--- /dev/null
+From 45424e871abf2a152e247a9cff78359f18dd95c0 Mon Sep 17 00:00:00 2001
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+Date: Sun, 29 Mar 2026 16:38:25 +0300
+Subject: ALSA: caiaq: fix stack out-of-bounds read in init_card
+
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+
+commit 45424e871abf2a152e247a9cff78359f18dd95c0 upstream.
+
+The loop creates a whitespace-stripped copy of the card shortname
+where `len < sizeof(card->id)` is used for the bounds check. Since
+sizeof(card->id) is 16 and the local id buffer is also 16 bytes,
+writing 16 non-space characters fills the entire buffer,
+overwriting the terminating nullbyte.
+
+When this non-null-terminated string is later passed to
+snd_card_set_id() -> copy_valid_id_string(), the function scans
+forward with `while (*nid && ...)` and reads past the end of the
+stack buffer, reading the contents of the stack.
+
+A USB device with a product name containing many non-ASCII, non-space
+characters (e.g. multibyte UTF-8) will reliably trigger this as follows:
+
+ BUG: KASAN: stack-out-of-bounds in copy_valid_id_string
+ sound/core/init.c:696 [inline]
+ BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c
+ sound/core/init.c:718
+
+The off-by-one has been present since commit bafeee5b1f8d ("ALSA:
+snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1),
+which first introduced this whitespace-stripping loop. The original
+code never accounted for the null terminator when bounding the copy.
+
+Fix this by changing the loop bound to `sizeof(card->id) - 1`,
+ensuring at least one byte remains as the null terminator.
+
+Fixes: bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname")
+Cc: stable@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Reported-by: Berk Cem Goksel <berkcgoksel@gmail.com>
+Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
+Link: https://patch.msgid.link/20260329133825.581585-1-berkcgoksel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/caiaq/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -488,7 +488,7 @@ static int init_card(struct snd_usb_caia
+ memset(id, 0, sizeof(id));
+
+ for (c = card->shortname, len = 0;
+- *c && len < sizeof(card->id); c++)
++ *c && len < sizeof(card->id) - 1; c++)
+ if (*c != ' ')
+ id[len++] = *c;
+
--- /dev/null
+From b045ab3dff97edae6d538eeff900a34c098761f8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 29 Mar 2026 11:12:37 +0200
+Subject: ALSA: ctxfi: Fix missing SPDIFI1 index handling
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b045ab3dff97edae6d538eeff900a34c098761f8 upstream.
+
+SPDIF1 DAIO type isn't properly handled in daio_device_index() for
+hw20k2, and it returned -EINVAL, which ended up with the out-of-bounds
+array access. Follow the hw20k1 pattern and return the proper index
+for this type, too.
+
+Reported-and-tested-by: Karsten Hohmeier <linux@hohmatik.de>
+Closes: https://lore.kernel.org/20260315155004.15633-1-linux@hohmatik.de
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260329091240.420194-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/ctxfi/ctdaio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/ctxfi/ctdaio.c
++++ b/sound/pci/ctxfi/ctdaio.c
+@@ -119,6 +119,7 @@ static unsigned int daio_device_index(en
+ switch (type) {
+ case SPDIFOO: return 0;
+ case SPDIFIO: return 0;
++ case SPDIFI1: return 1;
+ case LINEO1: return 4;
+ case LINEO2: return 7;
+ case LINEO3: return 5;
--- /dev/null
+From bc39a094730ce062fa034a529c93147c096cb488 Mon Sep 17 00:00:00 2001
+From: hkbinbin <hkbinbinbin@gmail.com>
+Date: Tue, 31 Mar 2026 05:39:16 +0000
+Subject: Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: hkbinbin <hkbinbinbin@gmail.com>
+
+commit bc39a094730ce062fa034a529c93147c096cb488 upstream.
+
+hci_le_big_create_sync() uses DEFINE_FLEX to allocate a
+struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17)
+BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31)
+entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller
+hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31,
+the memcpy that copies conn->bis into cp->bis writes up to 14 bytes
+past the stack buffer, corrupting adjacent stack memory.
+
+This is trivially reproducible: binding an ISO socket with
+bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will
+eventually trigger hci_le_big_create_sync() from the HCI command
+sync worker, causing a KASAN-detectable stack-out-of-bounds write:
+
+ BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0
+ Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71
+
+Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to
+HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that
+conn->bis can actually carry.
+
+Fixes: 42ecf1947135 ("Bluetooth: ISO: Do not emit LE BIG Create Sync if previous is pending")
+Cc: stable@vger.kernel.org
+Signed-off-by: hkbinbin <hkbinbinbin@gmail.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -7105,7 +7105,8 @@ static void create_big_complete(struct h
+
+ static int hci_le_big_create_sync(struct hci_dev *hdev, void *data)
+ {
+- DEFINE_FLEX(struct hci_cp_le_big_create_sync, cp, bis, num_bis, 0x11);
++ DEFINE_FLEX(struct hci_cp_le_big_create_sync, cp, bis, num_bis,
++ HCI_MAX_ISO_BIS);
+ struct hci_conn *conn = data;
+ struct bt_iso_qos *qos = &conn->iso_qos;
+ int err;
--- /dev/null
+From 20756fec2f0108cb88e815941f1ffff88dc286fe Mon Sep 17 00:00:00 2001
+From: Oleh Konko <security@1seal.org>
+Date: Tue, 31 Mar 2026 11:52:13 +0000
+Subject: Bluetooth: SMP: derive legacy responder STK authentication from MITM state
+
+From: Oleh Konko <security@1seal.org>
+
+commit 20756fec2f0108cb88e815941f1ffff88dc286fe upstream.
+
+The legacy responder path in smp_random() currently labels the stored
+STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.
+That reflects what the local service requested, not what the pairing
+flow actually achieved.
+
+For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear
+and the resulting STK should remain unauthenticated even if the local
+side requested HIGH security. Use the established MITM state when
+storing the responder STK so the key metadata matches the pairing result.
+
+This also keeps the legacy path aligned with the Secure Connections code,
+which already treats JUST_WORKS/JUST_CFM as unauthenticated.
+
+Fixes: fff3490f4781 ("Bluetooth: Fix setting correct authentication information for SMP STK")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleh Konko <security@1seal.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/smp.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -1018,10 +1018,7 @@ static u8 smp_random(struct smp_chan *sm
+
+ smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
+
+- if (hcon->pending_sec_level == BT_SECURITY_HIGH)
+- auth = 1;
+- else
+- auth = 0;
++ auth = test_bit(SMP_FLAG_MITM_AUTH, &smp->flags) ? 1 : 0;
+
+ /* Even though there's no _RESPONDER suffix this is the
+ * responder STK we're adding for later lookup (the initiator
--- /dev/null
+From d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 Mon Sep 17 00:00:00 2001
+From: Oleh Konko <security@1seal.org>
+Date: Tue, 31 Mar 2026 11:52:12 +0000
+Subject: Bluetooth: SMP: force responder MITM requirements before building the pairing response
+
+From: Oleh Konko <security@1seal.org>
+
+commit d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 upstream.
+
+smp_cmd_pairing_req() currently builds the pairing response from the
+initiator auth_req before enforcing the local BT_SECURITY_HIGH
+requirement. If the initiator omits SMP_AUTH_MITM, the response can
+also omit it even though the local side still requires MITM.
+
+tk_request() then sees an auth value without SMP_AUTH_MITM and may
+select JUST_CFM, making method selection inconsistent with the pairing
+policy the responder already enforces.
+
+When the local side requires HIGH security, first verify that MITM can
+be achieved from the IO capabilities and then force SMP_AUTH_MITM in the
+response in both rsp.auth_req and auth. This keeps the responder auth bits
+and later method selection aligned.
+
+Fixes: 2b64d153a0cc ("Bluetooth: Add MITM mechanism to LE-SMP")
+Cc: stable@vger.kernel.org
+Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Signed-off-by: Oleh Konko <security@1seal.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/smp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -1823,7 +1823,7 @@ static u8 smp_cmd_pairing_req(struct l2c
+ if (sec_level > conn->hcon->pending_sec_level)
+ conn->hcon->pending_sec_level = sec_level;
+
+- /* If we need MITM check that it can be achieved */
++ /* If we need MITM check that it can be achieved. */
+ if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
+ u8 method;
+
+@@ -1831,6 +1831,10 @@ static u8 smp_cmd_pairing_req(struct l2c
+ req->io_capability);
+ if (method == JUST_WORKS || method == JUST_CFM)
+ return SMP_AUTH_REQUIREMENTS;
++
++ /* Force MITM bit if it isn't set by the initiator. */
++ auth |= SMP_AUTH_MITM;
++ rsp.auth_req |= SMP_AUTH_MITM;
+ }
+
+ key_size = min(req->max_key_size, rsp.max_key_size);
--- /dev/null
+From 4487571ef17a30d274600b3bd6965f497a881299 Mon Sep 17 00:00:00 2001
+From: Donet Tom <donettom@linux.ibm.com>
+Date: Thu, 26 Mar 2026 17:51:28 +0530
+Subject: drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Donet Tom <donettom@linux.ibm.com>
+
+commit 4487571ef17a30d274600b3bd6965f497a881299 upstream.
+
+Currently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while
+KFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with
+4K pages, both values match (8KB), so allocation and reserved space
+are consistent.
+
+However, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB,
+while the reserved trap area remains 8KB. This mismatch causes the
+kernel to crash when running rocminfo or rccl unit tests.
