may be depending on this broken behavior, we
++ * put the timestamp in both the correct place [0] and the old
++ * incorrect place [1].
++ */
++ rot_state->scan.timestamp[0] = rot_state->timestamp;
++ rot_state->scan.timestamp[1] = rot_state->timestamp;
++
++ iio_push_to_buffers(indio_dev, &rot_state->scan);
+
+ rot_state->timestamp = 0;
+ }
--- /dev/null
+From 50d4cc74b8a720a9682a9c94f7e62a5de6b2ed3a Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Sat, 28 Feb 2026 14:02:23 -0600
+Subject: iio: orientation: hid-sensor-rotation: fix quaternion alignment
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 50d4cc74b8a720a9682a9c94f7e62a5de6b2ed3a upstream.
+
+Restore the alignment of sampled_vals to 16 bytes by using
+IIO_DECLARE_QUATERNION(). This field contains a quaternion value which
+has scan_type.repeat = 4 and storagebits = 32. So the alignment must
+be 16 bytes to match the assumptions of iio_storage_bytes_for_si() and
+also to not break userspace.
+
+Reported-by: Lixu Zhang <lixu.zhang@intel.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221077
+Fixes: b31a74075cb4 ("iio: orientation: hid-sensor-rotation: remove unnecessary alignment")
+Tested-by: Lixu Zhang <lixu.zhang@intel.com>
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/orientation/hid-sensor-rotation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/orientation/hid-sensor-rotation.c
++++ b/drivers/iio/orientation/hid-sensor-rotation.c
+@@ -19,7 +19,7 @@ struct dev_rot_state {
+ struct hid_sensor_common common_attributes;
+ struct hid_sensor_hub_attribute_info quaternion;
+ struct {
+- s32 sampled_vals[4];
++ IIO_DECLARE_QUATERNION(s32, sampled_vals);
+ aligned_s64 timestamp;
+ } scan;
+ int scale_pre_decml;
--- /dev/null
+From b948f9d5d3057b01188e36664e7c7604d1c8ecb5 Mon Sep 17 00:00:00 2001
+From: Junxi Qian <qjx1298677004@gmail.com>
+Date: Sun, 29 Mar 2026 23:39:09 +0800
+Subject: io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()
+
+From: Junxi Qian <qjx1298677004@gmail.com>
+
+commit b948f9d5d3057b01188e36664e7c7604d1c8ecb5 upstream.
+
+sqe->len is __u32 but gets stored into sr->len which is int. When
+userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF),
+sr->len overflows to a negative value. This negative value propagates
+through the bundle recv/send path:
+
+ 1. io_recv(): sel.val = sr->len (ssize_t gets -1)
+ 2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets
+ 0xFFFFFFFFFFFFFFFF)
+ 3. io_ring_buffers_peek(): buf->len is not clamped because max_len
+ is astronomically large
+ 4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()
+ 5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1,
+ causing ret to increase instead of decrease, creating an
+ infinite loop that reads past the allocated iov[] array
+
+This results in a slab-out-of-bounds read in io_bundle_nbufs() from
+the kmalloc-64 slab, as nbufs increments past the allocated iovec
+entries.
+
+ BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160
+ Read of size 8 at addr ffff888100ae05c8 by task exp/145
+ Call Trace:
+ io_bundle_nbufs+0x128/0x160
+ io_recv_finish+0x117/0xe20
+ io_recv+0x2db/0x1160
+
+Fix this by rejecting negative sr->len values early in both
+io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32,
+any value > INT_MAX indicates overflow and is not a valid length.
+
+Fixes: a05d1f625c7a ("io_uring/net: support bundles for send")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junxi Qian <qjx1298677004@gmail.com>
+Link: https://patch.msgid.link/20260329153909.279046-1-qjx1298677004@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -422,6 +422,8 @@ int io_sendmsg_prep(struct io_kiocb *req
+
+ sr->done_io = 0;
+ sr->len = READ_ONCE(sqe->len);
++ if (unlikely(sr->len < 0))
++ return -EINVAL;
+ sr->flags = READ_ONCE(sqe->ioprio);
+ if (sr->flags & ~SENDMSG_FLAGS)
+ return -EINVAL;
+@@ -792,6 +794,8 @@ int io_recvmsg_prep(struct io_kiocb *req
+
+ sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
+ sr->len = READ_ONCE(sqe->len);
++ if (unlikely(sr->len < 0))
++ return -EINVAL;
+ sr->flags = READ_ONCE(sqe->ioprio);
+ if (sr->flags & ~RECVMSG_FLAGS)
+ return -EINVAL;
--- /dev/null
+From 90c5def10bea574b101b7a520c015ca81742183f Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 2 Mar 2026 18:22:52 -0400
+Subject: iommu: Do not call drivers for empty gathers
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 90c5def10bea574b101b7a520c015ca81742183f upstream.
+
+An empty gather is coded with start=U64_MAX, end=0 and several drivers go
+on to convert that to a size with:
+
+ end - start + 1
+
+Which gives 2 for an empty gather. This then causes Weird Stuff to
+happen (for example an UBSAN splat in VT-d) that is hopefully harmless,
+but maybe not.
+
+Prevent drivers from being called right in iommu_iotlb_sync().
+
+Auditing shows that AMD, Intel, Mediatek and RSIC-V drivers all do things
+on these empty gathers.
+
+Further, there are several callers that can trigger empty gathers,
+especially in unusual conditions. For example iommu_map_nosync() will call
+a 0 size unmap on some error paths. Also in VFIO, iommupt and other
+places.
+
+Cc: stable@vger.kernel.org
+Reported-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Closes: https://lore.kernel.org/r/11145826.aFP6jjVeTY@jkrzyszt-mobl2.ger.corp.intel.com
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/iommu.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/iommu.h
++++ b/include/linux/iommu.h
+@@ -978,7 +978,8 @@ static inline void iommu_flush_iotlb_all
+ static inline void iommu_iotlb_sync(struct iommu_domain *domain,
+ struct iommu_iotlb_gather *iotlb_gather)
+ {
+- if (domain->ops->iotlb_sync)
++ if (domain->ops->iotlb_sync &&
++ likely(iotlb_gather->start < iotlb_gather->end))
+ domain->ops->iotlb_sync(domain, iotlb_gather);
+
+ iommu_iotlb_gather_init(iotlb_gather);
--- /dev/null
+From fda9522ed6afaec45cabc198d8492270c394c7bc Mon Sep 17 00:00:00 2001
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+Date: Wed, 25 Mar 2026 09:14:22 +0900
+Subject: ksmbd: fix OOB write in QUERY_INFO for compound requests
+
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+
+commit fda9522ed6afaec45cabc198d8492270c394c7bc upstream.
+
+When a compound request such as READ + QUERY_INFO(Security) is received,
+and the first command (READ) consumes most of the response buffer,
+ksmbd could write beyond the allocated buffer while building a security
+descriptor.
+
+The root cause was that smb2_get_info_sec() checked buffer space using
+ppntsd_size from xattr, while build_sec_desc() often synthesized a
+significantly larger descriptor from POSIX ACLs.
