--- /dev/null
+From 49aadf830eb048134d33ad7329d92ecff45d8dbb Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 2 Jan 2026 12:14:10 +0100
+Subject: ASoC: codecs: wsa883x: fix unnecessary initialisation
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 49aadf830eb048134d33ad7329d92ecff45d8dbb upstream.
+
+The soundwire update_status() callback may be called multiple times with
+the same ATTACHED status but initialisation should only be done when
+transitioning from UNATTACHED to ATTACHED.
+
+This avoids repeated initialisation of the codecs during boot of
+machines like the Lenovo ThinkPad X13s:
+
+[ 11.614523] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
+[ 11.618022] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
+[ 11.621377] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
+[ 11.624065] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
+[ 11.631382] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2
+[ 11.634424] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2
+
+Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support")
+Cc: stable@vger.kernel.org # 6.0
+Cc: Srinivas Kandagatla <srini@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260102111413.9605-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wsa883x.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/sound/soc/codecs/wsa883x.c
++++ b/sound/soc/codecs/wsa883x.c
+@@ -441,6 +441,7 @@ struct wsa883x_priv {
+ int active_ports;
+ int dev_mode;
+ int comp_offset;
++ bool hw_init;
+ };
+
+ enum {
+@@ -1002,6 +1003,9 @@ static int wsa883x_init(struct wsa883x_p
+ struct regmap *regmap = wsa883x->regmap;
+ int variant, version, ret;
+
++ if (wsa883x->hw_init)
++ return 0;
++
+ ret = regmap_read(regmap, WSA883X_OTP_REG_0, &variant);
+ if (ret)
+ return ret;
+@@ -1044,6 +1048,8 @@ static int wsa883x_init(struct wsa883x_p
+ wsa883x->comp_offset);
+ }
+
++ wsa883x->hw_init = true;
++
+ return 0;
+ }
+
+@@ -1052,6 +1058,9 @@ static int wsa883x_update_status(struct
+ {
+ struct wsa883x_priv *wsa883x = dev_get_drvdata(&slave->dev);
+
++ if (status == SDW_SLAVE_UNATTACHED)
++ wsa883x->hw_init = false;
++
+ if (status == SDW_SLAVE_ATTACHED && slave->dev_num > 0)
+ return wsa883x_init(wsa883x);
+
--- /dev/null
+From 7544f3f5b0b58c396f374d060898b5939da31709 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Thu, 19 Jun 2025 21:22:28 +0300
+Subject: bridge: mcast: Fix use-after-free during router port configuration
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 7544f3f5b0b58c396f374d060898b5939da31709 upstream.
+
+The bridge maintains a global list of ports behind which a multicast
+router resides. The list is consulted during forwarding to ensure
+multicast packets are forwarded to these ports even if the ports are not
+member in the matching MDB entry.
+
+When per-VLAN multicast snooping is enabled, the per-port multicast
+context is disabled on each port and the port is removed from the global
+router port list:
+
+ # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1
+ # ip link add name dummy1 up master br1 type dummy
+ # ip link set dev dummy1 type bridge_slave mcast_router 2
+ $ bridge -d mdb show | grep router
+ router ports on br1: dummy1
+ # ip link set dev br1 type bridge mcast_vlan_snooping 1
+ $ bridge -d mdb show | grep router
+
+However, the port can be re-added to the global list even when per-VLAN
+multicast snooping is enabled:
+
+ # ip link set dev dummy1 type bridge_slave mcast_router 0
+ # ip link set dev dummy1 type bridge_slave mcast_router 2
+ $ bridge -d mdb show | grep router
+ router ports on br1: dummy1
+
+Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement
+br_multicast_{enable, disable}_port functions"), when per-VLAN multicast
+snooping is enabled, multicast disablement on a port will disable the
+per-{port, VLAN} multicast contexts and not the per-port one. As a
+result, a port will remain in the global router port list even after it
+is deleted. This will lead to a use-after-free [1] when the list is
+traversed (when adding a new port to the list, for example):
+
+ # ip link del dev dummy1
+ # ip link add name dummy2 up master br1 type dummy
+ # ip link set dev dummy2 type bridge_slave mcast_router 2
+
+Similarly, stale entries can also be found in the per-VLAN router port
+list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN}
+contexts are disabled on each port and the port is removed from the
+per-VLAN router port list:
+
+ # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1
+ # ip link add name dummy1 up master br1 type dummy
+ # bridge vlan add vid 2 dev dummy1