+
+Kernel attempted to read user page (2) - exploit attempt? (uid: 1001)
+BUG: Kernel NULL pointer dereference on read at 0x00000002
+Faulting instruction address: 0xc0000000002c8a64
+Oops: Kernel access of bad area, sig: 11 [#1]
+LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
+CPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E
+6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY
+Tainted: [E]=UNSIGNED_MODULE
+Hardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006
+of:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries
+NIP: c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730
+REGS: c0000001e0957580 TRAP: 0300 Tainted: G E
+MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24008268
+XER: 00000036
+CFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000
+IRQMASK: 1
+GPR00: c00000000125d908 c0000001e0957820 c0000000016e8100
+c00000013d814540
+GPR04: 0000000000000002 c00000013d814550 0000000000000045
+0000000000000000
+GPR08: c00000013444d000 c00000013d814538 c00000013d814538
+0000000084002268
+GPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff
+0000000000020000
+GPR16: 0000000000000000 0000000000000002 c00000015f653000
+0000000000000000
+GPR20: c000000138662400 c00000013d814540 0000000000000000
+c00000013d814500
+GPR24: 0000000000000000 0000000000000002 c0000001e0957888
+c0000001e0957878
+GPR28: c00000013d814548 0000000000000000 c00000013d814540
+c0000001e0957888
+NIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0
+LR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00
+Call Trace:
+0xc0000001e0957890 (unreliable)
+__mutex_lock.constprop.0+0x58/0xd00
+amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu]
+kfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu]
+kfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu]
+kfd_process_device_init_vm+0xd8/0x2e0 [amdgpu]
+kfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu]
+kfd_ioctl+0x514/0x670 [amdgpu]
+sys_ioctl+0x134/0x180
+system_call_exception+0x114/0x300
+system_call_vectored_common+0x15c/0x2ec
+
+This patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 KB and
+KFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve
+64 KB for the trap in the address space, but only allocate 8 KB within
+it. With this approach, the allocation size never exceeds the reserved
+area.
+
+Fixes: 34a1de0f7935 ("drm/amdkfd: Relocate TBA/TMA to opposite side of VM hole")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Suggested-by: Felix Kuehling <felix.kuehling@amd.com>
+Suggested-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Donet Tom <donettom@linux.ibm.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h
+@@ -172,7 +172,7 @@ struct amdgpu_mem_stats;
+ #define AMDGPU_VA_RESERVED_SEQ64_SIZE (2ULL << 20)
+ #define AMDGPU_VA_RESERVED_SEQ64_START(adev) (AMDGPU_VA_RESERVED_CSA_START(adev) \
+ - AMDGPU_VA_RESERVED_SEQ64_SIZE)
+-#define AMDGPU_VA_RESERVED_TRAP_SIZE (2ULL << 12)
++#define AMDGPU_VA_RESERVED_TRAP_SIZE (1ULL << 16)
+ #define AMDGPU_VA_RESERVED_TRAP_START(adev) (AMDGPU_VA_RESERVED_SEQ64_START(adev) \
+ - AMDGPU_VA_RESERVED_TRAP_SIZE)
+ #define AMDGPU_VA_RESERVED_BOTTOM (1ULL << 16)
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -102,8 +102,8 @@
+ * The first chunk is the TBA used for the CWSR ISA code. The second
+ * chunk is used as TMA for user-mode trap handler setup in daisy-chain mode.
+ */
+-#define KFD_CWSR_TBA_TMA_SIZE (PAGE_SIZE * 2)
+-#define KFD_CWSR_TMA_OFFSET (PAGE_SIZE + 2048)
++#define KFD_CWSR_TBA_TMA_SIZE (AMDGPU_GPU_PAGE_SIZE * 2)
++#define KFD_CWSR_TMA_OFFSET (AMDGPU_GPU_PAGE_SIZE + 2048)
+
+ #define KFD_MAX_NUM_OF_QUEUES_PER_DEVICE \
+ (KFD_MAX_NUM_OF_PROCESSES * \
--- /dev/null
+From 62f553d60a801384336f5867967c26ddf3b17038 Mon Sep 17 00:00:00 2001
+From: Prike Liang <Prike.Liang@amd.com>
+Date: Mon, 23 Mar 2026 16:07:02 +0800
+Subject: drm/amdgpu: fix the idr allocation flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Prike Liang <Prike.Liang@amd.com>
+
+commit 62f553d60a801384336f5867967c26ddf3b17038 upstream.
+
+Fix the IDR allocation flags by using atomic GFP
+flags in non‑sleepable contexts to avoid the __might_sleep()
+complaint.
+
+ 268.290239] [drm] Initialized amdgpu 3.64.0 for 0000:03:00.0 on minor 0
+[ 268.294900] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:323
+[ 268.295355] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1744, name: modprobe
+[ 268.295705] preempt_count: 1, expected: 0
+[ 268.295886] RCU nest depth: 0, expected: 0
+[ 268.296072] 2 locks held by modprobe/1744:
+[ 268.296077] #0: ffff8c3a44abd1b8 (&dev->mutex){....}-{4:4}, at: __driver_attach+0xe4/0x210
+[ 268.296100] #1: ffffffffc1a6ea78 (amdgpu_pasid_idr_lock){+.+.}-{3:3}, at: amdgpu_pasid_alloc+0x26/0xe0 [amdgpu]
+[ 268.296494] CPU: 12 UID: 0 PID: 1744 Comm: modprobe Tainted: G U OE 6.19.0-custom #16 PREEMPT(voluntary)
+[ 268.296498] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+[ 268.296499] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021
+[ 268.296501] Call Trace:
+
+Fixes: 8f1de51f49be ("drm/amdgpu: prevent immediate PASID reuse case")
+Tested-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Prike Liang <Prike.Liang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit ea56aa2625708eaf96f310032391ff37746310ef)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c
+@@ -68,8 +68,11 @@ int amdgpu_pasid_alloc(unsigned int bits
+ return -EINVAL;
+
+ spin_lock(&amdgpu_pasid_idr_lock);
++ /* TODO: Need to replace the idr with an xarry, and then
++ * handle the internal locking with ATOMIC safe paths.
++ */
+ pasid = idr_alloc_cyclic(&amdgpu_pasid_idr, NULL, 1,
+- 1U << bits, GFP_KERNEL);
++ 1U << bits, GFP_ATOMIC);
+ spin_unlock(&amdgpu_pasid_idr_lock);
+
+ if (pasid >= 0)
--- /dev/null
+From a3ffaa5b397f4df9d6ac16b10583e9df8e6fa471 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 17 Mar 2026 16:34:41 -0400
+Subject: drm/amdgpu/pm: drop SMU driver if version not matched messages
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit a3ffaa5b397f4df9d6ac16b10583e9df8e6fa471 upstream.
+
+It just leads to user confusion.
+
+Cc: Yang Wang <kevinyang.wang@amd.com>
+Cc: Lijo Lazar <lijo.lazar@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit e471627d56272a791972f25e467348b611c31713)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 1 -
+ drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c | 1 -
+ drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0.c | 1 -
+ 3 files changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
+@@ -260,7 +260,6 @@ int smu_v11_0_check_fw_version(struct sm
+ "smu fw program = %d, version = 0x%08x (%d.%d.%d)\n",
+ smu->smc_driver_if_version, if_version,
+ smu_program, smu_version, smu_major, smu_minor, smu_debug);
+- dev_info(smu->adev->dev, "SMU driver if version not matched\n");
+ }
+
+ return ret;
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c
+@@ -101,7 +101,6 @@ int smu_v12_0_check_fw_version(struct sm
+ "smu fw program = %d, smu fw version = 0x%08x (%d.%d.%d)\n",
+ smu->smc_driver_if_version, if_version,
+ smu_program, smu_version, smu_major, smu_minor, smu_debug);
+- dev_info(smu->adev->dev, "SMU driver if version not matched\n");
+ }
+
+ return ret;
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0.c
+@@ -277,7 +277,6 @@ int smu_v14_0_check_fw_version(struct sm
+ "smu fw program = %d, smu fw version = 0x%08x (%d.%d.%d)\n",
+ smu->smc_driver_if_version, if_version,
+ smu_program, smu_version, smu_major, smu_minor, smu_debug);
+- dev_info(adev->dev, "SMU driver if version not matched\n");
+ }
+
+ return ret;
--- /dev/null
+From 2f42c1a6161646cbd29b443459fd635d29eda634 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Fri, 27 Mar 2026 14:32:53 +0100
+Subject: drm/ast: dp501: Fix initialization of SCU2C
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 2f42c1a6161646cbd29b443459fd635d29eda634 upstream.
+
+Ast's DP501 initialization reads the register SCU2C at offset 0x1202c
+and tries to set it to source data from VGA. But writes the update to
+offset 0x0, with unknown results. Write the result to SCU instead.
+
+The bug only happens in ast_init_analog(). There's similar code in
+ast_init_dvo(), which works correctly.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: 83c6620bae3f ("drm/ast: initial DP501 support (v0.2)")
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v3.16+
+Link: https://patch.msgid.link/20260327133532.79696-2-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ast/ast_dp501.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_dp501.c
++++ b/drivers/gpu/drm/ast/ast_dp501.c
+@@ -442,7 +442,7 @@ static void ast_init_analog(struct drm_d
+ /* Finally, clear bits [17:16] of SCU2c */
+ data = ast_read32(ast, 0x1202c);
+ data &= 0xfffcffff;
+- ast_write32(ast, 0, data);
++ ast_write32(ast, 0x1202c, data);
+
+ /* Disable DVO */
+ ast_set_index_reg_mask(ast, AST_IO_VGACRI, 0xa3, 0xcf, 0x00);
--- /dev/null
+From 9c9a57e4e337f94e23ddf69263fd0685c91155fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 25 Mar 2026 15:58:45 +0200
+Subject: drm/i915/dp: Use crtc_state->enhanced_framing properly on ivb/hsw CPU eDP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 9c9a57e4e337f94e23ddf69263fd0685c91155fb upstream.
+
+Looks like I missed the drm_dp_enhanced_frame_cap() in the ivb/hsw CPU
+eDP code when I introduced crtc_state->enhanced_framing. Fix it up so
+that the state we program to the hardware is guaranteed to match what
+we computed earlier.
+
+Cc: stable@vger.kernel.org
+Fixes: 3072a24c778a ("drm/i915: Introduce crtc_state->enhanced_framing")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patch.msgid.link/20260325135849.12603-3-ville.syrjala@linux.intel.com
+Reviewed-by: Michał Grzelak <michal.grzelak@intel.com>
+(cherry picked from commit 799fe8dc2af52f35c78c4ac97f8e34994dfd8760)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/g4x_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/display/g4x_dp.c
++++ b/drivers/gpu/drm/i915/display/g4x_dp.c
+@@ -134,7 +134,7 @@ static void intel_dp_prepare(struct inte
+ intel_dp->DP |= DP_SYNC_VS_HIGH;
+ intel_dp->DP |= DP_LINK_TRAIN_OFF_CPT;
+
+- if (drm_dp_enhanced_frame_cap(intel_dp->dpcd))
++ if (pipe_config->enhanced_framing)
+ intel_dp->DP |= DP_ENHANCED_FRAMING;
+
+ intel_dp->DP |= DP_PIPE_SEL_IVB(crtc->pipe);
--- /dev/null
+From 4dfce79e098915d8e5fc2b9e1d980bc3251dd32c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 26 Mar 2026 13:18:10 +0200
+Subject: drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 4dfce79e098915d8e5fc2b9e1d980bc3251dd32c upstream.