+
+This patch introduces smb_acl_sec_desc_scratch_len() to accurately
+compute the final descriptor size beforehand, performs proper buffer
+checking with smb2_calc_max_out_buf_len(), and uses exact-sized
+allocation + iov pinning.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 121 +++++++++++++++++++++++++++++++++++-------------
+ fs/smb/server/smbacl.c | 43 +++++++++++++++++
+ fs/smb/server/smbacl.h | 2
+ 3 files changed, 134 insertions(+), 32 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -3411,20 +3411,24 @@ int smb2_open(struct ksmbd_work *work)
+ KSMBD_SHARE_FLAG_ACL_XATTR)) {
+ struct smb_fattr fattr;
+ struct smb_ntsd *pntsd;
+- int pntsd_size, ace_num = 0;
++ int pntsd_size;
++ size_t scratch_len;
+
+ ksmbd_acls_fattr(&fattr, idmap, inode);
+- if (fattr.cf_acls)
+- ace_num = fattr.cf_acls->a_count;
+- if (fattr.cf_dacls)
+- ace_num += fattr.cf_dacls->a_count;
+-
+- pntsd = kmalloc(sizeof(struct smb_ntsd) +
+- sizeof(struct smb_sid) * 3 +
+- sizeof(struct smb_acl) +
+- sizeof(struct smb_ace) * ace_num * 2,
+- KSMBD_DEFAULT_GFP);
++ scratch_len = smb_acl_sec_desc_scratch_len(&fattr,
++ NULL, 0,
++ OWNER_SECINFO | GROUP_SECINFO |
++ DACL_SECINFO);
++ if (!scratch_len || scratch_len == SIZE_MAX) {
++ rc = -EFBIG;
++ posix_acl_release(fattr.cf_acls);
++ posix_acl_release(fattr.cf_dacls);
++ goto err_out;
++ }
++
++ pntsd = kvzalloc(scratch_len, KSMBD_DEFAULT_GFP);
+ if (!pntsd) {
++ rc = -ENOMEM;
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ goto err_out;
+@@ -3439,7 +3443,7 @@ int smb2_open(struct ksmbd_work *work)
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ if (rc) {
+- kfree(pntsd);
++ kvfree(pntsd);
+ goto err_out;
+ }
+
+@@ -3449,7 +3453,7 @@ int smb2_open(struct ksmbd_work *work)
+ pntsd,
+ pntsd_size,
+ false);
+- kfree(pntsd);
++ kvfree(pntsd);
+ if (rc)
+ pr_err("failed to store ntacl in xattr : %d\n",
+ rc);
+@@ -5381,8 +5385,9 @@ static int smb2_get_info_file(struct ksm
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_PIPE)) {
+ /* smb2 info file called for pipe */
+- return smb2_get_info_file_pipe(work->sess, req, rsp,
++ rc = smb2_get_info_file_pipe(work->sess, req, rsp,
+ work->response_buf);
++ goto iov_pin_out;
+ }
+
+ if (work->next_smb2_rcv_hdr_off) {
+@@ -5482,6 +5487,12 @@ static int smb2_get_info_file(struct ksm
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp, work->response_buf);
+ ksmbd_fd_put(work, fp);
++
++iov_pin_out:
++ if (!rc)
++ rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
++ offsetof(struct smb2_query_info_rsp, Buffer) +
++ le32_to_cpu(rsp->OutputBufferLength));
+ return rc;
+ }
+
+@@ -5701,6 +5712,11 @@ static int smb2_get_info_filesystem(stru
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp, work->response_buf);
+ path_put(&path);
++
++ if (!rc)
++ rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
++ offsetof(struct smb2_query_info_rsp, Buffer) +
++ le32_to_cpu(rsp->OutputBufferLength));
+ return rc;
+ }
+
+@@ -5710,13 +5726,14 @@ static int smb2_get_info_sec(struct ksmb
+ {
+ struct ksmbd_file *fp;
+ struct mnt_idmap *idmap;
+- struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
++ struct smb_ntsd *pntsd = NULL, *ppntsd = NULL;
+ struct smb_fattr fattr = {{0}};
+ struct inode *inode;
+ __u32 secdesclen = 0;
+ unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
+ int addition_info = le32_to_cpu(req->AdditionalInformation);
+- int rc = 0, ppntsd_size = 0;
++ int rc = 0, ppntsd_size = 0, max_len;
++ size_t scratch_len = 0;
+
+ if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO |
+ PROTECTED_DACL_SECINFO |
+@@ -5724,6 +5741,11 @@ static int smb2_get_info_sec(struct ksmb
+ ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n",
+ addition_info);
+
++ pntsd = kzalloc(ALIGN(sizeof(struct smb_ntsd), 8),
++ KSMBD_DEFAULT_GFP);
++ if (!pntsd)
++ return -ENOMEM;
++
+ pntsd->revision = cpu_to_le16(1);
+ pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PROTECTED);
+ pntsd->osidoffset = 0;
+@@ -5732,9 +5754,7 @@ static int smb2_get_info_sec(struct ksmb
+ pntsd->dacloffset = 0;
+
+ secdesclen = sizeof(struct smb_ntsd);
+- rsp->OutputBufferLength = cpu_to_le32(secdesclen);
+-
+- return 0;
++ goto iov_pin;
+ }
+
+ if (work->next_smb2_rcv_hdr_off) {
+@@ -5766,18 +5786,58 @@ static int smb2_get_info_sec(struct ksmb
+ &ppntsd);
+
+ /* Check if sd buffer size exceeds response buffer size */
+- if (smb2_resp_buf_len(work, 8) > ppntsd_size)
+- rc = build_sec_desc(idmap, pntsd, ppntsd, ppntsd_size,
+- addition_info, &secdesclen, &fattr);
++ max_len = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
++ if (max_len < 0) {
++ rc = -EINVAL;
++ goto release_acl;
++ }
++
++ scratch_len = smb_acl_sec_desc_scratch_len(&fattr, ppntsd,
++ ppntsd_size, addition_info);
++ if (!scratch_len || scratch_len == SIZE_MAX) {
++ rc = -EFBIG;
++ goto release_acl;
++ }
++
++ pntsd = kvzalloc(scratch_len, KSMBD_DEFAULT_GFP);
++ if (!pntsd) {
++ rc = -ENOMEM;
++ goto release_acl;
++ }
++
++ rc = build_sec_desc(idmap, pntsd, ppntsd, ppntsd_size,
++ addition_info, &secdesclen, &fattr);
++
++release_acl:
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ kfree(ppntsd);
+ ksmbd_fd_put(work, fp);
++
++ if (!rc && ALIGN(secdesclen, 8) > scratch_len)
++ rc = -EFBIG;
+ if (rc)
+- return rc;
++ goto err_out;
+
++iov_pin:
+ rsp->OutputBufferLength = cpu_to_le32(secdesclen);
+- return 0;
++ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
++ rsp, work->response_buf);
++ if (rc)
++ goto err_out;
++
++ rc = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ pntsd, secdesclen);
++err_out:
++ if (rc) {
++ rsp->OutputBufferLength = 0;
++ kvfree(pntsd);
++ }
++
++ return rc;
+ }
+
+ /**
+@@ -5801,6 +5861,9 @@ int smb2_query_info(struct ksmbd_work *w
+ goto err_out;
+ }
+
++ rsp->StructureSize = cpu_to_le16(9);
++ rsp->OutputBufferOffset = cpu_to_le16(72);
++
+ switch (req->InfoType) {
+ case SMB2_O_INFO_FILE:
+ ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n");
+@@ -5821,14 +5884,6 @@ int smb2_query_info(struct ksmbd_work *w
+ }
+ ksmbd_revert_fsids(work);
+
+- if (!rc) {
+- rsp->StructureSize = cpu_to_le16(9);
+- rsp->OutputBufferOffset = cpu_to_le16(72);
+- rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
+- offsetof(struct smb2_query_info_rsp, Buffer) +
+- le32_to_cpu(rsp->OutputBufferLength));
+- }
+-
+ err_out:
+ if (rc < 0) {
+ if (rc == -EACCES)
+@@ -5839,6 +5894,8 @@ err_out:
+ rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