+ # bridge vlan global set vid 2 dev br1 mcast_snooping 1
+ # bridge vlan set vid 2 dev dummy1 mcast_router 2
+ $ bridge vlan global show dev br1 vid 2 | grep router
+ router ports: dummy1
+ # ip link set dev br1 type bridge mcast_vlan_snooping 0
+ $ bridge vlan global show dev br1 vid 2 | grep router
+
+However, the port can be re-added to the per-VLAN list even when
+per-VLAN multicast snooping is disabled:
+
+ # bridge vlan set vid 2 dev dummy1 mcast_router 0
+ # bridge vlan set vid 2 dev dummy1 mcast_router 2
+ $ bridge vlan global show dev br1 vid 2 | grep router
+ router ports: dummy1
+
+When the VLAN is deleted from the port, the per-{port, VLAN} multicast
+context will not be disabled since multicast snooping is not enabled
+on the VLAN. As a result, the port will remain in the per-VLAN router
+port list even after it is no longer member in the VLAN. This will lead
+to a use-after-free [2] when the list is traversed (when adding a new
+port to the list, for example):
+
+ # ip link add name dummy2 up master br1 type dummy
+ # bridge vlan add vid 2 dev dummy2
+ # bridge vlan del vid 2 dev dummy1
+ # bridge vlan set vid 2 dev dummy2 mcast_router 2
+
+Fix these issues by removing the port from the relevant (global or
+per-VLAN) router port list in br_multicast_port_ctx_deinit(). The
+function is invoked during port deletion with the per-port multicast
+context and during VLAN deletion with the per-{port, VLAN} multicast
+context.
+
+Note that deleting the multicast router timer is not enough as it only
+takes care of the temporary multicast router states (1 or 3) and not the
+permanent one (2).
+
+[1]
+BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560
+Write of size 8 at addr ffff888004a67328 by task ip/384
+[...]
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x6f/0xa0
+ print_address_description.constprop.0+0x6f/0x350
+ print_report+0x108/0x205
+ kasan_report+0xdf/0x110
+ br_multicast_add_router.part.0+0x3f1/0x560
+ br_multicast_set_port_router+0x74e/0xac0
+ br_setport+0xa55/0x1870
+ br_port_slave_changelink+0x95/0x120
+ __rtnl_newlink+0x5e8/0xa40
+ rtnl_newlink+0x627/0xb00
+ rtnetlink_rcv_msg+0x6fb/0xb70
+ netlink_rcv_skb+0x11f/0x350
+ netlink_unicast+0x426/0x710
+ netlink_sendmsg+0x75a/0xc20
+ __sock_sendmsg+0xc1/0x150
+ ____sys_sendmsg+0x5aa/0x7b0
+ ___sys_sendmsg+0xfc/0x180
+ __sys_sendmsg+0x124/0x1c0
+ do_syscall_64+0xbb/0x360
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[2]
+BUG: KASAN: slab-use-after-free in br_multicast_add_router.part.0+0x378/0x560
+Read of size 8 at addr ffff888009f00840 by task bridge/391
+[...]
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x6f/0xa0
+ print_address_description.constprop.0+0x6f/0x350
+ print_report+0x108/0x205
+ kasan_report+0xdf/0x110
+ br_multicast_add_router.part.0+0x378/0x560
+ br_multicast_set_port_router+0x6f9/0xac0
+ br_vlan_process_options+0x8b6/0x1430
+ br_vlan_rtm_process_one+0x605/0xa30
+ br_vlan_rtm_process+0x396/0x4c0
+ rtnetlink_rcv_msg+0x2f7/0xb70
+ netlink_rcv_skb+0x11f/0x350
+ netlink_unicast+0x426/0x710
+ netlink_sendmsg+0x75a/0xc20
+ __sock_sendmsg+0xc1/0x150
+ ____sys_sendmsg+0x5aa/0x7b0
+ ___sys_sendmsg+0xfc/0x180
+ __sys_sendmsg+0x124/0x1c0
+ do_syscall_64+0xbb/0x360
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: 2796d846d74a ("net: bridge: vlan: convert mcast router global option to per-vlan entry")
+Fixes: 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions")
+Reported-by: syzbot+7bfa4b72c6a5da128d32@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/684c18bd.a00a0220.279073.000b.GAE@google.com/T/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20250619182228.1656906-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -2014,10 +2014,19 @@ void br_multicast_port_ctx_init(struct n
+
+ void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pmctx)
+ {
++ struct net_bridge *br = pmctx->port->br;
++ bool del = false;
++
+ #if IS_ENABLED(CONFIG_IPV6)
+ del_timer_sync(&pmctx->ip6_mc_router_timer);
+ #endif
+ del_timer_sync(&pmctx->ip4_mc_router_timer);
++
++ spin_lock_bh(&br->multicast_lock);
++ del |= br_ip6_multicast_rport_del(pmctx);
++ del |= br_ip4_multicast_rport_del(pmctx);
++ br_multicast_rport_del_notify(pmctx, del);
++ spin_unlock_bh(&br->multicast_lock);
+ }
+
+ int br_multicast_add_port(struct net_bridge_port *port)
--- /dev/null
+From a8d42cd228ec41ad99c50a270db82f0dd9127a28 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+Date: Thu, 9 Jan 2025 05:35:04 +0000
+Subject: drm/amd/display: mark static functions noinline_for_stack
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+commit a8d42cd228ec41ad99c50a270db82f0dd9127a28 upstream.