+
+Stop adjusting the horizontal timing values based on the
+compression ratio in command mode. Bspec seems to be telling
+us to do this only in video mode, and this is also how the
+Windows driver does things.
+
+This should also fix a div-by-zero on some machines because
+the adjusted htotal ends up being so small that we end up with
+line_time_us==0 when trying to determine the vtotal value in
+command mode.
+
+Note that this doesn't actually make the display on the
+Huawei Matebook E work, but at least the kernel no longer
+explodes when the driver loads.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12045
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patch.msgid.link/20260326111814.9800-2-ville.syrjala@linux.intel.com
+Fixes: 53693f02d80e ("drm/i915/dsi: account for DSC in horizontal timings")
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 0b475e91ecc2313207196c6d7fd5c53e1a878525)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/icl_dsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/icl_dsi.c
++++ b/drivers/gpu/drm/i915/display/icl_dsi.c
+@@ -869,7 +869,7 @@ gen11_dsi_set_transcoder_timings(struct
+ * non-compressed link speeds, and simplifies down to the ratio between
+ * compressed and non-compressed bpp.
+ */
+- if (crtc_state->dsc.compression_enable) {
++ if (is_vid_mode(intel_dsi) && crtc_state->dsc.compression_enable) {
+ mul = fxp_q4_to_int(crtc_state->dsc.compressed_bpp_x16);
+ div = mipi_dsi_pixel_format_to_bpp(intel_dsi->pixel_format);
+ }
+@@ -1477,7 +1477,7 @@ static void gen11_dsi_get_timings(struct
+ struct drm_display_mode *adjusted_mode =
+ &pipe_config->hw.adjusted_mode;
+
+- if (pipe_config->dsc.compressed_bpp_x16) {
++ if (is_vid_mode(intel_dsi) && pipe_config->dsc.compressed_bpp_x16) {
+ int div = fxp_q4_to_int(pipe_config->dsc.compressed_bpp_x16);
+ int mul = mipi_dsi_pixel_format_to_bpp(intel_dsi->pixel_format);
+
--- /dev/null
+From 39e2a5bf970402a8530a319cf06122e216ba57b8 Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Thu, 26 Mar 2026 22:45:23 +0000
+Subject: hwmon: (occ) Fix division by zero in occ_show_power_1()
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit 39e2a5bf970402a8530a319cf06122e216ba57b8 upstream.
+
+In occ_show_power_1() case 1, the accumulator is divided by
+update_tag without checking for zero. If no samples have been
+collected yet (e.g. during early boot when the sensor block is
+included but hasn't been updated), update_tag is zero, causing
+a kernel divide-by-zero crash.
+
+The 2019 fix in commit 211186cae14d ("hwmon: (occ) Fix division by
+zero issue") only addressed occ_get_powr_avg() used by
+occ_show_power_2() and occ_show_power_a0(). This separate code
+path in occ_show_power_1() was missed.
+
+Fix this by reusing the existing occ_get_powr_avg() helper, which
+already handles the zero-sample case and uses mul_u64_u32_div()
+to multiply before dividing for better precision. Move the helper
+above occ_show_power_1() so it is visible at the call site.
+
+Fixes: c10e753d43eb ("hwmon (occ): Add sensor types and versions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260326224510.294619-2-sanman.pradhan@hpe.com
+[groeck: Fix alignment problems reported by checkpatch]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/occ/common.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/drivers/hwmon/occ/common.c
++++ b/drivers/hwmon/occ/common.c
+@@ -420,6 +420,12 @@ static ssize_t occ_show_freq_2(struct de
+ return sysfs_emit(buf, "%u\n", val);
+ }
+
++static u64 occ_get_powr_avg(u64 accum, u32 samples)
++{
++ return (samples == 0) ? 0 :
++ mul_u64_u32_div(accum, 1000000UL, samples);
++}
++
+ static ssize_t occ_show_power_1(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+@@ -441,9 +447,8 @@ static ssize_t occ_show_power_1(struct d
+ val = get_unaligned_be16(&power->sensor_id);
+ break;
+ case 1:
+- val = get_unaligned_be32(&power->accumulator) /
+- get_unaligned_be32(&power->update_tag);
+- val *= 1000000ULL;
++ val = occ_get_powr_avg(get_unaligned_be32(&power->accumulator),
++ get_unaligned_be32(&power->update_tag));
+ break;
+ case 2:
+ val = (u64)get_unaligned_be32(&power->update_tag) *
+@@ -459,12 +464,6 @@ static ssize_t occ_show_power_1(struct d
+ return sysfs_emit(buf, "%llu\n", val);
+ }
+
+-static u64 occ_get_powr_avg(u64 accum, u32 samples)
+-{
+- return (samples == 0) ? 0 :
+- mul_u64_u32_div(accum, 1000000UL, samples);
+-}
+-
+ static ssize_t occ_show_power_2(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
--- /dev/null
+From 24869650dff34a6fc8fd1cc91b2058a72f9abc95 Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Sat, 14 Mar 2026 18:13:31 -0500
+Subject: iio: adc: ti-adc161s626: fix buffer read on big-endian
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 24869650dff34a6fc8fd1cc91b2058a72f9abc95 upstream.
+
+Rework ti_adc_trigger_handler() to properly handle data on big-endian
+architectures. The scan data format is 16-bit CPU-endian, so we can't
+cast it to a int * on big-endian and expect it to work. Instead, we
+introduce a local int variable to read the data into, and then copy it
+to the buffer.
+
+Since the buffer isn't passed to any SPI functions, we don't need it to
+be DMA-safe. So we can drop it from the driver data struct and just
+use stack memory for the scan data.
+
+Since there is only one data value (plus timestamp), we don't need an
+array and can just declare a struct with the correct data type instead.
+
+Also fix alignment of iio_get_time_ns() to ( while we are touching this.
+
+Fixes: 4d671b71beef ("iio: adc: ti-adc161s626: add support for TI 1-channel differential ADCs")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-adc161s626.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/iio/adc/ti-adc161s626.c
++++ b/drivers/iio/adc/ti-adc161s626.c
+@@ -70,8 +70,6 @@ struct ti_adc_data {
+
+ u8 read_size;
+ u8 shift;
+-
+- u8 buffer[16] __aligned(IIO_DMA_MINALIGN);
+ };
+
+ static int ti_adc_read_measurement(struct ti_adc_data *data,
+@@ -114,15 +112,20 @@ static irqreturn_t ti_adc_trigger_handle
+ struct iio_poll_func *pf = private;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct ti_adc_data *data = iio_priv(indio_dev);
+- int ret;
++ struct {
++ s16 data;
++ aligned_s64 timestamp;
++ } scan = { };
++ int ret, val;
++
++ ret = ti_adc_read_measurement(data, &indio_dev->channels[0], &val);
++ if (ret)
++ goto exit_notify_done;
+
+- ret = ti_adc_read_measurement(data, &indio_dev->channels[0],
+- (int *) &data->buffer);
+- if (!ret)
+- iio_push_to_buffers_with_timestamp(indio_dev,
+- data->buffer,
+- iio_get_time_ns(indio_dev));
++ scan.data = val;
++ iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev));
+
++ exit_notify_done:
+ iio_trigger_notify_done(indio_dev->trig);
+
+ return IRQ_HANDLED;
--- /dev/null
+From 768461517a28d80fe81ea4d5d03a90cd184ea6ad Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Sat, 14 Mar 2026 18:13:32 -0500
+Subject: iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 768461517a28d80fe81ea4d5d03a90cd184ea6ad upstream.
+
+Add a DMA-safe buffer and use it for spi_read() instead of a stack
+memory. All SPI buffers must be DMA-safe.
+
+Since we only need up to 3 bytes, we just use a u8[] instead of __be16
+and __be32 and change the conversion functions appropriately.
+
+Fixes: 4d671b71beef ("iio: adc: ti-adc161s626: add support for TI 1-channel differential ADCs")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-adc161s626.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/drivers/iio/adc/ti-adc161s626.c
++++ b/drivers/iio/adc/ti-adc161s626.c
+@@ -15,6 +15,7 @@
+ #include <linux/init.h>
+ #include <linux/err.h>
+ #include <linux/spi/spi.h>
++#include <linux/unaligned.h>
+ #include <linux/iio/iio.h>
+ #include <linux/iio/trigger.h>
+ #include <linux/iio/buffer.h>
+@@ -70,6 +71,7 @@ struct ti_adc_data {
+
+ u8 read_size;
+ u8 shift;
++ u8 buf[3] __aligned(IIO_DMA_MINALIGN);
+ };
+
+ static int ti_adc_read_measurement(struct ti_adc_data *data,
+@@ -78,26 +80,20 @@ static int ti_adc_read_measurement(struc
+ int ret;
+
+ switch (data->read_size) {
+- case 2: {
+- __be16 buf;
+-
+- ret = spi_read(data->spi, (void *) &buf, 2);
++ case 2:
++ ret = spi_read(data->spi, data->buf, 2);
+ if (ret)
+ return ret;
+
+- *val = be16_to_cpu(buf);
++ *val = get_unaligned_be16(data->buf);
+ break;
+- }
+- case 3: {
+- __be32 buf;
+-
+- ret = spi_read(data->spi, (void *) &buf, 3);
++ case 3:
++ ret = spi_read(data->spi, data->buf, 3);
+ if (ret)
+ return ret;
+
+- *val = be32_to_cpu(buf) >> 8;
++ *val = get_unaligned_be24(data->buf);
+ break;
+- }
+ default:
+ return -EINVAL;
+ }
--- /dev/null
+From 48a5c36577ebe0144f8ede70e59b59ea18b75089 Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Sat, 28 Feb 2026 01:48:19 +0800
+Subject: iio: adc: ti-ads1119: Fix unbalanced pm reference count in ds1119_single_conversion()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 48a5c36577ebe0144f8ede70e59b59ea18b75089 upstream.