+ else if (rc == -ENOMEM)
+ rsp->hdr.Status = STATUS_INSUFFICIENT_RESOURCES;
++ else if (rc == -EINVAL && rsp->hdr.Status == 0)
++ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else if (rc == -EOPNOTSUPP || rsp->hdr.Status == 0)
+ rsp->hdr.Status = STATUS_INVALID_INFO_CLASS;
+ smb2_set_err_rsp(work);
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -915,6 +915,49 @@ int parse_sec_desc(struct mnt_idmap *idm
+ return 0;
+ }
+
++size_t smb_acl_sec_desc_scratch_len(struct smb_fattr *fattr,
++ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info)
++{
++ size_t len = sizeof(struct smb_ntsd);
++ size_t tmp;
++
++ if (addition_info & OWNER_SECINFO)
++ len += sizeof(struct smb_sid);
++ if (addition_info & GROUP_SECINFO)
++ len += sizeof(struct smb_sid);
++ if (!(addition_info & DACL_SECINFO))
++ return len;
++
++ len += sizeof(struct smb_acl);
++ if (ppntsd && ppntsd_size > 0) {
++ unsigned int dacl_offset = le32_to_cpu(ppntsd->dacloffset);
++
++ if (dacl_offset < ppntsd_size &&
++ check_add_overflow(len, ppntsd_size - dacl_offset, &len))
++ return 0;
++ }
++
++ if (fattr->cf_acls) {
++ if (check_mul_overflow((size_t)fattr->cf_acls->a_count,
++ 2 * sizeof(struct smb_ace), &tmp) ||
++ check_add_overflow(len, tmp, &len))
++ return 0;
++ } else {
++ /* default/minimum DACL */
++ if (check_add_overflow(len, 5 * sizeof(struct smb_ace), &len))
++ return 0;
++ }
++
++ if (fattr->cf_dacls) {
++ if (check_mul_overflow((size_t)fattr->cf_dacls->a_count,
++ sizeof(struct smb_ace), &tmp) ||
++ check_add_overflow(len, tmp, &len))
++ return 0;
++ }
++
++ return len;
++}
++
+ /* Convert permission bits from mode to equivalent CIFS ACL */
+ int build_sec_desc(struct mnt_idmap *idmap,
+ struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
+--- a/fs/smb/server/smbacl.h
++++ b/fs/smb/server/smbacl.h
+@@ -101,6 +101,8 @@ int set_info_sec(struct ksmbd_conn *conn
+ bool type_check, bool get_write);
+ void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid);
+ void ksmbd_init_domain(u32 *sub_auth);
++size_t smb_acl_sec_desc_scratch_len(struct smb_fattr *fattr,
++ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info);
+
+ static inline uid_t posix_acl_uid_translate(struct mnt_idmap *idmap,
+ struct posix_acl_entry *pace)
--- /dev/null
+From e5046823f8fa3677341b541a25af2fcb99a5b1e0 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Wed, 25 Mar 2026 20:29:20 -0700
+Subject: lib/crypto: chacha: Zeroize permuted_state before it leaves scope
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit e5046823f8fa3677341b541a25af2fcb99a5b1e0 upstream.
+
+Since the ChaCha permutation is invertible, the local variable
+'permuted_state' is sufficient to compute the original 'state', and thus
+the key, even after the permutation has been done.
+
+While the kernel is quite inconsistent about zeroizing secrets on the
+stack (and some prominent userspace crypto libraries don't bother at all
+since it's not guaranteed to work anyway), the kernel does try to do it
+as a best practice, especially in cases involving the RNG.
+
+Thus, explicitly zeroize 'permuted_state' before it goes out of scope.
+
+Fixes: c08d0e647305 ("crypto: chacha20 - Add a generic ChaCha20 stream cipher implementation")
+Cc: stable@vger.kernel.org
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20260326032920.39408-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/crypto/chacha-block-generic.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/lib/crypto/chacha-block-generic.c
++++ b/lib/crypto/chacha-block-generic.c
+@@ -87,6 +87,8 @@ void chacha_block_generic(struct chacha_
+ &out[i * sizeof(u32)]);
+
+ state->x[12]++;
++
++ chacha_zeroize_state(&permuted_state);
+ }
+ EXPORT_SYMBOL(chacha_block_generic);
+
+@@ -110,5 +112,7 @@ void hchacha_block_generic(const struct
+
+ memcpy(&out[0], &permuted_state.x[0], 16);
+ memcpy(&out[4], &permuted_state.x[12], 16);
++
++ chacha_zeroize_state(&permuted_state);
+ }
+ EXPORT_SYMBOL(hchacha_block_generic);
--- /dev/null
+From ec8bf18814915460d9c617b556bf024efef26613 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Mon, 30 Mar 2026 02:54:09 +0100
+Subject: MIPS: Fix the GCC version check for `__multi3' workaround
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit ec8bf18814915460d9c617b556bf024efef26613 upstream.
+
+It was only GCC 10 that fixed a MIPS64r6 code generation issue with a
+`__multi3' libcall inefficiently produced to perform 64-bit widening
+multiplication while suitable machine instructions exist to do such a
+calculation. The fix went in with GCC commit 48b2123f6336 ("re PR
+target/82981 (unnecessary __multi3 call for mips64r6 linux kernel)").
+
+Adjust our code accordingly, removing build failures such as:
+
+mips64-linux-ld: lib/math/div64.o: in function `mul_u64_add_u64_div_u64':
+div64.c:(.text+0x84): undefined reference to `__multi3'
+
+with the GCC versions affected.
+
+Fixes: ebabcf17bcd7 ("MIPS: Implement __multi3 for GCC7 MIPS64r6 builds")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202601140146.hMLODc6v-lkp@intel.com/
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v4.15+
+Reviewed-by: David Laight <david.laight.linux@gmail.com.
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/lib/multi3.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/lib/multi3.c
++++ b/arch/mips/lib/multi3.c
+@@ -4,12 +4,12 @@
+ #include "libgcc.h"
+
+ /*
+- * GCC 7 & older can suboptimally generate __multi3 calls for mips64r6, so for
++ * GCC 9 & older can suboptimally generate __multi3 calls for mips64r6, so for
+ * that specific case only we implement that intrinsic here.
+ *
+ * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82981
+ */
+-#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ < 8)
++#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ < 10)
+
+ /* multiply 64-bit values, low 64-bits returned */
+ static inline long long notrace dmulu(long long a, long long b)
+@@ -51,4 +51,4 @@ ti_type notrace __multi3(ti_type a, ti_t
+ }
+ EXPORT_SYMBOL(__multi3);
+
+-#endif /* 64BIT && CPU_MIPSR6 && GCC7 */
++#endif /* 64BIT && CPU_MIPSR6 && GCC9 */
--- /dev/null
+From 01cc50ea5167bb14117257ec084637abe9e5f691 Mon Sep 17 00:00:00 2001
+From: Stefan Wiehler <stefan.wiehler@nokia.com>
+Date: Tue, 10 Mar 2026 11:40:24 +0100
+Subject: mips: mm: Allocate tlb_vpn array atomically
+
+From: Stefan Wiehler <stefan.wiehler@nokia.com>
+
+commit 01cc50ea5167bb14117257ec084637abe9e5f691 upstream.