+
+When compiling allmodconfig (CONFIG_WERROR=y) with clang-19, see the
+following errors:
+
+.../display/dc/dml2/display_mode_core.c:6268:13: warning: stack frame size (3128) exceeds limit (3072) in 'dml_prefetch_check' [-Wframe-larger-than]
+.../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c:7236:13: warning: stack frame size (3256) exceeds limit (3072) in 'dml_core_mode_support' [-Wframe-larger-than]
+
+Mark static functions called by dml_prefetch_check() and
+dml_core_mode_support() noinline_for_stack to avoid them become huge
+functions and thus exceed the frame size limit.
+
+A way to reproduce:
+$ git checkout next-20250107
+$ mkdir build_dir
+$ export PATH=/tmp/llvm-19.1.6-x86_64/bin:$PATH
+$ make LLVM=1 O=build_dir allmodconfig
+$ make LLVM=1 O=build_dir drivers/gpu/drm/ -j
+
+The way how it chose static functions to mark:
+[0] Unset CONFIG_WERROR in build_dir/.config.
+To get display_mode_core.o without errors.
+
+[1] Get a function list called by dml_prefetch_check().
+$ sed -n '6268,6711p' drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c \
+ | sed -n -r 's/.*\W(\w+)\(.*/\1/p' | sort -u >/tmp/syms
+
+[2] Get the non-inline function list.
+Objdump won't show the symbols if they are inline functions.
+
+$ make LLVM=1 O=build_dir drivers/gpu/drm/ -j
+$ objdump -d build_dir/.../display_mode_core.o | \
+ ./scripts/checkstack.pl x86_64 0 | \
+ grep -f /tmp/syms | cut -d' ' -f2- >/tmp/orig
+
+[3] Get the full function list.
+Append "-fno-inline" to `CFLAGS_.../display_mode_core.o` in
+drivers/gpu/drm/amd/display/dc/dml2/Makefile.
+
+$ make LLVM=1 O=build_dir drivers/gpu/drm/ -j
+$ objdump -d build_dir/.../display_mode_core.o | \
+ ./scripts/checkstack.pl x86_64 0 | \
+ grep -f /tmp/syms | cut -d' ' -f2- >/tmp/noinline
+
+[4] Get the inline function list.
+If a symbol only in /tmp/noinline but not in /tmp/orig, it is a good
+candidate to mark noinline.
+
+$ diff /tmp/orig /tmp/noinline
+
+Chosen functions and their stack sizes:
+CalculateBandwidthAvailableForImmediateFlip [display_mode_core.o]:144
+CalculateExtraLatency [display_mode_core.o]:176
+CalculateTWait [display_mode_core.o]:64
+CalculateVActiveBandwithSupport [display_mode_core.o]:112
+set_calculate_prefetch_schedule_params [display_mode_core.o]:48
+
+CheckGlobalPrefetchAdmissibility [dml2_core_dcn4_calcs.o]:544
+calculate_bandwidth_available [dml2_core_dcn4_calcs.o]:320
+calculate_vactive_det_fill_latency [dml2_core_dcn4_calcs.o]:272
+CalculateDCFCLKDeepSleep [dml2_core_dcn4_calcs.o]:208
+CalculateODMMode [dml2_core_dcn4_calcs.o]:208
+CalculateOutputLink [dml2_core_dcn4_calcs.o]:176
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+[nathan: Fix conflicts in dml2_core_dcn4_calcs.c]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c | 12 +++++-----
+ drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 8 +++---
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c
+@@ -1736,7 +1736,7 @@ static void CalculateBytePerPixelAndBloc
+ #endif
+ } // CalculateBytePerPixelAndBlockSizes
+
+-static dml_float_t CalculateTWait(
++static noinline_for_stack dml_float_t CalculateTWait(
+ dml_uint_t PrefetchMode,
+ enum dml_use_mall_for_pstate_change_mode UseMALLForPStateChange,
+ dml_bool_t SynchronizeDRRDisplaysForUCLKPStateChangeFinal,
+@@ -4458,7 +4458,7 @@ static void CalculateSwathWidth(
+ }
+ } // CalculateSwathWidth
+
+-static dml_float_t CalculateExtraLatency(
++static noinline_for_stack dml_float_t CalculateExtraLatency(