+
+In ads1119_single_conversion(), if pm_runtime_resume_and_get() fails,
+the code jumps to the pdown label, which calls
+pm_runtime_put_autosuspend().
+
+Since pm_runtime_resume_and_get() automatically decrements the usage
+counter on failure, the subsequent call to pm_runtime_put_autosuspend()
+causes an unbalanced reference counter.
+
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: João Paulo Gonçalves <jpaulo.silvagoncalves@gmail.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1119.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/ti-ads1119.c b/drivers/iio/adc/ti-ads1119.c
+index c9cedc59cdcd..4454f28b2b58 100644
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -274,7 +274,7 @@ static int ads1119_single_conversion(struct ads1119_state *st,
+
+ ret = pm_runtime_resume_and_get(dev);
+ if (ret)
+- goto pdown;
++ return ret;
+
+ ret = ads1119_configure_channel(st, mux, gain, datarate);
+ if (ret)
+--
+2.53.0
+
--- /dev/null
+From 2f168094177f8553a36046afce139001801ca917 Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Tue, 3 Mar 2026 21:47:33 +0800
+Subject: iio: adc: ti-ads1119: Reinit completion before wait_for_completion_timeout()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 2f168094177f8553a36046afce139001801ca917 upstream.
+
+The completion is not reinit before wait_for_completion_timeout(),
+so wait_for_completion_timeout() will return immediately after
+the first successful completion.
+
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1119.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -280,6 +280,9 @@ static int ads1119_single_conversion(str
+ if (ret)
+ goto pdown;
+
++ if (st->client->irq)
++ reinit_completion(&st->completion);
++
+ ret = i2c_smbus_write_byte(st->client, ADS1119_CMD_START_SYNC);
+ if (ret)
+ goto pdown;
--- /dev/null
+From 36f6d4db3c5cb0f58fb02b1f54f9e86522d2f918 Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Tue, 3 Mar 2026 00:00:04 +0800
+Subject: iio: adc: ti-ads1119: Replace IRQF_ONESHOT with IRQF_NO_THREAD
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 36f6d4db3c5cb0f58fb02b1f54f9e86522d2f918 upstream.
+
+As there is no threaded handler, replace devm_request_threaded_irq()
+with devm_request_irq(), and as the handler calls iio_trigger_poll()
+which may not be called from a threaded handler replace IRQF_ONESHOT
+with IRQF_NO_THREAD.
+
+Since commit aef30c8d569c ("genirq: Warn about using IRQF_ONESHOT
+without a threaded handler"), the IRQ core checks IRQF_ONESHOT flag
+in IRQ request and gives a warning if there is no threaded handler.
+
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1119.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -738,10 +738,8 @@ static int ads1119_probe(struct i2c_clie
+ return dev_err_probe(dev, ret, "Failed to setup IIO buffer\n");
+
+ if (client->irq > 0) {
+- ret = devm_request_threaded_irq(dev, client->irq,
+- ads1119_irq_handler,
+- NULL, IRQF_ONESHOT,
+- "ads1119", indio_dev);
++ ret = devm_request_irq(dev, client->irq, ads1119_irq_handler,
++ IRQF_NO_THREAD, "ads1119", indio_dev);
+ if (ret)
+ return dev_err_probe(dev, ret,
+ "Failed to allocate irq\n");
--- /dev/null
+From b948f9d5d3057b01188e36664e7c7604d1c8ecb5 Mon Sep 17 00:00:00 2001
+From: Junxi Qian <qjx1298677004@gmail.com>
+Date: Sun, 29 Mar 2026 23:39:09 +0800
+Subject: io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()
+
+From: Junxi Qian <qjx1298677004@gmail.com>
+
+commit b948f9d5d3057b01188e36664e7c7604d1c8ecb5 upstream.
+
+sqe->len is __u32 but gets stored into sr->len which is int. When
+userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF),
+sr->len overflows to a negative value. This negative value propagates
+through the bundle recv/send path:
+
+ 1. io_recv(): sel.val = sr->len (ssize_t gets -1)
+ 2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets
+ 0xFFFFFFFFFFFFFFFF)
+ 3. io_ring_buffers_peek(): buf->len is not clamped because max_len
+ is astronomically large
+ 4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()
+ 5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1,
+ causing ret to increase instead of decrease, creating an
+ infinite loop that reads past the allocated iov[] array
+
+This results in a slab-out-of-bounds read in io_bundle_nbufs() from
+the kmalloc-64 slab, as nbufs increments past the allocated iovec
+entries.
+
+ BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160
+ Read of size 8 at addr ffff888100ae05c8 by task exp/145
+ Call Trace:
+ io_bundle_nbufs+0x128/0x160
+ io_recv_finish+0x117/0xe20
+ io_recv+0x2db/0x1160
+
+Fix this by rejecting negative sr->len values early in both
+io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32,
+any value > INT_MAX indicates overflow and is not a valid length.
+
+Fixes: a05d1f625c7a ("io_uring/net: support bundles for send")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junxi Qian <qjx1298677004@gmail.com>
+Link: https://patch.msgid.link/20260329153909.279046-1-qjx1298677004@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -429,6 +429,8 @@ int io_sendmsg_prep(struct io_kiocb *req
+
+ sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
+ sr->len = READ_ONCE(sqe->len);
++ if (unlikely(sr->len < 0))
++ return -EINVAL;
+ sr->flags = READ_ONCE(sqe->ioprio);
+ if (sr->flags & ~SENDMSG_FLAGS)
+ return -EINVAL;
+@@ -808,6 +810,8 @@ int io_recvmsg_prep(struct io_kiocb *req
+
+ sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
+ sr->len = READ_ONCE(sqe->len);
++ if (unlikely(sr->len < 0))
++ return -EINVAL;
+ sr->flags = READ_ONCE(sqe->ioprio);
+ if (sr->flags & ~RECVMSG_FLAGS)
+ return -EINVAL;
--- /dev/null
+From 90c5def10bea574b101b7a520c015ca81742183f Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 2 Mar 2026 18:22:52 -0400
+Subject: iommu: Do not call drivers for empty gathers
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 90c5def10bea574b101b7a520c015ca81742183f upstream.
+
+An empty gather is coded with start=U64_MAX, end=0 and several drivers go
+on to convert that to a size with:
+
+ end - start + 1
+
+Which gives 2 for an empty gather. This then causes Weird Stuff to
+happen (for example an UBSAN splat in VT-d) that is hopefully harmless,
+but maybe not.
+
+Prevent drivers from being called right in iommu_iotlb_sync().
+
+Auditing shows that AMD, Intel, Mediatek and RSIC-V drivers all do things
+on these empty gathers.
+
+Further, there are several callers that can trigger empty gathers,
+especially in unusual conditions. For example iommu_map_nosync() will call
+a 0 size unmap on some error paths. Also in VFIO, iommupt and other
+places.
+
+Cc: stable@vger.kernel.org
+Reported-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Closes: https://lore.kernel.org/r/11145826.aFP6jjVeTY@jkrzyszt-mobl2.ger.corp.intel.com
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/iommu.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/iommu.h
++++ b/include/linux/iommu.h
+@@ -862,7 +862,8 @@ static inline void iommu_flush_iotlb_all
+ static inline void iommu_iotlb_sync(struct iommu_domain *domain,
+ struct iommu_iotlb_gather *iotlb_gather)
+ {
+- if (domain->ops->iotlb_sync)
++ if (domain->ops->iotlb_sync &&
++ likely(iotlb_gather->start < iotlb_gather->end))
+ domain->ops->iotlb_sync(domain, iotlb_gather);
+
+ iommu_iotlb_gather_init(iotlb_gather);
--- /dev/null
+From fda9522ed6afaec45cabc198d8492270c394c7bc Mon Sep 17 00:00:00 2001
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+Date: Wed, 25 Mar 2026 09:14:22 +0900
+Subject: ksmbd: fix OOB write in QUERY_INFO for compound requests
+
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+
+commit fda9522ed6afaec45cabc198d8492270c394c7bc upstream.
+
+When a compound request such as READ + QUERY_INFO(Security) is received,
+and the first command (READ) consumes most of the response buffer,
+ksmbd could write beyond the allocated buffer while building a security
+descriptor.
+
+The root cause was that smb2_get_info_sec() checked buffer space using
+ppntsd_size from xattr, while build_sec_desc() often synthesized a
+significantly larger descriptor from POSIX ACLs.