+
+Found by DEBUG_ATOMIC_SLEEP:
+
+ BUG: sleeping function called from invalid context at /include/linux/sched/mm.h:306
+ in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1
+ preempt_count: 1, expected: 0
+ RCU nest depth: 0, expected: 0
+ no locks held by swapper/1/0.
+ irq event stamp: 0
+ hardirqs last enabled at (0): [<0000000000000000>] 0x0
+ hardirqs last disabled at (0): [<ffffffff801477fc>] copy_process+0x75c/0x1b68
+ softirqs last enabled at (0): [<ffffffff801477fc>] copy_process+0x75c/0x1b68
+ softirqs last disabled at (0): [<0000000000000000>] 0x0
+ CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.119-d79e757675ec-fct #1
+ Stack : 800000000290bad8 0000000000000000 0000000000000008 800000000290bae8
+ 800000000290bae8 800000000290bc78 0000000000000000 0000000000000000
+ ffffffff80c80000 0000000000000001 ffffffff80d8dee8 ffffffff810d09c0
+ 784bb2a7ec10647d 0000000000000010 ffffffff80a6fd60 8000000001d8a9c0
+ 0000000000000000 0000000000000000 ffffffff80d90000 0000000000000000
+ ffffffff80c9e0e8 0000000007ffffff 0000000000000cc0 0000000000000400
+ ffffffffffffffff 0000000000000001 0000000000000002 ffffffffc0149ed8
+ fffffffffffffffe 8000000002908000 800000000290bae0 ffffffff80a81b74
+ ffffffff80129fb0 0000000000000000 0000000000000000 0000000000000000
+ 0000000000000000 0000000000000000 ffffffff80129fd0 0000000000000000
+ ...
+ Call Trace:
+ [<ffffffff80129fd0>] show_stack+0x60/0x158
+ [<ffffffff80a7f894>] dump_stack_lvl+0x88/0xbc
+ [<ffffffff8018d3c8>] __might_resched+0x268/0x288
+ [<ffffffff803648b0>] __kmem_cache_alloc_node+0x2e0/0x330
+ [<ffffffff80302788>] __kmalloc+0x58/0xd0
+ [<ffffffff80a81b74>] r4k_tlb_uniquify+0x7c/0x428
+ [<ffffffff80143e8c>] tlb_init+0x7c/0x110
+ [<ffffffff8012bdb4>] per_cpu_trap_init+0x16c/0x1d0
+ [<ffffffff80133258>] start_secondary+0x28/0x128
+
+Fixes: 231ac951faba ("MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow")
+Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/tlb-r4k.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -751,7 +751,7 @@ static void __ref r4k_tlb_uniquify(void)
+
+ tlb_vpn_size = tlbsize * sizeof(*tlb_vpns);
+ tlb_vpns = (use_slab ?
+- kmalloc(tlb_vpn_size, GFP_KERNEL) :
++ kmalloc(tlb_vpn_size, GFP_ATOMIC) :
+ memblock_alloc_raw(tlb_vpn_size, sizeof(*tlb_vpns)));
+ if (WARN_ON(!tlb_vpns))
+ return; /* Pray local_flush_tlb_all() is good enough. */
--- /dev/null
+From 540760b77b8fc49d39d1b2b76196e5ec57711a32 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Fri, 27 Mar 2026 18:57:30 +0000
+Subject: MIPS: mm: Rewrite TLB uniquification for the hidden bit feature
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 540760b77b8fc49d39d1b2b76196e5ec57711a32 upstream.
+
+Before the introduction of the EHINV feature, which lets software mark
+TLB entries invalid, certain older implementations of the MIPS ISA were
+equipped with an analogous bit, as a vendor extension, which however is
+hidden from software and only ever set at reset, and then any software
+write clears it, making the intended TLB entry valid.
+
+This feature makes it unsafe to read a TLB entry with TLBR, modify the
+page mask, and write the entry back with TLBWI, because this operation
+will implicitly clear the hidden bit and this may create a duplicate
+entry, as with the presence of the hidden bit there is no guarantee all
+the entries across the TLB are unique each.
+
+Usually the firmware has already uniquified TLB entries before handing
+control over, in which case we only need to guarantee at bootstrap no
+clash will happen with the VPN2 values chosen in local_flush_tlb_all().
+
+However with systems such as Mikrotik RB532 we get handed the TLB as at
+reset, with the hidden bit set across the entries and possibly duplicate
+entries present. This then causes a machine check exception when page
+sizes are reset in r4k_tlb_uniquify() and prevents the system from
+booting.
+
+Rewrite the algorithm used in r4k_tlb_uniquify() then such as to avoid
+the reuse of ASID/VPN values across the TLB. Get rid of global entries
+first as they may be blocking the entire address space, e.g. 16 256MiB
+pages will exhaust the whole address space of a 32-bit CPU and a single
+big page can exhaust the 32-bit compatibility space on a 64-bit CPU.
+
+Details of the algorithm chosen are given across the code itself.
+
+Fixes: 9f048fa48740 ("MIPS: mm: Prevent a TLB shutdown on initial uniquification")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/tlb-r4k.c | 282 +++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 228 insertions(+), 54 deletions(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -13,6 +13,7 @@
+ #include <linux/sched.h>
+ #include <linux/smp.h>
+ #include <linux/memblock.h>
++#include <linux/minmax.h>
+ #include <linux/mm.h>
+ #include <linux/hugetlb.h>
+ #include <linux/export.h>
+@@ -24,6 +25,7 @@
+ #include <asm/hazards.h>
+ #include <asm/mmu_context.h>
+ #include <asm/tlb.h>
++#include <asm/tlbdebug.h>
+ #include <asm/tlbex.h>
+ #include <asm/tlbmisc.h>
+ #include <asm/setup.h>
+@@ -511,12 +513,229 @@ static int __init set_ntlb(char *str)
+ __setup("ntlb=", set_ntlb);
+
+
+-/* Comparison function for EntryHi VPN fields. */
+-static int r4k_vpn_cmp(const void *a, const void *b)
++/* The start bit position of VPN2 and Mask in EntryHi/PageMask registers. */
++#define VPN2_SHIFT 13
++
++/* Read full EntryHi even with CONFIG_32BIT. */
++static inline unsigned long long read_c0_entryhi_native(void)
++{
++ return cpu_has_64bits ? read_c0_entryhi_64() : read_c0_entryhi();
++}
++
++/* Write full EntryHi even with CONFIG_32BIT. */
++static inline void write_c0_entryhi_native(unsigned long long v)
++{
++ if (cpu_has_64bits)
++ write_c0_entryhi_64(v);
++ else
++ write_c0_entryhi(v);
++}
++
++/* TLB entry state for uniquification. */
++struct tlbent {
++ unsigned long long wired:1;
++ unsigned long long global:1;
++ unsigned long long asid:10;
++ unsigned long long vpn:51;
++ unsigned long long pagesz:5;
++ unsigned long long index:14;
++};
++
++/*
++ * Comparison function for TLB entry sorting. Place wired entries first,
++ * then global entries, then order by the increasing VPN/ASID and the
++ * decreasing page size. This lets us avoid clashes with wired entries
++ * easily and get entries for larger pages out of the way first.