+ dml_uint_t RoundTripPingLatencyCycles,
+ dml_uint_t ReorderingBytes,
+ dml_float_t DCFCLK,
+@@ -5915,7 +5915,7 @@ static dml_uint_t DSCDelayRequirement(
+ return DSCDelayRequirement_val;
+ }
+
+-static dml_bool_t CalculateVActiveBandwithSupport(dml_uint_t NumberOfActiveSurfaces,
++static noinline_for_stack dml_bool_t CalculateVActiveBandwithSupport(dml_uint_t NumberOfActiveSurfaces,
+ dml_float_t ReturnBW,
+ dml_bool_t NotUrgentLatencyHiding[],
+ dml_float_t ReadBandwidthLuma[],
+@@ -6019,7 +6019,7 @@ static void CalculatePrefetchBandwithSup
+ #endif
+ }
+
+-static dml_float_t CalculateBandwidthAvailableForImmediateFlip(
++static noinline_for_stack dml_float_t CalculateBandwidthAvailableForImmediateFlip(
+ dml_uint_t NumberOfActiveSurfaces,
+ dml_float_t ReturnBW,
+ dml_float_t ReadBandwidthLuma[],
+@@ -6213,7 +6213,7 @@ static dml_uint_t CalculateMaxVStartup(
+ return max_vstartup_lines;
+ }
+
+-static void set_calculate_prefetch_schedule_params(struct display_mode_lib_st *mode_lib,
++static noinline_for_stack void set_calculate_prefetch_schedule_params(struct display_mode_lib_st *mode_lib,
+ struct CalculatePrefetchSchedule_params_st *CalculatePrefetchSchedule_params,
+ dml_uint_t j,
+ dml_uint_t k)
+@@ -6265,7 +6265,7 @@ static void set_calculate_prefetch_sched
+ CalculatePrefetchSchedule_params->Tno_bw = &mode_lib->ms.Tno_bw[k];
+ }
+
+-static void dml_prefetch_check(struct display_mode_lib_st *mode_lib)
++static noinline_for_stack void dml_prefetch_check(struct display_mode_lib_st *mode_lib)
+ {
+ struct dml_core_mode_support_locals_st *s = &mode_lib->scratch.dml_core_mode_support_locals;
+ struct CalculatePrefetchSchedule_params_st *CalculatePrefetchSchedule_params = &mode_lib->scratch.CalculatePrefetchSchedule_params;
+--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c
+@@ -2774,7 +2774,7 @@ static double dml_get_return_bandwidth_a
+ return return_bw_mbps;
+ }
+
+-static void calculate_bandwidth_available(
++static noinline_for_stack void calculate_bandwidth_available(
+ double avg_bandwidth_available_min[dml2_core_internal_soc_state_max],
+ double avg_bandwidth_available[dml2_core_internal_soc_state_max][dml2_core_internal_bw_max],
+ double urg_bandwidth_available_min[dml2_core_internal_soc_state_max], // min between SDP and DRAM
+@@ -4066,7 +4066,7 @@ static bool ValidateODMMode(enum dml2_od
+ return true;
+ }
+
+-static void CalculateODMMode(
++static noinline_for_stack void CalculateODMMode(
+ unsigned int MaximumPixelsPerLinePerDSCUnit,
+ unsigned int HActive,
+ enum dml2_output_format_class OutFormat,
+@@ -4164,7 +4164,7 @@ static void CalculateODMMode(
+ #endif
+ }
+
+-static void CalculateOutputLink(
++static noinline_for_stack void CalculateOutputLink(
+ struct dml2_core_internal_scratch *s,
+ double PHYCLK,
+ double PHYCLKD18,
+@@ -6731,7 +6731,7 @@ static void calculate_bytes_to_fetch_req
+ }
+ }
+
+-static void calculate_vactive_det_fill_latency(
++static noinline_for_stack void calculate_vactive_det_fill_latency(
+ const struct dml2_display_cfg *display_cfg,
+ unsigned int num_active_planes,
+ unsigned int bytes_required_l[],
--- /dev/null
+From f28beb69c51517aec7067dfb2074e7c751542384 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <bentiss@kernel.org>
+Date: Mon, 15 Dec 2025 12:57:21 +0100
+Subject: HID: usbhid: paper over wrong bNumDescriptor field
+
+From: Benjamin Tissoires <bentiss@kernel.org>
+
+commit f28beb69c51517aec7067dfb2074e7c751542384 upstream.