+
+This patch introduces smb_acl_sec_desc_scratch_len() to accurately
+compute the final descriptor size beforehand, performs proper buffer
+checking with smb2_calc_max_out_buf_len(), and uses exact-sized
+allocation + iov pinning.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 121 +++++++++++++++++++++++++++++++++++-------------
+ fs/smb/server/smbacl.c | 43 +++++++++++++++++
+ fs/smb/server/smbacl.h | 2
+ 3 files changed, 134 insertions(+), 32 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -3403,20 +3403,24 @@ int smb2_open(struct ksmbd_work *work)
+ KSMBD_SHARE_FLAG_ACL_XATTR)) {
+ struct smb_fattr fattr;
+ struct smb_ntsd *pntsd;
+- int pntsd_size, ace_num = 0;
++ int pntsd_size;
++ size_t scratch_len;
+
+ ksmbd_acls_fattr(&fattr, idmap, inode);
+- if (fattr.cf_acls)
+- ace_num = fattr.cf_acls->a_count;
+- if (fattr.cf_dacls)
+- ace_num += fattr.cf_dacls->a_count;
+-
+- pntsd = kmalloc(sizeof(struct smb_ntsd) +
+- sizeof(struct smb_sid) * 3 +
+- sizeof(struct smb_acl) +
+- sizeof(struct smb_ace) * ace_num * 2,
+- KSMBD_DEFAULT_GFP);
++ scratch_len = smb_acl_sec_desc_scratch_len(&fattr,
++ NULL, 0,
++ OWNER_SECINFO | GROUP_SECINFO |
++ DACL_SECINFO);
++ if (!scratch_len || scratch_len == SIZE_MAX) {
++ rc = -EFBIG;
++ posix_acl_release(fattr.cf_acls);
++ posix_acl_release(fattr.cf_dacls);
++ goto err_out;
++ }
++
++ pntsd = kvzalloc(scratch_len, KSMBD_DEFAULT_GFP);
+ if (!pntsd) {
++ rc = -ENOMEM;
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ goto err_out;
+@@ -3431,7 +3435,7 @@ int smb2_open(struct ksmbd_work *work)
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ if (rc) {
+- kfree(pntsd);
++ kvfree(pntsd);
+ goto err_out;
+ }
+
+@@ -3441,7 +3445,7 @@ int smb2_open(struct ksmbd_work *work)
+ pntsd,
+ pntsd_size,
+ false);
+- kfree(pntsd);
++ kvfree(pntsd);
+ if (rc)
+ pr_err("failed to store ntacl in xattr : %d\n",
+ rc);
+@@ -5357,8 +5361,9 @@ static int smb2_get_info_file(struct ksm
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_PIPE)) {
+ /* smb2 info file called for pipe */
+- return smb2_get_info_file_pipe(work->sess, req, rsp,
++ rc = smb2_get_info_file_pipe(work->sess, req, rsp,
+ work->response_buf);
++ goto iov_pin_out;
+ }
+
+ if (work->next_smb2_rcv_hdr_off) {
+@@ -5458,6 +5463,12 @@ static int smb2_get_info_file(struct ksm
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp, work->response_buf);
+ ksmbd_fd_put(work, fp);
++
++iov_pin_out:
++ if (!rc)
++ rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
++ offsetof(struct smb2_query_info_rsp, Buffer) +
++ le32_to_cpu(rsp->OutputBufferLength));
+ return rc;
+ }
+
+@@ -5677,6 +5688,11 @@ static int smb2_get_info_filesystem(stru
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp, work->response_buf);
+ path_put(&path);
++
++ if (!rc)
++ rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
++ offsetof(struct smb2_query_info_rsp, Buffer) +
++ le32_to_cpu(rsp->OutputBufferLength));
+ return rc;
+ }
+
+@@ -5686,13 +5702,14 @@ static int smb2_get_info_sec(struct ksmb
+ {
+ struct ksmbd_file *fp;
+ struct mnt_idmap *idmap;
+- struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
++ struct smb_ntsd *pntsd = NULL, *ppntsd = NULL;
+ struct smb_fattr fattr = {{0}};
+ struct inode *inode;
+ __u32 secdesclen = 0;
+ unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
+ int addition_info = le32_to_cpu(req->AdditionalInformation);
+- int rc = 0, ppntsd_size = 0;
++ int rc = 0, ppntsd_size = 0, max_len;
++ size_t scratch_len = 0;
+
+ if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO |
+ PROTECTED_DACL_SECINFO |
+@@ -5700,6 +5717,11 @@ static int smb2_get_info_sec(struct ksmb
+ ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n",
+ addition_info);
+
++ pntsd = kzalloc(ALIGN(sizeof(struct smb_ntsd), 8),
++ KSMBD_DEFAULT_GFP);
++ if (!pntsd)
++ return -ENOMEM;
++
+ pntsd->revision = cpu_to_le16(1);
+ pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PROTECTED);
+ pntsd->osidoffset = 0;
+@@ -5708,9 +5730,7 @@ static int smb2_get_info_sec(struct ksmb
+ pntsd->dacloffset = 0;
+
+ secdesclen = sizeof(struct smb_ntsd);
+- rsp->OutputBufferLength = cpu_to_le32(secdesclen);
+-
+- return 0;
++ goto iov_pin;
+ }
+
+ if (work->next_smb2_rcv_hdr_off) {
+@@ -5742,18 +5762,58 @@ static int smb2_get_info_sec(struct ksmb
+ &ppntsd);
+
+ /* Check if sd buffer size exceeds response buffer size */
+- if (smb2_resp_buf_len(work, 8) > ppntsd_size)
+- rc = build_sec_desc(idmap, pntsd, ppntsd, ppntsd_size,
+- addition_info, &secdesclen, &fattr);
++ max_len = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
++ if (max_len < 0) {
++ rc = -EINVAL;
++ goto release_acl;
++ }
++
++ scratch_len = smb_acl_sec_desc_scratch_len(&fattr, ppntsd,
++ ppntsd_size, addition_info);
++ if (!scratch_len || scratch_len == SIZE_MAX) {
++ rc = -EFBIG;
++ goto release_acl;
++ }
++
++ pntsd = kvzalloc(scratch_len, KSMBD_DEFAULT_GFP);
++ if (!pntsd) {
++ rc = -ENOMEM;
++ goto release_acl;
++ }
++
++ rc = build_sec_desc(idmap, pntsd, ppntsd, ppntsd_size,
++ addition_info, &secdesclen, &fattr);
++
++release_acl:
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ kfree(ppntsd);
+ ksmbd_fd_put(work, fp);
++
++ if (!rc && ALIGN(secdesclen, 8) > scratch_len)
++ rc = -EFBIG;
+ if (rc)
+- return rc;
++ goto err_out;
+
++iov_pin:
+ rsp->OutputBufferLength = cpu_to_le32(secdesclen);
+- return 0;
++ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
++ rsp, work->response_buf);
++ if (rc)
++ goto err_out;
++
++ rc = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ pntsd, secdesclen);
++err_out:
++ if (rc) {
++ rsp->OutputBufferLength = 0;
++ kvfree(pntsd);
++ }
++
++ return rc;
+ }
+
+ /**
+@@ -5777,6 +5837,9 @@ int smb2_query_info(struct ksmbd_work *w
+ goto err_out;
+ }
+
++ rsp->StructureSize = cpu_to_le16(9);
++ rsp->OutputBufferOffset = cpu_to_le16(72);
++
+ switch (req->InfoType) {
+ case SMB2_O_INFO_FILE:
+ ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n");
+@@ -5797,14 +5860,6 @@ int smb2_query_info(struct ksmbd_work *w
+ }
+ ksmbd_revert_fsids(work);
+
+- if (!rc) {
+- rsp->StructureSize = cpu_to_le16(9);
+- rsp->OutputBufferOffset = cpu_to_le16(72);
+- rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
+- offsetof(struct smb2_query_info_rsp, Buffer) +
+- le32_to_cpu(rsp->OutputBufferLength));
+- }
+-
+ err_out:
+ if (rc < 0) {
+ if (rc == -EACCES)
+@@ -5815,6 +5870,8 @@ err_out:
+ rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
+ else if (rc == -ENOMEM)
+ rsp->hdr.Status = STATUS_INSUFFICIENT_RESOURCES;
++ else if (rc == -EINVAL && rsp->hdr.Status == 0)
++ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else if (rc == -EOPNOTSUPP || rsp->hdr.Status == 0)
+ rsp->hdr.Status = STATUS_INVALID_INFO_CLASS;
+ smb2_set_err_rsp(work);
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -915,6 +915,49 @@ int parse_sec_desc(struct mnt_idmap *idm
+ return 0;
+ }
+
++size_t smb_acl_sec_desc_scratch_len(struct smb_fattr *fattr,
++ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info)
++{
++ size_t len = sizeof(struct smb_ntsd);
++ size_t tmp;
++
++ if (addition_info & OWNER_SECINFO)
++ len += sizeof(struct smb_sid);
++ if (addition_info & GROUP_SECINFO)
++ len += sizeof(struct smb_sid);
++ if (!(addition_info & DACL_SECINFO))
++ return len;
++
++ len += sizeof(struct smb_acl);
++ if (ppntsd && ppntsd_size > 0) {
++ unsigned int dacl_offset = le32_to_cpu(ppntsd->dacloffset);
++
++ if (dacl_offset < ppntsd_size &&
++ check_add_overflow(len, ppntsd_size - dacl_offset, &len))
++ return 0;
++ }
++
++ if (fattr->cf_acls) {
++ if (check_mul_overflow((size_t)fattr->cf_acls->a_count,
++ 2 * sizeof(struct smb_ace), &tmp) ||
++ check_add_overflow(len, tmp, &len))
++ return 0;
++ } else {
++ /* default/minimum DACL */
++ if (check_add_overflow(len, 5 * sizeof(struct smb_ace), &len))
++ return 0;
++ }
++
++ if (fattr->cf_dacls) {
++ if (check_mul_overflow((size_t)fattr->cf_dacls->a_count,
++ sizeof(struct smb_ace), &tmp) ||
++ check_add_overflow(len, tmp, &len))
++ return 0;
++ }
++
++ return len;
++}
++
+ /* Convert permission bits from mode to equivalent CIFS ACL */
+ int build_sec_desc(struct mnt_idmap *idmap,
+ struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
+--- a/fs/smb/server/smbacl.h
++++ b/fs/smb/server/smbacl.h
+@@ -101,6 +101,8 @@ int set_info_sec(struct ksmbd_conn *conn
+ bool type_check, bool get_write);
+ void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid);
+ void ksmbd_init_domain(u32 *sub_auth);
++size_t smb_acl_sec_desc_scratch_len(struct smb_fattr *fattr,
++ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info);
+
+ static inline uid_t posix_acl_uid_translate(struct mnt_idmap *idmap,
+ struct posix_acl_entry *pace)
--- /dev/null
+From ec8bf18814915460d9c617b556bf024efef26613 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Mon, 30 Mar 2026 02:54:09 +0100
+Subject: MIPS: Fix the GCC version check for `__multi3' workaround
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit ec8bf18814915460d9c617b556bf024efef26613 upstream.
+
+It was only GCC 10 that fixed a MIPS64r6 code generation issue with a
+`__multi3' libcall inefficiently produced to perform 64-bit widening
+multiplication while suitable machine instructions exist to do such a
+calculation. The fix went in with GCC commit 48b2123f6336 ("re PR
+target/82981 (unnecessary __multi3 call for mips64r6 linux kernel)").
+
+Adjust our code accordingly, removing build failures such as:
+
+mips64-linux-ld: lib/math/div64.o: in function `mul_u64_add_u64_div_u64':
+div64.c:(.text+0x84): undefined reference to `__multi3'
+
+with the GCC versions affected.
+
+Fixes: ebabcf17bcd7 ("MIPS: Implement __multi3 for GCC7 MIPS64r6 builds")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202601140146.hMLODc6v-lkp@intel.com/
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v4.15+
+Reviewed-by: David Laight <david.laight.linux@gmail.com.
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/lib/multi3.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/lib/multi3.c
++++ b/arch/mips/lib/multi3.c
+@@ -4,12 +4,12 @@
+ #include "libgcc.h"
+
+ /*
+- * GCC 7 & older can suboptimally generate __multi3 calls for mips64r6, so for
++ * GCC 9 & older can suboptimally generate __multi3 calls for mips64r6, so for
+ * that specific case only we implement that intrinsic here.