++ *
++ * We could group bits so as to reduce the number of comparisons, but this
++ * is seldom executed and not performance-critical, so prefer legibility.
++ */
++static int r4k_entry_cmp(const void *a, const void *b)
+ {
+- long v = *(unsigned long *)a - *(unsigned long *)b;
+- int s = sizeof(long) > sizeof(int) ? sizeof(long) * 8 - 1: 0;
+- return s ? (v != 0) | v >> s : v;
++ struct tlbent ea = *(struct tlbent *)a, eb = *(struct tlbent *)b;
++
++ if (ea.wired > eb.wired)
++ return -1;
++ else if (ea.wired < eb.wired)
++ return 1;
++ else if (ea.global > eb.global)
++ return -1;
++ else if (ea.global < eb.global)
++ return 1;
++ else if (ea.vpn < eb.vpn)
++ return -1;
++ else if (ea.vpn > eb.vpn)
++ return 1;
++ else if (ea.asid < eb.asid)
++ return -1;
++ else if (ea.asid > eb.asid)
++ return 1;
++ else if (ea.pagesz > eb.pagesz)
++ return -1;
++ else if (ea.pagesz < eb.pagesz)
++ return 1;
++ else
++ return 0;
++}
++
++/*
++ * Fetch all the TLB entries. Mask individual VPN values retrieved with
++ * the corresponding page mask and ignoring any 1KiB extension as we'll
++ * be using 4KiB pages for uniquification.
++ */
++static void __ref r4k_tlb_uniquify_read(struct tlbent *tlb_vpns, int tlbsize)
++{
++ int start = num_wired_entries();
++ unsigned long long vpn_mask;
++ bool global;
++ int i;
++
++ vpn_mask = GENMASK(current_cpu_data.vmbits - 1, VPN2_SHIFT);
++ vpn_mask |= cpu_has_64bits ? 3ULL << 62 : 1 << 31;
++
++ for (i = 0; i < tlbsize; i++) {
++ unsigned long long entryhi, vpn, mask, asid;
++ unsigned int pagesz;
++
++ write_c0_index(i);
++ mtc0_tlbr_hazard();
++ tlb_read();
++ tlb_read_hazard();
++
++ global = !!(read_c0_entrylo0() & ENTRYLO_G);
++ entryhi = read_c0_entryhi_native();
++ mask = read_c0_pagemask();
++
++ asid = entryhi & cpu_asid_mask(¤t_cpu_data);
++ vpn = (entryhi & vpn_mask & ~mask) >> VPN2_SHIFT;
++ pagesz = ilog2((mask >> VPN2_SHIFT) + 1);
++
++ tlb_vpns[i].global = global;
++ tlb_vpns[i].asid = global ? 0 : asid;
++ tlb_vpns[i].vpn = vpn;
++ tlb_vpns[i].pagesz = pagesz;
++ tlb_vpns[i].wired = i < start;
++ tlb_vpns[i].index = i;
++ }
++}
++
++/*
++ * Write unique values to all but the wired TLB entries each, using
++ * the 4KiB page size. This size might not be supported with R6, but
++ * EHINV is mandatory for R6, so we won't ever be called in that case.
++ *
++ * A sorted table is supplied with any wired entries at the beginning,
++ * followed by any global entries, and then finally regular entries.
++ * We start at the VPN and ASID values of zero and only assign user
++ * addresses, therefore guaranteeing no clash with addresses produced
++ * by UNIQUE_ENTRYHI. We avoid any VPN values used by wired or global
++ * entries, by increasing the VPN value beyond the span of such entry.
++ *
++ * When a VPN/ASID clash is found with a regular entry we increment the
++ * ASID instead until no VPN/ASID clash has been found or the ASID space
++ * has been exhausted, in which case we increase the VPN value beyond
++ * the span of the largest clashing entry.
++ *
++ * We do not need to be concerned about FTLB or MMID configurations as
++ * those are required to implement the EHINV feature.
++ */
++static void __ref r4k_tlb_uniquify_write(struct tlbent *tlb_vpns, int tlbsize)
++{
++ unsigned long long asid, vpn, vpn_size, pagesz;
++ int widx, gidx, idx, sidx, lidx, i;
++
++ vpn_size = 1ULL << (current_cpu_data.vmbits - VPN2_SHIFT);
++ pagesz = ilog2((PM_4K >> VPN2_SHIFT) + 1);
++
++ write_c0_pagemask(PM_4K);
++ write_c0_entrylo0(0);
++ write_c0_entrylo1(0);
++
++ asid = 0;
++ vpn = 0;
++ widx = 0;
++ gidx = 0;
++ for (sidx = 0; sidx < tlbsize && tlb_vpns[sidx].wired; sidx++)
++ ;
++ for (lidx = sidx; lidx < tlbsize && tlb_vpns[lidx].global; lidx++)
++ ;
++ idx = gidx = sidx + 1;
++ for (i = sidx; i < tlbsize; i++) {
++ unsigned long long entryhi, vpn_pagesz = 0;
++
++ while (1) {
++ if (WARN_ON(vpn >= vpn_size)) {
++ dump_tlb_all();
++ /* Pray local_flush_tlb_all() will cope. */
++ return;
++ }
++
++ /* VPN must be below the next wired entry. */
++ if (widx < sidx && vpn >= tlb_vpns[widx].vpn) {
++ vpn = max(vpn,
++ (tlb_vpns[widx].vpn +
++ (1ULL << tlb_vpns[widx].pagesz)));
++ asid = 0;
++ widx++;
++ continue;
++ }
++ /* VPN must be below the next global entry. */
++ if (gidx < lidx && vpn >= tlb_vpns[gidx].vpn) {
++ vpn = max(vpn,
++ (tlb_vpns[gidx].vpn +
++ (1ULL << tlb_vpns[gidx].pagesz)));
++ asid = 0;
++ gidx++;
++ continue;
++ }
++ /* Try to find a free ASID so as to conserve VPNs. */
++ if (idx < tlbsize && vpn == tlb_vpns[idx].vpn &&
++ asid == tlb_vpns[idx].asid) {
++ unsigned long long idx_pagesz;
++
++ idx_pagesz = tlb_vpns[idx].pagesz;
++ vpn_pagesz = max(vpn_pagesz, idx_pagesz);
++ do
++ idx++;
++ while (idx < tlbsize &&
++ vpn == tlb_vpns[idx].vpn &&
++ asid == tlb_vpns[idx].asid);
++ asid++;
++ if (asid > cpu_asid_mask(¤t_cpu_data)) {
++ vpn += vpn_pagesz;
++ asid = 0;
++ vpn_pagesz = 0;
++ }
++ continue;
++ }
++ /* VPN mustn't be above the next regular entry. */
++ if (idx < tlbsize && vpn > tlb_vpns[idx].vpn) {
++ vpn = max(vpn,
++ (tlb_vpns[idx].vpn +
++ (1ULL << tlb_vpns[idx].pagesz)));
++ asid = 0;
++ idx++;
++ continue;
++ }
++ break;
++ }
++
++ entryhi = (vpn << VPN2_SHIFT) | asid;
++ write_c0_entryhi_native(entryhi);
++ write_c0_index(tlb_vpns[i].index);
++ mtc0_tlbw_hazard();
++ tlb_write_indexed();
++
++ tlb_vpns[i].asid = asid;
++ tlb_vpns[i].vpn = vpn;
++ tlb_vpns[i].pagesz = pagesz;
++
++ asid++;
++ if (asid > cpu_asid_mask(¤t_cpu_data)) {
++ vpn += 1ULL << pagesz;
++ asid = 0;
++ }
++ }
+ }
+
+ /*
+@@ -527,14 +746,8 @@ static void __ref r4k_tlb_uniquify(void)
+ {
+ int tlbsize = current_cpu_data.tlbsize;
+ bool use_slab = slab_is_available();
+- int start = num_wired_entries();
+ phys_addr_t tlb_vpn_size;
+- unsigned long *tlb_vpns;
+- unsigned long vpn_mask;
+- int cnt, ent, idx, i;
+-
+- vpn_mask = GENMASK(cpu_vmbits - 1, 13);
+- vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31;
++ struct tlbent *tlb_vpns;
+
+ tlb_vpn_size = tlbsize * sizeof(*tlb_vpns);
+ tlb_vpns = (use_slab ?
