6.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 8 Apr 2026 06:57:03 +0000 (08:57 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 8 Apr 2026 06:57:03 +0000 (08:57 +0200)
added patches:
auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch
bridge-br_nd_send-validate-nd-option-lengths.patch
cdc-acm-new-quirk-for-epson-hmd.patch
comedi-dt2815-add-hardware-detection-to-prevent-crash.patch
comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch
comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch
comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch
comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch
comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch
dt-bindings-connector-add-pd-disable-dependency.patch
firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch
gpib-fix-fluke-driver-s390-compile-issue.patch
netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch
nvmem-imx-assign-nvmem_cell_info-raw_len.patch
nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch
pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch
reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch
s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch
s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch
spi-cadence-qspi-fix-exec_mem_op-error-handling.patch

21 files changed:
queue-6.19/auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch [new file with mode: 0644]
queue-6.19/bridge-br_nd_send-validate-nd-option-lengths.patch [new file with mode: 0644]
queue-6.19/cdc-acm-new-quirk-for-epson-hmd.patch [new file with mode: 0644]
queue-6.19/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch [new file with mode: 0644]
queue-6.19/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch [new file with mode: 0644]
queue-6.19/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch [new file with mode: 0644]
queue-6.19/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch [new file with mode: 0644]
queue-6.19/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch [new file with mode: 0644]
queue-6.19/comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch [new file with mode: 0644]
queue-6.19/dt-bindings-connector-add-pd-disable-dependency.patch [new file with mode: 0644]
queue-6.19/firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch [new file with mode: 0644]
queue-6.19/gpib-fix-fluke-driver-s390-compile-issue.patch [new file with mode: 0644]
queue-6.19/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch [new file with mode: 0644]
queue-6.19/nvmem-imx-assign-nvmem_cell_info-raw_len.patch [new file with mode: 0644]
queue-6.19/nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch [new file with mode: 0644]
queue-6.19/pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch [new file with mode: 0644]
queue-6.19/reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch [new file with mode: 0644]
queue-6.19/s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch [new file with mode: 0644]
queue-6.19/s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch [new file with mode: 0644]
queue-6.19/series
queue-6.19/spi-cadence-qspi-fix-exec_mem_op-error-handling.patch [new file with mode: 0644]

diff --git a/queue-6.19/auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch b/queue-6.19/auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch
new file mode 100644 (file)
index 0000000..303823d
--- /dev/null
@@ -0,0 +1,48 @@
+From 7f138de156b20d9f9da6f72f90b63c01941d97d3 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Fri, 27 Mar 2026 01:14:12 +0800
+Subject: auxdisplay: line-display: fix NULL dereference in linedisp_release
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit 7f138de156b20d9f9da6f72f90b63c01941d97d3 upstream.
+
+linedisp_release() currently retrieves the enclosing struct linedisp via
+to_linedisp(). That lookup depends on the attachment list, but the
+attachment may already have been removed before put_device() invokes the
+release callback. This can happen in linedisp_unregister(), and can also
+be reached from some linedisp_register() error paths.
+
+In that case, to_linedisp() returns NULL and linedisp_release()
+dereferences it while freeing the display resources.
+
+The struct device released here is the embedded linedisp->dev used by
+linedisp_register(), so retrieve the enclosing object directly with
+container_of() instead.
+
+Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/auxdisplay/line-display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/auxdisplay/line-display.c b/drivers/auxdisplay/line-display.c
+index 81b4aac65807..fb6d9294140d 100644
+--- a/drivers/auxdisplay/line-display.c
++++ b/drivers/auxdisplay/line-display.c
+@@ -365,7 +365,7 @@ static DEFINE_IDA(linedisp_id);
+ static void linedisp_release(struct device *dev)
+ {
+-      struct linedisp *linedisp = to_linedisp(dev);
++      struct linedisp *linedisp = container_of(dev, struct linedisp, dev);
+       kfree(linedisp->map);
+       kfree(linedisp->message);
+-- 
+2.53.0
+
diff --git a/queue-6.19/bridge-br_nd_send-validate-nd-option-lengths.patch b/queue-6.19/bridge-br_nd_send-validate-nd-option-lengths.patch
new file mode 100644 (file)
index 0000000..01c369a
--- /dev/null
@@ -0,0 +1,54 @@
+From 850837965af15707fd3142c1cf3c5bfaf022299b Mon Sep 17 00:00:00 2001
+From: Yang Yang <n05ec@lzu.edu.cn>
+Date: Thu, 26 Mar 2026 03:44:40 +0000
+Subject: bridge: br_nd_send: validate ND option lengths
+
+From: Yang Yang <n05ec@lzu.edu.cn>
+
+commit 850837965af15707fd3142c1cf3c5bfaf022299b upstream.
+
+br_nd_send() walks ND options according to option-provided lengths.
+A malformed option can make the parser advance beyond the computed
+option span or use a too-short source LLADDR option payload.
+
+Validate option lengths against the remaining NS option area before
+advancing, and only read source LLADDR when the option is large enough
+for an Ethernet address.
+
+Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
+Cc: stable@vger.kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Tested-by: Ao Zhou <n05ec@lzu.edu.cn>
+Co-developed-by: Yuan Tan <tanyuan98@outlook.com>
+Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260326034441.2037420-3-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_arp_nd_proxy.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/br_arp_nd_proxy.c
++++ b/net/bridge/br_arp_nd_proxy.c
+@@ -288,12 +288,14 @@ static void br_nd_send(struct net_bridge
+       ns_olen = request->len - (skb_network_offset(request) +
+                                 sizeof(struct ipv6hdr)) - sizeof(*ns);
+       for (i = 0; i < ns_olen - 1; i += (ns->opt[i + 1] << 3)) {
+-              if (!ns->opt[i + 1]) {
++              if (!ns->opt[i + 1] || i + (ns->opt[i + 1] << 3) > ns_olen) {
+                       kfree_skb(reply);
+                       return;
+               }
+               if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
+-                      daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
++                      if ((ns->opt[i + 1] << 3) >=
++                          sizeof(struct nd_opt_hdr) + ETH_ALEN)
++                              daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
+                       break;
+               }
+       }
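Review bot: In the `br_nd_send()` option loop the length `ns->opt[i + 1] << 3` is now spelled out in three places (the loop increment, the new span check and the new SLLA size check), which makes the bounds logic harder to audit; a local at the top of the loop body, `int olen = ns->opt[i + 1] << 3;`, would serve both new checks. When the source LLADDR option is too short the code now breaks out with `daddr` left at whatever it was before the loop, which is assigned outside this hunk; a comment such as `/* short SLLA option: keep the default daddr */` would make that fallback explicit. The checks also presume every byte up to `ns_olen` is readable through `ns->opt`, i.e. lies in the skb's linear data; nothing in the hunk establishes that, so it should be confirmed against the part of the function not shown.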
diff --git a/queue-6.19/cdc-acm-new-quirk-for-epson-hmd.patch b/queue-6.19/cdc-acm-new-quirk-for-epson-hmd.patch
new file mode 100644 (file)
index 0000000..98b39f1
--- /dev/null
@@ -0,0 +1,60 @@
+From f97e96c303d689708f7f713d8f3afcc31f1237e9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 17 Mar 2026 09:41:10 +0100
+Subject: cdc-acm: new quirk for EPSON HMD
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit f97e96c303d689708f7f713d8f3afcc31f1237e9 upstream.
+
+This device has a union descriptor that is just garbage
+and needs a custom descriptor.
+In principle this could be done with a (conditionally
+activated) heuristic. That would match more devices
+without a need for defining a new quirk. However,
+this always carries the risk that the heuristics
+does the wrong thing and leads to more breakage.
+Defining the quirk and telling it exactly what to do
+is the safe and conservative approach.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20260317084139.1461008-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c |    9 +++++++++
+ drivers/usb/class/cdc-acm.h |    1 +
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1225,6 +1225,12 @@ static int acm_probe(struct usb_interfac
+               if (!data_interface || !control_interface)
+                       return -ENODEV;
+               goto skip_normal_probe;
++      } else if (quirks == NO_UNION_12) {
++              data_interface = usb_ifnum_to_if(usb_dev, 2);
++              control_interface = usb_ifnum_to_if(usb_dev, 1);
++              if (!data_interface || !control_interface)
++                       return -ENODEV;
++              goto skip_normal_probe;
+       }
+       /* normal probing*/
+@@ -1748,6 +1754,9 @@ static const struct usb_device_id acm_id
+       { USB_DEVICE(0x045b, 0x024D),   /* Renesas R-Car E3 USB Download mode */
+       .driver_info = DISABLE_ECHO,    /* Don't echo banner */
+       },
++      { USB_DEVICE(0x04b8, 0x0d12),   /* EPSON HMD Com&Sens */
++      .driver_info = NO_UNION_12,     /* union descriptor is garbage */
++      },
+       { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */
+       .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+       },
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -114,3 +114,4 @@ struct acm {
+ #define SEND_ZERO_PACKET              BIT(6)
+ #define DISABLE_ECHO                  BIT(7)
+ #define MISSING_CAP_BRK                       BIT(8)
++#define NO_UNION_12                   BIT(9)
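Review bot: The new branch in `acm_probe()` tests `quirks == NO_UNION_12`, but `NO_UNION_12` is a single bit (`BIT(9)`) in the same `driver_info` flag space as `DISABLE_ECHO` and the others, so the branch is silently skipped if a device entry ever combines it with a second flag. `} else if (quirks & NO_UNION_12) {` would be robust to that, assuming it is acceptable to differ from the branch just above, whose condition is outside the hunk. The interface numbers are bare literals; a comment like `/* control on interface 1, data on interface 2 */` would tie them to the quirk's name. The `return -ENODEV;` line is also indented with stray spaces where the rest of the block uses tabs.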
diff --git a/queue-6.19/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch b/queue-6.19/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch
new file mode 100644 (file)
index 0000000..aad3a49
--- /dev/null
@@ -0,0 +1,63 @@
+From 93853512f565e625df2397f0d8050d6aafd7c3ad Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Mon, 9 Mar 2026 16:18:59 +0530
+Subject: comedi: dt2815: add hardware detection to prevent crash
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit 93853512f565e625df2397f0d8050d6aafd7c3ad upstream.
+
+The dt2815 driver crashes when attached to I/O ports without actual
+hardware present. This occurs because syzkaller or users can attach
+the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.
+
+When no hardware exists at the specified port, inb() operations return
+0xff (floating bus), but outb() operations can trigger page faults due
+to undefined behavior, especially under race conditions:
+
+  BUG: unable to handle page fault for address: 000000007fffff90
+  #PF: supervisor write access in kernel mode
+  #PF: error_code(0x0002) - not-present page
+  RIP: 0010:dt2815_attach+0x6e0/0x1110
+
+Add hardware detection by reading the status register before attempting
+any write operations. If the read returns 0xff, assume no hardware is
+present and fail the attach with -ENODEV. This prevents crashes from
+outb() operations on non-existent hardware.
+
+Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
+Cc: stable <stable@kernel.org>
+Closes: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
+Tested-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/]
+Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/
+Link: https://patch.msgid.link/20260309104859.503529-1-kartikey406@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/dt2815.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/comedi/drivers/dt2815.c
++++ b/drivers/comedi/drivers/dt2815.c
+@@ -175,6 +175,18 @@ static int dt2815_attach(struct comedi_d
+                   ? current_range_type : voltage_range_type;
+       }
++      /*
++       * Check if hardware is present before attempting any I/O operations.
++       * Reading 0xff from status register typically indicates no hardware
++       * on the bus (floating bus reads as all 1s).
++       */
++      if (inb(dev->iobase + DT2815_STATUS) == 0xff) {
++              dev_err(dev->class_dev,
++                      "No hardware detected at I/O base 0x%lx\n",
++                      dev->iobase);
++              return -ENODEV;
++      }
++
+       /* Init the 2815 */
+       outb(0x00, dev->iobase + DT2815_STATUS);
+       for (i = 0; i < 100; i++) {
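Review bot: The presence test added before `/* Init the 2815 */` only rules out an empty bus: anything else that answers at the caller-chosen `dev->iobase` with a status byte other than 0xff still receives the `outb(0x00, ...)` that follows, and the commit message says that address can be set to arbitrary values through COMEDI_DEVCONFIG. The comment should say this is a heuristic, e.g. `/* 0xff means nothing answered; any other value does not prove a DT2815 is at this address. */`. The check sits after the range-type setup visible in the context lines; if nothing before it needs that setup (the start of `dt2815_attach()` is outside the hunk), running it as soon as `dev->iobase` is valid would fail earlier.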
diff --git a/queue-6.19/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch b/queue-6.19/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch
new file mode 100644 (file)
index 0000000..6f2187e
--- /dev/null
@@ -0,0 +1,65 @@
+From 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 5 Feb 2026 13:39:49 +0000
+Subject: comedi: me4000: Fix potential overrun of firmware buffer
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 upstream.
+
+`me4000_xilinx_download()` loads the firmware that was requested by
+`request_firmware()`.  It is possible for it to overrun the source
+buffer because it blindly trusts the file format.  It reads a data
+stream length from the first 4 bytes into variable `file_length` and
+reads the data stream contents of length `file_length` from offset 16
+onwards.
+
+Add a test to ensure that the supplied firmware is long enough to
+contain the header and the data stream.  On failure, log an error and
+return `-EINVAL`.
+
+Note: The firmware loading was totally broken before commit ac584af59945
+("staging: comedi: me4000: fix firmware downloading"), but that is the
+most sensible target for this fix.
+
+Fixes: ac584af59945 ("staging: comedi: me4000: fix firmware downloading")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260205133949.71722-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/me4000.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/comedi/drivers/me4000.c
++++ b/drivers/comedi/drivers/me4000.c
+@@ -315,6 +315,18 @@ static int me4000_xilinx_download(struct
+       unsigned int val;
+       unsigned int i;
++      /* Get data stream length from header. */
++      if (size >= 4) {
++              file_length = (((unsigned int)data[0] & 0xff) << 24) +
++                            (((unsigned int)data[1] & 0xff) << 16) +
++                            (((unsigned int)data[2] & 0xff) << 8) +
++                            ((unsigned int)data[3] & 0xff);
++      }
++      if (size < 16 || file_length > size - 16) {
++              dev_err(dev->class_dev, "Firmware length inconsistency\n");
++              return -EINVAL;
++      }
++
+       if (!xilinx_iobase)
+               return -ENODEV;
+@@ -346,10 +358,6 @@ static int me4000_xilinx_download(struct
+       outl(val, devpriv->plx_regbase + PLX9052_CNTRL);
+       /* Download Xilinx firmware */
+-      file_length = (((unsigned int)data[0] & 0xff) << 24) +
+-                    (((unsigned int)data[1] & 0xff) << 16) +
+-                    (((unsigned int)data[2] & 0xff) << 8) +
+-                    ((unsigned int)data[3] & 0xff);
+       usleep_range(10, 1000);
+       for (i = 0; i < file_length; i++) {
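Review bot: In `me4000_xilinx_download()` the `if (size >= 4)` guard leaves `file_length` unassigned for shorter input and depends on the short-circuit in `size < 16 || file_length > size - 16` to avoid reading it. That is correct as written, but it is fragile under later edits and can draw maybe-uninitialized warnings. Testing `size < 16` on its own first, parsing the length, and then testing `file_length > size - 16` removes the dependency on evaluation order. The four-line shift-and-add could also become `file_length = get_unaligned_be32(data);`. The me_daq hunk for `me2600_xilinx_download()` uses the same guard structure, so the same applies there.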
diff --git a/queue-6.19/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch b/queue-6.19/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch
new file mode 100644 (file)
index 0000000..f0dc9e9
--- /dev/null
@@ -0,0 +1,82 @@
+From cc797d4821c754c701d9714b58bea947e31dbbe0 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 5 Feb 2026 14:01:30 +0000
+Subject: comedi: me_daq: Fix potential overrun of firmware buffer
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit cc797d4821c754c701d9714b58bea947e31dbbe0 upstream.
+
+`me2600_xilinx_download()` loads the firmware that was requested by
+`request_firmware()`.  It is possible for it to overrun the source
+buffer because it blindly trusts the file format.  It reads a data
+stream length from the first 4 bytes into variable `file_length` and
+reads the data stream contents of length `file_length` from offset 16
+onwards.  Although it checks that the supplied firmware is at least 16
+bytes long, it does not check that it is long enough to contain the data
+stream.
+
+Add a test to ensure that the supplied firmware is long enough to
+contain the header and the data stream.  On failure, log an error and
+return `-EINVAL`.
+
+Fixes: 85acac61096f9 ("Staging: comedi: add me_daq driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260205140130.76697-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/me_daq.c |   35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+--- a/drivers/comedi/drivers/me_daq.c
++++ b/drivers/comedi/drivers/me_daq.c
+@@ -344,6 +344,25 @@ static int me2600_xilinx_download(struct
+       unsigned int file_length;
+       unsigned int i;
++      /*
++       * Format of the firmware
++       * Build longs from the byte-wise coded header
++       * Byte 1-3:   length of the array
++       * Byte 4-7:   version
++       * Byte 8-11:  date
++       * Byte 12-15: reserved
++       */
++      if (size >= 4) {
++              file_length = (((unsigned int)data[0] & 0xff) << 24) +
++                            (((unsigned int)data[1] & 0xff) << 16) +
++                            (((unsigned int)data[2] & 0xff) << 8) +
++                            ((unsigned int)data[3] & 0xff);
++      }
++      if (size < 16 || file_length > size - 16) {
++              dev_err(dev->class_dev, "Firmware length inconsistency\n");
++              return -EINVAL;
++      }
++
+       /* disable irq's on PLX */
+       writel(0x00, devpriv->plx_regbase + PLX9052_INTCSR);
+@@ -358,22 +377,6 @@ static int me2600_xilinx_download(struct
+       sleep(1);
+       /*
+-       * Format of the firmware
+-       * Build longs from the byte-wise coded header
+-       * Byte 1-3:   length of the array
+-       * Byte 4-7:   version
+-       * Byte 8-11:  date
+-       * Byte 12-15: reserved
+-       */
+-      if (size < 16)
+-              return -EINVAL;
+-
+-      file_length = (((unsigned int)data[0] & 0xff) << 24) +
+-          (((unsigned int)data[1] & 0xff) << 16) +
+-          (((unsigned int)data[2] & 0xff) << 8) +
+-          ((unsigned int)data[3] & 0xff);
+-
+-      /*
+        * Loop for writing firmware byte by byte to xilinx
+        * Firmware data start at offset 16
+        */
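Review bot: The header-format comment moved to the top of `me2600_xilinx_download()` still says `Byte 1-3:   length of the array`, but the code directly below it builds `file_length` from `data[0]` through `data[3]`, and the remaining fields in the comment are numbered from a zero-based offset (4-7, 8-11, 12-15). Since this comment now documents the bounds check that protects the download loop, it should match the code: `Byte 0-3:   length of the data stream (big-endian)`.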
diff --git a/queue-6.19/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch b/queue-6.19/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch
new file mode 100644 (file)
index 0000000..3c9992f
--- /dev/null
@@ -0,0 +1,47 @@
+From 101ab946b79ad83b36d5cfd47de587492a80acf0 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 28 Jan 2026 15:00:10 +0000
+Subject: comedi: ni_atmio16d: Fix invalid clean-up after failed attach
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 101ab946b79ad83b36d5cfd47de587492a80acf0 upstream.
+
+If the driver's COMEDI "attach" handler function (`atmio16d_attach()`)
+returns an error, the COMEDI core will call the driver's "detach"
+handler function (`atmio16d_detach()`) to clean up.  This calls
+`reset_atmio16d()` unconditionally, but depending on where the error
+occurred in the attach handler, the device may not have been
+sufficiently initialized to call `reset_atmio16d()`.  It uses
+`dev->iobase` as the I/O port base address and `dev->private` as the
+pointer to the COMEDI device's private data structure.  `dev->iobase`
+may still be set to its initial value of 0, which would result in
+undesired writes to low I/O port addresses.  `dev->private` may still be
+`NULL`, which would result in null pointer dereferences.
+
+Fix `atmio16d_detach()` by checking that `dev->private` is valid
+(non-null) before calling `reset_atmio16d()`.  This implies that
+`dev->iobase` was set correctly since that is set up before
+`dev->private`.
+
+Fixes: 2323b276308a ("Staging: comedi: add ni_at_atmio16d driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260128150011.5006-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/ni_atmio16d.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/comedi/drivers/ni_atmio16d.c
++++ b/drivers/comedi/drivers/ni_atmio16d.c
+@@ -698,7 +698,8 @@ static int atmio16d_attach(struct comedi
+ static void atmio16d_detach(struct comedi_device *dev)
+ {
+-      reset_atmio16d(dev);
++      if (dev->private)
++              reset_atmio16d(dev);
+       comedi_legacy_detach(dev);
+ }
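Review bot: The new `if (dev->private)` guard in `atmio16d_detach()` has no comment explaining why the private pointer is the right thing to test, and the reasoning lives only in the commit message: `reset_atmio16d()` uses both `dev->iobase` and `dev->private`, and the attach handler sets the former before the latter. A comment on the guard would keep that ordering assumption visible to whoever next reorders `atmio16d_attach()`, for example `/* private is set up after iobase in attach, so non-NULL means both are valid */`.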
diff --git a/queue-6.19/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch b/queue-6.19/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch
new file mode 100644 (file)
index 0000000..652e8cb
--- /dev/null
@@ -0,0 +1,54 @@
+From 4b9a9a6d71e3e252032f959fb3895a33acb5865c Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 25 Feb 2026 13:24:27 +0000
+Subject: comedi: Reinit dev->spinlock between attachments to low-level drivers
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 4b9a9a6d71e3e252032f959fb3895a33acb5865c upstream.
+
+`struct comedi_device` is the main controlling structure for a COMEDI
+device created by the COMEDI subsystem.  It contains a member `spinlock`
+containing a spin-lock that is initialized by the COMEDI subsystem, but
+is reserved for use by a low-level driver attached to the COMEDI device
+(at least since commit 25436dc9d84f ("Staging: comedi: remove RT
+code")).
+
+Some COMEDI devices (those created on initialization of the COMEDI
+subsystem when the "comedi.comedi_num_legacy_minors" parameter is
+non-zero) can be attached to different low-level drivers over their
+lifetime using the `COMEDI_DEVCONFIG` ioctl command.  This can result in
+inconsistent lock states being reported when there is a mismatch in the
+spin-lock locking levels used by each low-level driver to which the
+COMEDI device has been attached.  Fix it by reinitializing
+`dev->spinlock` before calling the low-level driver's `attach` function
+pointer if `CONFIG_LOCKDEP` is enabled.
+
+Reported-by: syzbot+cc9f7f4a7df09f53c4a4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cc9f7f4a7df09f53c4a4
+Fixes: ed9eccbe8970 ("Staging: add comedi core")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260225132427.86578-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/comedi/drivers.c
++++ b/drivers/comedi/drivers.c
+@@ -1063,6 +1063,14 @@ int comedi_device_attach(struct comedi_d
+               ret = -EIO;
+               goto out;
+       }
++      if (IS_ENABLED(CONFIG_LOCKDEP)) {
++              /*
++               * dev->spinlock is for private use by the attached low-level
++               * driver.  Reinitialize it to stop lock-dependency tracking
++               * between attachments to different low-level drivers.
++               */
++              spin_lock_init(&dev->spinlock);
++      }
+       dev->driver = driv;
+       dev->board_name = dev->board_ptr ? *(const char **)dev->board_ptr
+                                        : dev->driver->driver_name;
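Review bot: Re-running `spin_lock_init(&dev->spinlock)` in `comedi_device_attach()` is only safe if nothing can hold or spin on that lock at this point, and the hunk does not show what guarantees it. Presumably no low-level driver is attached yet and the caller serialises attach, but both facts are outside the hunk. The added comment explains why the reinit is wanted but not why it is safe; a sentence such as `No driver is attached at this point, so the lock cannot be held.` would record the precondition, once confirmed against the rest of the function.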
diff --git a/queue-6.19/comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch b/queue-6.19/comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch
new file mode 100644 (file)
index 0000000..03058dd
--- /dev/null
@@ -0,0 +1,65 @@
+From 29f644f14b89e6c4965e3c89251929e451190a66 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Tue, 10 Mar 2026 11:11:04 +0000
+Subject: comedi: runflags cannot determine whether to reclaim chanlist
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 29f644f14b89e6c4965e3c89251929e451190a66 upstream.
+
+syzbot reported a memory leak [1], because commit 4e1da516debb ("comedi:
+Add reference counting for Comedi command handling") did not consider
+the exceptional exit case in do_cmd_ioctl() where runflags is not set.
+This caused chanlist not to be properly freed by do_become_nonbusy(),
+as it only frees chanlist when runflags is correctly set.
+
+Added a check in do_become_nonbusy() for the case where runflags is not
+set, to properly free the chanlist memory.
+
+[1]
+BUG: memory leak
+  backtrace (crc 844a0efa):
+    __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
+    do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
+    do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
+
+Fixes: 4e1da516debb ("comedi: Add reference counting for Comedi command handling")
+Reported-by: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Cc: stable <stable@kernel.org> # 6.19
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260310111104.70959-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/comedi_fops.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
+index 48a8a607a84c..0df9f4636fb6 100644
+--- a/drivers/comedi/comedi_fops.c
++++ b/drivers/comedi/comedi_fops.c
+@@ -793,13 +793,15 @@ static void do_become_nonbusy(struct comedi_device *dev,
+       __comedi_clear_subdevice_runflags(s, COMEDI_SRF_RUNNING |
+                                            COMEDI_SRF_BUSY);
+       spin_unlock_irqrestore(&s->spin_lock, flags);
+-      if (comedi_is_runflags_busy(runflags)) {
++      if (async) {
+               /*
+                * "Run active" counter was set to 1 when setting up the
+                * command.  Decrement it and wait for it to become 0.
+                */
+-              comedi_put_is_subdevice_running(s);
+-              wait_for_completion(&async->run_complete);
++              if (comedi_is_runflags_busy(runflags)) {
++                      comedi_put_is_subdevice_running(s);
++                      wait_for_completion(&async->run_complete);
++              }
+               comedi_buf_reset(s);
+               async->inttrig = NULL;
+               kfree(async->cmd.chanlist);
+-- 
+2.53.0
+
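Review bot: With the outer test changed to `if (async)`, the `comedi_buf_reset(s)`, `async->inttrig = NULL` and `kfree(async->cmd.chanlist)` lines in `do_become_nonbusy()` now run on every call with a non-NULL `async`, not only when the busy flag was set. That is safe against a repeated call only if `async->cmd.chanlist` is cleared after the `kfree()`; the hunk ends on the `kfree()` line, so this should be confirmed in the lines that follow. The existing comment about the "Run active" counter now sits above the outer block although it describes only the inner `if (comedi_is_runflags_busy(runflags))`; moving it inside that inner block would keep it accurate.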
diff --git a/queue-6.19/dt-bindings-connector-add-pd-disable-dependency.patch b/queue-6.19/dt-bindings-connector-add-pd-disable-dependency.patch
new file mode 100644 (file)
index 0000000..aa7a90c
--- /dev/null
@@ -0,0 +1,32 @@
+From 269c26464dcf8b54b0dd9c333721c30ee44ae297 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Mon, 30 Mar 2026 14:35:18 +0800
+Subject: dt-bindings: connector: add pd-disable dependency
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 269c26464dcf8b54b0dd9c333721c30ee44ae297 upstream.
+
+When Power Delivery is not supported, the source is unable to obtain the
+current capability from the Source PDO. As a result, typec-power-opmode
+needs to be added to advertise such capability.
+
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://patch.msgid.link/20260330063518.719345-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/connector/usb-connector.yaml |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/connector/usb-connector.yaml
++++ b/Documentation/devicetree/bindings/connector/usb-connector.yaml
+@@ -301,6 +301,7 @@ properties:
+     maxItems: 4
+ dependencies:
++  pd-disable: [typec-power-opmode]
+   sink-vdos-v1: [ sink-vdos ]
+   sink-vdos: [ sink-vdos-v1 ]
diff --git a/queue-6.19/firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch b/queue-6.19/firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch
new file mode 100644 (file)
index 0000000..ab18736
--- /dev/null
@@ -0,0 +1,53 @@
+From c7596f9001e2b83293e3658e4e1addde69bb335d Mon Sep 17 00:00:00 2001
+From: Conor Dooley <conor.dooley@microchip.com>
+Date: Tue, 3 Mar 2026 11:24:06 +0000
+Subject: firmware: microchip: fail auto-update probe if no flash found
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+commit c7596f9001e2b83293e3658e4e1addde69bb335d upstream.
+
+There's no point letting the driver probe if there is no flash, as
+trying to do a firmware upload will fail. Move the code that attempts
+to get the flash from firmware upload to probe, and let it emit a
+message to users stating why auto-update is not supported.
+The code currently could have a problem if there's a flash in
+devicetree, but the system controller driver fails to get a pointer to
+it from the mtd subsystem, which will cause
+mpfs_sys_controller_get_flash() to return an error. Check for errors and
+null, instead of just null, in the new clause.
+
+CC: stable@vger.kernel.org
+Fixes: ec5b0f1193ad4 ("firmware: microchip: add PolarFire SoC Auto Update support")
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/microchip/mpfs-auto-update.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/firmware/microchip/mpfs-auto-update.c
++++ b/drivers/firmware/microchip/mpfs-auto-update.c
+@@ -113,10 +113,6 @@ static enum fw_upload_err mpfs_auto_upda
+        * be added here.
+        */
+-      priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller);
+-      if (!priv->flash)
+-              return FW_UPLOAD_ERR_HW_ERROR;
+-
+       erase_size = round_up(erase_size, (u64)priv->flash->erasesize);
+       /*
+@@ -427,6 +423,12 @@ static int mpfs_auto_update_probe(struct
+               return dev_err_probe(dev, PTR_ERR(priv->sys_controller),
+                                    "Could not register as a sub device of the system controller\n");
++      priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller);
++      if (IS_ERR_OR_NULL(priv->flash)) {
++              dev_dbg(dev, "No flash connected to the system controller, auto-update not supported\n");
++              return -ENODEV;
++      }
++
+       priv->dev = dev;
+       platform_set_drvdata(pdev, priv);
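Review bot: In `mpfs_auto_update_probe()` the new `IS_ERR_OR_NULL(priv->flash)` check folds every failure of `mpfs_sys_controller_get_flash()` into `-ENODEV`, discarding the code carried by an error pointer. The reason is logged with `dev_dbg()`, which is not emitted unless debugging is enabled, although the commit message says the aim is to tell users why auto-update is unsupported. Splitting the cases would keep both pieces of information, e.g. `if (IS_ERR(priv->flash)) return dev_err_probe(dev, PTR_ERR(priv->flash), "Could not get flash\n");` and then a NULL branch that logs with `dev_info()` before returning `-ENODEV`. In the upload-path hunk, `priv->flash->erasesize` is now dereferenced with no local check, which is sound only because probe refuses to bind without a flash; a one-line comment there would record that dependency.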
diff --git a/queue-6.19/gpib-fix-fluke-driver-s390-compile-issue.patch b/queue-6.19/gpib-fix-fluke-driver-s390-compile-issue.patch
new file mode 100644 (file)
index 0000000..5e17d6d
--- /dev/null
@@ -0,0 +1,50 @@
+From 579af7204d762587f9cce0d6236a710a771f1f6f Mon Sep 17 00:00:00 2001
+From: Dave Penkler <dpenkler@gmail.com>
+Date: Mon, 2 Feb 2026 10:47:55 +0100
+Subject: gpib: Fix fluke driver s390 compile issue
+
+From: Dave Penkler <dpenkler@gmail.com>
+
+commit 579af7204d762587f9cce0d6236a710a771f1f6f upstream.
+
+The following errors were reported for a s390 randconfig build
+of the fluke gpib driver:
+
+>> drivers/gpib/eastwood/fluke_gpib.c:1002:23: error: call to undeclared function 'ioremap'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
+    1002 |         nec_priv->mmiobase = ioremap(e_priv->gpib_iomem_res->start,
+         |                              ^
+>> drivers/gpib/eastwood/fluke_gpib.c:1002:21: error: incompatible integer to pointer conversion assigning to 'void *' from 'int' [-Wint-conversion]
+    1002 |         nec_priv->mmiobase = ioremap(e_priv->gpib_iomem_res->start,
+         |                            ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    1003 |                                      resource_size(e_priv->gpib_iomem_res));
+         |                                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+   drivers/gpib/eastwood/fluke_gpib.c:1036:33: error: incompatible integer to pointer conversion assigning to 'void *' from 'int' [-Wint-conversion]
+    1036 |         e_priv->write_transfer_counter = ioremap(e_priv->write_transfer_counter_res->start,
+         |                                        ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    1037 |                                                  resource_size(e_priv->write_transfer_counter_res));
+         |                                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add HAS_IOMEM dependency to Kconfig for fluke driver option
+
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202601221748.AFAqHieJ-lkp@intel.com/
+Fixes: baf8855c9160 ("staging: gpib: fix address space mixup")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Dave Penkler <dpenkler@gmail.com>
+Link: https://patch.msgid.link/20260202094755.4259-1-dpenkler@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpib/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpib/Kconfig
++++ b/drivers/gpib/Kconfig
+@@ -122,6 +122,7 @@ config GPIB_FLUKE
+       depends on OF
+        select GPIB_COMMON
+        select GPIB_NEC7210
++       depends on HAS_IOMEM
+        help
+          GPIB driver for Fluke based cda devices.
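Review bot: The added `depends on HAS_IOMEM` sits below the two `select` lines, separated from the existing `depends on OF` at the top of the GPIB_FLUKE entry. Kconfig entries are easier to audit when all dependencies are listed together ahead of the selects, so I would write it as `depends on OF && HAS_IOMEM` or move the new line directly under `depends on OF`. The behaviour is the same either way.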
diff --git a/queue-6.19/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch b/queue-6.19/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch
new file mode 100644 (file)
index 0000000..3570357
--- /dev/null
@@ -0,0 +1,41 @@
+From 9862ef9ab0a116c6dca98842aab7de13a252ae02 Mon Sep 17 00:00:00 2001
+From: Yifan Wu <yifanwucs@gmail.com>
+Date: Mon, 30 Mar 2026 14:39:24 -0700
+Subject: netfilter: ipset: drop logically empty buckets in mtype_del
+
+From: Yifan Wu <yifanwucs@gmail.com>
+
+commit 9862ef9ab0a116c6dca98842aab7de13a252ae02 upstream.
+
+mtype_del() counts empty slots below n->pos in k, but it only drops the
+bucket when both n->pos and k are zero. This misses buckets whose live
+entries have all been removed while n->pos still points past deleted slots.
+
+Treat a bucket as empty when all positions below n->pos are unused and
+release it directly instead of shrinking it further.
+
+Fixes: 8af1c6fbd923 ("netfilter: ipset: Fix forceadd evaluation path")
+Cc: stable@vger.kernel.org
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <dstsmallbird@foxmail.com>
+Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Reviewed-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipset/ip_set_hash_gen.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -1099,7 +1099,7 @@ mtype_del(struct ip_set *set, void *valu
+                       if (!test_bit(i, n->used))
+                               k++;
+               }
+-              if (n->pos == 0 && k == 0) {
++              if (k == n->pos) {
+                       t->hregion[r].ext_size -= ext_size(n->size, dsize);
+                       rcu_assign_pointer(hbucket(t, key), NULL);
+                       kfree_rcu(n, rcu);
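Review bot: The new test `if (k == n->pos)` in mtype_del() carries no comment, and it is not obvious that it still covers the old `n->pos == 0 && k == 0` case (both sides are zero for a bucket with no slots in use). A one-line comment above it, for example `/* every slot below n->pos is unused: the bucket is logically empty */`, would keep a later edit from narrowing the condition again. Because this branch publishes NULL with rcu_assign_pointer() and hands the bucket to kfree_rcu(), it is also worth confirming that nothing after the branch still touches `n`; the rest of the function is outside the hunk.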
diff --git a/queue-6.19/nvmem-imx-assign-nvmem_cell_info-raw_len.patch b/queue-6.19/nvmem-imx-assign-nvmem_cell_info-raw_len.patch
new file mode 100644 (file)
index 0000000..5d063b1
--- /dev/null
@@ -0,0 +1,50 @@
+From 48b5163c957548f5854f14c90bfdedc33afbea3c Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Fri, 27 Mar 2026 13:16:44 +0000
+Subject: nvmem: imx: assign nvmem_cell_info::raw_len
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 48b5163c957548f5854f14c90bfdedc33afbea3c upstream.
+
+Avoid getting error messages at startup like the following on i.MX6ULL:
+
+nvmem imx-ocotp0: cell mac-addr raw len 6 unaligned to nvmem word size 4
+nvmem imx-ocotp0: cell mac-addr raw len 6 unaligned to nvmem word size 4
+
+This shouldn't cause any functional change as this alignment would
+otherwise be done in nvmem_cell_info_to_nvmem_cell_entry_nodup().
+
+Cc: stable@vger.kernel.org
+Fixes: 13bcd440f2ff ("nvmem: core: verify cell's raw_len")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260327131645.3025781-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/imx-ocotp-ele.c |    1 +
+ drivers/nvmem/imx-ocotp.c     |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -131,6 +131,7 @@ static int imx_ocotp_cell_pp(void *conte
+ static void imx_ocotp_fixup_dt_cell_info(struct nvmem_device *nvmem,
+                                        struct nvmem_cell_info *cell)
+ {
++      cell->raw_len = round_up(cell->bytes, 4);
+       cell->read_post_process = imx_ocotp_cell_pp;
+ }
+--- a/drivers/nvmem/imx-ocotp.c
++++ b/drivers/nvmem/imx-ocotp.c
+@@ -589,6 +589,7 @@ MODULE_DEVICE_TABLE(of, imx_ocotp_dt_ids
+ static void imx_ocotp_fixup_dt_cell_info(struct nvmem_device *nvmem,
+                                        struct nvmem_cell_info *cell)
+ {
++      cell->raw_len = round_up(cell->bytes, 4);
+       cell->read_post_process = imx_ocotp_cell_pp;
+ }
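Review bot: The literal `4` in `cell->raw_len = round_up(cell->bytes, 4);` repeats the nvmem word size that the core checks against (the log line in the description reads "nvmem word size 4"), and the same line is added to imx_ocotp_fixup_dt_cell_info() in both imx-ocotp-ele.c and imx-ocotp.c. Taking the value from whatever the driver registers as its word size, or from one named constant, would keep the rounding and the core's check from drifting apart; whether such a constant already exists is not visible in these hunks. At minimum a comment such as `/* raw_len must be a multiple of the nvmem word size */` would record why the rounding is there.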
diff --git a/queue-6.19/nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch b/queue-6.19/nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch
new file mode 100644 (file)
index 0000000..d149cf0
--- /dev/null
@@ -0,0 +1,64 @@
+From f9b88613ff402aa6fe8fd020573cb95867ae947e Mon Sep 17 00:00:00 2001
+From: Ivan Vera <ivanverasantos@gmail.com>
+Date: Fri, 27 Mar 2026 13:16:45 +0000
+Subject: nvmem: zynqmp_nvmem: Fix buffer size in DMA and memcpy
+
+From: Ivan Vera <ivanverasantos@gmail.com>
+
+commit f9b88613ff402aa6fe8fd020573cb95867ae947e upstream.
+
+Buffer size used in dma allocation and memcpy is wrong.
+It can lead to undersized DMA buffer access and possible
+memory corruption. use correct buffer size in dma_alloc_coherent
+and memcpy.
+
+Fixes: 737c0c8d07b5 ("nvmem: zynqmp_nvmem: Add support to access efuse")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Vera <ivanverasantos@gmail.com>
+Signed-off-by: Harish Ediga <harish.ediga@amd.com>
+Signed-off-by: Harsh Jain <h.jain@amd.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260327131645.3025781-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/zynqmp_nvmem.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/nvmem/zynqmp_nvmem.c
++++ b/drivers/nvmem/zynqmp_nvmem.c
+@@ -66,7 +66,7 @@ static int zynqmp_efuse_access(void *con
+       dma_addr_t dma_buf;
+       size_t words = bytes / WORD_INBYTES;
+       int ret;
+-      int value;
++      unsigned int value;
+       char *data;
+       if (bytes % WORD_INBYTES != 0) {
+@@ -80,7 +80,7 @@ static int zynqmp_efuse_access(void *con
+       }
+       if (pufflag == 1 && flag == EFUSE_WRITE) {
+-              memcpy(&value, val, bytes);
++              memcpy(&value, val, sizeof(value));
+               if ((offset == EFUSE_PUF_START_OFFSET ||
+                    offset == EFUSE_PUF_MID_OFFSET) &&
+                   value & P_USER_0_64_UPPER_MASK) {
+@@ -100,7 +100,7 @@ static int zynqmp_efuse_access(void *con
+       if (!efuse)
+               return -ENOMEM;
+-      data = dma_alloc_coherent(dev, sizeof(bytes),
++      data = dma_alloc_coherent(dev, bytes,
+                                 &dma_buf, GFP_KERNEL);
+       if (!data) {
+               ret = -ENOMEM;
+@@ -134,7 +134,7 @@ static int zynqmp_efuse_access(void *con
+       if (flag == EFUSE_READ)
+               memcpy(val, data, bytes);
+ efuse_access_err:
+-      dma_free_coherent(dev, sizeof(bytes),
++      dma_free_coherent(dev, bytes,
+                         data, dma_buf);
+ efuse_data_fail:
+       dma_free_coherent(dev, sizeof(struct xilinx_efuse),
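Review bot: `memcpy(&value, val, sizeof(value));` now always reads `sizeof(value)` bytes from `val`, but the only length check visible in these hunks is `bytes % WORD_INBYTES != 0`, which a zero-length request passes. If nothing earlier in zynqmp_efuse_access() or in the nvmem core rules out `bytes == 0` (not visible here), that copy would read past the caller's buffer and `dma_alloc_coherent(dev, bytes, ...)` would be asked for a zero-sized allocation. An early `if (!bytes) return -EINVAL;` next to the alignment check would close both. The function starts and ends outside the hunks.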
diff --git a/queue-6.19/pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch b/queue-6.19/pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch
new file mode 100644 (file)
index 0000000..3a1443d
--- /dev/null
@@ -0,0 +1,50 @@
+From 9badc2a84e688be1275bb740942d5f6f51746908 Mon Sep 17 00:00:00 2001
+From: Changwoo Min <changwoo@igalia.com>
+Date: Sun, 29 Mar 2026 16:36:15 +0900
+Subject: PM: EM: Fix NULL pointer dereference when perf domain ID is not found
+
+From: Changwoo Min <changwoo@igalia.com>
+
+commit 9badc2a84e688be1275bb740942d5f6f51746908 upstream.
+
+dev_energymodel_nl_get_perf_domains_doit() calls
+em_perf_domain_get_by_id() but does not check the return value before
+passing it to __em_nl_get_pd_size(). When a caller supplies a
+non-existent perf domain ID, em_perf_domain_get_by_id() returns NULL,
+and __em_nl_get_pd_size() immediately dereferences pd->cpus
+(struct offset 0x30), causing a NULL pointer dereference.
+
+The sister handler dev_energymodel_nl_get_perf_table_doit() already
+handles this correctly via __em_nl_get_pd_table_id(), which returns
+NULL and causes the caller to return -EINVAL. Add the same NULL check
+in the get-perf-domains do handler.
+
+Fixes: 380ff27af25e ("PM: EM: Add dump to get-perf-domains in the EM YNL spec")
+Reported-by: Yi Lai <yi1.lai@linux.intel.com>
+Closes: https://lore.kernel.org/lkml/aXiySM79UYfk+ytd@ly-workstation/
+Signed-off-by: Changwoo Min <changwoo@igalia.com>
+Cc: 6.19+ <stable@vger.kernel.org> # 6.19+
+[ rjw: Subject and changelog edits ]
+Link: https://patch.msgid.link/20260329073615.649976-1-changwoo@igalia.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/power/em_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/power/em_netlink.c b/kernel/power/em_netlink.c
+index 5a611d3950fd..4d4fd29bd2be 100644
+--- a/kernel/power/em_netlink.c
++++ b/kernel/power/em_netlink.c
+@@ -109,6 +109,8 @@ int dev_energymodel_nl_get_perf_domains_doit(struct sk_buff *skb,
+       id = nla_get_u32(info->attrs[DEV_ENERGYMODEL_A_PERF_DOMAIN_PERF_DOMAIN_ID]);
+       pd = em_perf_domain_get_by_id(id);
++      if (!pd)
++              return -EINVAL;
+       __em_nl_get_pd_size(pd, &msg_sz);
+       msg = genlmsg_new(msg_sz, GFP_KERNEL);
+-- 
+2.53.0
+
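Review bot: The added `if (!pd) return -EINVAL;` gives userspace no way to tell an unknown perf domain ID from any other invalid request. Setting an extended-ack message before returning, for example `NL_SET_ERR_MSG(info->extack, "unknown perf domain ID");`, would make the failure self-explanatory to the caller and in traces; the wording is only a suggestion. The handler's body starts and ends outside the hunk, so whether the sister handler named in the description reports one is not visible here.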
diff --git a/queue-6.19/reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch b/queue-6.19/reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch
new file mode 100644 (file)
index 0000000..217a339
--- /dev/null
@@ -0,0 +1,44 @@
+From fbffb8c7c7bb4d38e9f65e0bee446685011de5d8 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Sat, 21 Mar 2026 15:42:40 +0800
+Subject: reset: gpio: fix double free in reset_add_gpio_aux_device() error path
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit fbffb8c7c7bb4d38e9f65e0bee446685011de5d8 upstream.
+
+When __auxiliary_device_add() fails, reset_add_gpio_aux_device()
+calls auxiliary_device_uninit(adev).
+
+The device release callback reset_gpio_aux_device_release() frees
+adev, but the current error path then calls kfree(adev) again,
+causing a double free.
+
+Keep kfree(adev) for the auxiliary_device_init() failure path, but
+avoid freeing adev after auxiliary_device_uninit().
+
+Fixes: 5fc4e4cf7a22 ("reset: gpio: use software nodes to setup the GPIO lookup")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/reset/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/reset/core.c b/drivers/reset/core.c
+index fceec45c8afc..352c2360603b 100644
+--- a/drivers/reset/core.c
++++ b/drivers/reset/core.c
+@@ -856,7 +856,6 @@ static int reset_add_gpio_aux_device(struct device *parent,
+       ret = __auxiliary_device_add(adev, "reset");
+       if (ret) {
+               auxiliary_device_uninit(adev);
+-              kfree(adev);
+               return ret;
+       }
+-- 
+2.53.0
+
diff --git a/queue-6.19/s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch b/queue-6.19/s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch
new file mode 100644 (file)
index 0000000..fd74284
--- /dev/null
@@ -0,0 +1,57 @@
+From 57ad0d4a00f5d3e80f33ba2da8d560c73d83dc22 Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Fri, 6 Mar 2026 13:50:31 +0100
+Subject: s390/cpum_sf: Cap sampling rate to prevent lsctl exception
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+commit 57ad0d4a00f5d3e80f33ba2da8d560c73d83dc22 upstream.
+
+commit fcc43a7e294f ("s390/configs: Set HZ=1000") changed the interrupt
+frequency of the system. On machines with heavy load and many perf event
+overflows, this might lead to an exception. Dmesg displays these entries:
+  [112.242542] cpum_sf: Loading sampling controls failed: op 1 err -22
+One line per CPU online.
+
+The root cause is the CPU Measurement sampling facility overflow
+adjustment. Whenever an overflow (too much samples per tick) occurs, the
+sampling rate is adjusted and increased. This was done without observing
+the maximum sampling rate limit. When the current sampling interval is
+higher than the maximum sampling rate limit, the lsctl instruction raises
+an exception. The error messages is the result of such an exception.
+Observe the upper limit when the new sampling rate is recalculated.
+
+Cc: stable@vger.kernel.org
+Fixes: 39d4a501a9ef ("s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits")
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1168,6 +1168,7 @@ static void hw_collect_samples(struct pe
+ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ {
+       unsigned long long event_overflow, sampl_overflow, num_sdb;
++      struct cpu_hw_sf *cpuhw = this_cpu_ptr(&cpu_hw_sf);
+       struct hw_perf_event *hwc = &event->hw;
+       union hws_trailer_header prev, new;
+       struct hws_trailer_entry *te;
+@@ -1247,8 +1248,11 @@ static void hw_perf_event_update(struct
+        * are dropped.
+        * Slightly increase the interval to avoid hitting this limit.
+        */
+-      if (event_overflow)
++      if (event_overflow) {
+               SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10);
++              if (SAMPL_RATE(hwc) > cpuhw->qsi.max_sampl_rate)
++                      SAMPL_RATE(hwc) = cpuhw->qsi.max_sampl_rate;
++      }
+ }
+ static inline unsigned long aux_sdb_index(struct aux_buffer *aux,
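Review bot: The comment above the changed block in hw_perf_event_update() still only says "Slightly increase the interval" and does not mention the new clamp to `cpuhw->qsi.max_sampl_rate`. I would add a line such as `* Never exceed qsi.max_sampl_rate, lsctl rejects larger intervals.` so the reason given in the commit message stays with the code. The two added lines could also be written as one clamp, `SAMPL_RATE(hwc) = min(SAMPL_RATE(hwc), cpuhw->qsi.max_sampl_rate);`, provided both operands have the same type, which the hunk does not show.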
diff --git a/queue-6.19/s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch b/queue-6.19/s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch
new file mode 100644 (file)
index 0000000..1b5801e
--- /dev/null
@@ -0,0 +1,124 @@
+From c8d46f17c2fc7d25c18e60c008928aecab26184d Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Thu, 19 Mar 2026 09:06:52 +0100
+Subject: s390/zcrypt: Fix memory leak with CCA cards used as accelerator
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+commit c8d46f17c2fc7d25c18e60c008928aecab26184d upstream.
+
+Tests showed that there is a memory leak if CCA cards are used as
+accelerator for clear key RSA requests (ME and CRT). With the last
+rework for the memory allocation the AP messages are allocated by
+ap_init_apmsg() but for some reason on two places (ME and CRT) the
+older allocation was still in place. So the first allocation simple
+was never freed.
+
+Fixes: 57db62a130ce ("s390/ap/zcrypt: Rework AP message buffer allocation")
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Closes: https://lore.kernel.org/linux-s390/CAHj4cs9H67Uz0iVaRQv447p7JFPRPy3TKAT4=Y6_e=wSHCZM5w@mail.gmail.com/
+Reported-by: Nadja Hariz <Nadia.Hariz@ibm.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/zcrypt_msgtype6.c |   32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+--- a/drivers/s390/crypto/zcrypt_msgtype6.c
++++ b/drivers/s390/crypto/zcrypt_msgtype6.c
+@@ -953,6 +953,10 @@ static atomic_t zcrypt_step = ATOMIC_INI
+ /*
+  * The request distributor calls this function if it picked the CEXxC
+  * device to handle a modexpo request.
++ * This function assumes that ap_msg has been initialized with
++ * ap_init_apmsg() and thus a valid buffer with the size of
++ * ap_msg->bufsize is available within ap_msg. Also the caller has
++ * to make sure ap_release_apmsg() is always called even on failure.
+  * @zq: pointer to zcrypt_queue structure that identifies the
+  *    CEXxC device to the request distributor
+  * @mex: pointer to the modexpo request buffer
+@@ -964,21 +968,17 @@ static long zcrypt_msgtype6_modexpo(stru
+       struct ap_response_type *resp_type = &ap_msg->response;
+       int rc;
+-      ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
+-      if (!ap_msg->msg)
+-              return -ENOMEM;
+-      ap_msg->bufsize = PAGE_SIZE;
+       ap_msg->receive = zcrypt_msgtype6_receive;
+       ap_msg->psmid = (((unsigned long)current->pid) << 32) +
+               atomic_inc_return(&zcrypt_step);
+       rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
+       if (rc)
+-              goto out_free;
++              goto out;
+       resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
+       init_completion(&resp_type->work);
+       rc = ap_queue_message(zq->queue, ap_msg);
+       if (rc)
+-              goto out_free;
++              goto out;
+       rc = wait_for_completion_interruptible(&resp_type->work);
+       if (rc == 0) {
+               rc = ap_msg->rc;
+@@ -991,15 +991,17 @@ static long zcrypt_msgtype6_modexpo(stru
+               ap_cancel_message(zq->queue, ap_msg);
+       }
+-out_free:
+-      free_page((unsigned long)ap_msg->msg);
+-      ap_msg->msg = NULL;
++out:
+       return rc;
+ }
+ /*
+  * The request distributor calls this function if it picked the CEXxC
+  * device to handle a modexpo_crt request.
++ * This function assumes that ap_msg has been initialized with
++ * ap_init_apmsg() and thus a valid buffer with the size of
++ * ap_msg->bufsize is available within ap_msg. Also the caller has
++ * to make sure ap_release_apmsg() is always called even on failure.
+  * @zq: pointer to zcrypt_queue structure that identifies the
+  *    CEXxC device to the request distributor
+  * @crt: pointer to the modexpoc_crt request buffer
+@@ -1011,21 +1013,17 @@ static long zcrypt_msgtype6_modexpo_crt(
+       struct ap_response_type *resp_type = &ap_msg->response;
+       int rc;
+-      ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
+-      if (!ap_msg->msg)
+-              return -ENOMEM;
+-      ap_msg->bufsize = PAGE_SIZE;
+       ap_msg->receive = zcrypt_msgtype6_receive;
+       ap_msg->psmid = (((unsigned long)current->pid) << 32) +
+               atomic_inc_return(&zcrypt_step);
+       rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
+       if (rc)
+-              goto out_free;
++              goto out;
+       resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
+       init_completion(&resp_type->work);
+       rc = ap_queue_message(zq->queue, ap_msg);
+       if (rc)
+-              goto out_free;
++              goto out;
+       rc = wait_for_completion_interruptible(&resp_type->work);
+       if (rc == 0) {
+               rc = ap_msg->rc;
+@@ -1038,9 +1036,7 @@ static long zcrypt_msgtype6_modexpo_crt(
+               ap_cancel_message(zq->queue, ap_msg);
+       }
+-out_free:
+-      free_page((unsigned long)ap_msg->msg);
+-      ap_msg->msg = NULL;
++out:
+       return rc;
+ }
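Review bot: With the page free removed, the `out:` label in zcrypt_msgtype6_modexpo() and zcrypt_msgtype6_modexpo_crt() does nothing but `return rc;`, so the two `goto out;` in each function are plain returns behind a jump. Kernel style prefers returning directly when there is no cleanup, i.e. `if (rc) return rc;` at both sites with the label dropped. Separately, the buffer carrying the clear-key RSA request is now released only by the caller's ap_release_apmsg(); whether that path wipes the buffer before freeing it is not visible in this patch and is worth checking.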
index 1b0a6e014e11a5a4fbfccab97740286560bc6fe2..b5d6745e44d6c43c0e2d59edbeabcca0127cc86e 100644 (file)
@@ -248,3 +248,23 @@ usb-cdns3-gadget-fix-state-inconsistency-on-gadget-init-failure.patch
 usb-core-use-dedicated-spinlock-for-offload-state.patch
 x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch
 io_uring-protect-remaining-lockless-ctx-rings-access.patch
+auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch
+bridge-br_nd_send-validate-nd-option-lengths.patch
+cdc-acm-new-quirk-for-epson-hmd.patch
+comedi-dt2815-add-hardware-detection-to-prevent-crash.patch
+comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch
+comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch
+comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch
+comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch
+comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch
+firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch
+dt-bindings-connector-add-pd-disable-dependency.patch
+spi-cadence-qspi-fix-exec_mem_op-error-handling.patch
+s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch
+s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch
+reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch
+pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch
+nvmem-imx-assign-nvmem_cell_info-raw_len.patch
+nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch
+netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch
+gpib-fix-fluke-driver-s390-compile-issue.patch
diff --git a/queue-6.19/spi-cadence-qspi-fix-exec_mem_op-error-handling.patch b/queue-6.19/spi-cadence-qspi-fix-exec_mem_op-error-handling.patch
new file mode 100644 (file)
index 0000000..abcad09
--- /dev/null
@@ -0,0 +1,67 @@
+From 59e1be1278f064d7172b00473b7e0c453cb1ec52 Mon Sep 17 00:00:00 2001
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Date: Fri, 13 Mar 2026 14:52:31 +0100
+Subject: spi: cadence-qspi: Fix exec_mem_op error handling
+
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+
+commit 59e1be1278f064d7172b00473b7e0c453cb1ec52 upstream.
+
+cqspi_exec_mem_op() increments the runtime PM usage counter before all
+refcount checks are performed. If one of these checks fails, the function
+returns without dropping the PM reference.
+
+Move the pm_runtime_resume_and_get() call after the refcount checks so
+that runtime PM is only acquired when the operation can proceed and
+drop the inflight_ops refcount if the PM resume fails.
+
+Cc: stable@vger.kernel.org
+Fixes: 7446284023e8 ("spi: cadence-quadspi: Implement refcount to handle unbind during busy")
+Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Link: https://patch.msgid.link/20260313135236.46642-1-ghidoliemanuele@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -1478,14 +1478,6 @@ static int cqspi_exec_mem_op(struct spi_
+       if (refcount_read(&cqspi->inflight_ops) == 0)
+               return -ENODEV;
+-      if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) {
+-              ret = pm_runtime_resume_and_get(dev);
+-              if (ret) {
+-                      dev_err(&mem->spi->dev, "resume failed with %d\n", ret);
+-                      return ret;
+-              }
+-      }
+-
+       if (!refcount_read(&cqspi->refcount))
+               return -EBUSY;
+@@ -1497,6 +1489,14 @@ static int cqspi_exec_mem_op(struct spi_
+               return -EBUSY;
+       }
++      if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) {
++              ret = pm_runtime_resume_and_get(dev);
++              if (ret) {
++                      dev_err(&mem->spi->dev, "resume failed with %d\n", ret);
++                      goto dec_inflight_refcount;
++              }
++      }
++
+       ret = cqspi_mem_process(mem, op);
+       if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM)))
+@@ -1505,6 +1505,7 @@ static int cqspi_exec_mem_op(struct spi_
+       if (ret)
+               dev_err(&mem->spi->dev, "operation failed with %d\n", ret);
++dec_inflight_refcount:
+       if (refcount_read(&cqspi->inflight_ops) > 1)
+               refcount_dec(&cqspi->inflight_ops);
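Review bot: The quirk test `!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))` now guards both the moved pm_runtime_resume_and_get() block and the matching release after cqspi_mem_process(), and the two copies must stay identical for the PM usage count to balance. Evaluating it once into a local, for example `bool use_pm = !(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM));`, and testing `use_pm` at both sites would make that pairing explicit. cqspi_exec_mem_op() starts and ends outside the hunks, so the declaration would go with the other locals that are not shown here.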