+ *
+ * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82981
+ */
+-#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ < 8)
++#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ < 10)
+
+ /* multiply 64-bit values, low 64-bits returned */
+ static inline long long notrace dmulu(long long a, long long b)
+@@ -51,4 +51,4 @@ ti_type notrace __multi3(ti_type a, ti_t
+ }
+ EXPORT_SYMBOL(__multi3);
+
+-#endif /* 64BIT && CPU_MIPSR6 && GCC7 */
++#endif /* 64BIT && CPU_MIPSR6 && GCC9 */
--- /dev/null
+From 01cc50ea5167bb14117257ec084637abe9e5f691 Mon Sep 17 00:00:00 2001
+From: Stefan Wiehler <stefan.wiehler@nokia.com>
+Date: Tue, 10 Mar 2026 11:40:24 +0100
+Subject: mips: mm: Allocate tlb_vpn array atomically
+
+From: Stefan Wiehler <stefan.wiehler@nokia.com>
+
+commit 01cc50ea5167bb14117257ec084637abe9e5f691 upstream.
+
+Found by DEBUG_ATOMIC_SLEEP:
+
+ BUG: sleeping function called from invalid context at /include/linux/sched/mm.h:306
+ in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1
+ preempt_count: 1, expected: 0
+ RCU nest depth: 0, expected: 0
+ no locks held by swapper/1/0.
+ irq event stamp: 0
+ hardirqs last enabled at (0): [<0000000000000000>] 0x0
+ hardirqs last disabled at (0): [<ffffffff801477fc>] copy_process+0x75c/0x1b68
+ softirqs last enabled at (0): [<ffffffff801477fc>] copy_process+0x75c/0x1b68
+ softirqs last disabled at (0): [<0000000000000000>] 0x0
+ CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.119-d79e757675ec-fct #1
+ Stack : 800000000290bad8 0000000000000000 0000000000000008 800000000290bae8
+ 800000000290bae8 800000000290bc78 0000000000000000 0000000000000000
+ ffffffff80c80000 0000000000000001 ffffffff80d8dee8 ffffffff810d09c0
+ 784bb2a7ec10647d 0000000000000010 ffffffff80a6fd60 8000000001d8a9c0
+ 0000000000000000 0000000000000000 ffffffff80d90000 0000000000000000
+ ffffffff80c9e0e8 0000000007ffffff 0000000000000cc0 0000000000000400
+ ffffffffffffffff 0000000000000001 0000000000000002 ffffffffc0149ed8
+ fffffffffffffffe 8000000002908000 800000000290bae0 ffffffff80a81b74
+ ffffffff80129fb0 0000000000000000 0000000000000000 0000000000000000
+ 0000000000000000 0000000000000000 ffffffff80129fd0 0000000000000000
+ ...
+ Call Trace:
+ [<ffffffff80129fd0>] show_stack+0x60/0x158
+ [<ffffffff80a7f894>] dump_stack_lvl+0x88/0xbc
+ [<ffffffff8018d3c8>] __might_resched+0x268/0x288
+ [<ffffffff803648b0>] __kmem_cache_alloc_node+0x2e0/0x330
+ [<ffffffff80302788>] __kmalloc+0x58/0xd0
+ [<ffffffff80a81b74>] r4k_tlb_uniquify+0x7c/0x428
+ [<ffffffff80143e8c>] tlb_init+0x7c/0x110
+ [<ffffffff8012bdb4>] per_cpu_trap_init+0x16c/0x1d0
+ [<ffffffff80133258>] start_secondary+0x28/0x128
+
+Fixes: 231ac951faba ("MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow")
+Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/tlb-r4k.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -751,7 +751,7 @@ static void __ref r4k_tlb_uniquify(void)
+
+ tlb_vpn_size = tlbsize * sizeof(*tlb_vpns);
+ tlb_vpns = (use_slab ?
+- kmalloc(tlb_vpn_size, GFP_KERNEL) :
++ kmalloc(tlb_vpn_size, GFP_ATOMIC) :
+ memblock_alloc_raw(tlb_vpn_size, sizeof(*tlb_vpns)));
+ if (WARN_ON(!tlb_vpns))
+ return; /* Pray local_flush_tlb_all() is good enough. */
--- /dev/null
+From 540760b77b8fc49d39d1b2b76196e5ec57711a32 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Fri, 27 Mar 2026 18:57:30 +0000
+Subject: MIPS: mm: Rewrite TLB uniquification for the hidden bit feature
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 540760b77b8fc49d39d1b2b76196e5ec57711a32 upstream.
+
+Before the introduction of the EHINV feature, which lets software mark
+TLB entries invalid, certain older implementations of the MIPS ISA were
+equipped with an analogous bit, as a vendor extension, which however is
+hidden from software and only ever set at reset, and then any software
+write clears it, making the intended TLB entry valid.
+
+This feature makes it unsafe to read a TLB entry with TLBR, modify the
+page mask, and write the entry back with TLBWI, because this operation
+will implicitly clear the hidden bit and this may create a duplicate
+entry, as with the presence of the hidden bit there is no guarantee all
+the entries across the TLB are unique each.
+
+Usually the firmware has already uniquified TLB entries before handing
+control over, in which case we only need to guarantee at bootstrap no
+clash will happen with the VPN2 values chosen in local_flush_tlb_all().
+
+However with systems such as Mikrotik RB532 we get handed the TLB as at
+reset, with the hidden bit set across the entries and possibly duplicate
+entries present. This then causes a machine check exception when page
+sizes are reset in r4k_tlb_uniquify() and prevents the system from
+booting.
+
+Rewrite the algorithm used in r4k_tlb_uniquify() then such as to avoid
+the reuse of ASID/VPN values across the TLB. Get rid of global entries
+first as they may be blocking the entire address space, e.g. 16 256MiB
+pages will exhaust the whole address space of a 32-bit CPU and a single
+big page can exhaust the 32-bit compatibility space on a 64-bit CPU.
+
+Details of the algorithm chosen are given across the code itself.
+
+Fixes: 9f048fa48740 ("MIPS: mm: Prevent a TLB shutdown on initial uniquification")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/tlb-r4k.c | 282 +++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 228 insertions(+), 54 deletions(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -13,6 +13,7 @@
+ #include <linux/sched.h>
+ #include <linux/smp.h>
+ #include <linux/memblock.h>
++#include <linux/minmax.h>
+ #include <linux/mm.h>
+ #include <linux/hugetlb.h>
+ #include <linux/export.h>
+@@ -24,6 +25,7 @@
+ #include <asm/hazards.h>
+ #include <asm/mmu_context.h>
+ #include <asm/tlb.h>
++#include <asm/tlbdebug.h>
+ #include <asm/tlbex.h>
+ #include <asm/tlbmisc.h>
+ #include <asm/setup.h>
+@@ -511,12 +513,229 @@ static int __init set_ntlb(char *str)
+ __setup("ntlb=", set_ntlb);
+
+
+-/* Comparison function for EntryHi VPN fields. */
+-static int r4k_vpn_cmp(const void *a, const void *b)
++/* The start bit position of VPN2 and Mask in EntryHi/PageMask registers. */
++#define VPN2_SHIFT 13
++
++/* Read full EntryHi even with CONFIG_32BIT. */
++static inline unsigned long long read_c0_entryhi_native(void)
++{
++ return cpu_has_64bits ? read_c0_entryhi_64() : read_c0_entryhi();
++}
++
++/* Write full EntryHi even with CONFIG_32BIT. */
++static inline void write_c0_entryhi_native(unsigned long long v)
++{
++ if (cpu_has_64bits)
++ write_c0_entryhi_64(v);
++ else
++ write_c0_entryhi(v);
++}
++
++/* TLB entry state for uniquification. */
++struct tlbent {
++ unsigned long long wired:1;
++ unsigned long long global:1;
++ unsigned long long asid:10;
++ unsigned long long vpn:51;
++ unsigned long long pagesz:5;
++ unsigned long long index:14;
++};
++
++/*
++ * Comparison function for TLB entry sorting. Place wired entries first,
++ * then global entries, then order by the increasing VPN/ASID and the
++ * decreasing page size. This lets us avoid clashes with wired entries
++ * easily and get entries for larger pages out of the way first.
++ *
++ * We could group bits so as to reduce the number of comparisons, but this
++ * is seldom executed and not performance-critical, so prefer legibility.
++ */
++static int r4k_entry_cmp(const void *a, const void *b)
+ {
+- long v = *(unsigned long *)a - *(unsigned long *)b;
+- int s = sizeof(long) > sizeof(int) ? sizeof(long) * 8 - 1: 0;
+- return s ? (v != 0) | v >> s : v;
++ struct tlbent ea = *(struct tlbent *)a, eb = *(struct tlbent *)b;
++
++ if (ea.wired > eb.wired)
++ return -1;
++ else if (ea.wired < eb.wired)
++ return 1;
++ else if (ea.global > eb.global)
++ return -1;
++ else if (ea.global < eb.global)
++ return 1;
++ else if (ea.vpn < eb.vpn)
++ return -1;
++ else if (ea.vpn > eb.vpn)
++ return 1;
++ else if (ea.asid < eb.asid)
++ return -1;
++ else if (ea.asid > eb.asid)
++ return 1;
++ else if (ea.pagesz > eb.pagesz)
++ return -1;
++ else if (ea.pagesz < eb.pagesz)
++ return 1;
++ else
++ return 0;
++}
++
++/*
++ * Fetch all the TLB entries. Mask individual VPN values retrieved with
++ * the corresponding page mask and ignoring any 1KiB extension as we'll
++ * be using 4KiB pages for uniquification.