+@@ -545,52 +758,13 @@ static void __ref r4k_tlb_uniquify(void)
+
+ htw_stop();
+
+- for (i = start, cnt = 0; i < tlbsize; i++, cnt++) {
+- unsigned long vpn;
++ r4k_tlb_uniquify_read(tlb_vpns, tlbsize);
+
+- write_c0_index(i);
+- mtc0_tlbr_hazard();
+- tlb_read();
+- tlb_read_hazard();
+- vpn = read_c0_entryhi();
+- vpn &= vpn_mask & PAGE_MASK;
+- tlb_vpns[cnt] = vpn;
+-
+- /* Prevent any large pages from overlapping regular ones. */
+- write_c0_pagemask(read_c0_pagemask() & PM_DEFAULT_MASK);
+- mtc0_tlbw_hazard();
+- tlb_write_indexed();
+- tlbw_use_hazard();
+- }
++ sort(tlb_vpns, tlbsize, sizeof(*tlb_vpns), r4k_entry_cmp, NULL);
+
+- sort(tlb_vpns, cnt, sizeof(tlb_vpns[0]), r4k_vpn_cmp, NULL);
++ r4k_tlb_uniquify_write(tlb_vpns, tlbsize);
+
+ write_c0_pagemask(PM_DEFAULT_MASK);
+- write_c0_entrylo0(0);
+- write_c0_entrylo1(0);
+-
+- idx = 0;
+- ent = tlbsize;
+- for (i = start; i < tlbsize; i++)
+- while (1) {
+- unsigned long entryhi, vpn;
+-
+- entryhi = UNIQUE_ENTRYHI(ent);
+- vpn = entryhi & vpn_mask & PAGE_MASK;
+-
+- if (idx >= cnt || vpn < tlb_vpns[idx]) {
+- write_c0_entryhi(entryhi);
+- write_c0_index(i);
+- mtc0_tlbw_hazard();
+- tlb_write_indexed();
+- ent++;
+- break;
+- } else if (vpn == tlb_vpns[idx]) {
+- ent++;
+- } else {
+- idx++;
+- }
+- }
+
+ tlbw_use_hazard();
+ htw_start();
--- /dev/null
+From d62cf1511743526f530a4c169424e50c757f5a5e Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Fri, 27 Mar 2026 11:38:06 +0000
+Subject: MIPS: SiByte: Bring back cache initialisation
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit d62cf1511743526f530a4c169424e50c757f5a5e upstream.
+
+Bring back cache initialisation for Broadcom SiByte SB1 cores, which has
+been removed causing the kernel to hang at bootstrap right after:
+
+Dentry cache hash table entries: 524288 (order: 8, 4194304 bytes, linear)
+Inode-cache hash table entries: 262144 (order: 7, 2097152 bytes, linear)
+
+The cause of the problem is R4k cache handlers are also used by Broadcom
+SiByte SB1 cores, however with a different cache error exception handler
+and therefore not using CPU_R4K_CACHE_TLB:
+
+obj-$(CONFIG_CPU_R4K_CACHE_TLB) += c-r4k.o cex-gen.o tlb-r4k.o
+obj-$(CONFIG_CPU_SB1) += c-r4k.o cerr-sb1.o cex-sb1.o tlb-r4k.o
+
+(from arch/mips/mm/Makefile).
+
+Fixes: bbe4f634f48c ("mips: fix r3k_cache_init build regression")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v6.8+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/cache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/cache.c
++++ b/arch/mips/mm/cache.c
+@@ -207,7 +207,8 @@ void cpu_cache_init(void)
+ {
+ if (IS_ENABLED(CONFIG_CPU_R3000) && cpu_has_3k_cache)
+ r3k_cache_init();
+- if (IS_ENABLED(CONFIG_CPU_R4K_CACHE_TLB) && cpu_has_4k_cache)
++ if ((IS_ENABLED(CONFIG_CPU_R4K_CACHE_TLB) ||
++ IS_ENABLED(CONFIG_CPU_SB1)) && cpu_has_4k_cache)
+ r4k_cache_init();
+
+ if (IS_ENABLED(CONFIG_CPU_CAVIUM_OCTEON) && cpu_has_octeon_cache)
--- /dev/null
+From db08b1940f4beb25460b4a4e9da3446454f2e8fe Mon Sep 17 00:00:00 2001
+From: Cheng-Yang Chou <yphbchou0911@gmail.com>
+Date: Sat, 21 Mar 2026 18:54:58 +0800
+Subject: sched_ext: Fix inconsistent NUMA node lookup in scx_select_cpu_dfl()
+
+From: Cheng-Yang Chou <yphbchou0911@gmail.com>
+
+commit db08b1940f4beb25460b4a4e9da3446454f2e8fe upstream.
+
+In the WAKE_SYNC path of scx_select_cpu_dfl(), waker_node was computed
+with cpu_to_node(), while node (for prev_cpu) was computed with
+scx_cpu_node_if_enabled(). When scx_builtin_idle_per_node is disabled,
+idle_cpumask(waker_node) is called with a real node ID even though
+per-node idle tracking is disabled, resulting in undefined behavior.
+
+Fix by using scx_cpu_node_if_enabled() for waker_node as well, ensuring
+both variables are computed consistently.
+
+Fixes: 48849271e6611 ("sched_ext: idle: Per-node idle cpumasks")
+Cc: stable@vger.kernel.org # v6.15+
+Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
+Reviewed-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext_idle.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/ext_idle.c b/kernel/sched/ext_idle.c
+index ba298ac3ce6c..0ae93cd64004 100644
+--- a/kernel/sched/ext_idle.c
++++ b/kernel/sched/ext_idle.c
+@@ -543,7 +543,7 @@ s32 scx_select_cpu_dfl(struct task_struct *p, s32 prev_cpu, u64 wake_flags,
+ * piled up on it even if there is an idle core elsewhere on
+ * the system.