+
+Some faulty devices (ZWO EFWmini) have a wrong optional HID class
+descriptor count compared to the provided length.
+
+Given that we plainly ignore those optional descriptor, we can attempt
+to fix the provided number so we do not lock out those devices.
+
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Cc: Salvatore Bonaccorso <carnil@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/usbhid/hid-core.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -985,6 +985,7 @@ static int usbhid_parse(struct hid_devic
+ struct usb_device *dev = interface_to_usbdev (intf);
+ struct hid_descriptor *hdesc;
+ struct hid_class_descriptor *hcdesc;
++ __u8 fixed_opt_descriptors_size;
+ u32 quirks = 0;
+ unsigned int rsize = 0;
+ char *rdesc;
+@@ -1015,7 +1016,21 @@ static int usbhid_parse(struct hid_devic
+ (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) {
+ dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n",
+ hdesc->bLength, hdesc->bNumDescriptors);
+- return -EINVAL;
++
++ /*
++ * Some devices may expose a wrong number of descriptors compared
++ * to the provided length.
++ * However, we ignore the optional hid class descriptors entirely
++ * so we can safely recompute the proper field.
++ */
++ if (hdesc->bLength >= sizeof(*hdesc)) {
++ fixed_opt_descriptors_size = hdesc->bLength - sizeof(*hdesc);
++
++ hid_warn(intf, "fixing wrong optional hid class descriptors count\n");
++ hdesc->bNumDescriptors = fixed_opt_descriptors_size / sizeof(*hcdesc) + 1;
++ } else {
++ return -EINVAL;
++ }
+ }
+
+ hid->version = le16_to_cpu(hdesc->bcdHID);
--- /dev/null
+From da579f05ef0faada3559e7faddf761c75cdf85e1 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Wed, 14 Jan 2026 16:54:05 +0800
+Subject: io_uring: move local task_work in exit cancel loop
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit da579f05ef0faada3559e7faddf761c75cdf85e1 upstream.
+
+With IORING_SETUP_DEFER_TASKRUN, task work is queued to ctx->work_llist
+(local work) rather than the fallback list. During io_ring_exit_work(),
+io_move_task_work_from_local() was called once before the cancel loop,
+moving work from work_llist to fallback_llist.
+
+However, task work can be added to work_llist during the cancel loop
+itself. There are two cases:
+
+1) io_kill_timeouts() is called from io_uring_try_cancel_requests() to
+cancel pending timeouts, and it adds task work via io_req_queue_tw_complete()
+for each cancelled timeout:
+
+2) URING_CMD requests like ublk can be completed via
+io_uring_cmd_complete_in_task() from ublk_queue_rq() during canceling,
+given ublk request queue is only quiesced when canceling the 1st uring_cmd.
+
+Since io_allowed_defer_tw_run() returns false in io_ring_exit_work()
+(kworker != submitter_task), io_run_local_work() is never invoked,
+and the work_llist entries are never processed. This causes
+io_uring_try_cancel_requests() to loop indefinitely, resulting in
+100% CPU usage in kworker threads.
+
+Fix this by moving io_move_task_work_from_local() inside the cancel
+loop, ensuring any work on work_llist is moved to fallback before
+each cancel attempt.
+
+Cc: stable@vger.kernel.org
+Fixes: c0e0d6ba25f1 ("io_uring: add IORING_SETUP_DEFER_TASKRUN")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2904,11 +2904,11 @@ static __cold void io_ring_exit_work(str
+ mutex_unlock(&ctx->uring_lock);
+ }
+
+- if (ctx->flags & IORING_SETUP_DEFER_TASKRUN)
+- io_move_task_work_from_local(ctx);
+-
+- while (io_uring_try_cancel_requests(ctx, NULL, true))
++ do {
++ if (ctx->flags & IORING_SETUP_DEFER_TASKRUN)
++ io_move_task_work_from_local(ctx);
+ cond_resched();
++ } while (io_uring_try_cancel_requests(ctx, NULL, true));
+
+ if (ctx->sq_data) {
+ struct io_sq_data *sqd = ctx->sq_data;
selftests-landlock-properly-close-a-file-descriptor.patch
dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
+hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch
+bridge-mcast-fix-use-after-free-during-router-port-configuration.patch
+asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch
+drm-amd-display-mark-static-functions-noinline_for_stack.patch
+io_uring-move-local-task_work-in-exit-cancel-loop.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