++ */
++static void __ref r4k_tlb_uniquify_read(struct tlbent *tlb_vpns, int tlbsize)
++{
++ int start = num_wired_entries();
++ unsigned long long vpn_mask;
++ bool global;
++ int i;
++
++ vpn_mask = GENMASK(current_cpu_data.vmbits - 1, VPN2_SHIFT);
++ vpn_mask |= cpu_has_64bits ? 3ULL << 62 : 1 << 31;
++
++ for (i = 0; i < tlbsize; i++) {
++ unsigned long long entryhi, vpn, mask, asid;
++ unsigned int pagesz;
++
++ write_c0_index(i);
++ mtc0_tlbr_hazard();
++ tlb_read();
++ tlb_read_hazard();
++
++ global = !!(read_c0_entrylo0() & ENTRYLO_G);
++ entryhi = read_c0_entryhi_native();
++ mask = read_c0_pagemask();
++
++ asid = entryhi & cpu_asid_mask(¤t_cpu_data);
++ vpn = (entryhi & vpn_mask & ~mask) >> VPN2_SHIFT;
++ pagesz = ilog2((mask >> VPN2_SHIFT) + 1);
++
++ tlb_vpns[i].global = global;
++ tlb_vpns[i].asid = global ? 0 : asid;
++ tlb_vpns[i].vpn = vpn;
++ tlb_vpns[i].pagesz = pagesz;
++ tlb_vpns[i].wired = i < start;
++ tlb_vpns[i].index = i;
++ }
++}
++
++/*
++ * Write unique values to all but the wired TLB entries each, using
++ * the 4KiB page size. This size might not be supported with R6, but
++ * EHINV is mandatory for R6, so we won't ever be called in that case.
++ *
++ * A sorted table is supplied with any wired entries at the beginning,
++ * followed by any global entries, and then finally regular entries.
++ * We start at the VPN and ASID values of zero and only assign user
++ * addresses, therefore guaranteeing no clash with addresses produced
++ * by UNIQUE_ENTRYHI. We avoid any VPN values used by wired or global
++ * entries, by increasing the VPN value beyond the span of such entry.
++ *
++ * When a VPN/ASID clash is found with a regular entry we increment the
++ * ASID instead until no VPN/ASID clash has been found or the ASID space
++ * has been exhausted, in which case we increase the VPN value beyond
++ * the span of the largest clashing entry.
++ *
++ * We do not need to be concerned about FTLB or MMID configurations as
++ * those are required to implement the EHINV feature.
++ */
++static void __ref r4k_tlb_uniquify_write(struct tlbent *tlb_vpns, int tlbsize)
++{
++ unsigned long long asid, vpn, vpn_size, pagesz;
++ int widx, gidx, idx, sidx, lidx, i;
++
++ vpn_size = 1ULL << (current_cpu_data.vmbits - VPN2_SHIFT);
++ pagesz = ilog2((PM_4K >> VPN2_SHIFT) + 1);
++
++ write_c0_pagemask(PM_4K);
++ write_c0_entrylo0(0);
++ write_c0_entrylo1(0);
++
++ asid = 0;
++ vpn = 0;
++ widx = 0;
++ gidx = 0;
++ for (sidx = 0; sidx < tlbsize && tlb_vpns[sidx].wired; sidx++)
++ ;
++ for (lidx = sidx; lidx < tlbsize && tlb_vpns[lidx].global; lidx++)
++ ;
++ idx = gidx = sidx + 1;
++ for (i = sidx; i < tlbsize; i++) {
++ unsigned long long entryhi, vpn_pagesz = 0;
++
++ while (1) {
++ if (WARN_ON(vpn >= vpn_size)) {
++ dump_tlb_all();
++ /* Pray local_flush_tlb_all() will cope. */
++ return;
++ }
++
++ /* VPN must be below the next wired entry. */
++ if (widx < sidx && vpn >= tlb_vpns[widx].vpn) {
++ vpn = max(vpn,
++ (tlb_vpns[widx].vpn +
++ (1ULL << tlb_vpns[widx].pagesz)));
++ asid = 0;
++ widx++;
++ continue;
++ }
++ /* VPN must be below the next global entry. */
++ if (gidx < lidx && vpn >= tlb_vpns[gidx].vpn) {
++ vpn = max(vpn,
++ (tlb_vpns[gidx].vpn +
++ (1ULL << tlb_vpns[gidx].pagesz)));
++ asid = 0;
++ gidx++;
++ continue;
++ }
++ /* Try to find a free ASID so as to conserve VPNs. */
++ if (idx < tlbsize && vpn == tlb_vpns[idx].vpn &&
++ asid == tlb_vpns[idx].asid) {
++ unsigned long long idx_pagesz;
++
++ idx_pagesz = tlb_vpns[idx].pagesz;
++ vpn_pagesz = max(vpn_pagesz, idx_pagesz);
++ do
++ idx++;
++ while (idx < tlbsize &&
++ vpn == tlb_vpns[idx].vpn &&
++ asid == tlb_vpns[idx].asid);
++ asid++;
++ if (asid > cpu_asid_mask(¤t_cpu_data)) {
++ vpn += vpn_pagesz;
++ asid = 0;
++ vpn_pagesz = 0;
++ }
++ continue;
++ }
++ /* VPN mustn't be above the next regular entry. */
++ if (idx < tlbsize && vpn > tlb_vpns[idx].vpn) {
++ vpn = max(vpn,
++ (tlb_vpns[idx].vpn +
++ (1ULL << tlb_vpns[idx].pagesz)));
++ asid = 0;
++ idx++;
++ continue;
++ }
++ break;
++ }
++
++ entryhi = (vpn << VPN2_SHIFT) | asid;
++ write_c0_entryhi_native(entryhi);
++ write_c0_index(tlb_vpns[i].index);
++ mtc0_tlbw_hazard();
++ tlb_write_indexed();
++
++ tlb_vpns[i].asid = asid;
++ tlb_vpns[i].vpn = vpn;
++ tlb_vpns[i].pagesz = pagesz;
++
++ asid++;
++ if (asid > cpu_asid_mask(¤t_cpu_data)) {
++ vpn += 1ULL << pagesz;
++ asid = 0;
++ }
++ }
+ }
+
+ /*
+@@ -527,14 +746,8 @@ static void __ref r4k_tlb_uniquify(void)
+ {
+ int tlbsize = current_cpu_data.tlbsize;
+ bool use_slab = slab_is_available();
+- int start = num_wired_entries();
+ phys_addr_t tlb_vpn_size;
+- unsigned long *tlb_vpns;
+- unsigned long vpn_mask;
+- int cnt, ent, idx, i;
+-
+- vpn_mask = GENMASK(cpu_vmbits - 1, 13);
+- vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31;
++ struct tlbent *tlb_vpns;
+
+ tlb_vpn_size = tlbsize * sizeof(*tlb_vpns);
+ tlb_vpns = (use_slab ?
+@@ -545,52 +758,13 @@ static void __ref r4k_tlb_uniquify(void)
+
+ htw_stop();
+
+- for (i = start, cnt = 0; i < tlbsize; i++, cnt++) {
+- unsigned long vpn;
++ r4k_tlb_uniquify_read(tlb_vpns, tlbsize);
+
+- write_c0_index(i);
+- mtc0_tlbr_hazard();
+- tlb_read();
+- tlb_read_hazard();
+- vpn = read_c0_entryhi();
+- vpn &= vpn_mask & PAGE_MASK;
+- tlb_vpns[cnt] = vpn;
+-
+- /* Prevent any large pages from overlapping regular ones. */
+- write_c0_pagemask(read_c0_pagemask() & PM_DEFAULT_MASK);
+- mtc0_tlbw_hazard();
+- tlb_write_indexed();
+- tlbw_use_hazard();
+- }
++ sort(tlb_vpns, tlbsize, sizeof(*tlb_vpns), r4k_entry_cmp, NULL);
+
+- sort(tlb_vpns, cnt, sizeof(tlb_vpns[0]), r4k_vpn_cmp, NULL);
++ r4k_tlb_uniquify_write(tlb_vpns, tlbsize);
+
+ write_c0_pagemask(PM_DEFAULT_MASK);
+- write_c0_entrylo0(0);
+- write_c0_entrylo1(0);
+-
+- idx = 0;
+- ent = tlbsize;
+- for (i = start; i < tlbsize; i++)
+- while (1) {
+- unsigned long entryhi, vpn;
+-
+- entryhi = UNIQUE_ENTRYHI(ent);
+- vpn = entryhi & vpn_mask & PAGE_MASK;
+-
+- if (idx >= cnt || vpn < tlb_vpns[idx]) {
+- write_c0_entryhi(entryhi);
+- write_c0_index(i);
+- mtc0_tlbw_hazard();
+- tlb_write_indexed();
+- ent++;
+- break;
+- } else if (vpn == tlb_vpns[idx]) {
+- ent++;
+- } else {
+- idx++;
+- }
+- }
+
+ tlbw_use_hazard();
+ htw_start();
--- /dev/null
+From d62cf1511743526f530a4c169424e50c757f5a5e Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Fri, 27 Mar 2026 11:38:06 +0000
+Subject: MIPS: SiByte: Bring back cache initialisation
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit d62cf1511743526f530a4c169424e50c757f5a5e upstream.
+
+Bring back cache initialisation for Broadcom SiByte SB1 cores, which has
+been removed causing the kernel to hang at bootstrap right after:
+
+Dentry cache hash table entries: 524288 (order: 8, 4194304 bytes, linear)
+Inode-cache hash table entries: 262144 (order: 7, 2097152 bytes, linear)
+
+The cause of the problem is R4k cache handlers are also used by Broadcom
+SiByte SB1 cores, however with a different cache error exception handler
+and therefore not using CPU_R4K_CACHE_TLB:
+
+obj-$(CONFIG_CPU_R4K_CACHE_TLB) += c-r4k.o cex-gen.o tlb-r4k.o
+obj-$(CONFIG_CPU_SB1) += c-r4k.o cerr-sb1.o cex-sb1.o tlb-r4k.o
+
+(from arch/mips/mm/Makefile).