+ */
+- waker_node = cpu_to_node(cpu);
++ waker_node = scx_cpu_node_if_enabled(cpu);
+ if (!(current->flags & PF_EXITING) &&
+ cpu_rq(cpu)->scx.local_dsq.nr == 0 &&
+ (!(flags & SCX_PICK_IDLE_IN_NODE) || (waker_node == node)) &&
+--
+2.53.0
+
rust_binder-use-assertsync-for-binder_vm_ops.patch
wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch
wifi-iwlwifi-mvm-fix-potential-out-of-bounds-read-in-iwl_mvm_nd_match_info_handler.patch
+usb-serial-option-add-meig-smart-srm825wn.patch
+drm-amd-display-fix-null-pointer-dereference-in-dcn401_init_hw.patch
+sched_ext-fix-inconsistent-numa-node-lookup-in-scx_select_cpu_dfl.patch
+lib-crypto-chacha-zeroize-permuted_state-before-it-leaves-scope.patch
+alsa-caiaq-fix-stack-out-of-bounds-read-in-init_card.patch
+alsa-ctxfi-fix-missing-spdifi1-index-handling.patch
+alsa-hda-realtek-add-quirk-for-asus-rog-strix-scar-15.patch
+alsa-hda-realtek-add-quirk-for-hp-victus-15-fb0xxx.patch
+io_uring-net-fix-slab-out-of-bounds-read-in-io_bundle_nbufs.patch
+bluetooth-smp-derive-legacy-responder-stk-authentication-from-mitm-state.patch
+bluetooth-smp-force-responder-mitm-requirements-before-building-the-pairing-response.patch
+bluetooth-hci_sync-fix-stack-buffer-overflow-in-hci_le_big_create_sync.patch
+ksmbd-fix-oob-write-in-query_info-for-compound-requests.patch
+mips-mm-rewrite-tlb-uniquification-for-the-hidden-bit-feature.patch
+mips-sibyte-bring-back-cache-initialisation.patch
+mips-fix-the-gcc-version-check-for-__multi3-workaround.patch
+iommu-do-not-call-drivers-for-empty-gathers.patch
+hwmon-occ-fix-division-by-zero-in-occ_show_power_1.patch
+mips-mm-allocate-tlb_vpn-array-atomically.patch
+x86-kexec-disable-kcov-instrumentation-after-load_segments.patch
+drm-amdgpu-fix-the-idr-allocation-flags.patch
+gpib-fix-use-after-free-in-io-ioctl-handlers.patch
+iio-add-iio_declare_quaternion-macro.patch
+iio-orientation-hid-sensor-rotation-fix-quaternion-alignment.patch
+iio-orientation-hid-sensor-rotation-add-timestamp-hack-to-not-break-userspace.patch
+iio-adc-ti-adc161s626-fix-buffer-read-on-big-endian.patch
+iio-adc-ti-adc161s626-use-dma-safe-memory-for-spi_read.patch
+iio-adc-ti-ads1119-fix-unbalanced-pm-reference-count-in-ds1119_single_conversion.patch
+iio-adc-ti-ads1119-reinit-completion-before-wait_for_completion_timeout.patch
+iio-adc-ti-ads1119-replace-irqf_oneshot-with-irqf_no_thread.patch
+drm-ast-dp501-fix-initialization-of-scu2c.patch
+drm-i915-dsi-don-t-do-dsc-horizontal-timing-adjustments-in-command-mode.patch
+drm-i915-dp-use-crtc_state-enhanced_framing-properly-on-ivb-hsw-cpu-edp.patch
+drm-amdgpu-fix-wait-after-reset-sequence-in-s4.patch
+drm-amdgpu-validate-doorbell_offset-in-user-queue-creation.patch
+drm-amdgpu-change-amdgpu_va_reserved_trap_size-to-64kb.patch
+drm-amdgpu-pm-drop-smu-driver-if-version-not-matched-messages.patch
+usb-serial-io_edgeport-add-support-for-blackbox-ic135a.patch
+usb-serial-option-add-support-for-rolling-wireless-rw135r-gl.patch
+usb-core-add-no_lpm-quirk-for-razer-kiyo-pro-webcam.patch
--- /dev/null
+From 8b7a42ecdcdeb55580d9345412f7f8fc5aca3f6c Mon Sep 17 00:00:00 2001
+From: JP Hein <jp@jphein.com>
+Date: Mon, 30 Mar 2026 17:38:04 -0700
+Subject: USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
+
+From: JP Hein <jp@jphein.com>
+
+commit 8b7a42ecdcdeb55580d9345412f7f8fc5aca3f6c upstream.
+
+The Razer Kiyo Pro (1532:0e05) is a USB 3.0 UVC webcam whose firmware
+does not handle USB Link Power Management transitions reliably. When LPM
+is active, the device can enter a state where it fails to respond to
+control transfers, producing EPIPE (-32) errors on UVC probe control
+SET_CUR requests. In the worst case, the stalled endpoint triggers an
+xHCI stop-endpoint command that times out, causing the host controller
+to be declared dead and every USB device on the bus to be disconnected.
+
+This has been reported as Ubuntu Launchpad Bug #2061177. The failure
+mode is:
+
+ 1. UVC probe control SET_CUR returns -32 (EPIPE)
+ 2. xHCI host not responding to stop endpoint command
+ 3. xHCI host controller not responding, assume dead
+ 4. All USB devices on the affected xHCI controller disconnect
+
+Disabling LPM prevents the firmware from entering the problematic low-
+power states that precede the stall. This is the same approach used for
+other webcams with similar firmware issues (e.g., Logitech HD Webcam C270).
+
+Cc: stable <stable@kernel.org>
+Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061177
+Signed-off-by: JP Hein <jp@jphein.com>
+Link: https://patch.msgid.link/20260331003806.212565-2-jp@jphein.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -493,6 +493,8 @@ static const struct usb_device_id usb_qu
+ /* Razer - Razer Blade Keyboard */
+ { USB_DEVICE(0x1532, 0x0116), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
++ /* Razer - Razer Kiyo Pro Webcam */
++ { USB_DEVICE(0x1532, 0x0e05), .driver_info = USB_QUIRK_NO_LPM },
+
+ /* Lenovo ThinkPad OneLink+ Dock twin hub controllers (VIA Labs VL812) */
+ { USB_DEVICE(0x17ef, 0x1018), .driver_info = USB_QUIRK_RESET_RESUME },
--- /dev/null
+From 0e01c3416eb863ee7f156a9d7e7421ec0a9f68a0 Mon Sep 17 00:00:00 2001
+From: Frej Drejhammar <frej@stacken.kth.se>
+Date: Sun, 22 Feb 2026 18:00:42 +0100
+Subject: USB: serial: io_edgeport: add support for Blackbox IC135A
+
+From: Frej Drejhammar <frej@stacken.kth.se>
+
+commit 0e01c3416eb863ee7f156a9d7e7421ec0a9f68a0 upstream.
+
+The Blackbox 724-746-5500 USB Director USB-RS-232 HUB, part number
+IC135A, is a rebadged Edgeport/4 with its own USB device id.
+
+Signed-off-by: Frej Drejhammar <frej@stacken.kth.se>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/io_edgeport.c | 3 +++
+ drivers/usb/serial/io_usbvend.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -73,6 +73,7 @@ static const struct usb_device_id edgepo
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_22I) },
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_412_4) },
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_COMPATIBLE) },
++ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_BLACKBOX_IC135A) },
+ { }
+ };
+
+@@ -121,6 +122,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_8R) },
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_8RR) },
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_412_8) },
++ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_BLACKBOX_IC135A) },
+ { USB_DEVICE(USB_VENDOR_ID_NCR, NCR_DEVICE_ID_EPIC_0202) },
+ { USB_DEVICE(USB_VENDOR_ID_NCR, NCR_DEVICE_ID_EPIC_0203) },
+ { USB_DEVICE(USB_VENDOR_ID_NCR, NCR_DEVICE_ID_EPIC_0310) },
+@@ -470,6 +472,7 @@ static void get_product_info(struct edge
+ case ION_DEVICE_ID_EDGEPORT_2_DIN:
+ case ION_DEVICE_ID_EDGEPORT_4_DIN:
+ case ION_DEVICE_ID_EDGEPORT_16_DUAL_CPU:
++ case ION_DEVICE_ID_BLACKBOX_IC135A:
+ product_info->IsRS232 = 1;
+ break;
+
+--- a/drivers/usb/serial/io_usbvend.h
++++ b/drivers/usb/serial/io_usbvend.h
+@@ -211,6 +211,7 @@
+
+ //
+ // Definitions for other product IDs
++#define ION_DEVICE_ID_BLACKBOX_IC135A 0x0801 // OEM device (rebranded Edgeport/4)
+ #define ION_DEVICE_ID_MT4X56USB 0x1403 // OEM device
+ #define ION_DEVICE_ID_E5805A 0x1A01 // OEM device (rebranded Edgeport/4)
+
--- /dev/null
+From e8d0ed37bd51da52da6225d278e330c2f18a6198 Mon Sep 17 00:00:00 2001
+From: Ernestas Kulik <ernestas.k@iconn-networks.com>
+Date: Tue, 24 Mar 2026 13:07:16 +0200
+Subject: USB: serial: option: add MeiG Smart SRM825WN
+
+From: Ernestas Kulik <ernestas.k@iconn-networks.com>
+
+commit e8d0ed37bd51da52da6225d278e330c2f18a6198 upstream.
+
+Add support for the SDX62-based MeiG Smart SRM825WN module.
+
+If#= 0: RNDIS
+If#= 1: RNDIS
+If#= 2: Diag
+If#= 3: AT
+If#= 4: AT
+If#= 5: NMEA
+
+T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 19 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2dee ProdID=4d38 Rev= 5.04
+S: Manufacturer=MEIG
+S: Product=LTE-A Module
+S: SerialNumber=da47a175
+C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
+E: Ad=81(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Ernestas Kulik <ernestas.k@iconn-networks.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2441,6 +2441,9 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM815 and SRM825L */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825L */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825L */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM825WN (Diag) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825WN (AT) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825WN (NMEA) */
+ { USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) }, /* LongSung M5710 */
+ { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) }, /* GosunCn GM500 RNDIS */
+ { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */
--- /dev/null
+From 01e8d0f742222f1e68f48180d5480097adf7ae9f Mon Sep 17 00:00:00 2001
+From: Wanquan Zhong <wanquan.zhong@fibocom.com>
+Date: Mon, 16 Mar 2026 19:55:12 +0800
+Subject: USB: serial: option: add support for Rolling Wireless RW135R-GL
+
+From: Wanquan Zhong <wanquan.zhong@fibocom.com>
+
+commit 01e8d0f742222f1e68f48180d5480097adf7ae9f upstream.
+
+Add VID/PID 33f8:1003 for the Rolling Wireless RW135R-GL M.2 module,
+which is used in laptop debug cards with MBIM interface for
+Linux/Chrome OS. The device supports mbim, pipe functionalities.
+
+Here are the outputs of usb-devices:
+T: Bus=04 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
+D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
+P: Vendor=33f8 ProdID=1003 Rev=05.15
+S: Manufacturer=Rolling Wireless S.a.r.l.
+S: Product=Rolling RW135R-GL Module
+S: SerialNumber=12345678
+C: #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
+I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+Signed-off-by: Wanquan Zhong <wanquan.zhong@fibocom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2464,6 +2464,7 @@ static const struct usb_device_id option
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) }, /* Rolling RW101R-GL (laptop MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff), /* Rolling RW350-GL (laptop MBIM) */
+ .driver_info = RSVD(5) },
++ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff) }, /* Rolling RW135R-GL (laptop MBIM) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Global */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) },
--- /dev/null
+From 917e3ad3321e75ca0223d5ccf26ceda116aa51e1 Mon Sep 17 00:00:00 2001
+From: Aleksandr Nogikh <nogikh@google.com>
+Date: Wed, 25 Mar 2026 16:48:24 +0100
+Subject: x86/kexec: Disable KCOV instrumentation after load_segments()
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+commit 917e3ad3321e75ca0223d5ccf26ceda116aa51e1 upstream.
+
+The load_segments() function changes segment registers, invalidating GS base
+(which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any
+subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins
+crashing the kernel in an endless loop.
+
+To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented
+kernel:
+
+ $ kexec -l /boot/otherKernel
+ $ kexec -e
+
+The real-world context for this problem is enabling crash dump collection in
+syzkaller. For this, the tool loads a panic kernel before fuzzing and then
+calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC
+and CONFIG_KCOV to be enabled simultaneously.
+
+Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())
+is also undesirable as it would introduce an extra performance overhead.
+
+Disabling instrumentation for the individual functions would be too fragile,
+so disable KCOV instrumentation for the entire machine_kexec_64.c and
+physaddr.c. If coverage-guided fuzzing ever needs these components in the
+future, other approaches should be considered.
+
+The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported
+there.
+
+ [ bp: Space out comment for better readability. ]
+
+Fixes: 0d345996e4cb ("x86/kernel: increase kcov coverage under arch/x86/kernel folder")
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260325154825.551191-1-nogikh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/Makefile | 14 ++++++++++++++
+ arch/x86/mm/Makefile | 2 ++
+ 2 files changed, 16 insertions(+)
+
+--- a/arch/x86/kernel/Makefile
++++ b/arch/x86/kernel/Makefile
+@@ -44,6 +44,20 @@ KCOV_INSTRUMENT_unwind_orc.o := n
+ KCOV_INSTRUMENT_unwind_frame.o := n
+ KCOV_INSTRUMENT_unwind_guess.o := n
+
++# Disable KCOV to prevent crashes during kexec: load_segments() invalidates
++# the GS base, which KCOV relies on for per-CPU data.
++#
++# As KCOV and KEXEC compatibility should be preserved (e.g. syzkaller is
++# using it to collect crash dumps during kernel fuzzing), disabling
++# KCOV for KEXEC kernels is not an option. Selectively disabling KCOV
++# instrumentation for individual affected functions can be fragile, while
++# adding more checks to KCOV would slow it down.
++#
++# As a compromise solution, disable KCOV instrumentation for the whole
++# source code file. If its coverage is ever needed, other approaches
++# should be considered.
++KCOV_INSTRUMENT_machine_kexec_64.o := n
++
+ CFLAGS_head32.o := -fno-stack-protector
+ CFLAGS_head64.o := -fno-stack-protector
+ CFLAGS_irq.o := -I $(src)/../include/asm/trace
+--- a/arch/x86/mm/Makefile
++++ b/arch/x86/mm/Makefile
+@@ -4,6 +4,8 @@ KCOV_INSTRUMENT_tlb.o := n
+ KCOV_INSTRUMENT_mem_encrypt.o := n
+ KCOV_INSTRUMENT_mem_encrypt_amd.o := n
+ KCOV_INSTRUMENT_pgprot.o := n
++# See the "Disable KCOV" comment in arch/x86/kernel/Makefile.
++KCOV_INSTRUMENT_physaddr.o := n
+
+ KASAN_SANITIZE_mem_encrypt.o := n
+ KASAN_SANITIZE_mem_encrypt_amd.o := n
projects / thirdparty / kernel / stable-queue.git / commitdiff