+
+Fixes: bbe4f634f48c ("mips: fix r3k_cache_init build regression")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v6.8+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/cache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/cache.c
++++ b/arch/mips/mm/cache.c
+@@ -207,7 +207,8 @@ void cpu_cache_init(void)
+ {
+ if (IS_ENABLED(CONFIG_CPU_R3000) && cpu_has_3k_cache)
+ r3k_cache_init();
+- if (IS_ENABLED(CONFIG_CPU_R4K_CACHE_TLB) && cpu_has_4k_cache)
++ if ((IS_ENABLED(CONFIG_CPU_R4K_CACHE_TLB) ||
++ IS_ENABLED(CONFIG_CPU_SB1)) && cpu_has_4k_cache)
+ r4k_cache_init();
+
+ if (IS_ENABLED(CONFIG_CPU_CAVIUM_OCTEON) && cpu_has_octeon_cache)
drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch
wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch
wifi-iwlwifi-mvm-fix-potential-out-of-bounds-read-in-iwl_mvm_nd_match_info_handler.patch
+usb-serial-option-add-meig-smart-srm825wn.patch
+alsa-caiaq-fix-stack-out-of-bounds-read-in-init_card.patch
+alsa-ctxfi-fix-missing-spdifi1-index-handling.patch
+io_uring-net-fix-slab-out-of-bounds-read-in-io_bundle_nbufs.patch
+bluetooth-smp-derive-legacy-responder-stk-authentication-from-mitm-state.patch
+bluetooth-smp-force-responder-mitm-requirements-before-building-the-pairing-response.patch
+bluetooth-hci_sync-fix-stack-buffer-overflow-in-hci_le_big_create_sync.patch
+ksmbd-fix-oob-write-in-query_info-for-compound-requests.patch
+mips-mm-rewrite-tlb-uniquification-for-the-hidden-bit-feature.patch
+mips-sibyte-bring-back-cache-initialisation.patch
+mips-fix-the-gcc-version-check-for-__multi3-workaround.patch
+iommu-do-not-call-drivers-for-empty-gathers.patch
+hwmon-occ-fix-division-by-zero-in-occ_show_power_1.patch
+mips-mm-allocate-tlb_vpn-array-atomically.patch
+drm-amdgpu-fix-the-idr-allocation-flags.patch
+iio-adc-ti-adc161s626-fix-buffer-read-on-big-endian.patch
+iio-adc-ti-adc161s626-use-dma-safe-memory-for-spi_read.patch
+iio-adc-ti-ads1119-fix-unbalanced-pm-reference-count-in-ds1119_single_conversion.patch
+iio-adc-ti-ads1119-reinit-completion-before-wait_for_completion_timeout.patch
+iio-adc-ti-ads1119-replace-irqf_oneshot-with-irqf_no_thread.patch
+drm-ast-dp501-fix-initialization-of-scu2c.patch
+drm-i915-dsi-don-t-do-dsc-horizontal-timing-adjustments-in-command-mode.patch
+drm-i915-dp-use-crtc_state-enhanced_framing-properly-on-ivb-hsw-cpu-edp.patch
+drm-amdgpu-change-amdgpu_va_reserved_trap_size-to-64kb.patch
+drm-amdgpu-pm-drop-smu-driver-if-version-not-matched-messages.patch
+usb-serial-io_edgeport-add-support-for-blackbox-ic135a.patch
+usb-serial-option-add-support-for-rolling-wireless-rw135r-gl.patch
+usb-core-add-no_lpm-quirk-for-razer-kiyo-pro-webcam.patch
--- /dev/null
+From 8b7a42ecdcdeb55580d9345412f7f8fc5aca3f6c Mon Sep 17 00:00:00 2001
+From: JP Hein <jp@jphein.com>
+Date: Mon, 30 Mar 2026 17:38:04 -0700
+Subject: USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
+
+From: JP Hein <jp@jphein.com>
+
+commit 8b7a42ecdcdeb55580d9345412f7f8fc5aca3f6c upstream.
+
+The Razer Kiyo Pro (1532:0e05) is a USB 3.0 UVC webcam whose firmware
+does not handle USB Link Power Management transitions reliably. When LPM
+is active, the device can enter a state where it fails to respond to
+control transfers, producing EPIPE (-32) errors on UVC probe control
+SET_CUR requests. In the worst case, the stalled endpoint triggers an
+xHCI stop-endpoint command that times out, causing the host controller
+to be declared dead and every USB device on the bus to be disconnected.
+
+This has been reported as Ubuntu Launchpad Bug #2061177. The failure
+mode is:
+
+ 1. UVC probe control SET_CUR returns -32 (EPIPE)
+ 2. xHCI host not responding to stop endpoint command
+ 3. xHCI host controller not responding, assume dead
+ 4. All USB devices on the affected xHCI controller disconnect
+
+Disabling LPM prevents the firmware from entering the problematic low-
+power states that precede the stall. This is the same approach used for
+other webcams with similar firmware issues (e.g., Logitech HD Webcam C270).
+
+Cc: stable <stable@kernel.org>
+Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061177
+Signed-off-by: JP Hein <jp@jphein.com>
+Link: https://patch.msgid.link/20260331003806.212565-2-jp@jphein.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -490,6 +490,8 @@ static const struct usb_device_id usb_qu
+ /* Razer - Razer Blade Keyboard */
+ { USB_DEVICE(0x1532, 0x0116), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
++ /* Razer - Razer Kiyo Pro Webcam */
++ { USB_DEVICE(0x1532, 0x0e05), .driver_info = USB_QUIRK_NO_LPM },
+
+ /* Lenovo ThinkPad OneLink+ Dock twin hub controllers (VIA Labs VL812) */
+ { USB_DEVICE(0x17ef, 0x1018), .driver_info = USB_QUIRK_RESET_RESUME },
--- /dev/null
+From 0e01c3416eb863ee7f156a9d7e7421ec0a9f68a0 Mon Sep 17 00:00:00 2001
+From: Frej Drejhammar <frej@stacken.kth.se>
+Date: Sun, 22 Feb 2026 18:00:42 +0100
+Subject: USB: serial: io_edgeport: add support for Blackbox IC135A
+
+From: Frej Drejhammar <frej@stacken.kth.se>
+
+commit 0e01c3416eb863ee7f156a9d7e7421ec0a9f68a0 upstream.
+
+The Blackbox 724-746-5500 USB Director USB-RS-232 HUB, part number
+IC135A, is a rebadged Edgeport/4 with its own USB device id.
+
+Signed-off-by: Frej Drejhammar <frej@stacken.kth.se>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/io_edgeport.c | 3 +++
+ drivers/usb/serial/io_usbvend.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -73,6 +73,7 @@ static const struct usb_device_id edgepo
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_22I) },
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_412_4) },
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_COMPATIBLE) },
++ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_BLACKBOX_IC135A) },
+ { }
+ };
+
+@@ -121,6 +122,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_8R) },
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_8RR) },
+ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_EDGEPORT_412_8) },
++ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_BLACKBOX_IC135A) },
+ { USB_DEVICE(USB_VENDOR_ID_NCR, NCR_DEVICE_ID_EPIC_0202) },
+ { USB_DEVICE(USB_VENDOR_ID_NCR, NCR_DEVICE_ID_EPIC_0203) },
+ { USB_DEVICE(USB_VENDOR_ID_NCR, NCR_DEVICE_ID_EPIC_0310) },
+@@ -470,6 +472,7 @@ static void get_product_info(struct edge
+ case ION_DEVICE_ID_EDGEPORT_2_DIN:
+ case ION_DEVICE_ID_EDGEPORT_4_DIN:
+ case ION_DEVICE_ID_EDGEPORT_16_DUAL_CPU:
++ case ION_DEVICE_ID_BLACKBOX_IC135A:
+ product_info->IsRS232 = 1;
+ break;
+
+--- a/drivers/usb/serial/io_usbvend.h
++++ b/drivers/usb/serial/io_usbvend.h
+@@ -211,6 +211,7 @@
+
+ //
+ // Definitions for other product IDs
++#define ION_DEVICE_ID_BLACKBOX_IC135A 0x0801 // OEM device (rebranded Edgeport/4)
+ #define ION_DEVICE_ID_MT4X56USB 0x1403 // OEM device
+ #define ION_DEVICE_ID_E5805A 0x1A01 // OEM device (rebranded Edgeport/4)
+
--- /dev/null
+From e8d0ed37bd51da52da6225d278e330c2f18a6198 Mon Sep 17 00:00:00 2001
+From: Ernestas Kulik <ernestas.k@iconn-networks.com>
+Date: Tue, 24 Mar 2026 13:07:16 +0200
+Subject: USB: serial: option: add MeiG Smart SRM825WN
+
+From: Ernestas Kulik <ernestas.k@iconn-networks.com>
+
+commit e8d0ed37bd51da52da6225d278e330c2f18a6198 upstream.
+
+Add support for the SDX62-based MeiG Smart SRM825WN module.
+
+If#= 0: RNDIS
+If#= 1: RNDIS
+If#= 2: Diag
+If#= 3: AT
+If#= 4: AT
+If#= 5: NMEA
+
+T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 19 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2dee ProdID=4d38 Rev= 5.04
+S: Manufacturer=MEIG
+S: Product=LTE-A Module
+S: SerialNumber=da47a175
+C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
+E: Ad=81(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Ernestas Kulik <ernestas.k@iconn-networks.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2441,6 +2441,9 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM815 and SRM825L */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825L */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825L */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM825WN (Diag) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825WN (AT) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825WN (NMEA) */
+ { USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) }, /* LongSung M5710 */
+ { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) }, /* GosunCn GM500 RNDIS */
+ { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */
--- /dev/null
+From 01e8d0f742222f1e68f48180d5480097adf7ae9f Mon Sep 17 00:00:00 2001
+From: Wanquan Zhong <wanquan.zhong@fibocom.com>
+Date: Mon, 16 Mar 2026 19:55:12 +0800
+Subject: USB: serial: option: add support for Rolling Wireless RW135R-GL
+
+From: Wanquan Zhong <wanquan.zhong@fibocom.com>
+
+commit 01e8d0f742222f1e68f48180d5480097adf7ae9f upstream.
+
+Add VID/PID 33f8:1003 for the Rolling Wireless RW135R-GL M.2 module,
+which is used in laptop debug cards with MBIM interface for
+Linux/Chrome OS. The device supports mbim, pipe functionalities.
+
+Here are the outputs of usb-devices:
+T: Bus=04 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
+D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
+P: Vendor=33f8 ProdID=1003 Rev=05.15
+S: Manufacturer=Rolling Wireless S.a.r.l.
+S: Product=Rolling RW135R-GL Module
+S: SerialNumber=12345678
+C: #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
+I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+Signed-off-by: Wanquan Zhong <wanquan.zhong@fibocom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2464,6 +2464,7 @@ static const struct usb_device_id option
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) }, /* Rolling RW101R-GL (laptop MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff), /* Rolling RW350-GL (laptop MBIM) */
+ .driver_info = RSVD(5) },
++ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff) }, /* Rolling RW135R-GL (laptop MBIM) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Global */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) },
projects / thirdparty / kernel / stable-queue.git / commitdiff
